Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Evaluating Automated Assessment Tools

Posted on August 5th, 2009 by matthew

By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There was a huge number of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp. It’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.
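The three criteria the post judges scanners on (false positives, false negatives and coverage) can be scored mechanically once a tester has hand-verified a baseline for the application. The script below is an added example, not code from the original post or from any of the vendors named; the Finding fields, the sample scanner export, the verified list and the endpoint inventory are all constructed, and "coverage" here is approximated as the share of known endpoints the scanner actually reached rather than true code coverage:

```python
"""Score an automated web scanner's findings against a manually verified
baseline: true/false positives, false negatives and endpoint coverage.

All sample data below is constructed for illustration; the field names are
an assumption and do not match any particular vendor's export format.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    url: str    # endpoint as reported (query string allowed)
    param: str  # parameter the issue was reported on ("" if none)
    issue: str  # issue class, e.g. "xss", "sqli"


def normalise(url: str) -> str:
    """Drop the query string and trailing slash so /a/?x=1 and /a compare equal."""
    path = url.split("?", 1)[0].rstrip("/")
    return path or "/"


def key(f: Finding) -> tuple:
    """Identity of a finding for matching scanner output against the baseline."""
    return (normalise(f.url), f.param.lower(), f.issue.lower())


def score(scanner: Iterable[Finding], verified: Iterable[Finding],
          reached: Iterable[str], known_endpoints: Iterable[str]) -> dict:
    """Compare scanner findings with the tester's verified findings.

    precision = verified findings the scanner reported / everything it reported
    recall    = verified findings the scanner reported / all verified findings
    coverage  = known endpoints the scanner reached / all known endpoints
    """
    s = {key(f) for f in scanner}
    v = {key(f) for f in verified}
    tp, fp, fn = s & v, s - v, v - s
    reached_set = {normalise(u) for u in reached}
    known_set = {normalise(u) for u in known_endpoints}
    covered = reached_set & known_set
    return {
        "true_positives": sorted(tp),
        "false_positives": sorted(fp),
        "false_negatives": sorted(fn),
        "precision": round(len(tp) / len(s), 3) if s else 0.0,
        "recall": round(len(tp) / len(v), 3) if v else 0.0,
        "coverage": round(len(covered) / len(known_set), 3) if known_set else 0.0,
        "unreached": sorted(known_set - reached_set),
    }


# Constructed sample: what the scanner reported.
SCANNER = [
    Finding("/login?user=x", "user", "sqli"),
    Finding("/search", "q", "xss"),
    Finding("/search", "q", "sqli"),                     # false positive: query is parameterised
    Finding("/static/logo.png", "", "info-disclosure"),  # false positive: noise on a static file
]
# Constructed sample: what the tester confirmed by hand.
VERIFIED = [
    Finding("/login", "user", "sqli"),
    Finding("/search", "q", "xss"),
    Finding("/account/transfer", "to", "csrf"),  # false negative: behind auth, scanner never got there
]
# Constructed sample: crawl log of the scanner vs. the application's endpoint inventory.
SCANNER_REACHED = ["/", "/login", "/search", "/static/logo.png"]
KNOWN_ENDPOINTS = ["/", "/login", "/search", "/account", "/account/transfer", "/admin/reports"]


def report() -> dict:
    return score(SCANNER, VERIFIED, SCANNER_REACHED, KNOWN_ENDPOINTS)


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The "unreached" list is the part worth reading first: every authenticated or unlinked endpoint the scanner never crawled is a place where its false-negative count is unknown, which is the "probably more than we know" caveat in the post made measurable.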

Posted in Applications, Vulnerability Management, Web Application Security | 9 Comments »

Journalising, Journalism and Blogging…Restrictions on Posting

Posted on July 5th, 2009 by Drazen Drazic

I had a few comments sent to me about my last post. Some of the feedback; “It wasn’t inspirational”, “Its perspective wasn’t that unique”, “What was the point?” etc…. All fair points. My only response is that at times, I will use Beast or Buddha as my journal to write about things that aren’t necessarily meant to change anyone’s world or inspire, (though I did think the PCI post tried to do that)……just reflections on my day, week and thoughts going through my head about the good, and the bad in our industry, (though the latter motivates me far more to dissect and rant). I started Beast or Buddha for these reasons. Read on:

Posted in Applications, Bad Stuff, Dumb Security, Research, Risk Management, Securus Global | 8 Comments »

Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions

Posted on May 24th, 2009 by Drazen Drazic

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like, to a degree). He wanted to talk about security testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…


Posted in Applications, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Wanted – Web Developer: Must Understand Security

Posted on April 3rd, 2009 by Drazen Drazic

By Declan Ingram

An interesting thing happened today. Someone asked me to find an Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising…..in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Industry Specialists Talk, Web Application Security | 2 Comments »

Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and most importantly, the steps to make valuable, and most importantly, significant steps to improve IT, business, home and society in general. Read on:


Posted in Applications, Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Internet Filtering, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Cyber Security at the Crossroads

Posted on March 12th, 2009 by Drazen Drazic

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked-off a series of posts titled; “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Posted in Applications, Bad Developers, Industry Specialists Talk, Research, Web Application Security, cyber crime | 1 Comment »

“System” view security vs. “Application” view security

Posted on February 5th, 2009 by Drazen Drazic

One key failing that limits an organisation’s ability to develop an enterprise/holistic view of its overall security position is assessing security solely on an application-by-application basis. Links, dependencies and information flows (relationships) between applications in a “system” (applications working together and linked to each other) are rarely assessed (from our experience). A “system-level” perspective on security is vital in providing an organisation with a more thorough assessment of potential risks (direct and indirect) in a specific application and the corporate environment as a whole. Read on….


Posted in Applications, Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 9 Comments »

What is “Penetration Testing”? Dead? Not yet!

Posted on January 14th, 2009 by Drazen Drazic

Interesting article talking about the death of penetration testing written by Bill Brenner – also referenced and discussed here at Jeremiah’s site.

We’re (Securus Global) getting to the stage of a more generic description of just plain old “security testing”. I can’t see it being “dead” anywhere in the short term future. What’s the real workable alternative for testing of “production” software against known and in many cases unknown types of attacks and vulns? (Still surprises me in regards to the latter how many “specialists” believe 0days only exist when reported publicly. :-) ) Code-level reviews while good are too expensive for most companies and do hinder delivery dates (regardless of the value they provide) – business realities.

Is it dead when it’s barely started across the business world? Where’s the starting point for the “new” (already lacking/wanting) approaches?

Posted in Applications, Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

Looking at the latest F-Secure stats for 2008

Posted on December 7th, 2008 by Drazen Drazic

http://www.f-secure.com/2008/2/index.html

The data shows predictions by some vendors earlier this year were a bit premature (read: silly) – and if anyone believed they were “on top of it” (as some claimed they were), I’d say those people were extreme optimists. :) We can only hope.

Easy predictions for 2009 – it’ll get even worse. No great amount of genius required to make a statement like that from me. New technologies, surprises when we start publishing stuff on existing technologies and the ongoing threats will be the gist of it for 2009. Anyway, the F-Secure report is worth the read as it always is.

Reading through some of the proposed plans by governments and other bodies to attack the problems leaves me somewhat perplexed at times.


Posted in Applications, Bad Stuff, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

So we own your client database and everything important to you…

Posted on November 19th, 2008 by Drazen Drazic

Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”

SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.

Web Developer: “Well nothing has ever happened so it’s just you guys!”

SG dude: “You have no logging”.

Web Developer: “We’ve never been hacked!”

What do you do? :-) Scenario repeats every week – new developer, next website, next web app. See you then!

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 7 Comments »

Talking with David Rice; insecure software implications, regulation, vendors, making change and other things….

Posted on July 29th, 2008 by Drazen Drazic

David Rice is an internationally recognised information security professional and author of the critically acclaimed book, “Geekonomics: The Real Cost of Insecure Software.” For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

I had a chance to talk with David recently and I hope you enjoy the read.

———————————————————————————-

BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?

DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.

The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.

On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 14 Comments »

Web Application Security Professionals Survey

Posted on July 28th, 2008 by Drazen Drazic

As you know, I am not a fan of most IT security surveys but Jeremiah Grossman’s Web Application Security Professionals Survey is an exception. The full survey and comments are well worth downloading. (And if you use HackerSafe, well what did you expect industry specialists were going to say?!) :-)

Posted in Applications, Bad Stuff, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Responsible Disclosure Debates……What about No Disclosure?

Posted on July 27th, 2008 by Drazen Drazic

This topic has been hot again in recent times and we’ve been asked a few times on what our position to this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities announced, (and in some cases exploits developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here but is the third option of no-disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area, (and I don’t mean sales of vulns to organisations who buy them – I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients for home grown systems and applications)?


Posted in Applications, Bad Stuff, Disclosure Laws, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 9 Comments »

Everyone is on the WAF bandwagon!!!……WTF?

Posted on July 5th, 2008 by Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 16 Comments »

No care factor on liability and no pressure to change……

Posted on June 14th, 2008 by Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPERCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

SAFECode Forum – The first? Right focus? Losing focus?

Posted on October 27th, 2007 by Drazen Drazic

EMC Corporation, Juniper Networks, SAP, Microsoft and Symantec have formed a new consortium whose goal, as reported at TechNewsWorld is to: “……help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity”.

Is it just me who read this and thought; yeah…let’s see how many people remember the name SAFECode Forum in 12 months time? Hey, good luck to them. I hope that they do achieve their goals, but is this really the first of these things we have seen, as they promote it being?

The question has to be asked, have these companies admitted that they cannot today and in the future deliver more secure products on their own?

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, cyber crime | 3 Comments »

Defenders of the Realm….not Hackers!

Posted on September 17th, 2007 by Drazen Drazic

A take on defining hackers, ethical hackers and penetration testers by Matthew Strahan (SA Consultant):

A short time ago there was a discussion here about the term “ethical hacker” versus the term “penetration tester”.

The term “ethical hacker” is thrown around quite a lot nowadays without any real concern of whether it’s accurate or not. When people ask what I do, I find that “ethical hacker” or “professional hacker” gets the point across much quicker than a full discussion of what a penetration tester or a security consultant actually does.

The interesting thing is that I don’t really like to think of myself as a “hacker” or “cracker” since those terms are fundamentally different to what a “penetration tester” does.

Though we may use similar tools to the hackers, we are by nature, defenders, and hackers are by nature attackers.

Let’s look at the difference between attacking and defending.

Posted in Applications, Industry Specialists Talk, Research, Vulnerability Management, Web Application Security, cyber crime | 5 Comments »

“Ethical Hacking”….that term is a worry….

Posted on August 7th, 2007 by Drazen Drazic

Courses that teach under-skilled individuals the basics of “hacking” are a worry to me. Companies that teach “ethical hacking” courses are a worry…….most I know I would not hire to review a static one page site. What is it that they are trying to achieve? I read the course objectives for pretty much all of these courses and they worry me.

So….big company that can afford to send netadmin to one of these courses now thinks netadmin can do network and web app pen test…..saving bucks now by not hiring a third party?!?! Akin to me reading the “Idiots Guide to Accounting” and professing to be able to manage the financial books of News Limited.

Come on….WTF….give the professionals some credit!

Posted in Applications, Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 15 Comments »