Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Displaying articles for: December 2010

2010 - A Quick Look Back to Look Forward

"We can't solve problems by using the same kind of thinking we used when we created them." -Albert Einstein
I think that quote (one of my favorite Einstein quotes, by the way) is a great way to sum up 2010, a year that saw many changes and many advances - yet the problems with vulnerable web applications remain, in large part because of the kind of thinking that quote refers to.  I can't help but feel as if we in the software security assurance (or application security, if you still prefer) space are still addressing the issues with the same eyes that caused the problems in the first place.  In the final analysis, I feel like we're still missing the point, and since we have a bunch of hammers in our hands, every problem appears to be a nail.

American Honda Motor Co - Hacked, Customer Info Exposed

Alright, so Honda's web sites didn't actually get hacked, but like McDonalds they are on the receiving end of a lump of coal in their stocking for Christmas.
A post on Honda's "Piloteers.org" website for Honda Pilot owners hints at a data breach at a vendor maintaining a mailing list for customers of the My Acura and Honda Owner Link websites.  From the forum post, it would appear that SilverPop, the same company behind the earlier breach of email addresses and customer information, also handled Honda's list [likely this is fallout from the SilverPop hack].

Complexity - A Sure Way to Fail

There has been a good deal of griping lately about what "us security people" are calling the "dumbing down" of products in whatever product space.  By this, of course, I mean products that seemingly drop advanced features to make themselves "easy to use" for the general end-user.
While almost every single product's marketing page lists "Ease of Use" as one of the checkbox features, it's rare that this actually manifests itself in the real product.  The end result of difficult-to-use security products is clear - security breaches are rampant.  You don't have to take my word for it; do a search.

Labels: complexity| failure

Minimal Impact = Maximal Impact

Just a quick post today to highlight a conversation I had with a development manager who was very interested in bringing security into his processes ... but wanted to have minimal impact on his development team.
An interesting quote came from the conversation as I listened to this dev manager talk - "I'm very closely guarded of my development team's productivity - and won't do anything to compromise that ...so how do you see implementing security processes fitting into that?"

Labels: business case| ssa

Is There a Maturity Link Between Software Security Assurance, Bug Bounty Programs?

An interesting question was posed on Twitter by a colleague yesterday ... "I wonder if the final stage of Maturity for website vulnerability management is offering a bug bounty program?"  I thought that required some thought, and maybe a short blog post, in case any of my readers don't read Twitter or haven't made that connection yet.
In a word - no.

How to Hack Websites

There has been a considerable amount of "hacking" going on lately.  Sites going down, content being stolen, DDoS being leveraged.  So while there are various methods of "hacking" a site, I think there is one thing that ties all of this insanity together.

McDonalds Database Compromise - 3rd Party Lessons

The McDonalds Corporation has an interesting FAQ up right now titled "Potential Access to Customer Data by Unauthorized Third Party".  Luckily, this incident isn't all that serious, because it only involved email, address and phone number details, as well as your birth date and gender ... and "certain information about your promotional preferences or web information interests".  Interested?

So ...Who REALLY Cares?

As we close out another year and look back at all the data breaches that were enabled through the hundreds of thousands of helpfully vulnerable web applications - it's time to once again ask how we can prevent this next year.
There are no good answers, of course, but I think I've managed to get things down to a basic question that I feel we all need to ask ourselves.  There is one fundamental question at the heart of every good security program, one that acts not only as a check-box at the end of it all but becomes a pervasive thread throughout all application delivery.

Analysis: Flash Player in a Chrome Sandbox

On December 1st, the Google Chrome development team announced they would support running Adobe Flash sandboxed in the development releases of the Chrome browser.  This is no doubt an interesting development in the continuing saga of Adobe Flash, but I like to think about what it all means in the bigger picture of things.

Labels: HTML 5| plug-in| sandbox

Surviving the Annual Holiday Production Freeze

Every year, about this time - usually starting the week before Thanksgiving (in the United States that's 11/22) and right on through the second week of January - the online retail industry goes through a freeze period on its production systems.  I know, because I've lived through several of these freeze periods, that these can be some of the most insanely busy, non-production-change times of the year!  This of course has several very important implications for the security of these online systems, so as we plow (excuse the pun) on through the holiday freeze, I thought it would be relevant to highlight some of the key issues that the holiday freeze brings.

There Are No More Internal Applications

It's official.  There are no more internal applications.
Some of the hype and news around the recent leaks of extremely sensitive government information, and the [threatened] soon-to-be-released sensitive banking information, demonstrate that the label "internal only" doesn't really mean "no security needed".  That architects would automatically score internal applications as low-risk on the basis of being accessible only by people inside the corporate firewall (don't get me started on perimeters!) made real security purists cry ... but now there is a good chance these highly publicized developments may change hearts and minds.  Well ... maybe not - but at least these events may give security analysts the ammunition to have concrete discussions on why internal doesn't mean no risk.

Labels: risk analysis
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation