You can't secure what you don't acknowledge.SM

Friday, April 1, 2011

Web security tidbits on developers, leadership, weak passwords & more

Here are a few pieces I've written recently on Web application security that you may be interested in... things that affect each and every one of us working in IT and infosec:

I wouldn’t want to be a developer these days

Don’t overlook the importance of authenticated testing

You can’t change what you tolerate

Testing for weak passwords: a common oversight without a great solution

How often should you test your web applications?

Notable changes in the PCI DSS 2.0 affecting Web application security


Also, be sure to check out for all of my information security articles, podcasts, webcasts, screencasts and more.

Time management + getting over your job title in IT

Here are some IT career bits I wrote for TechTarget's that you may be interested in:

Time management strategies for the IT pro

Your title is worthless; your value is priceless

This is the best time ever to focus on these things.


Monday, March 28, 2011

A quick review of WebInspect 9 shows HP's still got it

It's been a long time coming but it's finally here: HP's WebInspect version 9. I've been using WebInspect for nearly 10 years now and I believe this new version of WebInspect is one of the most significant upgrades they've put out. They've essentially taken what was already one of the best Web vulnerability scanners and have made it better, especially when it comes to workflow and streamlined usability.

A few things I think you'll like about WebInspect 9 include:
  1. A Review Vulnerability feature which allows you to retest specific vulnerabilities without having to run a full scan again. Nice.
  2. A Steps feature which shows the pages/steps the scanner took to reach the vulnerability. Good for reproducing the flaw to exploit it manually and good for developers/QA pros to see how the scanner did what it did.
  3. Streamlined macro recorder. It may take some getting used to but I think it's better overall.
  4. A tab feature to Close All, Close This, Close All But This when you have multiple scans open. I know it sounds a bit trite but little things like this matter a lot over time.

Speaking of usability, the scanner seems faster too. Maybe it's just that I've finally realized the horsepower and torque needed to run such tools.

In addition, I've found that WebInspect 9 has gotten better at finding - and confirming - cross-site request forgery (CSRF) vulnerabilities. In fact, when running WebInspect 9, it found some legitimate CSRF flaws that WebInspect 8 wasn't able to uncover running a scan with the same parameters. You don't want to rely on a scanner alone to find all CSRF-related flaws, and you'll want to validate such findings through manual analysis and/or a tool like CSRFTester (which is something you should check out if you haven't already). That said, it is nice to see that Web vulnerability scanners are getting better at ferreting out session-related flaws.

Also, SWFScan (HP's standalone Flash vulnerability scanner) is now integrated into WebInspect along with the traditional tools. As with HTTP Editor and SQL Injector, just right-click on a specific Flash vulnerability, select SWFScan and off it goes.

My least favorite thing about WebInspect 9 is that it marks yet another milestone representing the loss of even more former SPI Dynamics employees and long-time colleagues and friends. Working with such a vast group of development, QA and product management professionals who are so on top of their game gives me hope in software security and shows that software can be made top notch when the right resources are put forth. It also shows that software vendors ARE listening to what people say, so don't hesitate to provide any feedback you may have. It'll make a better product for all of us.

Keeping in mind all the things I've said about vulnerability scanners, WebInspect 9 is definitely worth checking out.