Tuesday, June 23, 2009

ASS Cert Online Store is Hacker Safe

Those of you aspiring to proudly display your recently acquired Application Security Specialist certifications can rest comfortably knowing that the CafePress ASS Cert Online Store is protected by McAfee Secure/Hacker Safe. This is wonderful news as it guarantees that your transaction is safe while you purchase your favorite ASS Cert products. The store is offering ASS Hats, Office Attire, ASS Gear, framed certificate tiles, and framed oath reminders for those of you who may forget:

I will maintain my status as a Certified Application Support Specialist as proof of my knowledge and experience.

While you're logged in, you can even make use of an added feature: an open redirect that allows you to direct internet traffic to any destination of your choosing!
Check it out here.
Enjoy, and I expect to see all of you Application Security Specialists wearing your ASS Hats when I see you at defcon.


Please support the Open Security Foundation (OSVDB)

Monday, June 15, 2009

IT Infrastructure Threat Modeling Guide now available

In April I discussed the IT Infrastructure Threat Modeling Guide (then in beta), a Solutions Accelerator I've written with the Solution Accelerators for Security and Compliance team.
The IT Infrastructure Threat Modeling Guide is now available for download via the Technet Library and the Download Center.

Networkworld's kind coverage of the guide's release provides additional insight.

Purpose of this Guide:
Provide an easy-to-understand method that enables IT professionals to develop threat models for their environments and prioritize their investments in IT infrastructure security.
IT infrastructure threat modeling should be incorporated into an organization's IT mindset as a matter of policy, much like any other part of the validation, implementation, and installation process. Threat modeling in the name of secure infrastructure should be performed throughout the technology implementation process, much like any other component that is measured for performance, usability, and availability.

This guide maps directly to SDL guidance and marries threat modeling infrastructure to a sound, existing framework.
This has been quite an effort and a valuable learning experience for me.
I'd like to thank the following for their contributions, leadership, and effort during this process:
Kelly Hengesteg, Steve Wacker, Karina Larson, Adam Shostack, Frank Simorjay, Jeff Sigman, Chase Carpenter, Sumit Parikh, and Shruti Kala.
To the numerous people who reviewed and provided feedback, thank you as well.

When you use a structured method as described in this guidance to develop threat models for your IT infrastructure, you identify and mitigate threats to your environment in an efficient and effective manner.
It is the intent and hope of this guidance that the benefits of choosing to develop a threat model portfolio for your IT infrastructure will be many, and that a holistic state of security becomes commonplace for those who undertake the process.

I look forward to your feedback as you read the IT Infrastructure Threat Modeling Guide and hope to learn of your success stories as you utilize it to enhance security in your associated environments.


Tuesday, June 09, 2009

Presenting at Defcon 17 with Mike Bailey

In case you didn't know, CSRF still works. ;-)
Mike Bailey and I will be discussing this sad fact via CSRF: Yeah, It Still Works at DEFCON 17 at the end of July. We do hope to see you there!


Saturday, June 06, 2009

eWeek hypes "secure" SaaS without checking the facts

In an article called SaaS Proof Points, eWeek put on the blinders and jumped on the bandwagon declaring such SaaS wisdom as "not only have modern SAAS applications assuaged security concerns, but the SAAS model itself is seen by some as the most secure approach to handling data".
What!? Wow.
Add to that the well-intended declaration of SaaS neophyte Kimberly Rogers of Santander Consumer USA, while detailing her company's use of Service-now.com. Rogers, who had never worked with a SaaS-based application before, added that "security can be as tight as you want it to be." Noting such blind faith from a Service-now.com user, I was motivated to take a closer look at the provider.
Kimberly, respectfully, you are making a dangerous assumption.
Putting on my bad guy hat for a second, if I can entice you to click a link in a targeted, specially crafted email (phishing), that in turn executes JavaScript in the context of Service-now.com (cross-site scripting) and returns the cookie you use for authentication to Service-now.com (credential theft), is it still reasonable to assume that "security can be as tight as you want it to be"?
I think not.
Service-now.com suffered from a cross-site scripting (XSS) vulnerability that allowed cookie theft and other XSS fun such as frame defacement.
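As an added example, not code from the original post or from Service-now.com, here is a constructed search handler that reflects a query parameter into HTML unencoded, beside the encoded version that closes the hole described above, plus the cookie flags that keep a session cookie out of reach of any script that does get injected. The function names and the sample query are assumptions.

```javascript
// Added example (not from the original post or Service-now.com's code).
// Constructed handler for a hypothetical search page: the vulnerable version
// reflects the query string into HTML verbatim, the hardened version encodes it.

// Encode the five characters that let attacker-controlled text break out of
// an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the reflected parameter lands in the page unencoded, so a
// crafted link carrying markup runs as script in the site's origin.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same page with output encoding applied at the HTML sink.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Session cookie with the flags that limit what an injected script can reach:
// HttpOnly keeps it out of document.cookie, Secure keeps it off plaintext HTTP,
// SameSite=Strict stops it riding along on cross-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample input of the kind a phishing link's query string would carry
// (a harmless probe stands in for a real payload).
const SAMPLE_QUERY = '<script>probe()</script>';
```

Run the two render functions over SAMPLE_QUERY and compare: the vulnerable output still contains a live script tag, the hardened one contains only encoded text.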

Before XSS:

After XSS:

Please note that Service-now.com responded to my advisory and made repairs in a reasonable amount of time, all the while communicating admirably.
That said, if SaaS providers don't ratchet down hard on their basic web application security, silly yet valuable data spills such as described above will continue to prevail unabated.
If trade publications continue to publish hype rather than balanced facts I must assume that data breaches and provider shortcomings will continue to be commonplace as said providers won't be held to a higher standard.

When StrongWebmail fell so readily to an XSS vulnerability this past week (well done Lance, Mike, and Aviv), I simply shook my head in dismay. Are service providers so blind as to not consider the holistic security view before putting 10k on the line?
That was a rhetorical question.
Answer? Obviously.


Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...