The business side of Web security (you can't afford to ignore)

Here's a new piece I wrote about the *other* aspects of Web security beyond the bits and bytes...Don't let this stuff catch you off guard.

Preventing phishing attacks is not just a technical issue

Read More

Talk about old school...

I recently came across a Web site I was creating an account for which stated the following for its login requirements:

Your user name & password must consist of letters in all caps 4-7 characters in length.

Too funny...

Read More

AppDetectivePro v7 worth checking out

Have you checked out Application Security's (somewhat) new AppDetectivePro version 7? Have you even heard of AppDetectivePro? If not, it needs to be on your radar. It's a powerful database vulnerability scanner that can perform both unauthenticated penetration tests as well as authenticated audits of SQL Server, Oracle, MySQL, DB2, Notes/Domino and Sybase (wow) systems. A screenshot of a penetration test of an Oracle 11g-based system is shown below:
























AppDetective is a tool that I've relied on for years to help with database security assessments. The price per database instance is pricey but it's worth it. I've found that the results are very similar when running it on similar systems so one scan per platform may be enough to get by with as long as you implement the same changes on like systems across the board.

Probably the biggest improvement with AppDetective Pro version 7 is the User Rights Review shown below:
























User Rights Review allows you to run reports on effective role and user permissions for a specific database. That's big in today's world of big government and big regulation. I'm not surprised at its utility, however, since reporting is one of AppDetectivePro's strong suits - pleasing compliance managers, auditors, and regulators from sea to shining sea for years.

The bad news (not necessarily related to the new version 7) is that I recently lost about 5 hours of my life troubleshooting a problem with AppDetectivePro that should've been readily-accessible in the documentation or online knowledgebase. In essence, a SQL Server system I was testing was running in shared memory mode and had TCP/IP disabled. Running the tool on the same SQL Server box still yielded a big fat nothing until a level 2 support person helped me get to the bottom of the problem.

Overall, AppDetectivePro is still the most comprehensive and recognized database vulnerability scanner. It's definitely worth checking out. As for SQL Server 2008 R2 support (a biggie in my book) I checked with the folks at Application Security about a month ago, and according to their site today, there's still no support for it but I suspect that'll come soon as more clients demand it. Furthermore the name of the product doesn't really reflect what it does (databases not apps, although it used to perform basic Web app scans)...but, hey, now you know, right?

Read More

Is this quote one of the contributing factors to lax infosec?

Novelist Robert Heinlein once said "In the absence of clearly-defined goals, we become strangely loyal to performing daily trivia until ultimately we become enslaved by it."

I suspect this is a large contributing factor to the lack of information security - and subsequent data breaches - in business today.

Feel like you need a jump start on goal setting? Check out this piece I wrote on the subject:

Eight steps to accomplishing your IT career goals

Read More

Got compliance? Here are some tips for moving ahead.

Tired of "compliance"? Me too. But, it's still one of those necessary (arguably sometimes unnecessary) evils we must deal with in business today.

Here are some new pieces I've written for the fine folks at SearchCompliance.com that will hopefully be of some benefit to you and your business.:

Priorities for your sound regulatory compliance management policy

Put compliance management back into server virtualization

Achieving compliance is about more than secure data encryption

What compliance professionals shouldn't do after data breaches

Can mobile device security include risk management and compliance?

....and finally, any discussion on compliance wouldn't be complete without talking about THE approach we need to take to any security/compliance project: risk management. Here's a bit a wrote about metrics you can use ensure your efforts aren't in vain.

Using metrics to enhance information risk management

For further reading on all the fun things about compliance check out my compliance resources page.

Read More

911, what's your emergency?

There's a saying when seconds count the police are only minutes away. Maybe yes, maybe no - and like I just experienced, sometimes they may not care at all. Let me explain...

Have you ever been driving down the road and witnessed someone driving completely erratically to the point where you think "WOW, that person is going to cause a wreck, soon." Well, I was out for a leisurely drive in a nearby town and was unfortunately the near-recipient of such a wreck by a gotta-have-it-now-the-world-revolves-around-me-probably-hopped-up-on-meth-idiotic driver....not once but twice! Yep, within a matter of about 4 minutes I nearly got nailed by this person TWO times.

It appeared the older lady (mid to late 60s) in a ~2005 Buick Regal license plate number (ah, nevermind) was either intoxicated OR on a suicide mission. I thought to myself, I've got to call the police and tell them about this woman....I survived her but that doesn't mean everyone else will.

So I called 911 - presumably the City of Cartersville, GA Police 911 center since I was driving right by their headquarters building when I called. I gave them some very basic info, and started to fill the operator in on some more details they probably could've used. Instead, the 911 operator I spoke with said thanks, cut me off, and went on her merry way. Yep, I heard a click....I said uh, eh, ah, oh...and there was nothing. Phone line was dead. Our government at work! I know 911 call centers have to be succinct and not tie up their...and sure, this wasn't an emergency, yet. But come on.

Keep this in mind everywhere you are - in the car, at home, and at work - for at the end of the day the police have no obligation to protect us (really); therefore we must fend for ourselves.

Read More

Beware of the oversights w/default policies in Web vuln scanners

I just ran some Web vulnerability scans against an app I'm testing using a couple of default/benign scan policies. Nothing big turned up. I re-ran the scan using a full scan policy that checks for everything and the new MS10-070 ASP.NET padding oracle vulnerability reared its ugly head...BIG difference in the outcome.

Keep this in mind when checking for Web security flaws with your automated scanners and never ever completely rely on their results. You can't live without them but they're only ~50% of the solution.

Read More