<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Microsoft Enables Drive-By Downloads in Firefox</title><description>2009-05-23 06:23:45 - 360 Security : Chris Sullo has a post out over on the HP Security Labs blog on his experience downloading Google Chrome. He clicked and it was installed: no download prompt, no installer, nothing. I actually experienced it this morning before I left my apartment, but in my haste said I'd wait until tonight to explore further. I really thought I was going crazy; I'm glad to know that I'm not, or at least not in this case. I don't know if horrified is a strong enough word to express how this makes me feel. Shocked, disgusted, sorry I've ever defended Microsoft in the past: these are a few things that come to mind. Not only did they undermine the security of Firefox, they've destroyed my trust in them. How will I ever feel comfortable accepting another Microsoft update? After all, that's how .NET came to be installed on my computer. Had I gone and downloaded it, sure, but I didn't. I did what we in the security industry tell every individual to do: I installed my available updates. I even reviewed them, but there was no note that read "CAUTION: This will decrease the security of your computer". Microsoft has managed to successfully allow drive-by downloads in Firefox. My skin is crawling and unfortunately, if my wife is at home browsing right now, my computer probably is too.</description><link>http://www.secuobs.com/revue/news/100818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/100818.shtml</guid></item>
<item><title>Adobe Responds To Criticisms About Its SDLC</title><description>Secuobs.com : 2009-05-21 00:07:57 - 360 Security - Adobe had a turbulent start this year and in response to cries from its disgruntled users, Adobe security has announced several strategic moves. This blog post from Adobe describes the three much-needed things Adobe will be doing to improve security for their popular Reader and Acrobat products. First, Adobe's existing secure product development standards will now also be used against their existing/legacy code base. Second, Adobe now promises quicker and more in-depth security incident response mechanisms. Finally, Adobe will be moving to a regular patch release cycle. The three initiatives essentially mirror what we have come to know and appreciate about Microsoft's security processes. About a decade ago, hit by bad press and poor industry reputation, Microsoft embarked on a similar but grander vision. The result of that effort is that today Microsoft is the leader when it comes to managing the enterprise security development lifecycle. These initiatives are a great start for Adobe to begin rehabilitating their image. These initiatives go a long way, but they are still missing a few important components. First, Adobe needs to learn how to rein in the bug finders. Both critical security incidents with Adobe so far in 2009 have involved situations where proof-of-concept code was made public before Adobe could repair the bug. Letting bug exploits out into the wild set Adobe back on their heels and left IT security groups in a reactionary mode trying to cover their security assets without much help from Adobe. Second, enterprise IT shops could benefit greatly from centralized tools that allow for product policy changes. If Adobe published means and methods to disable product functionality using Active Directory group policies, then IT would be in a better position to respond and implement policy-setting changes. Finally, JavaScript bugs riddled Adobe products in 2008 and in 2009. It would behoove them to consider disabling JavaScript by default. The long string of critical bugs in Adobe products has disappointed me, among many others. The bugs, coupled with poor company communications and difficult to deploy mitigation steps, have made the last six months ever more trying in our security team. Going forward there will be 2 key metrics of Adobe's successful implementation of their new security program. First will be the obvious: fewer security holes. The second indicator will be when Adobe has successfully convinced the bug finders to disclose holes to them instead of publishing them online. The bottom line is that the changes announced today by Adobe are welcome and we all hope that Adobe sees immediate improvement across their install base.</description><link>http://www.secuobs.com/revue/news/99642.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/99642.shtml</guid></item>
<item><title>FBI Citizens' Academy, Week 5</title><description>Secuobs.com : 2009-05-20 19:12:30 - 360 Security - Week 5 of the FBI Citizens' Academy was mostly dedicated to counterterrorism. First we received an overview of the counterterrorism program from the local assistant special agent in charge for the counterterrorism group. The number 1 priority of the FBI is to protect the United States from a terrorist attack. This includes protecting US interests and citizens both locally and located abroad. We learned about the joint terrorism task force (JTTF) that is made up of federal, state and local law enforcement personnel. The JTTF acts as an integrated investigative force to combat domestic and international terrorism. Here in the Bay Area we also have a northern California regional intelligence center, also referred to as a fusion center. After the overview, speakers led the class through 2 separate case studies. The first, of domestic terrorism, related to individuals harming local university professors that worked in areas where animal testing is involved. The second case study demonstrated a case of international terrorism. In this second case, a local Bay Area resident was found supporting terrorists on foreign soil by monetary means. The evening ended with a quick discussion of InfraGard. InfraGard is a partnership between the FBI and the private sector for information sharing and analysis. The partnership works towards preventing hostile acts against the United States.</description><link>http://www.secuobs.com/revue/news/99503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/99503.shtml</guid></item>
