Thursday, 3 May 2012

Is there a spreadsheet/template for Mapping WebServices Authorization Rules?

What is the best way to map/document Authorization Rules (for example, those of WebServices)?

I'm looking for a spreadsheet/template that allows the business-rules (i.e. 'who has access to what') to be mapped, visualized and analyzed.

I looked at owasp.org and this is what I found (did I miss something?)

Creating a spreadsheet with WebService's Authorization Mappings

As per Roadmap for Testing a WebService's Authorization Model and What is the formula for the WebServices Authentication mappings?

One of the assets that we need is the official mapping of TeamMentor's WebServices Authorization Rules. This is the mapping according to the 'Business Logic', and it must be independent of what is actually happening on the live website (and within the code).

Our current solution is a shared GoogleDoc spreadsheet with these mappings.

Here are two screenshots of what it looks like (the spreadsheet is here):




These mappings represent what is expected to happen, so for example if one of the methods marked with NO (in light red) can be invoked by that type of user (like a Reader), then that is a vulnerability.

What is very powerful about this mapping is that it allows us (in the security camp) to have a proper 'conversation' with the business owners and key developers/architects (and we will get a lot of kudos if we are the ones who created this (or enabled its creation)).

Basically what we are asking them is: Tell me how you expect your app to behave, so that I can tell you what actually happens.

Although this is a great step forward, there is still a lot to do:

  • Feed this data to a Dynamic or Static analysis script/tool (so that it takes the expected behaviour into account)
  • Once we have results, create a diff view of this data
  • Map this data to the actual WSDL so that any WSDL changes can be detected and fixed ASAP (for example when methods are added, edited or removed)
  • Find a way to store and map this data over time
These mappings are the key to discovering security issues and, when none are found, to providing assurance to the business that the application is behaving the way it should.

The interesting question is: how is it possible to perform an Authorization security analysis without this information? :)

Wednesday, 2 May 2012

Roadmap for Testing a WebService's Authorization Model

Now that Arvind is asking THE real questions (see What is the formula for the WebServices Authentication mappings?), it's time to define the roadmap.

Here is what I think needs to happen when testing and visualizing an application's Authorization Model, in a WebServices-driven application like TeamMentor:

  • Create UnitTests that are able to invoke the WebServices methods with valid state (i.e. be able to successfully invoke all methods)
    • This is not just a case of having good enough data (which in a lot of cases is dynamic (i.e. Method B needs data retrieved via method A))
    • ...one also needs to take into account the cases where the data will be destroyed or corrupted (remember that If you're not blowing up the database, you're not testing the whole app)
    • ...which means that the execution order is very important, since we will need to support a solid set-up, tear-down and restore workflow
  • Invoke those methods with different users and roles:
    • You will need at least two user accounts per role, so that you can test what happens between user A and user B (of the same role) and between user A and user C (with different roles)
    • The data created needs to be exported into a format that can be consumed by a visualization script
  • Analyse the Source Code and extract the real formula (using static analysis technology)
    • This should be in a format that can be cross-checked with the Web Method's tests
    • There could also be a 'hard-coded' mapping file that defines the values currently accepted by the application's business logic (think of this as a consumable version of the Application's technical spec/architecture)
    • Note that sometimes we can already find Authorization vulnerabilities by reviewing these static mappings
  • Cross-check the Static Mappings with the Dynamically collected data
    • The first step is to make sure that the current code assumptions are actually happening in the real world (note that while the static analysis represents what the developers would like to happen, the dynamic analysis represents what actually happens!)
    • Find blind spots and create ways to codify them
  • Fuzz it!
    • Using something like FuzzDB, add abuse cases (i.e. payloads on valid method invocations) and check that the expected rules and mappings still apply (also keeping an eye out for other weird behaviours and vulnerabilities)
  • When vulnerabilities are found, integrate them with the current bug tracking system
    • In some cases each type of vuln will need to be created (or updated) as an individual issue
    • In other cases, we will need to consolidate them so that we don't create too many bugs
    • We will also need to get a risk analysis from the application owner, since some vulnerabilities might be more dangerous than others
  • Apply a fix and (quickly) confirm it via the created scripts
    • Ensure the developer can invoke one (or all) tests from their IDE
    • The scripts created must be able to reflect code fixes
  • Integrate these tests into the build/release process
    • So that they run whenever needed (every day, on git push, on release, etc...)
    • Note that the tests will need to be executed on the multiple development, QA and production environments (with an easy way to diff the results)
  • Package the visualizations created and empower developers
    • Make sure the developers can access the visualizations/mappings created
    • Hand over and train developers in how to access, use and maintain those scripts, so that it is the developers' (or QA's) responsibility to make sure they keep running and reflect code changes
  • Create visualizations of data collected over time
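Here is an added example (not TeamMentor's, O2's or Arvind's code) of the cross-check step in this roadmap, applied to the kind of expected-behaviour spreadsheet from the Creating a spreadsheet with WebService's Authorization Mappings post: it loads a constructed CSV export of the mapping, compares it with constructed results from invoking each method as each role, and reports over-permissive methods (vulnerabilities), over-restrictive ones, cells never exercised, methods the spreadsheet does not cover, and WSDL drift. Every method name, role, status code and WSDL entry below is constructed for illustration.

```python
"""Cross-check the expected Authorization mapping (the business-logic
spreadsheet) against what a test run actually observed.

Added example, not TeamMentor's, O2's or Arvind's code. The methods, roles,
CSV rows and status codes are constructed for illustration."""
import csv
import io

ROLES = ["Anonymous", "Reader", "Editor", "Admin"]

# Constructed CSV export of the spreadsheet: YES = the role is expected to be
# able to invoke the method, NO = the call must be denied.
EXPECTED_CSV = """Method,Anonymous,Reader,Editor,Admin
GetLibraries,YES,YES,YES,YES
GetGuidanceItem,NO,YES,YES,YES
UpdateGuidanceItem,NO,NO,YES,YES
DeleteLibrary,NO,NO,NO,YES
"""

# Constructed results of invoking each method as each role: the HTTP status
# the test harness recorded (200 = invoked, 401/403 = denied).
OBSERVED = {
    ("GetLibraries", "Anonymous"): 200, ("GetLibraries", "Reader"): 200,
    ("GetLibraries", "Editor"): 200, ("GetLibraries", "Admin"): 200,
    ("GetGuidanceItem", "Anonymous"): 401, ("GetGuidanceItem", "Reader"): 403,
    ("GetGuidanceItem", "Editor"): 200, ("GetGuidanceItem", "Admin"): 200,
    ("UpdateGuidanceItem", "Anonymous"): 401, ("UpdateGuidanceItem", "Reader"): 403,
    ("UpdateGuidanceItem", "Editor"): 200, ("UpdateGuidanceItem", "Admin"): 200,
    ("DeleteLibrary", "Anonymous"): 401, ("DeleteLibrary", "Reader"): 403,
    ("DeleteLibrary", "Editor"): 200,  # spreadsheet says NO: this is the bug
    # DeleteLibrary as Admin was deliberately not run (destructive method)
    ("CreateLibrary", "Admin"): 200,   # method not in the spreadsheet at all
}

# Constructed list of operations found in the live WSDL.
WSDL_METHODS = ["GetLibraries", "GetGuidanceItem", "UpdateGuidanceItem",
                "DeleteLibrary", "CreateLibrary"]


def parse_expected(text):
    """CSV -> {method: {role: True/False}}; any value other than YES is NO."""
    expected = {}
    for row in csv.DictReader(io.StringIO(text)):
        method = row["Method"].strip()
        expected[method] = {role: row[role].strip().upper() == "YES"
                            for role in ROLES}
    return expected


def cross_check(expected, observed):
    """Classify every observation against the expected mapping."""
    findings = {"vulnerabilities": [],   # NO in the spreadsheet, but worked
                "broken": [],            # YES in the spreadsheet, but denied
                "unmapped": [],          # method missing from the spreadsheet
                "untested": []}          # spreadsheet cell never exercised
    for (method, role), status in sorted(observed.items()):
        if method not in expected:
            findings["unmapped"].append((method, role))
            continue
        invoked = 200 <= status < 300
        if invoked and not expected[method][role]:
            findings["vulnerabilities"].append((method, role, status))
        elif not invoked and expected[method][role]:
            findings["broken"].append((method, role, status))
    for method in expected:
        for role in ROLES:
            if (method, role) not in observed:
                findings["untested"].append((method, role))
    return findings


def wsdl_drift(expected, wsdl_methods):
    """Methods the WSDL has that the spreadsheet lacks, and vice versa."""
    added = sorted(set(wsdl_methods) - set(expected))
    removed = sorted(set(expected) - set(wsdl_methods))
    return added, removed


def report(findings, drift):
    """Plain-text diff view of the findings, one line per item."""
    lines = []
    for kind, items in findings.items():
        for item in items:
            lines.append("%-16s %s" % (kind.upper() + ":", " ".join(map(str, item))))
    added, removed = drift
    lines += ["WSDL ADDED:      " + m for m in added]
    lines += ["WSDL REMOVED:    " + m for m in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    expected = parse_expected(EXPECTED_CSV)
    print(report(cross_check(expected, OBSERVED),
                 wsdl_drift(expected, WSDL_METHODS)))
```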

Now you might think that this is it and that we can stop here. The reality is that this workflow is still very inefficient, slow and hard to use by all relevant parties.

The way we should be creating these Authorization models is by:
  • Creating a DSL (Domain Specific Language) that represents the current Application Business Logic and its Authorization rules
  • Getting the Application's business owner(s) to write the rules in the DSL language created (which they should understand and be comfortable with)
  • Feed those rules to the Static and Dynamic analysis tools/scripts
  • Analyse the data created and integrate the results into the SDL
Now THAT'S how Authorization models should be created, visualized, tested and enforced :)

Finally, for a great introduction to DSLs and how to use them in C#, please take a look at this book: DSLs in Boo: Domain-Specific Languages in .NET (especially the chapter where the author talks about a Security-focused DSL).

Brilliant visualisation (circa 2008): Zoetrope: Interacting with the Ephemeral Web

This video (from 2008) is probably one of the most amazing visualizations of data that I've ever seen.

The toolkit that these guys have is out of this world, and it's crazy that this research project from Adobe seems to have been dropped (there are no other references to this project or technology since 2008).

What is the formula for the WebServices Authentication mappings?

ahh... that's THE Question :)

Arvind's journey started with First you create Tests for WebServices, then you add the abuse/security cases. He then started coding Python scripts and Unit tests on his journey into testing WebServices in a developer friendly way, with some interesting side effects: If you're not blowing up the database, you're not testing the whole app.

After that he wrote:

and then asked me: "...hmm, where can I get the Authorization mappings? (so that I can check my results against them)"

I was waiting for this question because that is one of the signs that a security test is going in the right direction (btw, if you have commissioned a security assessment and did not get that question, you should be worried!).

Basically what he wants is a mapping of TeamMentor's Authorization Rules, namely which functions should be accessed by the multiple security roles (Anonymous, Reader, Editor and Admin).

And this 'simple question' just happens to be one that very few applications and developers have an answer to! (tip: if you find the answer and share it with the developers, you will move from being a TAX to being a 'visualization engine')

Usually when we (the security guys) ask this question, we get some old document that explained what they were trying to do, or some guy with pen+whiteboard doing a big diagram :)

My view is that it is impossible to have any type of decent assurance that an application doesn't have authorization blind spots without these mappings. One important factor is that they (the mappings) need to be created in a consumable way, so that they can be verified via automated scripts like the ones Arvind is writing (or by 3rd party scanning tools/services)

So where are these mappings?

Well... they exist in the application's source code and (sometimes) in its data (like config files or database tables).

Here is another example of why automated tools will never be able to have good coverage until they are customized.

In the case of TeamMentor the formula is exclusively in the code, since it uses .NET CAS (Code Access Security) permissions to issue a Security Demand before security-sensitive actions are performed.

What is going to happen next is that I'm going to use O2's Static Analysis engine to parse the code and extract the current formula into a format that Arvind can consume.
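As an added example of that extraction step (this is not O2's static analysis engine, and not TeamMentor's code), a regex-based Python script pulls the 'formula' out of C# that issues CAS PrincipalPermission demands, prints it per web method, and turns it into the same YES/NO role matrix that the spreadsheet uses. The C# class, its method names, the single-role assumption in the matrix and the name-prefix heuristic for review candidates are all constructed assumptions of this example.

```python
"""Extract the static Authorization 'formula' from C# that issues CAS
PrincipalPermission demands, and turn it into a consumable role matrix.

Added example, not O2's static analysis engine. Regex-based, so it only
understands the two demand styles shown below; the C# is constructed."""
import re

ROLES = ["Anonymous", "Reader", "Editor", "Admin"]

# Constructed C# resembling a WebService class with CAS demands.
SAMPLE_CS = '''
public class TM_WebServices : WebService
{
    [WebMethod]
    public List<Library> GetLibraries() { return Library.GetAll(); }

    [WebMethod]
    public GuidanceItem GetGuidanceItem(Guid id)
    {
        new PrincipalPermission(null, "Reader").Demand();   // imperative demand
        return GuidanceItem.Load(id);
    }

    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Editor")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public bool UpdateGuidanceItem(GuidanceItem item) { return item.Save(); }

    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public bool DeleteLibrary(Guid libraryId) { return Library.Delete(libraryId); }

    [WebMethod]
    public bool DeleteGuidanceItem(Guid id) { return GuidanceItem.Delete(id); }
}
'''

# An attribute block directly followed by a public method signature; the body
# runs until the next line that starts with an attribute. Good enough for the
# constructed input above, not a C# parser.
METHOD_RE = re.compile(
    r"(?P<attrs>(?:\[[^\]]*\]\s*)+)"
    r"public\s+[\w<>\[\],\s]+?\s+(?P<name>\w+)\s*\("
    r"(?P<body>.*?)(?=\n\s*\[|\Z)", re.S)
DECL_RE = re.compile(
    r'\[PrincipalPermission\s*\(\s*SecurityAction\.Demand\s*,\s*Role\s*=\s*"([^"]+)"\s*\)\s*\]')
IMP_RE = re.compile(
    r'new\s+PrincipalPermission\s*\(\s*null\s*,\s*"([^"]+)"\s*\)\s*\.Demand\s*\(\s*\)')


def extract_static_mapping(source):
    """{web method: {"declarative": [roles], "imperative": [roles]}}"""
    mapping = {}
    for m in METHOD_RE.finditer(source):
        if "[WebMethod" not in m.group("attrs"):
            continue  # not exposed as a web service method
        mapping[m.group("name")] = {
            "declarative": DECL_RE.findall(m.group("attrs")),
            "imperative": IMP_RE.findall(m.group("body")),
        }
    return mapping


def formula(entry):
    """Human-readable rule. Assumption: several declarative attributes on one
    method are ORed (any listed role passes) and an imperative Demand in the
    body must additionally pass."""
    parts = []
    if entry["declarative"]:
        parts.append("(" + " OR ".join(entry["declarative"]) + ")")
    parts.extend(entry["imperative"])
    return " AND ".join(parts) if parts else "<no demand>"


def to_matrix(mapping, roles=ROLES):
    """YES/NO matrix in the spreadsheet's shape. Assumption: a caller holds
    exactly one of the roles, so a demand for role R passes only for R."""
    matrix = {}
    for method, entry in mapping.items():
        matrix[method] = {}
        for role in roles:
            passes_decl = not entry["declarative"] or role in entry["declarative"]
            passes_imp = all(role == r for r in entry["imperative"])
            matrix[method][role] = passes_decl and passes_imp
    return matrix


MUTATING_PREFIXES = ("Create", "Update", "Delete", "Save", "Set")


def review_candidates(mapping):
    """Heuristic (assumption): a mutating method with no demand at all is
    worth a manual look, the kind of issue a static mapping alone can show."""
    return sorted(name for name, entry in mapping.items()
                  if not (entry["declarative"] or entry["imperative"])
                  and name.startswith(MUTATING_PREFIXES))


if __name__ == "__main__":
    mapping = extract_static_mapping(SAMPLE_CS)
    for method, entry in mapping.items():
        print("%-20s %s" % (method, formula(entry)))
    print("review:", review_candidates(mapping))
```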



I'm looking for a C# Script that will find an open file handle in Windows

It's kinda crazy that in Windows 7, when I try to rename a folder, I'm not told what process currently has an open handle to that folder (and is preventing the rename).

My current solution is to open SysInternals ProcessExplorer and do a search for that Handle via the folder name (which is far too many steps and slow).

Now I know that this can be done in C# (via Com Interop) since I did it for Hackmebank (I bet nobody has found the vulnerability that that hack created :)  ).

But before I dig that code and reimplement it in O2, I was wondering if there is already a better solution out there :)

We're all mortals, so let's make the most of it

Just heard today that a very good friend lost her husband to a 5 year cancer battle :(

I can't imagine what she has been through, and it does show how the lottery of life can sometimes be quite harsh.

It's in times like this that one really must think about what we are doing with our time and make sure that we are having a positive impact.

In a way that is what I like so much about OWASP. It is a great community, made of amazing people, and each one of us, can be proud of our contributions, since we are having a positive impact on the solution of a big problem.

I feel very fortunate that I am able to spend my time doing what I am really passionate about, so if you are currently stuck in a job just because it 'pays well', or it is the 'right thing to do', get out of there.

Life's too short to spend it on things we don't believe and are not passionate about.

Let's make sure that we have a positive impact while we are still around

Real nice way to visualize 10 years of a company's evolution

In http://blog.realexpayments.com/2011/07/12/breaking-up-is-hard-to-do/ Realex's Gary Conroy walks us through 10 years of his company's structure.

It's interesting to see how security evolved, sometimes as a stand alone unit and other times inside another function.

What would be even more interesting would be to get a zoom on the Security activities/teams, namely:

  • how it evolved over time
  • what was the impact of 'external factors', like for example security incidents (with them or their competitors)
  • what were its roles and responsibilities
  • major success stories
  • influence on the product and SDL 

Here is the presentation:

Tuesday, 1 May 2012

If information exists in the forest but it is not linkable, is it real?

I always had a 'just make it open' instinct, but more and more I'm realizing that making information open and hyper-linkable is critical to help remove information-exchange speed-bumps and to promote collaboration.

This is also why I'm blogging so much, I'm trying to find a good way to capture the ideas, threads, deliverables, actions, etc.. that I do every day.

I'm also starting to think about where should the 'closed' lines be placed? Basically, what should be public and what should be private/protected. Isn't this what Privacy is all about?

On the topic of openness, Question: why shouldn't our emails be publicly available, linkable and indexable?

Today, Google, most Governments and some other 'organizations' already have access to those emails, so why don't we just make it much more efficient and make 'most' of it public?

I said 'most' since there will be a couple of emails that should be private. But those should be a minority. And by reducing the amount of 'closed' data, it would be much easier to protect it.

TeamMentor for Security companies providing Application Security Services

After the launch of the TeamMentor Partner Program, one of the common questions I'm receiving is 'Ok.. that sounds interesting..but how does it work?'

So if you are working for a company currently providing application security services (PenTesting, CodeReview, Threat Modelling, Architecture review, etc...) this post is for you.

From your point of view,  TeamMentor will provide:
  1. Security-Focused Knowledge Base - to hyper-link your current reports
  2. Customized Reporting - ability to deliver your reports via a web interface (with your brand and custom content)
  3. New revenue streams - by selling TeamMentor and additional services to your clients

Lets take these in turn:

Security-Focused Knowledge Base

TeamMentor's Library is made of 4000+ articles with expert security guidance covering a wide range of Technologies, Phases, Types and Categories.

The key concept is that you shouldn't have to write detailed explanations about a particular security finding, how to fix it, or how it fits within the multiple SDL phases. TeamMentor should have those articles so you can just hyper-link to them from your reports.

Note that if the content that you want is not currently available in a TeamMentor Library, you can easily add it via the web interface (which provides full editing capabilities).

Customized Reporting

Once you are comfortable with TeamMentor's content and have a solid internal workflow, the next step is to start thinking about creating custom versions with your own branding and customer-specific content (for example a TeamMentor How-to article with the code samples modified to reflect the best practices of the application under test).

The TeamMentor interface is very flexible and all the content is exposed via a WebServices layer, so you can either use TeamMentor's main GUI, create your own, or just consume its data from an existing customer portal.

Note that you can also use TeamMentor to host your own (private) content which you will only share with some of your customers (for example a series of articles on Oracle security)

New Revenue Stream
Finally, for the cases where your customers want to start using TeamMentor internally, in addition to a commission that you will receive for each sale, there are additional services that you could provide (for example converting/mapping your customer's internal security policies or coding standards into a TeamMentor Library).

Submitting a request to the OWASP Platform

Here is a message from Sarah Baso on how to ask a question to them :)

The original question was about how to get OWASP support for participating in local events.

Don't copy and paste from Google, copy and paste from TeamMentor!

This is a simple concept that I find myself using when explaining what TeamMentor is and how it can be used.

Here is a very common web activity for developers: Do a google (or StackOverflow) search on a particular problem, find a solution that looks good, copy and paste the code sample into the current application and fiddle-with-it until it works.

The problem with this approach is that the code pasted might not be the most secure solution for the problem at hand (and the changes made might turn a secure code sample into an insecure one).

So what we want is for the developers to copy and paste from TeamMentor (vs from Google)

The idea is that once the content has been customised to the target application, the developers can use it as their 'copy and paste' repository (since those code samples are basically an application's or company's coding guidelines)

Yes, the 'out-of-the-box' articles are good and will add a lot of value, but without customisation they are just a faster way of finding similar content in Google.

But once those articles reflect the target application's reality, their value dramatically increases, and we will finally have a location where we can point developers to for focused, prescriptive, relevant and accurate security guidance.

Releasing a tool open source: how-to and what license?

I get this question quite a lot, so here is my view on this.

In terms of releasing a tool or code under a Free or Open Source license, once you have decided on the license (see below), it's best to just publish the code and go from there. Since I wouldn't expect a huge amount of traffic from day one, you will have time to get all the pieces working before any major announcement.

In terms of infrastructure I would put it on GitHub since it gives you most components you need (note that GitHub doesn't have mailing lists, so you can create one at Google Groups). Btw, if the project becomes really popular, your users will start using StackOverflow.

In terms of license, I guess you need to decide if you want Control or Mass Adoption.


  • The GPL will give you more control (with its viral behaviour forcing code disclosure, but preventing other cases from occurring)
  • The Apache 2.0 license will give you more adoption since there are less limitations on its use (yes it might be used by a 'closed product' but if that grows market share, is that really a bad thing?)
My preferred license is the Apache 2.0 (which is what I use) since it is simple and allows for maximum use + distribution.

The key factor to understand is that the most powerful brand in an open source world belongs to the key driving forces and the developers of a project.

So if you continue to be the most knowledgeable part of your ecosystem, then the bigger the usage, the bigger the opportunities.

Monday, 30 April 2012

Empowering users to create and manage content (using TeamMentor)

After our InfoSec adventure, Tom Bain (@tmbainjr1) from SI has started blogging about his experiences in actually using TeamMentor (vs finding a way to market it :) )

His first post I'm not a developer but I play one on TV... shows that the 'make it simple to use' approach that we took with the latest version of TeamMentor is starting to work.

Tom is not a programmer, but he is a power-user, which means that once he gets how to do something, he is able to run with it.

So my approach was to create a couple of XML files that:

  • were easy to update,
  • had immediate feedback on changes, and
  • looked good

Here is what these pages look like:

If you look at the source code of those pages (view-source:http://docs.teammentor.net/xml/Customer) you will see the XML that Tom is editing (pretty clean right :)  )


Note the XSL reference at the top which points to this XSL content: view-source:http://docs.teammentor.net/xml/xslt_LandingPage%20Variation%202  (again managed by TeamMentor and online editable)

It is worth mentioning that I did try to get Tom to edit this page using a WYSIWYG client app that he installed on his local box, and it was a nightmare. The formatting started to go wrong, there was no easy way to preview the final result, etc...

What is even more interesting is what happened after the first couple edits. Tom started to become comfortable with the user interface, and focused on the content + user experience.

We started talking about 'What should the user experience on this page be?', 'What should the links and buttons do?', 'How do we best communicate our ideas?'

And since he was able to quickly try things out, our productivity (me in London and him in Boston) was really high. Not to mention that Tom really enjoyed the experience (he was in control) and feels empowered to make more changes.

WebAppSec 4 day contract in Dublin, and Security Teams for Hire

Just got contacted by {somebody} who needs a resource asap for a 4 day project (WebAppSec assessment) in Dublin next week (starting on the 8th of May)

If this is something you can do (and have the skills + availability), please ping me and I'll put you in touch.

And if you are looking to hire a team or want the services provided by a company (vs a contractor), I would recommend that you talk with the guys below (just a quick list from the top of my head of who I think of as WebApp Security companies):

If you're not blowing up the database, you're not testing the whole app

One of the key signs that I expect to see when doing any type of automation test on a website, is the moment when a test (or request) destroys or heavily corrupts the database/content of the site being tested.

And this is exactly what just happened to Arvind (from A journey into testing WebServices in a developer friendly way ). He was testing TeamMentor (TM) WebServices and suddenly there was no content on his test server :)

Couple interesting points:

  • That happened because Arvind now has a better test setup which is able to invoke the TM webservice as reader and editor
  • His tests have better state (i.e. correct values for real data, like a Library GUID)
  • One of the WebServices he is now able to invoke correctly is 'DeleteLibrary'
  • You can guess what happened next :)
  • Tests that were passing before the delete started to fail
  • Arvind will need to take into account the fact that some WebServices methods have 'destructive behaviour' (and only invoke them selectively)
And here is the key point: Most apps that DO something, will have a sequence of events that either corrupt or delete key data required for its normal behaviour. And if the automation tests are working they will trigger that scenario.

Or in other words: if your spider is not blowing up the database, it is not spidering deep enough.

Another nice thing of the test suite that Arvind is building is the fact that we will end up with a 'the app is working ok' monitor, which is very valuable to any developer and TM user (good example of Security Tests adding a lot of value to the target application)




Solution to copy and paste images into blogs

I still don't have a good solution to copy and paste images into blogs like this one (or my O2 Wordpress blog)

At the moment I have a mix of O2 scripts and some automation, but it is still not the workflow I want.

Basically I want to be able to have this workflow:
  • open up editor and screenshot tool (like the one from O2 or built-in into OSx)
  • write text
  • take screenshot
  • paste screenshot into article
  • write more text
  • take more screenshots and paste them
Basically I want to have the minimum disruption and pause between the moment I take the screenshot and the moment I use it in a blog.

Currently the workflow I have is:
  • take screenshot and save it locally
  • go into blog gui and click on the add image
  • select image from local disk
  • click on upload
  • select uploaded image
  • click on insert into article
That's 6 steps for something that should be 1 step.

And this is what 'Design' is all about. Find a problem and make it simple (i.e. reduce the number of steps required to execute a particular action)

Happiness makes business sense

This TED talk by Shawn Achor "The happy secret to better work" makes the case that positive energy and 'happiness' make us more productive and effective.

Not only is his presentation style great, I think he is completely right.

Especially the part about 'happiness' being a habit that needs to be constantly exercised.

From a business or organisational point of view, this means that it should be a 'corporate' objective to deliver happiness to its players (employees, members, clients, partners, etc...)

They should do this not because it is 'nice', but because it makes business sense.

Business case for investing in Application/Data security in the pharmaceutical 'Big Data' world

Let's say that company XYZ works in the pharmaceutical field and provides the service of analysing large sets of data and creating reports with actionable information.

The data analysed (think 'Big Data') is already confidential (for example consumer usage of a particular trial/released product) and the report created is even more sensitive (since it might provide massive competitive advantage).

Today I don't believe most companies that deal in this space have very mature Application/Data Security programs, or are able to protect this confidential data over the multiple places it is used (from its storage to the applications and entities that consume/expose it).

And if there are, please point me to real examples and published information.

Usually the reasons for lax security are down to: low number of attacks, weak regulation, weak customer pressure, lack of 'secure metrics' and no-competitive-advantage-in-being-secure.

So how do we change this?

If you were going to meet an executive of one of these companies tomorrow, how would you present a valid business case for investment in Application/Data security?

Of course we can use FUD, but our industry is so good at it that these execs have probably already spent a bunch of money on FUD-driven products.

My view is that the first step actually starts on the executive side. Basically, they (the company) must first decide that they want to make Application/Data security one of their competitive advantages and something they want to sell to their customers. Only then any initiative will be sustainable.

Of course, if a company (or one of its direct competitors) is the victim of a successful attack, then they will want to invest a bit.

Question: are there good examples of companies that went bust, lost a lot of business or had big fines due to the compromise of medical/pharmaceutical data they were handling/analysing?

Sunday, 29 April 2012

JSIL : C# in the Browser - amazing IL to JS

Just found out about http://jsil.org and it looks pretty spectacular :)

This is a project created by Kevin Gadd, and here is his description of how it works:


JSIL is a compiler that transforms .NET applications and libraries from their native executable format - CIL bytecode - into standards-compliant, cross-browser JavaScript. You can take this JavaScript and run it in a web browser or any other modern JavaScript runtime. Unlike other cross-compiler tools targeting JavaScript, JSIL produces readable, easy-to-debug JavaScript that resembles the code a developer might write by hand, while still maintaining the behavior and structure of the original .NET code. Because JSIL transforms bytecode, it can support most .NET-based languages - C# to JavaScript and VB.NET to JavaScript work right out of the box.

Check out the demos:
In addition to a really powerful combination of technologies, here is what I really like about this site:
  • Clearly explains what it does
  • Allows the user to Try it now (of course that running the code in the browser helps)
  • REPL environment in the browser
  • Very social with direct links into creating GISTs with the code created
  • First step to using it is a Git Pull and active encouragement of Git Forking
  • Little mascot :)
I really want to see if I can integrate this with the O2 Platform since this could be the missing piece that I was missing to create jO2: the port of parts of O2 into Javascript :) 

A journey into testing WebServices in a developer friendly way

Following from the workflows that I described in First you create Tests for WebServices, then you add the abuse/security cases , Arvind has now started to blog about his efforts, challenges and solutions.

I asked him to start from the beginning since I think his history and evolution will be very relevant and interesting to others trying to implement similar solutions:

What is very interesting about this series of posts (with many more to come) is that Arvind is really capturing the thinking (and evolution) that needs to happen when doing Authorisation Security testing on an application like TeamMentor.

I also really like the honesty of Arvind's voice and some of his funny comments :)

I hope you enjoy reading his journey

Friday, 27 April 2012

TeamMentor.net vulnerable to BEAST and SSL 2.0, now what?

Ok, so from https://www.ssllabs.com/ssltest/analyze.html?d=teammentor.net&source=tim we can see that https://teammentor.net gets a B rating because it is vulnerable to the 'BEAST Attack' (whoohh that sounds scary :) )

The link on that page points to Mitigating the BEAST attack on TLS which provides some background info on the problem, but it doesn't answer the questions I have at the moment, which are:

  • What is the risk impact of this vulnerability on a site like http://teammentor.net?
  • What are the exploit scenarios?
  • Is there any mitigation (or not) by the use of IIS 7.0?
  • How do I fix this in IIS 7.0?
  • Can anything been done at the Application Layer?
In a way this is where security fails. Instead of giving me a solution, SSL Labs (which rocks btw) is giving me a problem.

Another good example of 'Security as TAX' vs 'Security as Enabler'.

We are going to have to spend resources to understand, fix, test, validate this problem (i.e. pay a TAX) with very little return

The other issue to solve is removing SSL 2.0 support in IIS7. As per this post How to Disable SSL 2.0 in IIS 7, it looks like it needs to be done by changing the registry. Is that the only way to do this?

Also asked this question on:

Hack Yourself First: Jeremiah at TEDxMaui

Jeremiah was recently at TEDxMaui presenting Hack Yourself First which is an interesting development for WebAppSec and OWASP since I think it is the first time that a member of our community gets to present at TED (which is one of the best conference-series in the world)

Couple comments:

  • he was quite nervous, which shows the 'pressure to deliver' that TED has. 
  • I really like the concept of 'Hack yourself first', but I wished Jeremiah had given more examples on how to do it at a personal, corporate and organisational level
  • there was FAR too much FUD for my taste. It would have been better if he had found a more positive way to deliver the message
  • It is also quite obvious from Jeremiah's performance that he really cares about WebAppSec and wants to make the world more secure
    • Of course he owns a company that helps companies to 'Hack themselves first', so there is a lot of vested interest in there too :)
  • I think that OWASP doesn't get one mention, which is not Jeremiah's fault. It just shows the weakness of the OWASP Brand
Here is the Video:

Academic Papers on Software Analysis and Visualization

Paulo Coimbra (of OWASP Project Management fame) just sent me this list about the HPI publications on Software Analysis and Visualization

I really think that Visualization is key for Application Security, and we really need to start using this research in the Application Security field (unfortunately, note how in the Software Analysis and Visualization page there is not one mention of 'Security' or 'Secure').

Some of them have PDFs/Videos online:


But some only have images (where is the article!!!!)




Trustworthy Internet Movement and SSL Pulse

Ivan's interesting work at Qualys continues with the launch of the Trustworthy Internet Movement (TIM) and SSL Pulse at RSA.

There are a number of interesting developments here:

  • Great presentation and message
  • Real nice project page for SSL-Pulse: https://www.trustworthyinternet.org/ssl-pulse/
  • Well-funded project: It looks like they started with a 500k USD investment from Philippe Courtot
  • Some efforts at creating a community (with a Join the Movement) although it doesn't say what happens next
  • Reuse of  Ivan's SSL Labs great work gives this 'Movement' a good momentum 
  • Now look at their fundamentals ('Innovation, Collaborate, Individual Expertise'), principle ('TIM’s mission is to resolve major lingering security issues on the Internet, such as SSL governance and the spread of botnets and malware, by ensuring security is built into the very fabric of private and public clouds, rather than being an afterthought.') and Target Audience ('Experts, Innovators and Technical gurus, Stakeholders, Corporations, Academic institutions and non-profit organizations, Angel investors and VCs')
    • Quite a targeted audience 
    • Will be interesting to see who joins and provides financial backing
    • It's quite SSL focused; there is a lot more to cloud security than SSL :)
    • No reference to openness :)
    • It sounds a lot like the model Mark Curphey wishes OWASP would follow :)
So at the moment this is basically a good Qualys branding exercise, and it will help a bit to improve the WebApp security world, but the key question is whether there will be community adoption/participation and whether others will join the party.

There is nothing wrong with what Qualys is doing, and the fact that this investment (on Application Security) is happening outside of OWASP shows that OWASP doesn't currently have a model/structure that promotes this type of collaboration. And that is very unfortunate, since in terms of worldwide community and reach there is SO much OWASP could do to help this type of initiative.