Busting IDS/IPS/WAFs/Firewalls Revisited……..
July 7, 2009

It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says; “If you are a Chief Security Officer, this is a must listen”:

http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:
(more…)

Comments (4)
Posted in: Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security


Crime Insurance – Implications of bad business IT security practices……
May 25, 2009

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago in regards to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..

(more…)

Comments (7)
Posted in: Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news


Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions
May 24, 2009

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like to a degree). He wanted to talk about securty testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…

(more…)

Comments (4)
Posted in: Applications, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security


Hiring Convicted "Hackers"……
April 20, 2009

Just reading the latest thread here in the Forum. It’s a fair point raised. Something we’ve talked about for a while…..

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part as it’s been done to death before).

What it really demonstrates in my opinion is seriously dumb senior management who seem to have a belief that rogue “hackers” bring to the table something special…..something they have no idea that they can already get in the scores in the mainstream professional Information Security industry. (eg; As I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world….If I was TelstraClear, I’d have about 20 others on the list before hiring the kid they did). Look, good luck to the guys being hired. You have to make a living and if someone wants to offer you money/job etc well….

(more…)

Comments (12)
Posted in: Bad Stuff, Dumb Security, Research, Vulnerability Management, WTF, Web Application Security, cyber crime


Wanted – Web Developer: Must Understand Security
April 3, 2009

By Declan Ingram

An interesting thing happened today. Someone asked me to find a Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising…..in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

Comments (2)
Posted in: Applications, Bad Developers, Bad Stuff, Disclosure Laws, Industry Specialists Talk, Web Application Security


Workarounds, accepted mediocrity and questionable future benefits/improvements….
March 22, 2009

Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and most importantly, the steps to make valuable, and most importantly, significant steps to improve IT, business, home and society in general. Read on:

(more…)

Comments (3)
Posted in: Applications, Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Internet Filtering, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime


Random Things – Busy Few Weeks
March 20, 2009

- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but everytime I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah…probably not much.  :)

Comments (0)
Posted in: Dumb Security, Internet Filtering, PCI, PCI DSS, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, news


Cyber Security at the Crossroads
March 12, 2009

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked-off a series of posts titled; “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Comments (0)
Posted in: Applications, Bad Developers, Industry Specialists Talk, Research, Web Application Security, cyber crime


Random thoughts….Is it just me?
March 10, 2009

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign-in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money making grabs on their part. Danger for all is that if only the Big guys eventually are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker so who wins? Do I battle these guys again or just suck it? No appetite at present for another battle with them. Read on:

(more…)

Comments (0)
Posted in: Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news


On my list……
March 9, 2009

Anton tells me he will be mind-blowingly awesome here so I have no choice but to listen into this one:  :)
——————————————————————————-

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————–

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
———————————————————————————

Yes, (open disclosure), both companies have business relationships with Securus Global.

Comments (3)
Posted in: PCI, PCI DSS, Vulnerability Management, Web Application Security, news


« Newer PostsOlder Posts »