Everyone is on the WAF bandwagon!!!……WTF?

July 5th, 2008 Drazen Drazic

I can’t believe the number of security “specialists” (many well known guys) who have jumped on the Web Application Firewall bandwagon! (WAF, f**king hate each new acronym). Amazingly, these dudes have done it all….by chance/coincidence to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business….that is it….oh wow….I discovered a vendor that does this!

If your favourite blogger perchance is all of a sudden lately a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (talking to industry dudes, cred may already be gone). Were they 12 months ago pushing the same message? Are they now a QSA (not that that matters so much but may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Firewalls, IDS, PCI, PCI DSS, To cool, Vulnerability Management, WTF, Web Application Security, cyber crime | 7 Comments »

Internet Banking in NZ - Will be interesting to see some test cases….

July 4th, 2008 Drazen Drazic

The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.

The Computerworld NZ story has a quote that doesn’t seem to make that much sense but in context of the history of this and what could have been, is now a bit more understandable: “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

PCI DSS 6.6 - Getting on the comment bandwagon……

June 24th, 2008 Drazen Drazic

This one’s had quite a bit of press time, and discussion around the blogs recently - more so as the deadline has approached. In Australia, it’s been relatively quiet in comparison to the US though. I think the fact that compliance across the board here is a way behind the US has a lot to do with that, with many organisations here still either unaware of their responsibilities or far off from being compliant.

Is all the publicity and debate around PCI DSS requirement 6.6 a bit of a storm in a teacup? I think so. I’ll put the case forward also that if you are compliant with the PCI DSS now, the new requirement 6.6 is superfluous:


Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security | 1 Comment »

Trend Micro attacks the bad guys on their own turf….

June 22nd, 2008 Drazen Drazic

Trend Micro announced today that they are now protecting the consumer by going after the bad guys directly. While specific details were not released, I ascertain from the advertisement in the Sunday paper today that they have developed some technology to fight the bad guys on their own turf and are able to neutralize threats from them before they can affect you and me.

“Only Trend Micro PC-cillin Internet Security Pro gives you bulletproof protection from every trick invented to steal your identity. Its unique Web Threat protection blocks bad stuff at the source, before it gets near you and your PC. And its keystroke encryption makes it impossible for someone to get your password.”

We await more information on this. Amazed this has not made headline news in the IT media! :-)

Related post.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, news | 3 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no liability market that no or few other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY AND LEGAL REPERCUSSIONS ON THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

Stay Smart Online - Latest Australian Government Initiative…

June 6th, 2008 Drazen Drazic

I wonder what the old teams and program developers at NOIE/AGIMO etc think about the latest re-branding of government’s effort to demonstrate care about individuals’ and businesses’ use of IT. (As reported here). I remember the old NOIE site. It was pretty good; rich, full of information and a great source of help and knowledge. It was a shame relatively few people were aware of it.

The latest incarnation with a few added “features” comes at a cost of $1.2M (just on the contract alone to AusCERT as reported by the Australian Newspaper). Will be interesting to see how it all goes…….

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 6 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Some interesting news and thoughts on McAfee/ScanAlert

May 19th, 2008 Drazen Drazic

There are some interesting links also within the following posts at 0x000000 (and yeah, some backwards and forwards between sites):

http://www.0x000000.com/?i=573
http://www.0x000000.com/?i=574

Interesting that the mainstream IT press hasn’t really picked up on the latter.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

April 22nd, 2008 Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now 90%+ of their business is online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they just rely on, depend on and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:


Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

Security People vs. Security Vendors

April 15th, 2008 Drazen Drazic

Maybe I should be nicer and say Security People vs. Security Vendor Sales guys. Two different worlds as we’ve talked about before and as we had a laugh about here with the Symantec Guarantee.

Security product sales guys can be dangerous to an organisation that takes on trust these products are going to be their security salvation. Remember this one? Happy to send the press release out but when actually questioned by Michael Crawford……no response! I got a nice wrap for this from Marcus Ranum and the boys at SANS at the time.


Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Web Application Security | 4 Comments »

Further on the MS End to End Trust…..

April 12th, 2008 Drazen Drazic

Our friend Donal posts his thoughts in some detail at Ockham’s Razor. As with most of D’s stuff, well worth clicking the link!

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

For a laugh….okay April 1….

April 2nd, 2008 Drazen Drazic

Okay, some have seen this:
http://www.scanlesspci.com/

Yes, ScanAlert has copped it recently and rightly so! But I do take offence to my mates at Qualys being mentioned! You can’t compare a WRX to a Ferrari! The dude is funny but if all my clients ran QualysGuard at least weekly, I would be feeling like they are some way there to being more secure than 99% of companies we see! For a small investment, it’s a big step in their security! A start at least!

Posted in Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security | No Comments »

On the panic bandwagon?…..

March 26th, 2008 Drazen Drazic

The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate a lack of understanding some people have that drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flipside, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand).

Posted in Disclosure Laws, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Oops….another big one…..

March 18th, 2008 Drazen Drazic

Everyone is reporting it now but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:


Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 11 Comments »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

March 17th, 2008 Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into thinking about their IT security practices (eg; through the likes of PCI DSS) more.

Good businesses that have been around for 10-20+ years and then moving almost everything on-line…..(fair enough, reasons and business opportunities need to be taken and competitive moves must be made), but geez, many do it so wrong and put a successful bricks and mortar business at enormous risk.


Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »

The Great Managed Perimeter Security Services Swindle

February 23rd, 2008 Drazen Drazic

I’ve had the following posted on IT Security Link:

The Great Managed Perimeter Security Services Swindle

Good luck to the team there with their new site.

Posted in Bad Stuff, Dumb Security, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 2 Comments »

Forensics and Investigations Work on IT Security Breaches

February 16th, 2008 Drazen Drazic

This is somewhat of a follow-on from BG’s last post, that came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.


Posted in Bad Stuff, Disclosure Laws, Dumb Security, Forensics, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Total Vuln Numbers Fall…..High Severity Vulns Rise

February 8th, 2008 Drazen Drazic

Interesting figures from ISS on vuln figures in 2007. “Reported vulnerabilities” should be the key consideration when reviewing these figures. Do I think vulns have gone down in numbers as the graph suggests? No way!

Statistics can be misleading. Too many factors to take into consideration and ISS puts forward some in this blog post but this one, “The 5.4 percent decline in 2007 could simply be a statistical correction to the growth in vulnerabilities in 2005 and 2006”, reads like we’re working on a system like a stock exchange. We ain’t.


Posted in Bad Stuff, Research, Vulnerability Management, Web Application Security | 10 Comments »

OWASP Australia AppSec 2008 Conference

February 8th, 2008 Drazen Drazic

The OWASP Australia AppSec 2008 Conference is on February 27-29th. Details here.

Looks like being a good event. Who’s going?

Posted in Research, Web Application Security, news | 1 Comment »

Website Security Basics

January 22nd, 2008 Drazen Drazic

ComputerWorld in the US recently picked up on the ScanAlert/Geeks.com story and it’s an interesting read from the marketing perspective - i.e. if we have the logo, clients may be more inclined to use our site. We covered this in some detail in a recent post.

Bottom line is that most sites are insecure the day they go live. We’re never lacking content for website security topics as shown in the category listing.

Things are getting better but there’s still a way to go. Now, 20% of organisations we meet have developers that have heard of OWASP (as a starter)….far better than 2 years ago. This is the core of the problem…pumping out web applications that are developed by teams that don’t understand security. Then, possibly, thinking about them being tested well after the go live or after funny things start to happen (like credit card fraud).

It all comes back to basic good security practice and controls throughout the SDLC…..yeah, I know, I am preaching to the converted. Just funny how marketing spin can take the focus away from good security practice and controls!

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »