Here's an informative video and accompanying article by the folks at Acunetix showing the exploitation of XSS on Facebook. It demonstrates not only how XSS can be turned into a serious flaw but also how the attack is carried out in the background without the user ever knowing about it.
Thursday 29 July 2010
Wednesday 21 July 2010
Good Web application security resource
Posted on 12:43 by Unknown
In typical monster corporation style, Hewlett-Packard's Web site is painfully difficult to browse around, much less find what you're looking for when it comes to, well, pretty much anything. There is an exception however that benefits all of us in information security. It's HP's Application Security Center Resource Library. It's chock full of goodies from HP (and former SPI Dynamics) engineers, developers, and Web security evangelists.
In addition to more recent material, there are links to several whitepapers and articles I authored/ghost-authored for SPI Dynamics a few years back on regulatory compliance and performing Web vulnerability assessments (under the Technical Approaches and Legal and Regulatory Compliance headings). You may also want to check out their blogs under the HP Security Labs heading. Again, yucky user experience but great information if you can find your way through the thicket.
All in all a good resource for Web security if you're looking to brush up on the subject.
Tuesday 20 July 2010
Sometimes it's the little things that'll get you
Posted on 07:26 by Unknown
If you're like me, you've likely experienced in your daily life how something seemingly innocuous or too simple can create a big problem. Here's a new piece I wrote where I talk about this issue with regard to Web security:
Web security oversights: Don’t overlook the “small” stuff
With information security there's usually no need to sweat the small stuff....just don't overlook it altogether!
Monday 19 July 2010
Lessons learned & reminded of this past week
Posted on 05:51 by Unknown
After taking this past week off to be with my family during my mother's passing I'm back to work this week. I wanted to thank each and every one of you who reached out and sent cards and kind words to me during this tough time. It really meant a lot.
There's one thing I learned this past week. It's that no matter how much you think you're prepared, how much you believe your expectations are set, losing a family member like I have - like we all do - hurts beyond what words can describe.
There's also one thing I was reminded of this past week. That is just how precious human life really is and how we cannot take any second we're here on earth for granted. As my mom often said, Life is too short. Indeed it is Mom.
Monday 12 July 2010
A joyous announcement
Posted on 06:20 by Unknown
Early this morning my mother, Linda Parks Beaver, left this earth and joined the angels. Her fight with cancer is over. Her pain is over. Her suffering is over. She's now resting in peace. God bless her soul.
Many heartfelt thanks to the support and kind words so many of you have given me this year. And thanks so much to my clients and business colleagues who've been so understanding and patient with me. Please continue to bear with me over the next few days as my family and I grieve our tremendous loss.
Friday 9 July 2010
The reactive nature of policies that people ignore
Posted on 08:14 by Unknown
I got stuck in a traffic jam while passing through the famous and lovely town of Kennesaw, GA yesterday because of this inattentive truck driver trying to cross a raised railroad crossing:
I wonder what part of the No Trucks sign he didn't understand. There's another sign out of the frame that warns truckers of a $1,000 fine if they cross there. Ouch!
This situation can be compared to the disconnected and reactive nature of most security policies. People ignore them and the repercussions are reactive in nature....two things that certainly aren't going to keep an incident from happening in the first place.
Unique resource for managing Windows logs
Posted on 06:23 by Unknown
I like the practical avenue Randy Franklin Smith (@randyfsmith) has taken with his new Windows Audit Logging Kits. I haven't seen them but I like his approach.
Check them out here:
http://www.ultimatewindowssecurity.com/securitylog/rosetta/default.aspx
Thursday 1 July 2010
Lack of security in SMBs? Only if you make it so.
Posted on 06:34 by Unknown
This new piece from Dark Reading on the lack of security in SMBs hits some interesting points. I agree that many SMBs overlook security, at least until it's too late. But I see things a bit differently from some of the statements and quotes in it, such as:
- "SMB have historically not given security much thoughts"
- "With budgets so slim, organizing security in an SMB is difficult"
SMBs make up a large portion of my business performing independent security assessments. If SMBs choose to address security - and many of them do - then they tend to find the budget to make it work. It's like any other business priority. Granted there are millions of SMBs in the U.S. and I'm sure a majority of them don't take security seriously. But there are many, many SMBs out there with leaders who do. It's all a matter of choice. It's the ability of SMB leaders to think long term.
In this same article, Robert Richardson with CSI hit the nail on the head when he said "Small businesses have the opportunity to be a lot more protected because they have an opportunity to be a lot more uniform in how they implement policy."
This is the thing that stands out to me the most. It's indeed an opportunity to do it now when it's easier and cheaper. Do security right up front when things are small and straightforward, and the business can grow into the established infrastructure as it evolves. It's an amazing thing but it really works, and there's a profound payoff for the SMBs that make it happen.
Check out my Smart IT blog at Bizmore.com if you're interested in further reading on information security in SMBs.