You can't secure what you don't acknowledge.SM

Friday, April 2, 2010

THE process for successful Web security testing

Here's a new piece I wrote for SearchSoftwareQuality.com where I talk about the lifecycle of testing for Web security flaws. From obtaining buy-in to reporting to the stakeholders, it's a process you need to master.

Security testing best practices for today's Web 2.0 applications

Thursday, April 1, 2010

Two B I G reasons to secure your home computers/network

Here's a crazy story: burglar breaks into a home, uploads child pornography on the family computer, and tries to frame the husband of his co-worker who he had a crush on.

If this isn't a good enough reason to secure your home computers, I don't know what is.

Not to mention your wireless network. How'd you like one of those creeps we used to see on Dateline's To Catch a Predator doing what they do online using your Internet connection? Better hope you have some good investigators who can show what really happened.

Interestingly, most people are oblivious to this stuff... Amazing. What can you do?

Tuesday, March 30, 2010

A couple of neat things about WebInspect

If you're into finding the Web security flaws that matter, HP's WebInspect should be on your short list of prospective Web vulnerability scanners. Over the past six months WebInspect has repeatedly found a couple of items that I know I otherwise wouldn't have uncovered or been able to exploit to the extent I did.

The first is SQL injection. WebInspect does a very good job finding the actual flawed inputs but really stands out when it comes to exploiting the vulnerabilities - something that proves highly valuable during security assessments. Recently, I came across an application that had authenticated SQL injection that was only exploitable at one role level - which was, of course, the unexpected one. The following is a screenshot of WebInspect's SQL Injector in action showing its appropriately named "Data Pump" function.

[Screenshot: WebInspect SQL Injector showing its "Data Pump" function]
You often have to tinker and be persistently patient with SQL Injector to get it to exploit a SQL injection flaw... and it does have its false-positive moments, hence the need for detailed manual verification. But man, when it gets rolling, look out.
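To make the flaw class and the manual-verification step concrete, here is an added example (not code from the post, and nothing to do with WebInspect's own implementation): a lookup built by string concatenation beside its parameterized form, plus a small differential check that flags a lookup as injectable when a tautology input returns more rows than a harmless value does. The in-memory SQLite table, the row data, and the function names are all constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the SQL text, so a quote in the input
    # changes the structure of the statement instead of being treated as data.
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver binds the value separately from the statement; whatever the
    # string contains, it is compared as a literal username and never parsed as SQL.
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology used only to confirm a suspected finding in a test database.
TAUTOLOGY = "' OR '1'='1"


def is_injectable(conn, lookup):
    # Differential verification: a benign, non-existent username should match
    # nothing. If the tautology matches more rows than that, the input is
    # being interpreted as SQL and the scanner's finding is confirmed.
    baseline = len(lookup(conn, "no-such-user-zz"))
    with_tautology = len(lookup(conn, TAUTOLOGY))
    return with_tautology > baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", is_injectable(db, lookup_vulnerable))
    print("parameterized lookup injectable:", is_injectable(db, lookup_parameterized))
```

The differential check is the same idea as the manual verification the post recommends after a scanner reports SQL injection: compare the response to a known-harmless input against the response to a structurally different one, rather than trusting the tool's verdict alone.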

The second thing about WebInspect is its ability to uncover the usage of HTTP GET requests in an otherwise POST-centric world. As with SQL Injector, some are false positives, so you have to manually verify that the finding is indeed a problem. But if you can confirm the issue your efforts will pay off because HTTP GET requests can "get" your users and your business in a real bind... It's a big enough problem and such a common finding that it inspired me to write this article: Why use POST vs. GET to keep applications secure.
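One way to do the manual verification the post calls for, as an added example that is not part of the original post: scan Web server access logs for GET requests that carry sensitive parameters in the query string (which then sit in server logs, browser history and Referer headers) or that hit paths that look like state-changing actions (which a GET makes trivially triggerable from a link or image tag). The log lines are constructed for this example, and the sensitive-key list and path hints are assumptions you would tune for your own application.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-format request line: method, target and status.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Assumed parameter names that should never travel in a URL.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid",
                  "ssn", "cardnumber", "apikey"}

# Assumed path fragments that suggest a state-changing action.
STATE_CHANGING_HINTS = ("delete", "update", "transfer", "change", "remove", "reset")


def inspect_line(line):
    """Return a finding dict for a risky GET request, or None if the line is fine."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in params if k.lower() in SENSITIVE_KEYS)
    path_lower = parts.path.lower()
    state_changing = any(hint in path_lower for hint in STATE_CHANGING_HINTS)
    if not leaked and not state_changing:
        return None
    return {"path": parts.path, "sensitive_params": leaked,
            "state_changing": state_changing}


def scan(lines):
    """Run inspect_line over every log line and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (fictional addresses and paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2010:10:15:01 -0400] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 -',
    '203.0.113.5 - - [30/Mar/2010:10:15:09 -0400] "POST /account/transfer HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Mar/2010:10:16:22 -0400] "GET /account/transfer?to=1234&amount=500 HTTP/1.1" 200 311',
    '198.51.100.7 - - [30/Mar/2010:10:16:40 -0400] "GET /static/logo.png HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit from this scan is a candidate, not a verdict: the next step is to confirm in the application whether the GET actually changes state or whether the sensitive value really ends up in logs or referrers, which is exactly the manual check the post describes before counting a scanner finding as real.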

I could go on with more good things about WebInspect but I'll save that for another time. Until then, don't forget my firm belief that you almost always get what you pay for when it comes to Web vulnerability scanners...there's just too much at stake not to invest in a good tool such as this.

Monday, March 29, 2010

Don't forget about XSS *behind* the login prompt

Don't assume that your Web security concerns stop at the login prompt. Here's a new piece I wrote where I talk about cross-site scripting (XSS) and whether or not it matters for logged-in users:

Authenticated XSS - problem or not?

Got Linux security on your mind?

Here's a new webcast and accompanying podcast I recently recorded for SearchEnterpriseLinux.com where I share some insight and opinions regarding the biggest weaknesses I'm seeing with Linux today...and what you can do about it:

Tightening down Linux security (webcast)

Tightening down Linux security (podcast)