Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regard to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regard to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop.


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

iPhone “worm” discussion….

Posted on November 12th, 2009 by Drazen Drazic

I enjoyed listening to Paul Ducklin on the latest Risky Business podcast that featured interviews on this iPhone “worm”. Worth a click through to Risky Business.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Developers, Dumb Security, cyber crime | 44 Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Wanted – Web Developer: Must Understand Security

Posted on April 3rd, 2009 by Drazen Drazic

By Declan Ingram

An interesting thing happened today. Someone asked me to find an Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course, if you ask them, “Hey, are the sites that you develop secure?”, you know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising…..in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Industry Specialists Talk, Web Application Security | 2 Comments »

Cyber Security at the Crossroads

Posted on March 12th, 2009 by Drazen Drazic

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked off a series of posts titled “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Posted in Applications, Bad Developers, Industry Specialists Talk, Research, Web Application Security, cyber crime | 1 Comment »

Surveys, Statistics, Hearsay, Breach Disclosures….Painting an Accurate Picture?

Posted on March 2nd, 2009 by Drazen Drazic

No. Not even close. I’ve posted before about the limitations of the surveys etc. we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting..hmm..yeah..I know). Not hard to work out what I am talking about – client confidentiality. That’s why any of the above [views "from the trenches"] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: setting aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken for real).

Who’s listening to the guys working it vs. the script kiddie BS in the press?

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Research, WTF, Web Application Security, cyber crime | 2 Comments »

Browser Vulnerabilities – What’s New?

Posted on December 17th, 2008 by Drazen Drazic

With some “experts” suggesting you switch browsers to hide away from bad vulnerabilities in IE, you have to wonder what some of these people are thinking. It continues to highlight the IT industry’s obsession with band-aid solutions – rarely looking at, nor attacking, the root cause of the problems we face with insecure software.

David Rice in his latest post here at the Geekonomics website covers it well.

Posted in Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, WTF | 2 Comments »

Australian Information Security Association – Position on Government Mandatory Internet Filtering

Posted on December 9th, 2008 by Drazen Drazic

You may have already read about this in MIS (and yes, the “spokesman” comments were mine representing the opinions of AISA – not Securus Global or Beast or Buddha), but here is the full press release that people have been asking to see:
http://www.aisa.org.au/index.php?page=175

About AISA: http://www.aisa.org.au/

Posted in Bad Developers, Dumb Security, Internet Filtering, WTF | No Comments »

So we own your client database and everything important to you…

Posted on November 19th, 2008 by Drazen Drazic

Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”

SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.

Web Developer: “Well nothing has ever happened so it’s just you guys!”

SG dude: “You have no logging”.

Web Developer: “We’ve never been hacked!”

What do you do? :-) Scenario repeats every week – new developer, next website, next web app. See you then!

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 7 Comments »

The “Cloud” is taking us backwards! Please punch anyone who uses that term to you in the face! They deserve it!

Posted on September 1st, 2008 by Drazen Drazic

The “cloud”!! The thing we knew as the Internet on many a whiteboard for so many years…..that thing we all decided to know little about, (okay, at least layers 1-2), because it was magic!!!!

WE HAVE LEARNED OUR LESSONS NOW YOU DUMB PRODUCT VENDORS!!!! We don’t need another cloud…..we’re smarter than that now! WE KNOW YOU USE THAT TERM TO HIDE THE FACT THAT YOU HAVE NO IDEA AND WANT TO “CLOUD” THAT FACT IN A BLOODY CLOUD!!!

Can you seriously believe, that we believe that by “hiding” the “difficult” things, you make us think you know what you are doing and keeping us secure?! You’ve lost the plot….not that most ever had it, so to regain face (ie; keep revenue growth on path), let’s hide sh*t in a “cloud” to cover up our inadequacies.

So, I am starting an anti-cloud movement and I ask you all that anytime you hear and see a sales rep talking about “clouds”, you ask the question; “what happens when many clouds come together….do we have a storm? and what does that mean to my investment with your company?…will I get my money back if I cop a category 5?”….. Please share your stories here!

BG did a post in the forums about this today:

http://beastorbuddha.com/forums/index.php?action=vthread&forum=1&topic=108

I had to comment. Some of the people’s thoughts are priceless….I also need to rethink the software I use for this blog :-)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF | 28 Comments »

Implications to other countries if a 9/11 type attack happened on the Internet to the US?

Posted on August 27th, 2008 by Drazen Drazic

Firstly, thanks to Donal and Wade who originally some time back linked me to the video discussed in this post.

