Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Displaying articles for: January 2011

Things I Learned at Shmoocon 2011

Conferences are more than just going to interesting talks, meeting interesting people, and attending after-parties.  Sometimes, if the conference is really a gem (like Shmoocon) you actually learn something.  After attending this year's Shmoocon 2011 I sit here waiting to go home ...and think it relevant to share my thoughts.

Labels: conferences

The Velocity of Pwn3d


Getting pwn3d (or "hacked", compromised, exploited ...whatever) has evolved since I first flipped on my orange and black screen and started programming Turbo Pascal ...that was a long time ago.

Labels: evolution| hacking| ssa

Lush Cosmetics - The Real Business Impact of Being Hacked

Lush Cosmetics has a problem that's more than just image.  The attack and compromise of their e-commerce site in the UK caused the company not only to launch an investigation but to completely shut down their site and rebuild it from the ground up.

Labels: compromise| hack

Exclusive: Q&A with hacker "srblche srblchez"

Hack happens.


Getting into the mind of the 'hacker' is often difficult because they're so elusive and don't necessarily want to take interviews ...unless you're a Wh1t3 Rabbit.  So with you readers in mind, I decided to try and see if I could get a peek into the mind of the hacker who was selling pwn3d sites (here: ) and hacking services.

Best Anti-SQL Injection Message Ever

The title says it all ... someone on a hacker forum was complaining about a site that had a 'funny SQL injection rejection' message ... so I took a screen capture.  This is hilarious.

Hacker Sells Pwn3d Government Sites at Bargain Prices

Wow, the things you find for sale these days.  Researchers have uncovered an interesting trove of government-related websites across the globe all for sale ... but so what, sites get hacked into all the time.


The discovery of this trove of sites speaks painfully to the fact that organized hacking is getting more and more fearless.  It's also interesting to note the prices for complete control of some of these sites.  The cost of buying one of these hacked sites is at most $499, with many sites under $100USD.  That's incredible ...but it brings up an interesting point.  Is the black market for pwn3d sites so super-saturated that prices are this low?  Or is the hacker that took these over simply looking to make a quick buck and disappear?

4 Components of a Successful Software Security Assurance Program

My last post outlined 3 things that virtually guarantee the swift and untimely demise of any software security assurance program.  One of you loyal readers (actually, it was eventually more than just one) then pointed out that simply pointing out what was wrong just wasn't my way of doing things - so I had to write a follow-up post that outlined the things that I felt a solid SSA program needed.


Luckily, I just so happen to have a Top 4 handy.  Why top 4, you ask?  Because there really are 4 components that make up a successful software security assurance program.  More importantly, there are 4 things that I have personally witnessed and implemented that have contributed greatly to the success of many programs - and so without further ado here is my list of 4 Components of a Successful Software Security Assurance Program.

Labels: ssa

Avoiding the Top 3 AppSec Mistakes (Staying Off the Hamster Wheel)

It happens one day, seemingly out of nowhere.  Your manager has a revelation (usually inspired by an incident, or the board of directors) and walks into your cubicle and says "We should put together an application security program".  Now what?


Let's be realistic here for a moment - you're understaffed, overworked, and ill-prepared to roll out a software security assurance (SSA) program overnight so how do you avoid making some of the biggest mistakes?  Let's look at the 3 most common mistakes hasty organizations make and see if we can't help you avoid these.  Look, it's bad enough that you're starting up a software security assurance program in January 2011 (while everyone else you know got funded back in 2007!) ... let's not make this any more painful than it's already going to be.

Hackers "Borrow" Excess Server Capacity, Play CoD: Black Ops

Those pesky hax0rz.

They just want to hack in, steal your data, plant trojans and spread evil.  ...sometimes not though.


Stories like this just don't get enough coverage because it's more funny than sinister - but apparently on November 12th, around 2:00am local time, someone broke into the Seacoast Radiology of Rochester, NY server and didn't try to download their 232Gb database ...nope, they just borrowed the server to play "Call of Duty: Black Ops".  For 4.5hrs that night someone was using the radiology center's server capacity to play a video game.

Labels: hacking

Why Deer Don't Run & AppSec Programs Fail

If you've ever had the misfortune of driving late at night and injuring (or worse) one of these beautiful creatures, you can't help but wonder to yourself - why didn't that deer just move when it saw me coming?!  There was plenty of time and ample room to run away to; all it had to do was decide and execute.


Then you sit down at your desk Monday morning and notice that your App Security program isn't making any headway ...and it's been 6 months.  You've laid out all the things that need to be accomplished, goals, tools and processes - but nothing's getting done.  Just like the situation with the deer - there are avenues for success and all someone has to do is make a decision and execute.

Will IPv6 Cause Chaos for the Browsing Public?

Here's the question - as IPv6 becomes a reality (probably even in our lifetime...) for the general browsing public - what sort of new chaos will this create?  Or does it even make any difference with the current encoding schemes that can be used to trick even the savvy web browser?

Is Truly Anonymous Web Browsing Possible?

"The problem with losing your anonymity is that you can never go back."   --Marla Maples


There's anonymity, and then there's being anonymous.


Oddly enough, the line is a lot more difficult to understand than one may wish.  Anonymity is a tricky thing because on one end of the argument you must concede that in order to have an acceptable user experience in the modern web world you must be tracked to some acceptable extent, while the other end of the argument would say that we don't want web sites, vendors and nation-states/organizations tracking us and our browsing habits.  Throw into this the complexity of free content (what's really "free" today, really?) like FaceBook and other types of free-for-a-fee sites and you have yourself an ugly little mess.


So what are the issues?

News Flash - Exploiting Software Defects for Profit: Still Illegal

A story ran in the Pittsburgh Post-Gazette on Tuesday that triggered some interesting conversation.


"Moments before he was to stand trial for bilking The Meadows Racetrack and Casino out of nearly a half-million dollars in fraudulent jackpots, a Swissvale man was arrested Monday by federal authorities, who say he actually may have stolen as much as $1.4 million from casinos in the U.S. and abroad."

5 QA Myths Debunked: Why QA Doesn't Do Security Testing

QA teams have some interesting ideas when it comes to answering this question: "Are you doing any application security testing currently?" ... and depending on who you ask it's possible you will receive a variety of different answers.  I am, of course, working on the assumption that you've accepted that security testing is as much a part of the QA testing cycle as oxygen is to breathing.

Understanding Developer Psychology

Happy 2011 everyone!  I hope everyone's break was restful... so now on to business.


Towards the end of last year I started to hint that some of the approaches being taken in software security assurance (SSA) needed to change and that one of the foundational pieces of software security was understanding the mind of the developer.  To that end I have a request ...
