Posted by Brett Hardin on 1st June 2009
Reading time: 2 – 2 minutes

Today, I thought I would post some great resources for information. If you want to be good at security, you need to be well read.
Here are the top five web application security blogs, in no particular order.
- Jeremiah Grossman – Probably the most read web application security blogger. Jeremiah reads all of the material so you don’t have to.
- Rsnake / Robert Hansen – The other most read web application security blogger. Interesting note: he graduated from my alma mater.
- Holistic InfoSec – Russ McRee’s blog. Russ puts people on the stove. His posts are controversial and exciting. According to ISS, Russ was one of the Top Vulnerability Discoverers in 2008. Keep an eye on him; it is interesting to see what he will do next.
- Billy Rios – Also known as the XS-Sniper! Billy is behind some of the most innovative research as of late. He is the man behind Gifars and URI overflows. He is also known to smuggle olives on occasion.
- Nitesh Dhanjani – Although he covers a wide range of topics outside of web application security, Nitesh continually blogs about topics that are thought-provoking.
Posted by Brett Hardin on 20th May 2009
Reading time: 2 – 3 minutes
Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the “5 Key Factors of Complexity.”
He identifies the key cause of compromise as human nature, namely the fact that humans are susceptible to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are “resistant to human frailty.” He goes on to state that designing these systems (by reducing complexity) is difficult.
According to Mr. Truskowski, the 5 key factors of complexity, and the key to designing these systems, are:
- Threats
- Compliance
- Technology
- Economics
- Business Needs
Unlike security vendors, businesses have to keep focused on all of these factors or they will be unsuccessful. Vendors, however, are according to Mr. Truskowski focused on only one of these factors: Threats. He argues that if an enterprise doesn’t focus on compliance, it is fined, and if a business doesn’t focus on business needs, the business can’t change.
“It’s like building the Titanic. The ship’s designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years over why the Titanic sank, from brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn’t get out of the way of the iceberg. The Titanic’s designers focused on size, strength, resilience, and luxury but not on maneuverability.”
I think Mr. Truskowski’s talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.
The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)
Posted by Brett Hardin on 12th May 2009
Reading time: 2 – 2 minutes

Marcus Ranum, credited with the invention of the firewall, publishes very interesting articles on security. He is currently employed as the CTO of Tenable Security. He also contributes to his own page from time to time.
Mr. Ranum reminds me of Maddox, if Maddox only talked about security and was much more articulate. My first introduction to Mr. Ranum was a rant entitled “The Six Dumbest Ideas in Computer Security.” One of the key points in this paper was that penetration testing is not needed (“Penetrate and Patch”). As a penetration tester I was outraged, but Mr. Ranum made a good point. Ever since reading that posting I have attempted to follow Ranum’s postings. Note: there is also a funny section entitled “Hacking is Cool”, which Ranum argues it isn’t.
Mr. Ranum recently published an article entitled “The Anatomy of Security Disasters.”
Some of the ideas in the paper are:
- Ideas that are bad for security can get legs and then be hard to stop.
- The person in the room who can articulate their idea is always the one who wins the argument, regardless of whether it is the “right” thing to do.
- Management typically blames the security team for not informing them adequately, even after emails from the security team to that manager are discovered.
- At the end of the day, no new processes are developed to prevent the problems from happening again.
It is a great read, and you should take 30 minutes out of your day to read it.