You can't secure what you don't acknowledge.SM

Friday, April 3, 2009

Restating the obvious?

This just in (OK, it's really from a couple of days ago): Cybersecurity hearing highlights inadequacy of PCI DSS.

But I thought compliance = security!? And anything forced down our throats at the hand of industry bodies and government goons is all we need to manage business risks!?

Seriously...how long do you think we'll continue to hear about this...ay yay yay?

Wednesday, April 1, 2009

WebInspect - the Mac Daddy Web app scanner?

I've recently covered two of my favorite, yet lesser-known, Web vulnerability scanners: Acunetix Web Vulnerability Scanner and N-Stalker Web Application Security Scanner. Two worthy products indeed. Now I'd like to shed some light on HP's WebInspect.

I've been using WebInspect since before testing Web sites/apps was cool. In fact, WebInspect was one the original commercial Web scanners. It may have even been the first. Anyway, I started a relationship with the folks at S.P.I Dynamics back in 2001 when I was working for an B2B marketplace startup. What a great bunch of people to know and work with. Many of those folks have since jumped ship since they were acquired by HP. :|

The good news is that the acquisition has not bastardized the product like I assumed it might when I first heard about HP coming into the picture. [sidenote]I used to work for HP and it was a great company so I had some confidence that they'd do the right thing...but you never know what the corporate monster's next move is.[/sidenote]

Anyway, without going into too much detail, I've found that WebInspect consistently finds the key Web vulnerabilities you need to know about. It's not going to find everything - no scanner does like I talked about here. But it does tend to find vulnerabilities that no other tool - or manual analysis - can find. Well, except for a few here and there that slide by. This is why I've reached a point in my career that I'm realizing using multiple tools can be your security saving grace.

WebInspect also has a good toolset that they used to charge extra for it but it's now bundled in. The following screenshot shows the basic interface of WebInspect 7 (which has since been "fixed" in WebInspect 8 just released today) along with the toolset:


I'm not at a point at the moment to show you their latest incarnation of WebInspect - version 8 - but I'll see if I can't show some screenshots in a follow-up posting. I will say that I've been pleased to see what they've done with it. I'm loving the interface. Also, WebInspect can now perform static analysis on Flash and has *much* improved reporting (which has been kind of a pain up to this point). They've also improved the macro recording and JavaScript handling which should help speed up the security scan process - two other sticking points with the product for me in the past.

WebInspect is not without its flaws or shortcomings...No security testing tool is perfect. Probably the biggest grip I have about it is the Web Brute password cracking tool. I'm still waiting for it to live up to its name (it's a dictionary cracking tool - not a brute-force tool as the name implies). Makes you appreciate what HooBie accomplished with Brutus "way" back in 1998! As with any product (or relationship for that matter) the wise adult learns to live with it and stays focused on the positive side of things. :-)

That said, if you're looking for a leader in the Web security scanner space and can justify the investment definitely check out WebInspect.

Tuesday, March 31, 2009

Goofy "feature" in GoToMyPC that can put you at risk

I use GoToMyPC for remote access occasionally and came across a situation you may want to know about....

Before I left the office last night I made sure my Windows screen was locked. My locking screensaver kicks in after a few minutes but I just wanted to make sure. While at home I accessed my laptop a few times logging on and off of GoToMyPC. When I returned to the office this morning my screen was unlocked....not my idea of security. :-o

It turned out that the "feature" to relock your system when you disconnect from GotoMyPC is not enabled by default. Here's what it looks like:

Let this be a lesson to all of you out there who use GoToMyPC or similar tool. All it takes to negate the benefits of locking screensavers, whole disk encryption, and the whole shebang is something really basic (and stupid) like this. Time to spread the word to your users...and change those default settings!

Coping site for security breaches?

This just in: from the government agency that brought us HIPAA we now have a new site to help us all deal with the troubling economy. Maybe one day the site can be expanded to include those of us who are affected - both personally and professionally - by security breaches. At least there's hope....and when there's hope, there will be "change". ;)

Funny how government creates a crisis and then comes to our "rescue". Are you starting to see what's happening here folks?