You can't secure what you don't acknowledge.SM

Friday, September 24, 2010

Want to be a security expert? Just start a blog & a Twitter account

I find it intriguing how many security experts there are on the Web with zero credentials to back it up. I especially see this with former journalists and reporters turned infosec pundits. It seems that so many of these people who used to write for newspapers and computer magazines have suddenly changed their focus now that security's all the rage. Maybe it's the job market? A friend told me recently that he believes why these people are cropping up everywhere is because they're unemployed and trying to stay connected. Maybe so...

Don't take this the wrong way, I know you can eventually become an expert in something by diving in and getting your hands dirty over an extended period of time like I talked about here and here. But does throwing up a blog and having a Twitter presence without any real education, training or field experience count? Just because you're good with words and maintain a strong online presence doesn't automatically make you an expert in anything.

Maybe I'm missing something.

Tuesday, September 21, 2010

Just run down the checklist - that's "good enough"

No offense to my auditor friends/colleagues and all the hands-on auditors of the world who DO know their stuff...Here's a new piece I wrote about one of the greatest impediments to reasonable information security in business today:

Why do so many people buy into “checklist” audits?

...goes back to the compliance crutch mentality that my colleague Charles Cresson Wood and I wrote about last year. Time to move on?? Looking at how we treat other things involving risk (automobiles and healthcare come to mind) I suspect we never will.

As the saying goes, good enough hardly ever is.

Monday, September 20, 2010

With this tool there's no excuse to not analyze your source code

A few months back I wrote about Checkmarx's CxDeveloper source code analysis product. Well, I've had some more recent source code analysis experience with the tool and thought I'd write a follow up piece.

I'll start by saying that I can't stress how cost-effective this tool is for performing source code analysis...esp. when similar products cost MUCH more. Granted, I haven't performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
  • hard-coded cryptographic key and password string (ouch!)
  • SQL injection
  • cross-site scripting
  • file manipulation
  • path traversal
The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.

CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn't think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3 GB. I tried it anyway and the product ran just fine.

CxDeveloper simply finds stuff in your source code that you're not going to find otherwise at a small fraction of the competition's licensing fees. And it's very simple to use...there's not much to it at all. Maybe I'm missing something but it seems like a winner to me - especially in a product segment that's struggled to get off the ground yet has so much to offer.
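As an added illustration (not Checkmarx code and not from the original post), here is a minimal Python pass over a constructed source snippet that does three of the things described above: counts lines of code, flags hard-coded credentials and crypto keys, and flags SQL statements built by string concatenation or formatting, the kind of defect a black-box scanner cannot see from outside. The sample module, regexes and function names are assumptions of mine.

```python
import re

# Constructed sample source (not from the page): a small Python module carrying
# the kinds of defects the post says source analysis found that a scanner missed.
SAMPLE_SOURCE = '''\
# user lookup module (constructed example)
DB_PASSWORD = "Tr0ub4dor&3"            # hard-coded credential
AES_KEY = b"0123456789abcdef"          # hard-coded crypto key

def find_user(db, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"   # SQL built by concatenation
    return db.execute(query)

def find_user_safe(db, name):
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))   # parameterised
'''

# Assignment of a quoted literal to a credential- or key-like variable name.
SECRET_RE = re.compile(
    r'(?i)^\s*(\w*(?:password|passwd|pwd|secret|token)\w*'
    r'|(?:api|aes|private|crypto|encryption|signing)?_?key)\s*=\s*[rbu]?["\'][^"\']{4,}["\']')

# A SQL statement literal that is concatenated, %-formatted, .format()-ed or an f-string.
SQL_BUILD_RE = re.compile(
    r'(?i)\bf["\'](?:select|insert|update|delete)\b'
    r'|["\'](?:select|insert|update|delete)\b.*?["\']\s*(?:\+|%|\.format\()')

def count_loc(src):
    """Lines of code: non-blank lines that are not pure comments."""
    return sum(1 for line in src.splitlines()
               if line.strip() and not line.lstrip().startswith("#"))

def analyze(src):
    """Return {'loc': int, 'findings': [(line_no, category, stripped_line)]}."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        if SECRET_RE.search(code):
            findings.append((no, "hard-coded secret", code.strip()))
        if SQL_BUILD_RE.search(code):
            findings.append((no, "sql injection", code.strip()))
    return {"loc": count_loc(src), "findings": findings}

if __name__ == "__main__":
    report = analyze(SAMPLE_SOURCE)
    print(f"{report['loc']} lines of code")
    for no, cat, text in report["findings"]:
        print(f"line {no}: {cat}: {text}")
```

Run as-is it reports 7 lines of code, two hard-coded secrets (lines 2 and 3) and one SQL injection (line 6), while the parameterised query on line 10 is left alone.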

For further reading on source code analysis, here are some articles I've written on the subject:

Essentials of static source code analysis for Web applications

Eight reasons to do source code analysis on your web application

What to do after penetration testing: source code analysis

Be careful what you ask for

Richard Carlson once said "Be careful what you ask for....sometimes your life is pretty darn good exactly the way it is." He went on to say "Think carefully through what it is you think you want, because you just might end up getting it, which is often more than you bargained for - more frustration, more grief, more travel, more responsibility, more conflict, more demands on your time, and so forth."

These words can apply to so many facets of IT and information security. Keep this in mind especially if you're searching for a job or thinking about changing careers...or if you're assuming the grass will somehow be greener on the other side. Maybe yes, maybe no.

On a related note regarding time management, it's easy to overlook the fact that when we take on something new we have to give up something else. There's only so many of us to go around. Good example of less is more - especially when it comes to having peace of mind.

Silent tyranny in the name of "cybersecurity"

I just finished a new article on the Cybersecurity Act of 2009 (a.k.a. Rockefeller-Snowe Cybersecurity Act or S. 773) and the equally scary Protecting Cyberspace as a National Asset Act of 2010 (a.k.a. Lieberman-Carper-Collins or S. 3480).

Goodness gracious folks. Have you read these pieces of legislation yet? Are you tracking what's going on?

There's some serious government control headed our way if we sit back and let politicians force these policies and ideals on us. Not that we haven't experienced some serious lashing since January of 2009, but every single business here in the U.S. will be affected by this additional government control in some capacity...ditto with those of us working in the field.

I'll post the article once it's published...and I know I'll have a lot more to say about this in the coming months. In the meantime, here's to limited government and more personal (and business) freedom!