<item><title>Some Thoughts on the OWASP Top Ten</title><description>Secuobs.com : 2009-05-19 22:03:32 - 360 Security - Over the past few weeks, I've been looking at the OWASP Top 10 and thinking back to my time spent as the Sys Admin for a SMB. As the technical resource at the company, web app development also fell on my shoulders. This wasn't simply building the company website; as I worked for a marketing company, this included full blown web applications for clients. Now prior to joining nCircle, I lived and breathed security; it was and still is my passion. This isn't the case for Sys Admins and developers at other SMBs and even larger enterprises. Security is often an afterthought, sometimes a "way-afterthought". For these people, the ultimate resource to turn to is the OWASP Top 10, the ten most pressing concerns in web application security decided on by experts in the industry. The OWASP Top 10 "represents a broad consensus about what the most critical web application security flaws are" and the people at OWASP "urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws". I don't disagree with this; if everyone takes the steps to prevent these flaws, we'll have a safer online world. That being said, given the OWASP stated purpose of the Top 10, I don't feel that it is written to best represent everyone who uses it. The Top 10 often feels as though it is written by industry experts for the rest of the industry. This isn't, in my mind, what the document was intended to do. The Top 10 may be referred to by pen testers or web application researchers as a reference, but its primary goal is to raise awareness and provide assistance to developers. Many of these developers aren't security oriented and simply write code: look at the colleges and universities, they have programs pumping out plenty of web developer grads who have never seen a course on secure coding. Usability is number one in many of their projects. It is these people that I feel the Top 10 fails; it doesn't give them something they can easily work off, and to me that should be the primary goal of a project such as this. Let's take a look at two scenarios. Scenario #1: Imagine you work for a small marketing company with less than 30 employees. You are the sys admin with all the regular sys admin duties; however, you are also tasked with the responsibility of building web applications and/or web sites for customers and for use within the company. You have limited time and take the OWASP Top 10 as your guide to securing the application you are building. You aren't security oriented and someone pointed you toward the document. If you first tackle A1 (XSS) you'll read the following: "Cross-site scripting, better known as XSS, is in fact a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content." You follow the advice of "Ensure output is passed through htmlentities or htmlspecialchars" and continue on to the next line item, A2 (Injection Flaws). Here you read this description: "Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injections: SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection and many more." As stated, you aren't a security person; this is a job that you ended up in, but one of the things you notice is the mention of HTML Injection. Why does that sound familiar? Oh yeah, A1 was a subset of HTML Injection; well, I've protected against A1, that must mean I'm good here, and you move on to A3. STOP. How about we look at the other types of injection, perhaps SQL Injection, and protect against those as well? Right now, reading this, you are thinking that no one would ever do that, but it happens. Now why does it happen? A1 is XSS and A2 is Injection Flaws. XSS is a subset of HTML injection, which is a child of Injection Flaws, yet it's also been made a peer of Injection Flaws. There is a logic flaw that exists here and it is enough to cause confusion for many people. Scenario #2: Now let's imagine that you are an enterprise with separate teams for Development, System Management and Security Auditing. Company policy states that audits must be done before Web Applications go into production and again immediately after going into production. The criteria for the audit is defined by the OWASP Top 10. Development and QA have done their part and the application is audited internally. The application passes audit (no vulnerabilities according to the Top 10) and is sent off to System Management for deployment. The system is deployed and a follow-up audit is performed. Again no issues are found and the web app is live. Two months later a report comes in that your web app has been blacklisted for serving malware. An investigation ensues and sure enough, live malware is being distributed; the website is pulled down and forensic investigation reveals that a flaw in the server software was used to upload malware to the server. If the auditing team had been using the 2004 edition of the Top 10, they would have discovered this flaw; however, Insecure Server Configuration was removed from the 2007 edition of the list. Now as I said, I've been considering the Top 10 for quite some time, and both