You can't secure what you don't acknowledge.SM

Wednesday, May 25, 2011

Web appsec compliance & low-hanging fruit - it's all up to us!

Here are some recent pieces I wrote on Web application security common sense for my colleagues at Acunetix that you may be interested in:

But Compliance is Someone Else’s Job!

Low-hanging fruit becomes big news with the 2011 Verizon Data Breach report

Going Beyond Confirmed Web Security Flaws


As always, be sure to check out for links to my 500+ articles, whitepapers, podcasts, webcasts, books and more.

Texas Comptroller's Office IT woes = security breach

Here's a Dallas Morning News story I was interviewed for - interesting IT woes in the Texas comptroller's office:

Texas comptroller’s tech office had high turnover, employee complaints before breach

Thanks go out to Kelly Shannon and my colleagues over at for getting me involved.

If you don't have NetScanTools Pro v11, you're missing out

It's been a long time coming but the latest incarnation of one of my favorite network/security tools - NetScanTools Pro v11 - is out. Kirk Thomas at Northwest Performance Software has done a bang-up job on the user interface in the new version...something that's gotten better - albeit slowly - over the years. Not that I could do any better - I can't imagine having to know network protocols at this level AND be good at UI design at the same time. ;) Anyway, here's a sample of the new user experience:

NetScanTools Pro v11 also has the following new features that stood out to me:
  • support for IPv6 (pretty cool, now we just need businesses that use it!)
  • SNMP Scanner (which has an SNMP dictionary attack tool for cracking community strings for further system enumeration)
  • Connection Monitor (a neat tool that listens for incoming connections - great for all sorts of network and security stuff)
The Promiscuous Mode Scanner (for finding sniffers on the network), Packet Generator (for, well, generating network packets) and Email Validate (for email testing) tools are nice as well.

Probably the most under-rated tool of all developed by Northwest Performance Software is the Switch Port Mapping Tool which can help take the pain out of figuring out what's where.

I'm not crazy about the lack of automation during the initial setup and licensing process when getting NetScanTools Pro up and running. That said, Kirk was very responsive with the registration code I needed to complete the process.

For $249 ($299 for the portable USB version) there's no reason to *not* have an all-in-one network toolset like NetScanTools Pro. The time savings and convenience factors alone that come with having the tools you need in one location will pay for the program over and over again. Check it out.

Monday, May 23, 2011

Sony PlayStation discussion download

In case you missed our Sony PlayStation Security Fiasco roundtable discussion last week, here's a link to the MP3 recording.


Recap of TechEd 2011: more of the same, but you need to go

Given that TechEd was held in my neck of the woods this year I couldn't resist the opportunity to check it out. It's funny, I've been working with/around Microsoft products for some 22 years now and I've *never* attended this show. Maybe it's my ingrained Novell bigotry that I've yet to shed.

My main goal was to catch up with some clients and see the latest happenings with Security Compliance Manager (SCM). I say that because I'm working with Microsoft on the development of this product and wanted to see/hear the team cover the new version 2.0 currently available as a CTP. If you're not familiar with SCM, you really should check it out; it's a good tool/resource that can help you fine-tune your configuration baselines for various Microsoft products (Windows, SQL Server, IE, etc.). I know security standards are boring and unsexy but, seriously, how are you going to support your policies, please your auditors and manage your risks otherwise?

I also spoke with some other clients and colleagues at/after the show who said they grew tired of Microsoft's cloud push all week. Oh well, TechEd is as much about marketing Microsoft as anything else, no? And given the money they must drop on such an event, can you blame them? That said, I did hear from a few people that they loved the technical detail of some of the sessions. It reminded me of when I used to do network administration/management early on in my career and attended Novell's BrainShare conference. Going to that show every year and hearing/seeing the technical details of Novell's software that weren't available otherwise no doubt made me a sharper IT guy. The same goes for TechEd - if you're hands-on with Microsoft products on a daily basis (really, who isn't in IT?) then you really need to check it out.

Overall, the conference was not all that different than other IT/security shows. You know how the marketers and bloggers often make things out to be new and exciting and then once you're there you see that's not really the case...? TechEd was the same old type of show we've all attended: tons of vendor glitz, tons of sessions (some good, some bad) and tons of information that the human brain is really not capable of absorbing in such a short period of time (at least not my feeble brain)...but it was still worth it.

Attending TechEd made me realize that I need to keep attending TechEd. If anything, just so I can keep up with the current tools, products and trends from Microsoft and see everything up close. The vendor tchotchkes aren't bad either. Maybe I'll see you there next year?