Showing posts from March, 2009

Application Security Specialist: Don't Fall Behind

I've long supported certifications, in concert with experience, to be used as a measuring stick for the likely success of individuals in the information security field.
SANS, of course, offers significant value on this front,and what security professional is ever given due consideration without their CISSP?
When I was asked to participate in the Application Security Specialist pilot program, I jumped on the opportunity. And now, having become an ASS, my career has simply blossomed.
With the increased credibility it offers I've been able to demand more per hour for pen testing engagements.
I've even gained the respect of vendors and merchants alike; they're now less likely to blow me off when I tell them their apps are broken.
Given the pilot program I participated in, I can only say, now that its widely available, you should become a Certified ASS as soon as possible.
You can even join the LinkedIn group here.
Being an ASS is all it's cracked up to be!

Certified Appl…

The 100th post: Philosophy feeding action

As I was writing this I realized that this is my 100th post, and it therefore seemed somehow significant. With some interesting personal news to report it also provides me with the opportunity to declare a current philosophical mission statement:
No matter the activity, be it researching, advising, and disclosing ailing web applications, tracking malware attributes, or researching and documenting useful tools and methodology for incident responders and security professionals, I do it for one reason.
I simply believe it is our inherent responsibility to try to thwart miscreants in anyway possible. There are too many of them, and too few of us. Thus, the more we disclose and fix, the better we understand maliciousness, the stronger our implementations and investigations, the more secure we may become.

Two recent developments speak directly to this philosophy:
1) The Solutions Accelerators group at Microsoft, my employer, asked me to write the IT Infrastructure Threat Modeling Guide, born o…

Why trust marks can't be trusted

Trustmarks & security badges don't provide security, just false confidence.

Hopefully,a month or so ago, you noticed the headlines and have read that, via its parent company Genica Corp, has settled with the FTC and will allow "allow federal regulators to monitor its website security for 10 years to settle charges it violated federal laws requiring it to adequately safeguard sensitive customer data."
I'd be remiss in my duties if I didn't remind you, dear reader, that was a Hacker Safe (now McAfee Secure) site.
I'm certain that if you've ever read my blog before you know I've taken McAfee Secure to task numerous times, and consider my point well established.
It's all really part of a larger discussion that should come as no surprise.
The only value of a trust mark/security badge is to the merchant wielding it, often under false pretenses. I've not met a trust mark yet amongst whose customers I couldn't find web applicat…

Online finance flaw: At least AIG got this one right

As our economic conditions worsen, and the gloom and doom chatter intensifies, much attention has been paid to AIG. The crux of the AIG dilemma, to hear Ben Bernanke say it, is that they're too big to let go under, but most observations indicate they deserve to.
"I share your concern, I share your anger," Bernanke told the Senate Budget Committee. "It's a terrible situation, but we're not doing this to bail out AIG or their shareholders. We're doing this to protect our financial system and to avoid a much more severe crisis in our global economy."
Add to that this past week's disclosure that AIG will pay out $170 million in tax payer dollars as bonuses, and today's news that the $170 billion at large is basically already all gone.
Thus, the list of big finance companies becoming fodder for verbal abuse and regulatory oversight just keeps growing.
That said, I am neither an economist or even remotely intelligent enough to speak on these issues w…

asSaaSsinated: more on SaaS & cloud risk

As previously discussed, SaaS represents frightening scenarios for well intended enterprises seeking to offload cost and resource demands. The same motives are driving businesses into the cloud like lemmings off a cliff.
Yet, these businesses/enterprises may not conduct best effort diligence when it comes to ensuring their vendor of choice is managing their security properly.
Under such circumstances, their well being in the SaaS realm could well be at risk.
Consider previous examples such as Online finance flaw: one flaw to rule them all, or the discussion regarding SageLive.
Enter Baynote, whose offerings include SocialSearch.
Following the principles of one flaw to rule them all, a single validation error in the q variable found in http://[Insert customer here].com/socialsearch/query?cn=[customer]&cc=us&q= led to numerous Baynote customers falling prey to cross-site scripting.


To their credit, Baynote was responsive and fixed the issue quickly (well done!) but the issue ex…

Why PCI DSS is in a continued state of fail

Databreaches abound, half a million sites fall to SQL injection in 2008…the headlines are horrific and leave me to wonder.
Where does the PCI DSS fit in all this, if at all?
According to the WHID report about the rampant SQL injections, 11% of the sites were finance oriented and another 11% were retailers. According to my mad math skillz, that indicates that it is possible that 22% of 500,000 sites that fell to SQL injection attacks last year were beholden to PCI DSS. That’s 110,000 PCI sites that apparently failed to meet a very basic standard.
With my ear to the tracks for ongoing indiscretions, a delightful tidbit hit my radar, courtesy of a cheeky fellow in the UK named Michael Kemp of clappymonkey, who, whilst recently bored, was exploring the PCI Security Standards Council (PCI SSC) website, when lo, what did he find?
Yep…a lovely XSS vulnerability, in all places, the PCI QSA search script.

Mike indicates a swift fix on the part of PCI SSC on his blog, but I must say, this findin…