of these potential situations have caused me some concern. Last week I started to consider this write-up on the subject and instead decided to contact the Top 10 mailing list to discuss these issues. While the re-addition of Insecure Server Configuration seems to have been well received, the problem that I see in XSS and Injection Flaws has not. I understand that the people responsible for this list are considered industry experts and I don't mean to slight anyone by making the suggestion that the current list is flawed. That being said, since a new version of the list is planned, that means the current iteration isn't perfect and that there is room for improvement. I believe that this area is one of the areas where improvement can be achieved, but I'm not so full of myself to think that because I believe it, it must be true. I fully understand that in the past, it made sense to distinguish between XSS and SQL Injection; they were two major issues that needed recognition. I'm not sure though that the categories XSS and Injection Flaws properly represent the issues at hand. With more and more people referencing the Top 10 and the PCI Security Council leaning heavily on it to define web related portions of the PCI-DSS, I feel we need to make it as clear and concise as possible. That being said, there are three ideas that I feel more properly describe this situation: 1. Drop Injection Flaws from the list; if the important items are XSS and SQL Injection and we don't want to combine them for fear of a loss of importance, then why lump SQL Injection in with anything? XSS and HTML Injection are closer than SQL Injection and HTML Injection, yet they are not defined in that way. So A1 would be XSS and A2 would become SQL Injection. 2. Merge XSS into Injection Flaws. Make Injection Flaws A1, leaving A2 open for the current "risk du jour", and lump them together in a way that makes them technically accurate and easier to understand. 3. Create the OWASP Top 20, or two separate Top 10 lists: one that identifies the buckets of larger groupings (Injection Flaws) and the other that identifies the specific vulnerability classes (XSS, SQL Injection, etc.). As I said, this didn't receive the warmest welcome on the OWASP Top 10 list, but I can't help but wonder if it's a matter of the experts not being able to place themselves in the shoes of the people using the list. This is a common and easily made mistake in our industry; we become so comfortable and familiar with the material that, while it makes sense within our own grouping, we forget that the material needs to be referenced and acknowledged by people that don't live with our mindset.</description><link>http://www.secuobs.com/revue/news/98408.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/98408.shtml</guid></item>
<item><title>Why Common Risk Scores Matter</title><description>Secuobs.com : 2009-05-14 19:00:05 - 360 Security - The date is May 12th 2009 and you are a mild mannered IT manager anticipating a single bulletin from Microsoft and a possible update from Adobe. The team has their assignments; their computers are locked and loaded. The team is ready to execute on the planned patch release mechanisms. At 10AM Pacific Microsoft releases their patch on time. The single bulletin is the anticipated bug fix for the PowerPoint vulnerability. Some members of the team are a bit agitated by the high CVE count and the lack of updates for the OSX Office platform. You are able to quickly refocus the team and move forward. Hours later, rumors hit that not only did Adobe publish their fix, but also Apple released a new revision of their operating system. In fact both of these things happen and OSX 10.5.7 includes fixes for 67 vulnerabilities. Together the Apple, Adobe and Microsoft patches account for 83 CVE fixes. Now the team is seriously disheartened. Your job is to draw the group together, review the unexpected workload and set priorities. Did I mention that because of the economy, your team is now smaller, but doing just as much, if not more, work? Microsoft produces their risk categorization, Adobe employs yet another risk methodology and Apple also defines bugs in their own way. The lack of any common metric across the three vendors, in combination with the additional calculus needed to accommodate your internal risk equations, equals uncertain resource drain. On any normal Microsoft patch Tuesday, most enterprise IT teams have their risk calculators in hand and resources at the ready. Some teams split up the duties between client and server vulnerabilities. Others take the highest risk first no matter where the bug lies. Either way, the security team adapts in order to deal with the Microsoft specific criticality ratings and their exploitability index. The same thing ensues on an Oracle CPU day. And even when smaller vendors like Adobe release bug fixes, most enterprises know how to massage the vendor specific risk data into their own risk profile equations. This data manipulation is a completely avoidable step. CVSS (Common Vulnerability Scoring System) version 2 was finalized two years ago. Even before that, CVSS v1 was in play for a number of years. While everyone recognizes that there are some shortcomings with the standard, it is nonetheless a common means to reliably communicate information about risk. It enables vendors to consistently distribute quantifiable information to enterprises who then use this data in their own decision-making engines. So with this industry wide tool readily available, why is it that today enterprise IT must differentiate and discriminate the various meanings of the word 'critical' from multiple vendors? On a day like May 12th 2009, enterprise IT had a whole range of decision making to perform. Which bugs were most important for my enterprise? Where do the greatest risks lie and which patches should be tested and delivered first? Do you tackle the low hanging fruit or the higher risk and possibly more cumbersome patches first? These decisions are made countless times every year as vendors release patches. Unfortunately for those in the trenches, too many valuable resources are consumed with just trying to normalize the vendor datasets. If all vendors across the board delivered data with standard metrics, then at least enterprise IT would be in a better position to handle the inevitable changes smoothly and with minimal disruption.</description><link>http://www.secuobs.com/revue/news/96323.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/96323.shtml</guid></item>
<item><title>May Patch Tuesday - Fear Not the 14 CVEs</title><description>Secuobs.com : 2009-05-12 21:44:16 - 360 Security - Why couldn't Microsoft have kept things easy this month? Last week Microsoft's advanced notification information spelled out a single bulletin for PowerPoint. Given the single outstanding publicly known vulnerability in Microsoft's products, May patch Tuesday certainly looked like it would be an easy one. Alas, we did receive a single bulletin today, but with it came 14 CVEs and a note of more to come. Don't get caught up in the details. First thing to take away is that newer Microsoft Office products carry on signs of being more secure. Office 2007, with its new office file format, continues to present lower risk levels. Even in the face of zero day bugs like those of Excel in February and now PowerPoint, Office 2007 was noticeably less affected. Now with the PowerPoint 4 format being totally retired, managers have more ammo than ever to go obtain budget for upgrades. The second important piece not to overlook is that more patches for today's bugs are due out soon. Microsoft recognized that these bugs also affect the Mac Office products, but doesn't have patches available yet. Releasing patches for only one piece of their product line and leaving the Mac users out in the cold is unlike Microsoft. However, given that current exploit samples were less functional on the Mac and given the market share dichotomy between Office Mac and Windows, the split release cycle is understandable. The third piece of today's puzzle is that after you look over the mass of CVEs patched, don't forget that one of them is the known zero day bug that was described in KB969136. This means that Microsoft not only patched the known zero day bug as promised, but also went much further at delivering a more secure Office product lineup.</description><link>http://www.secuobs.com/revue/news/95021.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/95021.shtml</guid></item>
<item><title>FBI Citizens' Academy, Week 4</title><description>Secuobs.com : 2009-04-30 03:54:35 - 360 Security - Week 4 of the FBI Citizens' Academy: Violent Crimes, White Collar Crimes and Civil Rights Crimes. The mission of the FBI violent crimes program is to: * Effectively address those violent crimes that pose significant risk to citizens of the US; * Reduce incidents of crimes against children; * Address other major violent crimes to include Indian Country, transportation and other special jurisdiction crimes. Common crimes include bank robbery, kidnapping, and extortion. The presenter referred to the uniform crime report (UCR) for anyone wanting the most up to date crime statistics. He did, however, highlight some interesting statistics. According to the 2006 UCR, there are only 2.4 sworn law officers per every 1,000 inhabitants in the US. Further, according to a number of news outlets, nearly 1 in every 100 adults is behind bars. The presenter turned our attention to criminal gang activity nationally and locally. According to Morgan Quitno press, in 2007 the most dangerous cities included Oakland at number 4 and Richmond in 9th place. Gangs, as the presenter taught us, fulfill social needs for their members. Whether it is the mimicking of an extended family or creating social or ethnic bonds, the gangs provide members with an identity that is represented by their clothing, hand signs, graffiti and tattoos. White-collar crime efforts fall into 2 areas of the national FBI priority list: #4 combat public corruption at all levels and #7 combat major white collar crime. Crimes that typically fall under the white-collar division include public corruption, corporate or securities fraud and health care fraud. Of these crimes, the most up and coming are financial fraud, including mortgage fraud and Ponzi schemes. The FBI investigates public corruption cases and provides checks and balances in the criminal justice system because agents typically have fewer local and political ties. The final topic for the evening was civil rights. The FBI is the primary federal agency responsible for investigating all allegations of civil rights violations. Selected crimes involving civil rights allegations include: hate crimes, color of law, human trafficking and the freedom of access to clinic entrances act.</description><link>http://www.secuobs.com/revue/news/90330.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/90330.shtml</guid></item>
