You can't secure what you don't acknowledge.SM

Tuesday, December 19, 2017

Solared Cyber Security's APPscreener - a static application security testing tool worth checking out

A large part of the vulnerability and penetration testing work I do focuses on application security - both web and mobile. A growing portion of my testing in this area is source code analysis and looking at software flaws where they begin. I'm always looking for good tools to use and I recently came across one that you might want to check out called APPscreener. It's a cloud-based (or on-premise) static application security testing (SAST) tool that can look at both raw source code and, in the event you don't have access to the source, binaries for both traditional web applications and mobile apps. 

APPscreener has the best user interface I've seen in this type of tool. Once you get the on-premise version installed - or you simply get logged into the cloud version - it's literally point and click. I like this approach because not everyone with a need to perform a static analysis is super technical. These people, therefore, won't get bogged down with the installation and configuration minutiae that's common in other SAST tools I've used (especially the open source ones). APPscreener's interface can be seen here:

Reporting includes options for OWASP Top 10 (2017 support is said to be coming soon), PCI DSS, and more as shown here:

APPscreener's broad list of supported languages/platforms for static analysis is as follows:
  • ABAP 
  • C, C++, and C#
  • HTML5
  • Java and Java for Android
  • JavaScript
  • Objective C
  • PHP
  • PL/SQL
  • Python
  • Ruby
  • Scala
  • Solidity
  • T/SQL
  • VB 6.0
APPscreener can perform binary analysis on various filetypes as well:
  • Android
  • dll
  • exe
  • iOS
  • jar
  • war
One really neat thing about APPscreener is that you can point it directly at apps in Google Play and the Apple App Store, as shown here:

This is a nice feature for enterprises that have standardized on a specific set of business apps and need to formally roll them into their security program by vetting them for security flaws. It's an especially important feature when you don't have access to the source code.

I'm always looking to improve my application security testing approaches and tools such as APPscreener make a big difference in not only the time and effort involved in this work but also in the quality of the findings I'm attempting to uncover. Check it out if you're in the market for a SAST tool. Based on what I'm seeing, you'll quite likely find many application security flaws you didn't know you had...and those are the best kind since you can't fix what you don't know about!

Saturday, October 14, 2017

When PR spam is actually amusing

I get spammed by PR firms all the time - quite likely a dozen or more emails from them in my business inbox every day. I think I get on their radar because certain articles I write happen to be related to what these spammers are trying to promote. Well, I recently got this spam message via email from a PR firm regarding an upcoming security conference. Looks interesting. But to heck with the show...and don't worry about what it says (I know, it's hard to see)...What's funny is that someone apparently did some edits to the original press release and the guy who sent it forgot to accept those changes (and proofread)...can't make this stuff up. ;-)

Thursday, October 12, 2017

Hacker Halted - a security show worth attending

I've been a big advocate of attending security shows in order to learn, network, and see/hear about the latest technologies. There are a ton of these shows each year - some are a good fit, others not so much. Well, there's one show that I just attended in Atlanta this week that's worth mentioning and recommending. It's called Hacker Halted. Put on by the EC-Council (Certified Ethical Hacker) folks, it's well-attended but not too big. I spoke with and exchanged business cards with several people from around the country. Word had it that around 2,000 people were in attendance.

I saw several good speakers including one of the best in the business, Winn Schwartau, as well as the EC-Council's founder and president, Jay Bavisi. Jay shared some great points on the state of security, including how we're facing a skills shortage, not a labor shortage. I totally agree. There are many people working in positions of security authority and decision-making who don't really know a whole lot about security. It's learn as they go, and that's bad for business, good for the criminals.

Jay also covered the EC-Council's new LPT certification and how penetration testing is becoming commoditized because of the assumption that vulnerability scans are "good enough" and overall ignorance of the process. Agreed! Jay also said that penetration testing often lacks professionalism, especially when it comes to security assessment deliverables. The emphasis is instead placed on shiny objects/cool tools and the prima donna attitudes emanating from many of the people who do this work. Love it! I see this all the time and it's hurting us and our field.

I believe Hacker Halted is usually in Atlanta. Check out their website and maybe I'll see you there next year.

Wednesday, September 27, 2017

SEC, Equifax, what's next? Focus on - and fix - the stuff that matters in security.

I recently consulted with a client on the SEC and Equifax breaches and had some thoughts that I left them with and wanted to share here:
  1. Your security program is only as good as your day-to-day processes and people. No amount of policies, plans, and technologies is going to prevent you from getting hit.
  2. Reactive security is apparently the new norm, at least according to SEC chairman Jay Clayton. I don't disagree with this, in spirit. No one is 100% immune from hacking and breaches. However, you still have to make efforts to find and fix the silly, stupid stuff that's creating problems such as these. Just ask Equifax about web security penetration testing and patching and how seriously they should be treated.
  3. Unless and until the information security basics are mastered, you're a sitting duck.
  4. More government, more regulation, more "cyber" whatever won't fix these elementary security gaffes. It'll certainly make it look like something's getting done and (sadly) that's often good enough...until the next breach occurs.
  5. Money spent on computer systems and applications does not translate to security. In fact, it can make it worse due to the false sense of security and because of all the system complexities involved. 
Bottom line, pay attention to what's happening. You can't hit a target you can't see - or aren't even thinking about. Let these other people's experiences and misfortunes be teachable moments for improving security in your business. Don't repeat history because, as Stein's Law says, if something cannot go on forever, it will stop.

Here's some additional reading on this subject:

Focus on the right things to get security results

Do what you can to solve your known security challenges

Thursday, August 31, 2017

HIPAA and data encryption - what you need to know

When I co-wrote the first edition of the book The Practical Guide to HIPAA Privacy and Security Compliance, both HIPAA and data encryption were a big deal. Fast forward nearly 15 years and they're still a big deal, yet many people are still struggling with both. 

If you're looking for some insight/guidance on HIPAA compliance, data encryption, or security intelligence in today's business environment, here are a few new pieces that I wrote for the nice folks at Thales e-Security that you may want to check out:

Going beyond addressable with HIPAA and doing what’s right with data encryption 

How security intelligence can support HIPAA compliance

Why PHI access controls matter

The HIPAA compliance payoffs of protecting PHI with encryption


Wednesday, August 16, 2017

Hacking For Dummies featured in new Lifetime movie Running Away

I had the neat opportunity to recently see my book, Hacking For Dummies, featured in this summer's Lifetime movie called Running Away. I've known that it was a possibility for some time but it was cool to see it on the screen! Here's the scene it's featured in:

You can see more about - and purchase - Hacking For Dummies (currently in its 5th edition) on Amazon by clicking the graphic below:

Thanks for your support!

Thursday, August 10, 2017

Rapid7's Insight platform provides focused analytics for your security program

Fairly recently, Rapid7 took their vulnerability management platform up to the next level with their analytics platform called Rapid7 Insight. It's beneficial for an independent consultant like myself and even more useful for enterprises with IT environments of growing complexity. Rapid7 Insight is marketed as a way to bring together the Nexpose vulnerability research, Metasploit exploits, global security intelligence and exposure analytics into a single system that can help businesses solve more - and better - security problems.

A cloud tool that integrates with your Nexpose instance, Rapid7 Insight lets you see what's being uncovered in your environment, monitor specific vulnerabilities, and bring it full circle with ticketing system integration to support remediation workflows. You even have a choice on where to store your data in the cloud in order to meet specific compliance/legal requirements. Here are some examples of Insight's "Liveboards" that provide info on specific areas of vulnerability management. These show external-facing security vulnerability data, including details on exploitable vulnerabilities.

Being able to run a tool such as this can add tremendous value to security testing and vulnerability remediation programs. This level of detail can show you exactly where you need to focus your efforts in order to expedite remediations and ensure returns on your security efforts. Hint: getting your patching under control, once and for all, will likely be front and center. This information is good for sharing with executive management and can also help you prioritize your efforts that involve security policy development, user awareness and training, incident response and other core areas of security that need attention.

Neither Rapid7 Insight nor any other tool is going to fix all of your security problems, but it will at least set you on the right path. The discipline required to see things through is totally up to you.

Monday, August 7, 2017

How to gain control & become an IoT security expert

You've no doubt heard the vendor spiels and seen their solutions for gaining control of your Internet of Things environment. But do you truly have IoT under control? Like other things in IT, it can be pretty overwhelming, especially when you're struggling to keep your arms around your traditional network environment with cloud and mobile and all the complexities they bring. 

Well, IoT security doesn't have to be that difficult. It's complicated in terms of a well-run security program but, in many ways, there's really nothing new...I can assure you that if you step back to look at the bigger picture of what's going on with IoT security, from vendor marketing overload to understanding your network to fixing the basics, you can (and will) gain control of IoT if you take a measured approach. 

Here are several pieces I've created on IoT security that can help you in your endeavors:

Integrating the IoT into your application security program

Getting Ahead of the IoT Security Curve (an ISACA/TechTarget webinar)

Don't overlook this key element in securing the Internet of Things

Is Your Security Program Ready for the Internet of Things?

IoT at RSA brings a new focus on old problems

Securing the Internet of Things

Top cybersecurity trends for the first half of 2017

I hope this helps. Don't hesitate to reach out to me if you're ever in need of IoT security testing or strategy consulting. Cheers!

Wednesday, June 21, 2017

Using Centrifuge for IoT security testing

I love hacking things, especially new things like what's showing up on networks around the globe in the form of IoT. If IoT security is anywhere on your radar, you're likely incorporating these devices into your security testing program. Well, there's a new IoT security assessment tool in town that you need to know about called Centrifuge, brought to you by Tactical Network Solutions - makers of the former (and awesome) Reaver Pro tool.

Centrifuge is a cloud-based platform that can reverse engineer binary firmware files and analyze them for security flaws. It supports various IoT systems, including firmware from common routers and network devices from Belkin, D-Link, and Linksys, and finds some interesting stuff. For example, here's the platform showing the file structure from an older Netgear R7000 wireless router's firmware:

And here's the output of Centrifuge's crypto analysis...note the public and private keys uncovered:


The most telling is the number of vulnerabilities uncovered (an amazingly scary number of command injections and buffer overflows in just one product's firmware) as shown here:

IoT poses formidable security threats to end consumers and businesses alike, and those of us in IT and security need to be paying attention. We simply cannot rely on IoT vendors to keep things in check. Instead, we have to find and resolve security flaws ourselves and establish compensating controls where possible. Clearly, there's a lot going on in terms of IoT; at least we have tools like Centrifuge coming to market to help us further the cause.
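As an added example (not Centrifuge's code, whose internals the post doesn't show), here is the kind of check behind "public and private keys uncovered": a Python scan of a raw firmware image for PEM-armored key material that flags private keys as critical so they can be pulled before the image ships. The firmware image and the key blocks it contains are constructed for the demo, not real material.

```python
import re
from typing import Dict, List

# PEM armor: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
# The backreference forces BEGIN and END labels to match, so a stray
# "-----BEGIN" left by a truncated file does not produce a finding.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+?)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

# Labels that mean secret material is baked into the image.
PRIVATE_LABELS = {
    b"RSA PRIVATE KEY", b"EC PRIVATE KEY", b"DSA PRIVATE KEY",
    b"PRIVATE KEY", b"ENCRYPTED PRIVATE KEY", b"OPENSSH PRIVATE KEY",
}


def scan_firmware(image: bytes) -> List[Dict[str, object]]:
    """Return one finding per PEM block found anywhere in the raw image.

    Works on the flat image, so it does not need the filesystem to be
    carved out first (compressed partitions would need extraction)."""
    findings = []
    for m in PEM_RE.finditer(image):
        label = m.group(1)
        body = re.sub(rb"\s+", b"", m.group(2))  # drop line breaks
        findings.append({
            "offset": m.start(),
            "label": label.decode(),
            "severity": "critical" if label in PRIVATE_LABELS else "info",
            "encrypted": label.startswith(b"ENCRYPTED"),
            "payload_bytes": len(body) * 3 // 4,  # approx. decoded size
        })
    return findings


def build_sample_image() -> bytes:
    """Constructed firmware image: filler, a path string, a fake private
    key, more filler and a fake certificate. Bodies are dummy base64."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n" + b"QUJD" * 16
                + b"\n-----END RSA PRIVATE KEY-----\n")
    fake_cert = (b"-----BEGIN CERTIFICATE-----\n" + b"QUJD" * 24
                + b"\n-----END CERTIFICATE-----\n")
    return (b"\x00" * 512 + b"/etc/ssl/server.key" + fake_key
            + b"\xff" * 256 + fake_cert + b"\x00" * 128)


if __name__ == "__main__":
    for f in scan_firmware(build_sample_image()):
        print(f"{f['severity']:8} offset=0x{f['offset']:06x} {f['label']}")
```

On a real image, run it over each partition after decompression and treat any "critical" hit as a shared secret that every device with that firmware carries.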

Monday, May 15, 2017

The real reasons behind the WannaCry ransomware

As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today is complicit in these challenges.
  • Outdated/unsupported operating systems are running. We are responsible.
  • Patches are not getting installed in due time. We are responsible.
  • People are clicking links and making other bad decisions. We are responsible.
  • Stuff is happening on the network, sight unseen. We are responsible.
  • Policies are ignored. We are responsible.
  • Unfunded mandates still exist. We are responsible.
  • Systems – even entire network environments – remain untested. After all, you can't secure what you don't acknowledge. We are responsible.
  • Underscoped and unauthenticated vulnerability scanning and penetration testing paints an inaccurate picture of the average security posture. We are responsible.
  • Incident response procedures remain undocumented. We are responsible.
  • Credibility and relationships are essential for mastering information security, yet we continue to focus on everything but that. We are responsible.
  • Information security continues to be seen as IT's problem. We are responsible.
I don't know how many more widespread breaches we'll have to endure but I do know that everyone has a hand in these challenges before us. We can continue down the path of promising that we are compliant and secure when we are, in reality, reacting aimlessly to everything that happens. I know that managing enterprise IT environments is not easy and I certainly don't envy anyone responsible for securing them. Still, there is so much that most organizations are leaving on the table. But, why?

Is it people protecting their territories under the guise of long-term job security? Perhaps it's lack of budget or management buy-in? Maybe it's an out-of-control user base continuing to not think before they act...?

Whatever it is, it needs to change. The criminal hackers and those supporting them are not going away. In fact, they look at issues such as the WannaCry ransomware outbreak as yet another reason they need to keep doing what they're doing. As the saying goes: change before you have to.

Monday, May 8, 2017

My CSO interview/story: What it takes to be an independent information security consultant

I'm very honored to have been interviewed recently for CSO Magazine about my background and what it takes to stand out - and survive - as an independent security consultant. Check it out here:

Thanks for the nice write-up, Bob Violino!