- How not to set up a Hotel Safe: I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- Ockham’s Razor post on Security Shapes. D’s stuff is always interesting and worth a read.

- Our old friend Big Galoot has certainly shown the power of the Internet Blogger. His “Protect Jerrys Plains” blog has exposed many questionable business and government practices. In recent times, his work has received attention from mainstream media. He may well have brought down a minister.

- Saw this one on my return – reported by Pat at Risky.Biz: “McAfee Leaks 1400 Security Pro Details“. I haven’t had a chance to listen to the podcast yet where Pat interviews McAfee over the incident. I question how big a deal this is. How much of the information is confidential really? AusCert and many other conferences send out similar lists (albeit the attendees have opted-in for their information to be available to sponsors). Mistake or marketing – Hey, look how many important people were interested in McAfee. Might drive others to follow these important people. DLP discussion/debate? Seriously?

- Christian has a new post where he poses some good questions around putting solutions together and approaches to Information Security; “Keep It Simple“.

- Jarrod looks at the “Full-Disclosure” debate here at his /Dev/Null blog.

- We’ve added a few more to the list of Australian IT Security Bloggers. Let me know if you want to be added to this list.

- I see Kiwicon 3 has been announced for November 28-29, 2009. Details here. Follow on Twitter also.

Back now after almost 4 weeks abroad. While I was away, the guys at Tek-Tips kicked off publication of some of my articles. I’ll be writing more for the publication so will post links sometimes from here to the site. Anyway, I better get back to work now.

Posted in: Dumb Security, WTF, news


By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor of security threats means more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction?  What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including on the basis of whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission has a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record means they are unable to perform the ‘inherent requirements’ of the job.




Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.



By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There were a huge number of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp. It’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.
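The post judges scanners on false positives, false negatives and coverage but does not show how those numbers were produced. The harness below is an added example, not S-A.com’s or Declan’s own tooling and not output from AppScan, Acunetix or Burp: it normalises findings from a scanner and from a manual baseline onto a common key (endpoint, parameter, vulnerability class) so that duplicate reports of one bug count once, then computes precision, recall and endpoint coverage against a hand-built site map. All findings, URLs and class labels are constructed for illustration; the `CLASS_ALIASES` vocabulary is an assumption, not any vendor’s actual report strings.

```python
"""Score a web-app scanner against a manually verified baseline.

Constructed example: the findings, URLs and labels below are made up and do
not come from any real scanner run.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """One normalised issue: endpoint, injection point, vulnerability class."""
    url: str
    parameter: str
    vuln_class: str


# Tools label the same class differently; fold them into one vocabulary.
# Assumption: illustrative labels, not the exact strings any vendor emits.
CLASS_ALIASES = {
    "sql injection": "sqli",
    "blind sql injection": "sqli",
    "cross-site scripting": "xss",
    "reflected xss": "xss",
    "insecure direct object reference": "idor",
}


def normalize(url: str, parameter: str, vuln_class: str) -> Finding:
    """Drop query strings and trailing slashes and map label variants, so that
    '/search?q=a' reported as 'Reflected XSS' and '/search?q=b' reported as
    'Cross-Site Scripting' collapse to a single finding."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    endpoint = f"{parts.scheme}://{parts.netloc.lower()}{path}"
    label = vuln_class.strip().lower()
    return Finding(endpoint, parameter.strip().lower(), CLASS_ALIASES.get(label, label))


def score(scanner_raw, baseline_raw, crawled_urls, known_urls):
    """Compare scanner output with the manual baseline.

    Recall is only measured against bugs the manual test found; anything
    neither side found is invisible here, so the false-negative count is a
    lower bound."""
    scanner = {normalize(*f) for f in scanner_raw}
    baseline = {normalize(*f) for f in baseline_raw}
    tp, fp, fn = scanner & baseline, scanner - baseline, baseline - scanner
    known = {normalize(u, "", "").url for u in known_urls}
    crawled = {normalize(u, "", "").url for u in crawled_urls}
    covered = crawled & known
    return {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": fn,
        "precision": len(tp) / len(scanner) if scanner else 0.0,
        "recall": len(tp) / len(baseline) if baseline else 0.0,
        "coverage": len(covered) / len(known) if known else 0.0,
        "missed_endpoints": known - crawled,
    }


# Constructed scanner report: two reports of one XSS, one SQLi that a manual
# retest could not exploit, and one genuine SQLi.
SCANNER_RAW = [
    ("https://shop.example/login", "username", "SQL Injection"),
    ("https://shop.example/search?q=test", "q", "Reflected XSS"),
    ("https://shop.example/search?q=%3Cb%3E", "q", "Cross-Site Scripting"),
    ("https://shop.example/products/", "sort", "Blind SQL Injection"),
]

# Constructed manual baseline: includes an authorisation bug no crawler flags.
BASELINE_RAW = [
    ("https://shop.example/login", "username", "sqli"),
    ("https://shop.example/search", "q", "xss"),
    ("https://shop.example/account", "id", "IDOR"),
]

# Constructed site map from a manual walkthrough vs. what the scanner crawled.
KNOWN_URLS = [
    "https://shop.example/", "https://shop.example/login",
    "https://shop.example/search", "https://shop.example/account",
    "https://shop.example/admin/users", "https://shop.example/admin/reports",
]
CRAWLED_URLS = [
    "https://shop.example/", "https://shop.example/login",
    "https://shop.example/search?q=1", "https://shop.example/products/",
]


def run_example():
    return score(SCANNER_RAW, BASELINE_RAW, CRAWLED_URLS, KNOWN_URLS)


if __name__ == "__main__":
    result = run_example()
    for key in ("precision", "recall", "coverage"):
        print(f"{key}: {result[key]:.2f}")
    for key in ("false_positives", "false_negatives", "missed_endpoints"):
        print(f"{key}:")
        for item in sorted(result[key], key=str):
            print(f"  {item}")
```

On this constructed data the scanner scores 2/3 precision and 2/3 recall, and it only crawled half the known endpoints, missing the authenticated and admin areas entirely. That last number is the one the post’s first bullet is about: coverage has to be checked by a person who knows the application map, because the scanner will happily report a clean result for pages it never reached.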


