Annual Security Surveys/Reports – Central Log for Reference/Access?

Posted on March 15th, 2010 by Drazen Drazic

(Also posted this as a question on Twitter; @ddrazic).

Does anyone know a website that documents and posts links to all the more well known Annual Security Surveys and Reports? So many come out, it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out our “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) .

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.


Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

Random Links and Rants…….

Posted on August 22nd, 2009 by Drazen Drazic

- Didn’t the 4 Corners Episode; “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons; (1) I didn’t think anything new and worthwhile was worth highlighting, and, (2) People were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so in my opinion. I welcome your thoughts here.

- Which leads me to discussions and analysis on who are the “experts”. Anton Chuvakin, our Qualys and PCI friend, ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode, responded to this here.

- Hackers vs Federal Police was a big story this week here as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well at least you’d bet on it it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to setup a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Evaluating Automated Assessment Tools

Posted on August 5th, 2009 by matthew

By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assessment requirements, clients need to have coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There were a huge amount of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketed to coders and auditors who do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is Burp. It’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.
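The post judges each scanner on false positives, false negatives and code coverage. The script below is an added example (not from the original post or any of the vendors named) of how a tester can turn a manual verification pass into those three figures for each tool. The findings, endpoint list and tool names are constructed sample data, and the point the post makes in passing is built in: a false negative can only be counted against an issue a tester confirmed by hand, so the reported false-negative count is a floor, never the true number.

```python
"""Score automated scanner output against a manually verified baseline.

Constructed example. Findings are keyed by (url, parameter, issue class)
so the same weakness reported by two tools matches up; the tool names,
endpoints and issues below are sample data, not real products' results.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanScore:
    tool: str
    true_positives: int
    false_positives: int
    false_negatives: int   # floor only: issues nobody found are invisible
    coverage: float        # fraction of known endpoints the scanner reached

    @property
    def precision(self):
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self):
        verified = self.true_positives + self.false_negatives
        return self.true_positives / verified if verified else 0.0


def score_scanner(tool, reported, crawled, verified, endpoints):
    """Compare one tool's report with the hand-verified issue list.

    `verified` is the set of issues a tester confirmed; anything the scanner
    reports outside that set is treated as a false positive until a human
    confirms it, and anything in the set the scanner missed is a false negative.
    """
    reported = set(reported)
    tp = reported & verified
    fp = reported - verified
    fn = verified - reported
    reached = set(crawled) & endpoints
    coverage = len(reached) / len(endpoints) if endpoints else 0.0
    return ScanScore(tool, len(tp), len(fp), len(fn), coverage)


def rank_tools(scores):
    """Order tools by recall, then precision, then coverage (best first)."""
    return sorted(scores, key=lambda s: (s.recall, s.precision, s.coverage),
                  reverse=True)


# --- constructed sample data (hypothetical application and tools) -----------
ENDPOINTS = {"/login", "/search", "/admin/users", "/export"}

# Issues a tester confirmed by hand on the sample application.
VERIFIED = {
    ("/search", "q", "xss"),
    ("/login", "user", "sqli"),
    ("/admin/users", "id", "idor"),
}

SCANNER_A = {
    "reported": [("/search", "q", "xss"), ("/login", "user", "sqli"),
                 ("/search", "q", "sqli"), ("/export", "f", "path-traversal")],
    "crawled": ["/login", "/search", "/export"],
}
SCANNER_B = {
    "reported": [("/search", "q", "xss")],
    "crawled": ["/search"],
}


def evaluate():
    """Score both sample tools and return them ranked, best first."""
    scores = [
        score_scanner("scanner-a", SCANNER_A["reported"], SCANNER_A["crawled"],
                      VERIFIED, ENDPOINTS),
        score_scanner("scanner-b", SCANNER_B["reported"], SCANNER_B["crawled"],
                      VERIFIED, ENDPOINTS),
    ]
    return rank_tools(scores)


if __name__ == "__main__":
    for s in evaluate():
        print(f"{s.tool}: TP={s.true_positives} FP={s.false_positives} "
              f"FN>={s.false_negatives} coverage={s.coverage:.0%} "
              f"precision={s.precision:.2f} recall={s.recall:.2f}")
```

Ranking on recall first reflects the post's ordering of concerns: a scanner that quietly misses confirmed issues is more dangerous to the unskilled buyer than one that over-reports, since false positives at least land in front of a human. The coverage figure is what the "lot of manual work" in the post buys you; a tool that scored well on the handful of pages it reached is not a tool that scored well.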

Posted in Applications, Vulnerability Management, Web Application Security | 9 Comments »

Busting IDS/IPS/WAFs/Firewalls Revisited……..

Posted on July 7th, 2009 by Drazen Drazic

It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says; “If you are a Chief Security Officer, this is a must listen”:
http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:
Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Crime Insurance – Implications of bad business IT security practices……

Posted on May 25th, 2009 by Drazen Drazic

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago in regards to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..

Read the rest of this entry »

Posted in Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 7 Comments »

Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions

Posted on May 24th, 2009 by Drazen Drazic

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like, to a degree). He wanted to talk about security testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…

Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Hiring Convicted “Hackers”……

Posted on April 20th, 2009 by Drazen Drazic

Just reading the latest thread here in the Forum. It’s a fair point raised. Something we’ve talked about for a while…..

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part as it’s been done to death before).

What it really demonstrates in my opinion is seriously dumb senior management who seem to have a belief that rogue “hackers” bring to the table something special…..something they have no idea that they can already get in the scores in the mainstream professional Information Security industry. (eg; As I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world….If I was TelstraClear, I’d have about 20 others on the list before hiring the kid they did). Look, good luck to the guys being hired. You have to make a living and if someone wants to offer you money/job etc well….

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Research, Vulnerability Management, WTF, Web Application Security, cyber crime | 12 Comments »

Wanted – Web Developer: Must Understand Security

Posted on April 3rd, 2009 by Drazen Drazic

By Declan Ingram

An interesting thing happened today. Someone asked me to find an Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey are the sites that you develop secure?”. You know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising…..in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Industry Specialists Talk, Web Application Security | 2 Comments »

Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and most importantly, the steps to make valuable, and most importantly, significant steps to improve IT, business, home and society in general. Read on:

Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Internet Filtering, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Random Things – Busy Few Weeks

Posted on March 20th, 2009 by Drazen Drazic

- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but every time I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah…probably not much. :)

Posted in Dumb Security, Internet Filtering, PCI, PCI DSS, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, news | No Comments »

Cyber Security at the Crossroads

Posted on March 12th, 2009 by Drazen Drazic

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked-off a series of posts titled; “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies – present and past, is often overlooked in our industry, but it is the way to opening up understanding, awareness and discussion on this topic to broader society. Is there a better way?

Posted in Applications, Bad Developers, Industry Specialists Talk, Research, Web Application Security, cyber crime | 1 Comment »

Random thoughts….Is it just me?

Posted on March 10th, 2009 by Drazen Drazic

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign-in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money making grabs on their part. Danger for all is that if only the Big guys eventually are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker so who wins? Do I battle these guys again or just suck it? No appetite at present for another battle with them. Read on:

Read the rest of this entry »

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news | No Comments »

On my list……

Posted on March 9th, 2009 by Drazen Drazic

Anton tells me he will be mind-blowingly awesome here so I have no choice but to listen into this one:  :)
——————————————————————————-

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————–

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
———————————————————————————

Yes, (open disclosure), both companies have business relationships with Securus Global.

Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security, news | 3 Comments »

Not Patching Oracle – Risky Business

Posted on March 5th, 2009 by Drazen Drazic

Patrick Gray interviews Securus Global’s Declan Ingram on Risky Business 98. Make sure you listen to the end of the podcast. :)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, Securus Global, Vulnerability Management, Web Application Security, news | 3 Comments »

Surveys, Statistics, Hearsay, Breach Disclosures….Painting an Accurate Picture?

Posted on March 2nd, 2009 by Drazen Drazic

No. Not even close. I’ve posted before about the limitations of the surveys etc we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting..hmm..yeah..I know). Not hard to work out what I am talking about – client confidentiality. That’s why, any of the above [views "from the trenches"] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: taking aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken for real).

Who’s listening to the guys working it vs. the script kiddie BS in the press?

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Research, WTF, Web Application Security, cyber crime | 2 Comments »

Random vuln testing security vendor websites…..

Posted on February 24th, 2009 by Drazen Drazic

Interesting to once again hear little about any potential prosecutions against those people performing supposed illegal activity. What sort of message does that send out to others? Oh….it’s okay?

Previous post: Unauthorised access to company websites/information/systems….

In cases like this, it does not seem like searching for a needle in a haystack in regards to the identification of individuals….but I could be wrong. Jurisdiction issues? Less of an issue if the perpetrator is known (assuming “friendly” country involved)? Appetite for chasing it up on anyone’s part?

Posted in Bad Stuff, Research, Vulnerability Management, WTF, Web Application Security, cyber crime | 2 Comments »

“System” view security vs. “Application” view security

Posted on February 5th, 2009 by Drazen Drazic

One key failing that limits an organisation’s ability to develop an enterprise/holistic view of their overall security position is assessing security solely on an application-by-application basis. Links, dependencies and information flows (relationships) between applications in a “system” (applications working and linked to each other) are rarely assessed (from our experience). A “system-level” perspective on security is vital in providing an organisation with a more thorough assessment of potential risks (direct and indirect) in a specific application and the corporate environment as a whole. Read on….

Read the rest of this entry »

Posted in Applications, Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 9 Comments »