<item><title>RSA 2009 Recap</title><description>Secuobs.com : 2009-04-29 03:36:48 - 360 Security - Hard to believe, but RSA 2009 was just last week. I found it to be a very successful show and now it's my turn to recap. Themes: Every year the marketing team tasks me with finding themes at the show. In no particular order, the top themes between the talks and the booths were: virtualization, cyberwar/cybersecurity, and compliance/policy/regulation. Attendance: During the first part of the week, I had noted that the attendance appeared to be dramatically lower than usual. To my surprise, as the week progressed, the attendance appeared to be on par with prior years. In fact, a member of the RSA conference PR team emailed me to say that the unofficial count for 2009 is less than 15% off of prior years. Considering current news of financial cutbacks, a drop of less than 15% would appear to be pretty good. Best Event: Without a doubt, the security bloggers meet up on Wednesday evening was the week's highlight. This was a great chance to chat candidly with bloggers, press and friends. One Thing I Learned: The Virtualization Security Panel opened up a slew of new thoughts for me. Hopefully, I'll have some time to both implement my ideas at work and share them in a blog post. Special Thanks: Special thanks to a number of journalists who let me share some time with them: George Hulme, Dennis Fisher and Ryan Naraine. All my blog posts from RSA 2009.</description><link>http://www.secuobs.com/revue/news/89511.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89511.shtml</guid></item>
<item><title>The Count is not the Thing Counted</title><description>Secuobs.com : 2009-04-28 23:16:36 - 360 Security - In my independent study of Gregory Bateson and Alfred Korzybski I truly understood for myself that the name is not the thing named or, as some would say, the map is not the territory. I call your attention to this manner of thinking because we have a problem with metrics in that the count is not the things counted. Many metrics for risk and compliance describe beautiful mathematical formulas but only see a limited success because the classification of the things being counted is narrowly understood. This blog posting makes the assertion that our problem with effective metrics is not one of numbers but one of semantics; not of the counts but of the things counted. The things being counted must be named, defined, and ultimately understood by a community of practice. The very act of naming is an act of mapping or classification; it comes with a certain level of precision and consequences. A useful classification standard for one community may be useless for another. To the degree that this mapping or classification is common with others in your community of practice, you achieve a mutual semantic coherence (some call this objectivity, but I reject that term). The durability of a set of metrics is challenged when multiple communities of practice are asked to engage in a common objective for the business. Such is the case when one proposes a standard terminology and metrics that apply across a large enterprise consisting of multiple communities of practice and diverse personas. To be useful one must know what these metrics mean and be able to draw inferences from experience. A measurement system must be judged on the notion of “usefulness to a community of practice” and this scoping must be made explicit. The utility is a function of the audience’s ability to draw inference from the counts and things counted. Let me share with you an example I experienced with my Toronto team. I said to one of my Canadian coworkers, “Dude, it was in the 90’s in San Francisco today.” A blank face appeared as I saw him think and convert this implicit 90 degrees Fahrenheit to Celsius ((F – 32) x 5/9) because he could not draw an inference from Fahrenheit. Inferences like it being weather for shorts, no jacket required, that it is odd for San Francisco to have a high of 32 Celsius, that homes in San Francisco don’t have AC because it is never that hot, and so on and so on. When you look at the notion of temperature, you can see that the different communities have chosen different standards because of the way they have come to know those units, and it is more about the semantics than the mathematics. This becomes exponentially more difficult when the syntax is the same but the semantics vary. Take terms like ‘asset’ or ‘platform’ and you can fill a page with what it means in certain contexts with certain communities, even within the same enterprise. Each community of practice has come to know the term ‘asset’ in very different ways; this person has encoded work and meaning in ways that are different from others. While mathematics remains important, we must turn our focus to formal ways to share semantics. Only then can we share both the numbers (the count) within their intended context (the things counted); semantics that can only be seen through a keen ethnographic eye that respects heterogeneous sense-making and the diverse viewpoints of an enterprise.</description><link>http://www.secuobs.com/revue/news/89412.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/89412.shtml</guid></item>
