Suggested Blog Reading – Tuesday October 9th, 2007

Well I’ve finally lost my cold…and as a reward…I’ve thrown out my back. *shakes fist*

Here is the list:

Virtualization Security Training? – That’s not a half bad idea 🙂

If the industry is having trouble finding IT generalists with training in virtualization security, I can only imagine the dearth of qualified security experts in the hopper. I wonder when the first SANS course in virtualization security will surface?

Common Criteria Web Application Security Scoring (CCWAPSS) Released – Interesting white paper. Has anyone implemented this scoring system internally?

The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

The Merits Of Threat Modeling – I suspect that threat modeling exercises would help prevent quite a few design flaws if organizations took the time to hold them.

As a consultant, I have been involved with many-a threat modeling exercise. Oftentimes, they are boring, process-intensive sessions where you stare out the window praying that the meeting ends or that the lunch you ate contained botulism. They are also boring, process-intensive meetings that have more impact on the long-term security of your organization than just about anything you are likely to do.

WinHex, X-Ways Forensics, X-Ways Investigator 14.4 released – Quite the list of features in this release.

Official release of SQL Power Injector 1.2 – Download Now! – Another tool to try.

SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetration tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).

Moreover, this application will get all the parameters you need to test the SQL injection, either by GET or POST method, thus avoiding the need to use several applications or a proxy to intercept the data.

The emphasis for this release is maturity, stability and reliability with secondary goals of usability, documentation and innovation.

Lessons From a Cyberdefense Competition Red Team – Michael posted his insights from his recent ISU Red Team involvement (Part 1, Part 2, Part 3). It sounds like it was a good opportunity.

This weekend Iowa State University held its annual CyberDefense Competition in Ames, Iowa. The event is hosted by students and faculty from the Information Assurance Student Group and the Electrical and Computer Engineering department. In the event, teams of students attempt to deploy and manage various services representative of normal business applications. During the 20 hours the event covers, the teams are scored on their service uptimes as tracked by network monitoring (Nagios) and other neutral teams acting as normal users of the services. In addition, much like the real world, there is another team of students, faculty, and area professionals acting as attackers, intent on owning and bringing down those offered services. The services the teams were required to offer were web services (with pre-packaged web content), mail (smtp and imap), a telnet shell, ftp, wireless access for normal users, and dns to get it all working.

Something You Should Know: FTC Is Aggressively Going After Companies With Poor Security – Witch hunt or proactive initiative? 🙂

Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing “unfair and deceptive trade practices.”

Indiana State Police Forensics Field Triage Program a Success – Good news!

Approximately two years ago, the Indiana State Police instituted a unique program in which examiners conduct on scene computer forensics. The goal of the Computer Forensics Field Triage program is to utilize departmental resources efficiently to improve cyber crime investigations by conducting on scene computer examinations in a forensically sound manner. The program was an immediate success. Investigators found that conducting examinations on scene was far superior to conducting examinations in a laboratory setting. Specific circumstances sometimes dictate that an on scene examination is the only viable alternative…

Website Vulnerability Statistics (17 mo. and counting) – Download the report and give it a read.

It’s that time of the quarter when we get to release our WhiteHat Website Security Statistics Report (PDF) – the aggregate vulnerability data we’ve collected when assessing the custom web applications of hundreds of the largest and most popular websites on a continuous basis (weekly is typical). This data is also very different from Symantec, Mitre (CVE), IBM (ISS) X-Force, and others who track publicly disclosed vulnerabilities in commercial and open source software products. WhiteHat’s report focuses solely on previously unknown vulnerabilities in custom web applications, code unique to that organization, on real-world websites.

Auditing open source software – Great post on auditing open source software with some solid examples.

Google encourages its employees to contribute back to the open source community, and there is no exception in Google’s Security Team. Let’s look at some interesting open source vulnerabilities that were located and fixed by members of Google’s Security team. It is interesting to classify and aggregate the code flaws leading to the vulnerabilities, to see if any particular type of flaw is more prevalent.
