Showing posts from June, 2009

ASS Cert Online Store is Hacker Safe

Those of you aspiring to proudly display your recently acquired Application Security Specialist certifications can rest comfortably, knowing that the CafePress ASS Cert Online Store is protected by McAfee Secure/Hacker Safe. This is wonderful news, as it guarantees that your transaction is safe while you purchase your favorite ASS Cert products. The store is offering ASS Hats, Office Attire, ASS Gear, framed certificate tiles, and framed oath reminders for those of you who may forget:

I will maintain my status as a Certified Application Support Specialist as proof of my knowledge and experience.

While you're logged in, you can even make use of an added feature: an open redirect that allows you to direct internet traffic to any destination of your choosing!
Check it out here.
Enjoy, and I expect to see all of you Application Security Specialists wearing your ASS Hats when I see you at DEFCON.

Please support the Open Security Foundation (OSVDB)

IT Infrastructure Threat Modeling Guide now available

In April I discussed the IT Infrastructure Threat Modeling Guide (then in beta), a Solution Accelerator I wrote with the Solution Accelerators for Security and Compliance team.
The IT Infrastructure Threat Modeling Guide is now available for download via the TechNet Library and the Download Center.

Network World's kind coverage of the guide's release provides additional insight.

Purpose of this Guide:
Provide an easy-to-understand method that enables IT professionals to develop threat models for their environments and prioritize their investments in IT infrastructure security.
IT infrastructure threat modeling should be incorporated into an organization's IT mindset as a matter of policy, much like any other part of the validation, implementation, and installation process. Threat modeling in the name of secure infrastructure should be performed throughout the technology implementation process, much like any other component that is measured for performance, usability, …

Presenting at Defcon 17 with Mike Bailey

In case you didn't know, CSRF still works. ;-)
Mike Bailey and I will be discussing this sad fact in our talk, CSRF: Yeah, It Still Works, at DEFCON 17 at the end of July. We hope to see you there!
Cheers.


eWeek hypes "secure" SaaS without checking the facts

In an article called SaaS Proof Points, eWeek put on the blinders and jumped on the bandwagon, declaring such SaaS wisdom as "not only have modern SAAS applications assuaged security concerns, but the SAAS model itself is seen by some as the most secure approach to handling data".
What!? Wow.
Add to that the well-intended declaration of SaaS neophyte Kimberly Rogers of Santander Consumer USA. While detailing her company's use of the service in question, Rogers, who had never worked with a SaaS-based application before, added that "security can be as tight as you want it to be." Noting such blind faith from a user, I was motivated to take a closer look at the provider.
Kimberly, respectfully, you are making a dangerous assumption.
Putting on my bad guy hat for a second: if I can entice you to click a link in a targeted, specially crafted email (phishing) that in turn executes JavaScript in the context of the provider's site (cross-site scripting) and returns the …