Showing posts from March, 2010

Presentations available: RSA, ISACA, and Agora

It's been a busy month of presentations including RSA Conference 2010, ISACA Puget Sound, and the Agora.
The Agora is a "successful strategic association that meets quarterly to bring together the Pacific Northwest's top information systems security professionals and technical experts, as well as officers from the private sector, public agencies, local, state and federal government and law enforcement."
At RSA and Agora I discussed tactics intended to compare security data visualization to strictly textual output generated by IDS/IPS. These discussions included details on AfterGlow, Rumint, NetGrok, and Maltego.
At the ISACA Puget Sound chapter meeting I covered securing the company web presence (common security threats to your web presence and what you can do about it). This talk included details specific to the OWASP Top 10 and the CWE/SANS Top 25.
The RSA presentation is here.
The ISACA presentation is here.
The Agora presentation is available upon request (russ at hol…

#6 of the Top Vulnerability Discoverers of 2009

As I was last year, I am again pleased to report that the vulnerabilities I've been happily and responsibly disclosing and posting have resulted in 6th place on the list of Top Vulnerability Discoverers of 2009. Thanks to Scott Moore of the IBM ISS Frequency X Blog who compiled the list for 2009.
I remain both pleased and disconcerted to find myself on this list and wish to convey a few thoughts on the subject.

1) First, a reminder that my work has focused entirely on vulnerable web apps and pales in comparison to the likes of others named on both the all-time list and the list for 2009. Congratulations and well done to you all.

2) My efforts resulted in what the Frequency X post indicates is 48 unique web application vulnerabilities in 2009. This again serves as a stark reminder of what a challenged state of affairs the development process is for so many web application vendors. May the SDL and its ilk prevail.

3) I will continue my discovery and reporting efforts with the intenti…

RSA: Visualizing the Zeus attack against government and military

In keeping with my presentation this Friday at RSA, I managed to time my toolsmith topic to correlate precisely; specifically, visualizing the recent Zeus attack against government and military. For the article I discuss NetGrok and AfterGlow; for the RSA presentation I'll be more focused on NetGrok and Maltego as they present more readily for a live audience. Now that "advanced persistent threat" or APT is the latest buzz word/acronym/phrase we can reminisce that good old Zeus was amongst the best and brightest of early APT adopters. ;-)

From the RSA presentation abstract:
The flood of raw data generated by intrusion detection systems (IDS) is often overwhelming for security specialists, and telltale signs of intrusion are sometimes overlooked in all the noise. Security visualization tools provide an easy, intuitive means for sorting through the dizzying data and spotting patterns that might indicate intrusion…the presentation will focus on specific tools and methodology to…

Financials and the need for software regression testing

My article regarding Financials and the need for software regression testing has just been published.
This article cites Ameriprise as an example of a financial services provider who would benefit from improved regression testing and version control.

This article was actually written prior to the recent SQL bug I discussed involving Ameriprise, and is made even more interesting by discussion of a possible small, unrelated Ameriprise data breach in New Hampshire.

I truly hope Ameriprise takes a close look at the suggestions offered and moves towards enhancing security practices on behalf of their consumers.

Cheers.

Please support the Open Security Foundation (OSVDB)