<item><title>RSA Virtualization Security Panel Review</title><description>Secuobs.com : 2009-04-24 04:07:37 - 360 Security - Putting Simon Crosby and Chris Hoff on the same panel to discuss virtualization security is a recipe for a good lively discussion. At the end of the panel, the audience was not disappointed. In addition to Crosby and Hoff, the panel also included Michael Berman of Catbird and Stephen Herrod of VMware. The discussion started with some hijinks by Crosby and Hoff. Crosby handed out gifts to the panelists that included a broken toy sword and a ball and chain. Hoff gave out cigars, one notably much smaller for his nemesis, Mr. Crosby. Despite Chris Hoff's sometimes-flamboyant style, he initially came out mild mannered and on an even keel. His moderate, centrist and thoughtful approach lasted throughout the discussion. Conversely, Simon Crosby of Citrix, and huge proponent of Xen, spent most of his time trying to put VMware into a corner. Crosby touted Xen as the most secure hypervisor system because of its open nature and its continuous real life testing because of its use as the foundation of Amazon's EC2 offering. Despite the moderator's attempts to encourage the panel to discuss real world security implications of virtualization, the topics kept going back to the implementation and security of VMware products like vShield. In the final moments of the session, the panelists did finally provide a few recommendations worthy of implementing today. One of these nuggets was that this insight included most of the security basics necessary for all systems, virtualized or not. Examples of these basics included using configuration guidelines, creating operational plans that include security and risk considerations, and building architectures that consider the security implications of the entire virtualization life cycle. Overall, the virtualization security panel was entertaining and insightful.</description><link>http://www.secuobs.com/revue/news/87586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/87586.shtml</guid></item>
<item><title>Mild mannered company by day</title><description>Secuobs.com : 2009-04-23 18:44:44 - 360 Security - ... superheroes by night, or trade show at least. These guys were close enough to our booth that I managed a snapshot. I'm sure I wasn't the only one, given how proficient they were at striking this pose. I wonder what their super powers are. [Photo: Cisco superheroes]</description><link>http://www.secuobs.com/revue/news/87255.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/87255.shtml</guid></item>
<item><title>The Obama Administration’s Cyberspace Policy Review Turns Up a Dud</title><description>Secuobs.com : 2009-04-23 18:44:44 - 360 Security - Maybe it's in my nature to expect something more all the time. Melissa Hathaway's speech lasted maybe 20 minutes and could have been written during the prior administration last year. Any insight into what we can expect for goals from the 60-day review was completely glossed over. The keynote began with a hokey spoof of the classic TV show Mission Impossible. A narrator with a deep voice gives Ms. Hathaway her mission to secure the nation's cybersecurity infrastructure. The message concludes with a warning that her blackberries will self-destruct in 60 days, a weak nod to the technical audience. Ms. Hathaway's speech followed the typical script. She covered historical, current and real threats along with their outcomes. Whether it was the recollection of the movie WarGames or an attack on ATM machines that was years old, the content was supposed to make the audience feel fear. These obvious tactics were old news for the technical and extremely knowledgeable audience. When she finished dispensing fear we learned about the enormous effort of the 60-day review she is carrying out. Ms. Hathaway likened the ambitious goal to a marathon, not a sprint, and told us about the numerous organizations consulted. The 60-day review team is targeting private companies, federal, state and local governments, as well as other countries. No surprise here. In what Ms. Hathaway termed a "trailer", we got a brief glimpse into her 60-day review findings. To no one's surprise the review calls for greater public discourse, private/public partnerships and a significant call to action for the audience sitting directly in front of her. What we didn't get was any new information or new ideas, and no specific course of action beyond what we all already understand to be necessary. It must be my fault for expecting something more. I'll work on pulling back on my expectations in the future.</description><link>http://www.secuobs.com/revue/news/87254.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/87254.shtml</guid></item>
<item><title>Web Applications: The Biggest Risk to the Enterprise</title><description>Secuobs.com : 2009-04-22 07:46:05 - 360 Security - This post is a taste of my presentation at the nCircle booth at RSA. Come by and see it if this is interesting. Web application risk is a hot topic these days, but there's something missing from the discussion. Vendors seem to be focused on addressing web application risk in a vacuum. They limit their marketing and products to custom web applications and ignore two things: vendor supplied web applications and what I'll call the dependency risk of web applications. When you choose to deploy a web application, you're deploying much more than just that web app. There is, of course, the web application itself. Whether it's custom built or vendor supplied, the web application can be vulnerable to things like cross-site scripting, SQL injection or cross-site request forgery. Think about all the products you've deployed that are managed via a web interface. They're all potential sources of web application risk. But the risk doesn't stop there. That web application has to run on some kind of HTTP server. The web server itself can be vulnerable to buffer overflows, directory traversal, cross-site scripting (again) and other conditions. But wait, there's more. That web server has to run on some platform; whether hardware or virtual, you've got an execution space that can also be vulnerable. There are a near infinite number of vulnerabilities that might exist on the OS or other applications running the web server itself. Finally, there's likely a database somewhere on the back-end. It may have sensitive data or may be vulnerable itself or may run on yet another vulnerable platform. The point here is that scanning just your custom-built web applications or scanning them with a completely separate tool just doesn't cover the whole problem. You can't make good risk mitigation decisions without a clear view of the entire risk context.</description><link>http://www.secuobs.com/revue/news/86478.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/86478.shtml</guid></item>
