You can't secure what you don't acknowledge.℠

Thursday, June 4, 2009

My new security vulnerability scanning service

Well, I'm officially on the SaaS market. I've just launched my security vulnerability scanning service for both basic external security scans as well as the PCI Council's mandated Authorized Scanning Vendor (ASV) scans.

Here's what I just posted on my Web site:
Whether you need to minimize your investment in information security and compliance, you're in need of an easy way to discover the low-hanging vulnerabilities, or you need help certifying your compliance with government regulations such as PCI DSS, HIPAA, and GLBA, I offer a managed security scanning service that can provide everything you need. You simply tell me which IP addresses you want to scan, tell me when you want them scanned, and pay for the scans up front. I'll run the scans and send you the results in a PDF report. You'll get up and running immediately. No hardware to set up. No licenses to buy. No systems to configure. No data center operational costs. No support costs. And no need to hire people with the right skill set to manage the process. Click here for more information on my security scan service.

Wednesday, June 3, 2009

Neat (and free) tool for finding Flash flaws

HP's Application Security Center recently released SWFScan - a standalone tool that decompiles Flash applications and searches for security holes inside the code. Very cool.

It's pretty surprising how many vulnerabilities Flash files can contain including XSS, embedded SQL statements, encryption keys, login credentials and more. Definitely worth downloading and taking it for a spin. Here's a screenshot of the interface and some findings:
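As an added illustration, and not SWFScan's code or anything released by HP, here is a small Python pass over a constructed, decompiled ActionScript 3 snippet that flags the kinds of findings the post lists: hardcoded credentials and keys, embedded SQL text, and flashvars (loaderInfo.parameters) flowing into navigateToURL or ExternalInterface.call, which is the pattern behind most Flash-based XSS. The sample source, the regexes and the rule names are assumptions chosen for this example; a real decompiler-backed scanner works on the SWF bytecode and covers far more cases.

```python
import re
from typing import List, Set, Tuple

Finding = Tuple[str, int, str]  # (category, line number, offending text)

# Constructed sample of decompiled ActionScript 3 (not real tool output).
SAMPLE_AS3 = """
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;
    import flash.net.navigateToURL;
    import flash.net.URLRequest;

    public class Main extends Sprite {
        private var dbUser:String = "appuser";
        private var dbPassword:String = "s3cr3t-pass";
        private var aesKey:String = "0123456789abcdef0123456789abcdef";

        public function Main() {
            var q:String = "SELECT * FROM users WHERE name = '" + dbUser + "'";
            var target:String = loaderInfo.parameters.redirect;
            navigateToURL(new URLRequest(target));
            ExternalInterface.call(loaderInfo.parameters.callback, "done");
        }
    }
}
"""

# Secrets and SQL that a decompiler recovers verbatim from the SWF's constant pool.
STRING_RULES = [
    ("hardcoded-credential",
     re.compile(r'\b\w*(?:pass(?:word|wd)?|pwd|secret)\w*\s*(?::\s*String)?\s*=\s*"[^"]+"', re.I)),
    ("hardcoded-key",
     re.compile(r'\b\w*key\w*\s*(?::\s*String)?\s*=\s*"[0-9a-f+/=]{16,}"', re.I)),
    ("embedded-sql",
     re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"', re.I)),
]

# Source: flashvars set by the embedding page (attacker-controlled on an open page).
ASSIGN_FROM_SOURCE_RE = re.compile(
    r'\b(\w+)\s*(?::\s*\w+)?\s*=\s*(?:root\.)?loaderInfo\.parameters\.\w+')
# Sinks that turn untrusted text into navigation (javascript: URLs) or a JS call.
SINK_RE = re.compile(r'\b(navigateToURL|getURL|ExternalInterface\.call)\s*\((.*)\)')


def scan_actionscript(source: str) -> List[Finding]:
    """Line-oriented scan of decompiled ActionScript; returns findings in source order."""
    findings: List[Finding] = []
    tainted: Set[str] = set()  # variables assigned directly from flashvars
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, rule in STRING_RULES:
            m = rule.search(line)
            if m:
                findings.append((category, lineno, m.group(0).strip()))
        m = ASSIGN_FROM_SOURCE_RE.search(line)
        if m:
            tainted.add(m.group(1))
        m = SINK_RE.search(line)
        if m:
            sink, args = m.group(1), m.group(2)
            from_flashvar = "loaderInfo.parameters" in args or any(
                re.search(rf"\b{re.escape(v)}\b", args) for v in tainted)
            if from_flashvar:
                findings.append(("flashvar-to-" + sink, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for category, lineno, text in scan_actionscript(SAMPLE_AS3):
        print(f"line {lineno:3d}  {category:<35} {text}")
```

The taint tracking here is deliberately one-hop (a variable assigned straight from loaderInfo.parameters, or the parameters object used inline at the sink); the point is to show why "XSS in a Flash file" usually means a flashvar reaching navigateToURL, getURL or ExternalInterface.call without validation, and why fixed strings such as keys and SQL are trivially recoverable from a SWF.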

Also, check out Billy Hoffman's video walkthrough of a Flash exploit. Watch it and you'll see that Flash poses some pretty serious security issues.

Secret list of nuclear sites released "by accident"

Apparently our Imperial Federal Government can't even follow its own rules for information privacy and security. It was just announced that a secret list of nuclear sites was released "by accident".

First of all, "accidents" are like "computer glitches" - there's almost always human error behind them. Do you see the irony here? How is heavily-regulated private industry to be expected to lock everything down when the very entity writing OUR regulations can't even protect their OWN information!?

The lost external hard drive at the National Archives a couple of weeks ago was one thing. But this!? We're talking about potential national security issues here (although they claim there aren't any). I'm sure the data leakage prevention vendors are going crazy now.


Tuesday, June 2, 2009

Great quote on how our minds work

Here's a great quote from Bill Meyer that helps reiterate just how powerful our minds really are:

"Every thought is a seed. If you plant crab apples, don't count on harvesting golden delicious."

It's critical to never lose sight of the fact that we become what we think about the most.