One key failing that limits an organisation's ability to develop an enterprise-wide (holistic) view of its overall security position is assessing security solely on an application-by-application basis. The links, dependencies and information flows (relationships) between applications in a “system” (applications working together and linked to each other) are rarely assessed, in our experience. A “system-level” perspective on security is vital if an organisation is to get a more thorough assessment of potential risks, direct and indirect, both in a specific application and in the corporate environment as a whole. Read on….
Interesting article talking about the death of penetration testing written by Bill Brenner – also referenced and discussed here at Jeremiah’s site.
We’re (Securus Global) getting to the stage of a more generic description of just plain old “security testing”. I can’t see it being “dead” anywhere in the short-term future. What’s the real workable alternative for testing “production” software against known and, in many cases, unknown types of attacks and vulns? (It still surprises me, regarding the latter, how many “specialists” believe 0-days only exist once they are reported publicly.) Code-level reviews, while good, are too expensive for most companies and do hinder delivery dates (regardless of the value they provide) – business realities.
Is it dead when it’s barely started across the business world? Where’s the starting point for the “new” (already lacking/wanting) approaches?
http://www.f-secure.com/2008/2/index.html
The data shows predictions by some vendors earlier this year were a bit premature (read: silly) – and if anyone believed they were “on top of it” (as some claimed they were), I’d say those people were extreme optimists.
We can only hope.
Easy predictions for 2009 – it’ll get even worse. No great amount of genius required to make a statement like that from me. New technologies, surprises when we start publishing stuff on existing technologies and the ongoing threats will be the gist of it for 2009. Anyway, the F-Secure report is worth the read as it always is.
Reading through some of the proposed plans by governments and other bodies to attack the problems leaves me somewhat perplexed at times.
Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”
SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.
Web Developer: “Well nothing has ever happened so it’s just you guys!”
SG dude: “You have no logging”.
Web Developer: “We’ve never been hacked!”
What do you do?
Scenario repeats every week – new developer, next website, next web app. See you then!
David Rice is an internationally recognised information security professional and author of the critically acclaimed book, “Geekonomics: The Real Cost of Insecure Software.” For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing the security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and is currently Director of The Monterey Group.
I had a chance to talk with David recently and I hope you enjoy the read.
———————————————————————————-
BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?
DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.
The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.
On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.
As you know, I am not a fan of most IT security surveys but Jeremiah Grossman’s Web Application Security Professionals Survey is an exception. The full survey and comments are well worth downloading. (And if you use HackerSafe, well what did you expect industry specialists were going to say?!)
This topic has been hot again in recent times and we’ve been asked a few times on what our position to this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities announced, (and in some cases exploits developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here but is the third option of no-disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area, (and I don’t mean sales of vulns to organisations who buy them – I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients for home grown systems and applications)?
I can’t believe the number of security “specialists” (many well-known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence, to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!
If your favourite blogger, by chance, is all of a sudden a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (Talking to industry dudes, cred may already be gone.) Were they pushing the same message 12 months ago? Are they now a QSA (not that that matters so much, but they may ride on PCI DSS 6.6) and using that to drive business?
Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?
A lot of recent posts here and in the forum talk about responsible and true representation of the services and products being marketed. The focus, though, has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no-liability market that few, if any, other industries enjoy. There is something wrong with that!
They’ve been in that lucky position since day 1, pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems for the people who buy it! If problems occur, NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!
The problem always sits with those who purchased and use that software!
EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.
Is it just me who read this and thought; yeah…let’s see how many people remember the name SAFECode Forum in 12 months time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first of these things we have seen, as they promote it being?
The question has to be asked: have these companies admitted that they cannot, today and in the future, deliver more secure products on their own?