<item><title>Metricon 3.5</title><description>Secuobs.com : 2009-04-21 22:42:45 - 360 Security - Yesterday (Monday) was all about Metricon 3.5 in San Francisco. It was a long day beginning at 8am and concluding around 5pm. The event was at the San Francisco Google office and a special thanks to John Flynn and the Google team for hosting this event. I can’t even tell you how impressive the lunch buffet was at this place. If I worked at Google I would be 400 lbs in a few weeks. The event, as you can see for yourself from the link above, was broken up into case studies, panels, metric frameworks, measurement of real data, and last but not least modeling R&amp;D. The material was very high quality and for the most part, there were no surprises. I took notes and from here on out you will get my humble opinion. In the Enterprise Case Studies, it was interesting to hear eBay, Kaiser, and Google speak about their measurement systems. I have a very sensitive ear toward the community of practice for these systems and while eBay and Kaiser were your traditional start at the top with these measurements, Google was more of a bottom up which is great to see. The role of the designer of these systems is to put data in terms that the audience can understand, not to dictate the way in which the audience should understand it. This required both an ethnographical evaluation as well as a mathematical evaluation. In the Metrics from Real Data, Jeremiah Grossman from Whitehat always has good stuff and it was followed up with Wade Baker from Verizon on their breach investigations. In the framework section, I found Fred Cohen’s work on legal matters very educational. This community of practice, judges and lawyers, have a very well established method to understanding information and it was great to hear the challenges for measurement in that space. Essentially, a bag of bits is real if and only if it has an intersection with other bags of bits and events that support the claims. It is like an n-dimensional crossword puzzle where just being correct up and down is not sufficient. One has to be right across and in some cases many other vectors. It’s about 8am in SF and I begin another crazy day at RSA. In closing, I want to make an observation about all of these experts who claim to have the ultimate measurement system. Your challenge is not in the numbers or mathematical consistency. It is in the semantics and the classifications of the objects within the domain. The reality is that a large enterprise will have nothing short of 5 very discrete personae who on a good day can’t even agree on what to order for lunch. Getting them all to come to common terms on the meaning of ‘x’ is much more difficult than getting them to understand that 5 is one more than 4. This standardization of objects within a domain is a prerequisite to measurement and must be addressed before one can impose a metric system across multiple communities of interest. Research in this area (Star 2009) shows that standards are:
* Nested inside one another
* Distributed unevenly across the socio-cultural landscape
* Relative to communities of practice; one person’s ideal standard can be another’s nightmare
* Increasingly interwoven in ways that are not always hierarchical
* Consequential on the value systems of the community
The measurement is not in the numbers but in the understanding of the numbers. —tk</description><link>http://www.secuobs.com/revue/news/86289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/86289.shtml</guid></item>
<item><title>RSA Opens - Show Me The People</title><description>Secuobs.com : 2009-04-21 22:42:45 - 360 Security - In what is traditionally a shoulder-to-shoulder mad dash for giveaways, the opening night of RSA was more reminiscent of the last day when most of the people are already homebound. Forget trying to determine who isn't here this year, but consider which companies won't be here in 6 months as witnessed by their dotcom-bomb spending patterns. Because I always buy a full conference delegate registration for RSA, I am left out in the Moscone lobby area waiting for the expo floor to open. In years past, the crowd waiting in line for their free food and drinks on the Monday night open has looked more like a giant herd of cattle. This year, you could have popped a tent, BBQ'd, and set up a tennis court. The cavernous rooms didn't stop there. Once the floor opened, lines at the bar were nil and corridors were congestion free. History repeats itself time and time again. Here is a hint: want to know who will be bought in 2009? Just look around at the show floor and take inventory of which vendors are spending like they didn't learn anything about the dotcom bomb days. Which vendors bought bigger booths? Which are giving out free stuff without asking for anything in return? Don't feel pity for the small vendor booths on the perimeter; go congratulate them for spending within their means. See you at the show.</description><link>http://www.secuobs.com/revue/news/86288.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/86288.shtml</guid></item>
</channel>
</rss>
