Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.



By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There was a huge number of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp. It’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.



It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says: “If you are a Chief Security Officer, this is a must listen”:

http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:



In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.

One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help: define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and align the objectives of individuals, teams and the organisation itself.

In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):

•    Articulation of the Security Strategy.
•    Translating Strategy into Desired Outcomes.
•    Devising Metrics.
•    Linking Metrics to Leading and Lagging Indicators.
•    Calculating Current and Target Performance.

How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s).

Are exercises like this 12-month-plus projects, à la Big 4 massive undertakings (costing millions), or can an experienced eye provide the same end results in a fraction of the time? Read on.




Interesting to look at the latest Crime Insurance Renewal forms I’ve been sent. This was a hot discussion topic a few years ago as a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is it now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..




Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like, to a degree). He wanted to talk about security testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with: “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical, I thought, and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…




I’ve posted quite a few times on this topic over the years, but things change over time and I don’t think we (the industry) have ever been more fragmented in terms of what we think is right or wrong about this topic. I am really keen to hear what people think is right and what is wrong about vulnerability disclosure. Please post your thoughts.



Just reading the latest thread here in the Forum. It’s a fair point raised. Something we’ve talked about for a while…..

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part as it’s been done to death before).

What it really demonstrates, in my opinion, is seriously dumb senior management who seem to have a belief that rogue “hackers” bring to the table something special…..something they have no idea they can already get by the score in the mainstream professional Information Security industry. (e.g., as I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world….If I was TelstraClear, I’d have about 20 others on the list before hiring the kid they did). Look, good luck to the guys being hired. You have to make a living and if someone wants to offer you money/job etc well….




This is far from my first post on the role of the CIO. While most posts have been focused on the [CIO] failures to fully understand the role of Information Security professionals and the industry in general, many [posts] have also looked at the fundamental failures of CIOs and their roles in business. The two are interdependent.

Somewhere around the late 90s, this “CIO” title started to become the role “title” of choice for the most senior IT person in the organisation. Out went “IT Director”, “IT General Manager” and similar titles, and in came the trend of “CIOs” starting to consider themselves business people. Now at the time most CIOs were IT people, and drawing that long bow to be viewed by their own staff as “business people” created one of the major turning points.

This has been a catalyst leading our industry into more than 10 years of little change: in significant IT development, in better security, to an extent in relatively effective control of IT in a business, and most importantly in understanding of, and forceful commitment to, the emerging Information Security industry and its rising impact on business. Is this the reason good information security adoption has lagged, and to many extents is just plainly non-existent in many organisations?

Taking this deeper: without that critical mass of acceptance at that senior level, the representative voice of IT to the business (and the flow-on effects to society as a whole) has failed. Accountability means little to nothing in the overall scheme of things pertaining to longer term strategy, so “Governance” in IT security overall would be deemed a failure. Risk Management across an enterprise from a holistic view is a failure. (In silos there are some successes, but what overall benefit is there if the business as a whole has no business-wide understanding of itself?) Without this review and the most basic root cause analysis and planned treatment of the root causes, we have the lack of progress (though some would call it total failure)….should we expect to be in a better position now or in the short term future?

Part II will look at more detailed analysis of the CIO in business and their relation to IT Security. Thanks to Donal for this one:
http://chucksblog.emc.com/chucks_blog/2009/04/thoughts-on-the-state-of-the-cio.html

Why aren’t CIOs’ competences being analysed from within their own departments? While I know so many good CIOs, I’ve met far more who are out of their league and you wonder what they really know. If they want to be “C-level” people, they need to be scrutinised in the same way as CEOs and CFOs (even though we know that is also far from ideal a lot of the time).

Stay tuned for Part II



Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally, you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched in our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and, most importantly, the steps needed to make valuable and significant improvements to IT, business, home and society in general. Read on:



