Recently, RSA was attacked by adversaries who targeted their two-factor authentication fobs. These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way. RSA chose not to discuss the details of the attack,…
Category: Security
Time for something new
As many of you have probably noticed by now, my larger than life frame is not at AusCERT 2011. This is a shame as it is sounding like one of the best AusCERTs in the history of AusCERT. There are a couple of reasons for my absence – flu and the strange case of the disappearing job. My services at…
Upcoming speaking engagements – AusCERT and iTSMF
I am scheduled to talk or give tutorials at a couple of places so far this year. At AusCERT I am giving a two day Secure Coding tutorial using OWASP’s Application Security Verification Standard. This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design…
OWASP Podcast 82 – Authorship of OWASP Top 10 2007
Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money has been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be…
Need a secure code review? We have slots available
I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. 🙂 We have open slots in our schedule for secure code reviews starting from mid March 2011. We perform our code reviews against the OWASP Application Security Verification Standard Level 2B – Automated…
Take Two on Top 10 2010 Security Defenses
A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses. Epic fail. Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting…
Force.com secure code review howto Part 1
For those of you who have to review unusual platforms, here are my notes for reviewing apps coded in Apex and Visualforce. As I learn more, I might add some additional entries, but I’ve been so constrained with time for so long, don’t hold your breath. Terminology and Basics: Force.com is Salesforce’s SaaS…
In defense of Microsoft’s SDL
Richard Bejtlich says on Twitter: I would like fans of Microsoft’s SDLC to explain how Win 7 can contain 4 critical remote code exec vulns this month I am surprised that Richard – an old hand in our circles – can say such things. It assumes defect-free commercial code is even possible, let alone what…
Risk Management 103 – Choosing Threat Agents
A key component in rating a risk is WHO is going to be doing the attack. The above image is from the excellent OWASP Top 10 2010, and I will be referencing this diagram a great deal. We’re talking about the attackers (threat agents) on the left today. So you’re busy doing a secure code…
Risk Management 102 – when is a high a high
There are a lot of consultants (and clients) who know little to nothing about proper risk management. This is not their fault – it was never taught at computer science or most similar courses. If you get good at it, you’re unlikely to be a developer or a security consultant. That’s a shame, because risk management…
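The two risk management excerpts above (choosing threat agents, and when a high is a high) both turn on the same point: the same weakness rates differently depending on who is attacking it. As an added example, not code from the original posts, here is the OWASP Risk Rating Methodology (the one behind the OWASP Top 10 2010 diagram) applied to one weakness against two candidate threat agents. The factor names, the 0-9 scales and the severity matrix are the methodology’s; the weakness, the two agent profiles and every score are constructed for illustration, and that these posts follow that methodology is my assumption.

```python
# Added example, not from the original posts: rating one weakness against two
# different threat agents with the OWASP Risk Rating Methodology. Factor names,
# the 0-9 scales and the severity matrix are the methodology's; every score
# below is a constructed sample, not data from the page.
from statistics import mean

# Likelihood side: four threat-agent factors plus four vulnerability factors.
# Impact side: four technical and four business factors. All scored 0-9.
VULNERABILITY = {               # constructed: an easy-to-find injection flaw
    "ease_of_discovery": 7,
    "ease_of_exploit": 5,
    "awareness": 9,             # 9 = public knowledge
    "intrusion_detection": 8,   # 8 = not logged, so nobody would notice
}
TECHNICAL_IMPACT = {"confidentiality": 7, "integrity": 7,
                    "availability": 5, "accountability": 7}
BUSINESS_IMPACT = {"financial": 7, "reputation": 5,
                   "non_compliance": 7, "privacy": 7}

# Two candidate threat agents for the same weakness (constructed profiles).
INTERNET_SCANNERS = {"skill_level": 3, "motive": 1, "opportunity": 9, "size": 9}
PARTNER_USERS = {"skill_level": 5, "motive": 4, "opportunity": 4, "size": 2}


def band(score):
    """0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH, per the methodology."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity from the methodology's matrix, keyed (impact, likelihood).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}


def rate(threat_agent, vulnerability=VULNERABILITY,
         technical_impact=TECHNICAL_IMPACT, business_impact=None):
    """Return likelihood, impact and overall severity for one threat agent.

    Likelihood is the average of the eight likelihood factors. Impact uses
    the business factors when they are known, otherwise the technical ones,
    which is the methodology's recommendation.
    """
    for factors in (threat_agent, vulnerability, technical_impact, business_impact or {}):
        for name, score in factors.items():
            if not 0 <= score <= 9:
                raise ValueError(f"{name}={score} is outside the 0-9 scale")
    likelihood = mean([*threat_agent.values(), *vulnerability.values()])
    impact_factors = business_impact if business_impact else technical_impact
    impact = mean(list(impact_factors.values()))
    return {
        "likelihood": likelihood,
        "likelihood_band": band(likelihood),
        "impact": impact,
        "impact_band": band(impact),
        "severity": SEVERITY[(band(impact), band(likelihood))],
    }


if __name__ == "__main__":
    for name, agent in (("internet scanners", INTERNET_SCANNERS),
                        ("partner users", PARTNER_USERS)):
        r = rate(agent, business_impact=BUSINESS_IMPACT)
        print(f"{name:18s} likelihood={r['likelihood']:.2f} ({r['likelihood_band']}) "
              f"impact={r['impact']:.2f} ({r['impact_band']}) -> {r['severity']}")
```

With the constructed scores the same flaw comes out Critical against anonymous internet scanners (likelihood 6.375, HIGH) and High against a small population of authenticated partner users (likelihood 5.5, MEDIUM), with impact unchanged at 6.5 in both cases. That is the whole point of picking the threat agent deliberately: the impact side does not move, the likelihood side does, and that is what decides whether a high is really a high.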