Tuesday, July 22, 2008

Report: Vulnerabilities Abound in Open-Source Environments - Desktop Security News Analysis - Dark Reading

Dark Reading has an interesting article on issues in Open Source software.  It looks like Fortify did a bunch of testing of some Open Source software and all was not happy in the land of free stuff.


Don't get me wrong, I like Open Source Software, but it's not immune to security issues, and I hope no one thought it was.  I know that in theory it's better since it's open for public scrutiny, but that only holds if the community actually cares about security.  I am personally a big fan of BSD (not sure why Linus is so touchy about that one: http://article.gmane.org/gmane.linux.kernel/706950 ), but other packages have not stood the security test of time.


It's a good read, check it out.


Report: Vulnerabilities Abound in Open-Source Environments - Desktop Security News Analysis - Dark Reading

Monday, July 07, 2008

A Chronology of Data Breaches


Ever want to check out a list of the world's most interesting data breaches?  Well, my good friend David N. sent me this link and I think it's worth noting.  It lists some of the more interesting data breaches that have been released to the public with details.

A special thanks goes out to the Privacy Rights Clearinghouse (http://www.privacyrights.org/index.htm) for putting all the information together.

Check it out here

The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Microsoft has announced a few interesting tools that developers of ASP pages can use to find vulnerabilities.  One was the Scrawler tool released by HP a few weeks back and the second is a tool that will look for SQL Injection in ASP pages.  Below is the link if you would like to check it out.

The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Sunday, July 06, 2008

Software Universe Israel (1 July 2008)

Most people I know have a short list of places they want to see in their life.  One of the places on my list has always been Israel.  I would venture to say that no place on earth has so much heritage and history.  It is rare to find a place where you can stand where so many of the events that have shaped humanity have happened.

Having said that, it was my great pleasure to speak at the Software Universe, Israel event yesterday.  I don't have a final count yet but I think there were around 750+ people in the auditorium.  What was exciting is that few of the people in attendance for my talk on Application Security were "security" people.  Most were business owners, IT people, QA people and others.  I think this adds another data point to the belief that Application Security is a software / IT / Business issue, not just a traditional "security" issue.

Many in the Application Security industry have been saying for years that application security needs to be addressed as part of the SDLC, and that the risks are business risks, not just technical risks, so the business needs to be aware of them and take responsibility for ensuring they are properly addressed.  Based on the crowd and the response at this event in Israel, I think we are heading in the right direction.  We still have a LONG way to go, but at least we are on the right road.

.clickHereToBeOwned

Robert from the WASC team sent this out today

ICANN has approved new top level domains.

http://www.networkworld.com/news/2008/062608-board-opens-way-for-new.html

Things are going to get interesting :)


Ok, this just seems like a VERY bad idea for some reason.  Now you are going to have some joker register a domain like .gove and send links to the world from www.irs.gove with subject lines like "pay now and save".


I'm not the most creative person on the planet and that just seems like a REALLY BAD idea.
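From the defender's side, the .gove example above is the kind of thing a mail or proxy filter can flag before a user ever clicks.  The following is an added example of my own, not code from the post or from ICANN or WASC: it pulls URLs out of a message, compares each host's top-level label against a small constructed list of well-known TLDs, and flags any TLD that is one edit away from a known one.  The TLD set, the trusted-host allowlist and the sample message are all constructed for the example; a real deployment would load the registry's published TLD list instead.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlists for the example (assumption: a real filter would
# load the public TLD list and the organisation's own sender allowlist).
KNOWN_TLDS = {"gov", "com", "org", "net", "edu", "mil"}
TRUSTED_HOSTS = {"irs.gov", "www.irs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Return a verdict for one URL: trusted, lookalike-tld or unknown.

    A host is 'lookalike-tld' when its top-level label is not a known TLD
    but sits one edit away from one (e.g. 'gove' mimicking 'gov').
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1] if "." in host else host
    if host in TRUSTED_HOSTS:
        return {"host": host, "verdict": "trusted", "mimics": None}
    if tld in KNOWN_TLDS:
        return {"host": host, "verdict": "unknown", "mimics": None}
    near = [k for k in sorted(KNOWN_TLDS) if levenshtein(tld, k) == 1]
    if near:
        return {"host": host, "verdict": "lookalike-tld", "mimics": near[0]}
    return {"host": host, "verdict": "unknown", "mimics": None}


def scan_message(text: str) -> list:
    """Classify every URL found in a message body."""
    return [classify_url(u) for u in URL_RE.findall(text)]


def flagged_hosts(text: str) -> list:
    """Hosts in the message whose TLD looks like a near-miss of a known one."""
    return [r["host"] for r in scan_message(text) if r["verdict"] == "lookalike-tld"]


# Constructed sample message modelled on the post's example.
SAMPLE_MAIL = """Subject: pay now and save
Please settle your balance today at http://www.irs.gove/pay
Official information is published at https://www.irs.gov/ only.
"""

if __name__ == "__main__":
    for result in scan_message(SAMPLE_MAIL):
        print(result)
    print("flagged:", flagged_hosts(SAMPLE_MAIL))
```

The one-edit rule is deliberately narrow: as more real TLDs are delegated, some legitimate ones will also land one edit away from an older one, so in practice the check belongs alongside the registry's actual TLD list and an allowlist of the domains you really exchange mail with, and a hit should feed a warning or a quarantine rather than a silent drop.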

Testing & Finance conference - AJAX/SOA/Web 2.0

2 June 2008: I had the pleasure of speaking at the Testing & Finance conference in Frankfurt, Germany back on the 2nd of June.  It was a very good crowd and it was nice to see that application security was getting attention from the finance industry, and not just the security guys in the finance industry but the business leaders as well.  I gave a talk on AJAX/SOA/Web 2.0 security, for which I have to thank Billy Hoffman for the majority of the content.


If you would like a copy of the slides they are available here:

http://www.lifecyclesecurity.com/files/Testing_Finance_2_June_2008.pdf

Tuesday, June 24, 2008

A few cool mentions in the press via HP

HP put out some pretty cool announcements over the last few weeks.  HP is offering the Application Security Center suite of products in a SaaS model, which is new.  I was quoted in a few articles; if you are interested in reading more, here is the link:


http://www.computing.co.uk/itweek/news/2217703/hp-offers-security-service


I think this just shows that HP has an ongoing commitment to application security, which I expect will only grow.  Given that the industry now agrees that security needs to be an integral part of the SDLC, this is a very logical direction for HP to continue to move in.


Ruby flaws send security researchers into shock

The Register is reporting that a fairly major security issue was found in Ruby, the open source programming language, "which forms the foundation of Ruby on Rails".

http://www.theregister.co.uk/2008/06/23/group_patches_ruby/


The vulnerability was originally found by Drew Yao of Apple Product Security, according to The Register.


IMHO this only goes to demonstrate that we need to be vigilant in verifying the security of any system we build our business on.  Both open source and commercial software packages can have issues.  To quote the old Russian saying, "trust but verify".