You can't secure what you don't acknowledge.SM

Friday, September 7, 2007

How secure is your law firm's extranet?

Do you work for a law firm that provides a client Web portal that houses extremely sensitive case information (or a similar system that lets clients manage their own data)? If so, chances are there are weaknesses in the system waiting to be exploited. Be it the commonly used SharePoint or any other commercial or home-grown system, all it takes for someone with ill intentions to create a problem is a weakness in the login mechanism or login requirements, poor input validation (letting JavaScript or SQL statements through), test files left loaded on the site - you name it - the possibilities are endless.

It doesn't matter if the application is "behind the firewall". It doesn't matter if it uses SSL for encryption. And it doesn't matter if all the software in use is patched with the latest hotfixes or service packs. The problems are at the application level and they're still there regardless of how hardened the environment is.
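To make the "application level" point concrete, here is an added example (my own illustration, not code from the original post or from any product it names). It assumes a hypothetical client-portal table called `clients` and shows the two input-handling flaws named above side by side with their hardened forms: a lookup that pastes the username into the SQL text versus one that binds it as a parameter, and a greeting that drops the username straight into HTML versus one that encodes it. No firewall, SSL certificate or OS patch changes the behaviour of any of these four functions.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an extranet database (assumption:
    a 'clients' table with a username and a case-notes field)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (username TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("jsmith", "Deposition scheduled"), ("O'Brien", "Settlement draft v2")],
    )
    return conn


def lookup_notes_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """'Before' form: the username is spliced into the SQL text, so any quote
    character the client types becomes part of the statement itself."""
    query = f"SELECT notes FROM clients WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_notes_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter and is treated as
    data by the database engine, whatever characters it contains."""
    query = "SELECT notes FROM clients WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_unsafe(username: str) -> str:
    """'Before' form: client-controlled text dropped straight into the page,
    so any markup or script in it is parsed by the browser."""
    return f"<p>Welcome, {username}</p>"


def render_greeting_safe(username: str) -> str:
    """Hardened form: encode for the HTML context so markup in the name is
    displayed literally instead of being executed."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def demo() -> dict:
    """Run both forms against a perfectly legitimate name containing an
    apostrophe: the spliced query is broken by it, the bound query is not."""
    conn = build_db()
    results = {}
    try:
        results["unsafe"] = lookup_notes_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["unsafe"] = f"query broke: {exc}"
    results["safe"] = lookup_notes_safe(conn, "O'Brien")
    # The 'before' form passes a happy-path test, which is exactly why it
    # survives functional QA and needs a security-minded test to surface.
    results["unsafe_happy_path"] = lookup_notes_unsafe(conn, "jsmith")
    results["html_unsafe"] = render_greeting_unsafe("<b>jsmith</b>")
    results["html_safe"] = render_greeting_safe("<b>jsmith</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `lookup_notes_unsafe` returns the right answer for `jsmith`; only an input that carries SQL metacharacters exposes the defect, which is the kind of case a manual tester tries and a happy-path acceptance test never does.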

I bring this up because it's so easy for business managers to Web-enable anything and everything to woo their clients/customers. I'm seeing these types of Web vulnerabilities more and more. Business apps are cropping up on the Internet all the time - especially in the legal field. A lot of them are not being tested for security vulnerabilities in the slightest way. OK, some are being scanned with whatever freeware security scanner the network admin is familiar with, but that's not enough - not even close! Commercial OS and Web application scanners and - more importantly - manual testing are required to really figure out how Web portals such as this can be exploited.

There are so many complexities and variables in Web applications which, again, is one of the reasons I love testing software (see my related post on this). If you've got a law firm extranet or some other type of Web portal housing information you can't afford to have compromised, you've got to look at the environment from a malicious attacker's perspective. Test and test again - now and for as long as the system is publicly accessible. The Web application flaws will eventually be found by someone - might as well be you!

Thursday, September 6, 2007

Is it too much to expect the best?

There's something that's coming up more and more that I'm building a stronger opinion about each year. It's expecting the best of ourselves and others. We're coming to a point in our society where it's inappropriate, offensive, and politically incorrect to demand the best from ourselves and others in literally every aspect of our personal lives and our careers. This is especially true in our society where those who prove that hard work makes luck are actually looked down upon. [Hmmm - teachers' unions and government schools come to mind - but back to my point.]

You hear people say things like "Wow, that lady did what she said she was going to do! What a stand-up professional..." all the time. Are you serious!? Does doing what you say you're going to do deserve such praise? Not really, but I can understand why it's happening. It's sad but true that many people don't even do the basics they commit to doing (or are expected to do), much less put in the extra work to under-promise and over-deliver.

What I'm trying to say is that the levels of mediocrity in society and business give those of us in IT and information security a chance to really stand out above the noise. All it takes is to do what we say we're going to do and then put in some extra effort to really excel. Want to see it work? Commit to yourself now that you're going to take some risks and go the extra mile. Give it a try - you may not notice the immediate benefits, but you'll be amazed what it will do for you long term.

Wednesday, September 5, 2007

Why I love testing Web applications

I get the question "What part of security do you like the best?" quite often. The first part of my response is always "security testing". Any given network has lots of weaknesses - regardless of how much it's locked down - and I love trying to find and point out all the flaws. [My wife used to say I was really good at pointing out others' flaws, but I've since worked past that personality quirk. It is an interesting tie-in though. ;-)]

The second part of my response to this question is "Web applications!". Earning a living performing security assessments, I've seen - and still do see - a lot of vulnerabilities across a lot of operating systems, wireless networks, and network infrastructure devices. The thing is that most of these vulnerabilities are pretty predictable. Missing patches here - missing passwords there - unhardened systems everywhere. Beyond these basics, as of late I'm really growing to enjoy performing Web application assessments. Here's why:
  1. They're all different
  2. They're ever changing
  3. They can be extremely complex (read: more chances for security problems)
  4. There are no real standards for locking them down like there are for operating systems, wireless, etc. because they're all so unique
  5. There's no way that all developers are going to think to secure everything
  6. Much to the chagrin of executives and even certain developers, no firewall in the world is going to protect against poor application logic!
  7. There are a lot of great Web application scanners including some free ones to help take the pain out of the testing process. [Web vulnerability scanners won't find everything though! They're only about 50% of the equation. Human context and reasoning picks up where they leave off.]
The bottom line is that Web applications are almost always riddled with security problems that someone, somewhere didn't think about along the way. So, if you want to know what area of security to focus on over the next...oh, decade, you can't go wrong with Web applications. They're here to stay, and they're out there full of holes waiting to be found and plugged.

Welcome to my new blog!

It's taken some time to put the technology together, but I've finally done it! I'm officially on the blog bandwagon. Still building out some functionality - but the basics are up and running.

What I talk about here ties in with my Security On Wheels audio programs. Thanks for checking in and joining me in this adventure. Many security opinions, commentaries, and insights to come!