David Rice, who I chatted with recently, has posted some interesting thoughts on an Internet based 9/11 type attack on his Geekonomics site. (Video included in the link). David looks at the potential scenarios but importantly addresses the implications to the rights of the citizen by way of introduction of any Internet version of the US Patriot Act.

Worst case scenario, and not debating the likelihood of it happening or even being possible (for now, in terms of this post), if it were to happen, what are the flow-on implications to other countries either directly or indirectly by way of the “global” Internet links to the USA?

We see US regulation/reactions to events affecting business around the world already (SOX as just one example of many). What happens if the US does enact an Internet Patriot Act? Would something like this in a quick knee-jerk reaction affect and change the Internet as we know it today? I think it’s something that needs to be considered and researched outside of just implications to the US and its citizens.

Or am I just way off base here and assuming too much in the way of US influence on the Internet as a whole?

Posted in Bad Developers, Bad Stuff, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 12 Comments »

The CIO Sticking Point – Time to Get them out of the Reporting Line

Posted on August 8th, 2008 by Drazen Drazic

CIOs cop quite a bit of criticism from the Information Security industry and the people in it. (They’ve also copped quite a bit in posts here). Rightly so I believe in most cases.

There are some really good CIOs out there when it comes to understanding and working on Information Security issues and doing the right thing by their companies, but to be honest, there are many CIOs that fail dismally also. Regardless of whether they’re getting advice and guidance from their security people, ultimately, a level of accountability must sit with them.

If you’re a CIO and you’re not reporting the state of risk and security on a regular basis to your CEO and/or Board, you are not only putting your organisation at greater risk but, looking at the bigger picture, also business partners, shareholders and everyone else associated with that business. (The CFO is reporting financial position and risks on a regular basis, so why aren’t you?)

What is the problem?


Posted in Bad Developers, Dumb Security, Risk Management | 4 Comments »

Talking with David Rice; insecure software implications, regulation, vendors, making change and other things….

Posted on July 29th, 2008 by Drazen Drazic

David Rice is an internationally recognised information security professional and author of the critically acclaimed book, “Geekonomics: The Real Cost of Insecure Software.” For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and is currently Director of The Monterey Group.

I had a chance to talk with David recently and I hope you enjoy the read.

———————————————————————————-

BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?

DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.

The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.

On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 14 Comments »

Everyone is on the WAF bandwagon!!!……WTF?

Posted on July 5th, 2008 by Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 16 Comments »

It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

Posted on June 26th, 2008 by Drazen Drazic

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g. insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If anyone has ever tried to build a rocket (not the WMD type), like myself, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket – ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily harm inducing such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).


Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime | 3 Comments »

No care factor on liability and no pressure to change……

Posted on June 14th, 2008 by Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPERCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

Be careful of being too cocky…Lifelock CEO cops it….

Posted on May 25th, 2008 by Drazen Drazic

Watch the Lifelock ad on the site as it scrolls through. :-) Story at ha.ckers.org.

From the story in Yahoo! News.

Another one to add to the list of failed magical solutions? You have to take any promises of total security with a grain of salt. See recent posts about ScanAlert and the links within the links. (Aside: Is this the most hated product/service in the IT Security industry?)

But then again, we have the old Symantec Guarantee. Posted here again for your viewing pleasure and evidence requirements for any legal action you may ever contemplate. (Though by clicking on the software agreement when you installed it, you probably signed away all rights you had anyway, but worth a shot!)

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime, news | 4 Comments »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

Posted on April 22nd, 2008 by Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now does 90%+ of its business online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they just do rely, depend and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:


Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

SAFEcode – where are we at..a load of BS?!

Posted on April 2nd, 2008 by Drazen Drazic

I have the barrel and the fish are in it and I am about to shoot…..Yes, we predicted this. So what is new? Okay…here’s a few free hits to the site to make them feel good: http://www.safecode.org/ and members: http://www.safecode.org/members.php

The biggest news is that Nokia has joined. The “Best Practice” papers should not be printed..save the environment or at least if you have to, let your kindergarten kid scribble on the back of the page after you have discarded the rubbish as useless! So this is what our industry is doing? So this is what shareholders of these companies are investing in?

WTF are the CEOs of these companies thinking, doing and agreeing to????

Posted in Bad Developers, Bad Stuff, Dumb Security, WTF, cyber crime | 1 Comment »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

Posted on March 17th, 2008 by Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into thinking about their IT security practices (eg; through the likes of PCI DSS) more.

Good businesses that have been around for 10-20+ years and then move almost everything online…..(fair enough, business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks and mortar business at enormous risk.


Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »