Miscellaneous Security

Reading time: 3 – 4 minutes

BsidesSF was an amazing event, and I congratulate Mike Dahn for putting together an event that ran super smooth.

All of the presentations at BsidesSF were cutting edge and highly informational. There were two presentations, that in my opinion, clearly stood out.

Gunter Ollman – Your Computer is Worth 30 Cents

Gunter Ollman’s presentation explained how botnets and malware has changed the state of penetration tests.

Penetration tests are sometimes misunderstood and it is important to understand what a “real” penetration test is. Pen tests are supposed to replicate real attacks that an attacker would use to penetrate your network.

Gunter explains how these penetration tests have evolved over time:

In 2000, the easiest way to break into a network was to submit a job application, get the job, plug into the network, own it, and never show up the next day.

In 2005, the easiest way was to hand out USB drives in the parking lot that called home.

Now, the easiest way is to purchase machines inside of the corporation that already belong to a botnet.

I think this was a very eye opening presentation and although we have seen startup companies focused on  protecting your corporate assets from becoming part of these botnets, I think we will begin to see startup companies focused on removing your corporate assets from botnets.

Tim Keanini – Computing Risk without Numbers: A Semantic Approach to Risk Metrics

The other talk that was very ground-breaking was presented by Tim Keanini, CTO of Ncircle. TK presented on identifying risk through the use of semantic language. This is an alternative and interesting approach to risk management, that uses semantic language to rate the risk of assets to a network.

After the presentation most people explained they would need to watch TK’s presentation three or four times to extract all of the information out of it. I completely agree and am thankful that all of the presentations have been archived.

Reading time: 2 – 3 minutes

I recently had the opportunity to speak at BsidesSF last week. This was an awesome experience and I highly suggest everyone attend one of the next Bsides coming up at Boston, Austin, or Las Vegas.

I presented, “Security? Who Cares!” This talk focuses on the way the security community views their beliefs and how privacy is dying. Feel free to leave your comments after viewing it. It takes about 25 minutes to watch.

Reading time: 2 – 4 minutes

Photo: Rionda

While attending OWASP AppSec DC this week, I was able to see the preliminary release of the OWASP top 10 for 2010. This is the first release candidate and the 2010 top 10 are now available for public comment. We will soon see what the security community thinks of it, but OWASP is hoping for an finalized release in the early first quarter of 2010.

For regular readers, you will not see much new on the OWASP top 10 2010. The main change is the order, or rather priority, of vulnerabilities has been changed. While the OWASP Top 10 – 2007 list focused on the top 10 vulnerabilities in web applications. The 2010 top 10 have been re-clarified to reflect the Top 10 Application security risks to an organization.

The 2007 list also focused on the frequency of the occurrences of the vulnerabilities in the web application. However, the OWASP Top Ten 2010 list is prioritized based on an estimated risk to the organization.

Risks Added to the OWASP 2010 Top 10

The new vulnerabilities are Security Misconfiguration (A6) and Unvalidated Redirects and Forwards (A8). I will address these two risks in future articles.

Vulnerabilities Removed from the OWASP 2010 Top 10

Since two risks were added, the OWASP had to replace vulnerabilities that were already on the list. These vulnerabilities are Malicious File Execution and Information Leakage and Improper Error Handling.

Malicious File Execution has been removed due to the reduction of how prevalent this vulnerability is now compared to 2007. OWASP also states that PHP is being shipped with more default security built-in. This is why it has been removed from the list.

Information Leakage and Improper Error Handling has been removed from the typical low impact of disclosing stack traces and error messages to the user. (Personally, I disagree with this.)

OWASP Top 10 2010 RC1

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards
A9 – Insecure Cryptographic Storage
A10 – Insecure Communications

We shall see in the next few months what the community thinks of these changes.