A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses. Epic fail. Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting…
Author: vanderaj
Security checklists are not bad, it’s how they’re used
There’s a meme that’s been running around the anti-PCI DSS crowd for a while, that’s starting to get good traction in otherwise sane infosec folks: (Paraphrasing) “Checklists don’t work.” Actually, PCI DSS is making inroads in containing data breaches. See for yourself. So what’s the big deal? Those who know me, know several things: I…
Passwords are neither free nor cheap
I don’t know how many clients over the last decade I’ve been trying to get this basic fact through their very thick business skulls, but here goes again: PASSWORDS ARE NOT FREE. PASSWORDS ARE NOT CHEAP. PASSWORDS ARE NOT SAFE. PASSWORDS ARE NOT ACCEPTABLE FOR HIGH VALUE DATA / APPLICATIONS. EVER. Vodafone has found this…
New laptop – Asus K52DR-EX143V
Much earlier this year, the Minister of War and Finance’s (hi Tanya!) old Dell augured in and bought the farm. First, Tanya spilt Milo (granulated malt) grains on the keyboard and this got under the key caps, causing the keys to stick. I tried cleaning it a couple of times, but many keys were never…
Top 2010 Defenses
I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me.) Defenses change the world. Defenses make software more secure – permanently, and…
E-mail bankruptcy 2010
I’m very sorry to do this – again – but I’m going to declare e-mail bankruptcy on Dec 31, 2010. I have failed miserably in keeping my personal inbox clear and replying to e-mails this year. That has to change as it lets a lot of good folks down. If you have sent mail to me and…
CPRS / ETS / “a price on carbon” is back. WTF!
The government never seems to learn. They nearly lost the election, they lost their previous leader, and the opposition lost their previous leader over a money-spinning taxation mechanism called “a price on carbon”. No second-order mechanism has ever succeeded in its intended effects, and they always have unintended consequences. Legislating first-order effects is simply much…
Arbib is a spy, or we are the 50-57th states of the USA
Mark Arbib, agent provocateur of the right wing ALP and one of those involved in the coup against Prime Minister Kevin Rudd, turns out to be a protected source of the United States. The Age calls Mark Arbib a “confidential contact” for the USA, but so was convicted spy Jean-Philippe Wispelaere. According to Wikileaks disclosure of…
Force.com secure code review howto Part 1
For those of you who have to review unusual platforms, here are my notes for reviewing apps coded in Apex and Visualforce. As I learn more, I might add some additional entries, but I’ve been so constrained for time for so long, don’t hold your breath. Terminology and Basics Force.com is Salesforce’s SaaS…
In defense of Microsoft’s SDL
Richard Bejtlich says on Twitter: “I would like fans of Microsoft’s SDLC to explain how Win 7 can contain 4 critical remote code exec vulns this month.” I am surprised that Richard – an old hand in our circles – can say such things. It assumes defect-free commercial code is even possible, let alone what…