Archive for Defense
Virtual Infrastructure Security Facts
The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical servers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared [...]
Posted by Dre on Wednesday, March 18, 2009 in Defense, Hacking and Security.
There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use. However, WAF is dead and dying regardless. I think that very large-installation, Internet-facing web applications require Anti-DDoS [...]
Posted by Dre on Thursday, February 12, 2009 in Defense, Politics and Security.
Did we learn anything about web application firewall technology this week? I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don't know why. Organizations everywhere think [...]
Posted by Dre on Friday, June 27, 2008 in Defense and Security.
[Andre and Marcin]: For today's post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security [...]
Posted by Rohit on Thursday, June 26, 2008 in Defense, People and Security.
This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang: [...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that [...]
Posted by Dre on Thursday, June 26, 2008 in Defense and Security.
Web application experts have been asking WAF vendors the same questions for years with no resolution. It's not about religion for many security professionals -- it's about having a product that works as advertised. My frustration is not unique. I am not [...]
Posted by Dre on Wednesday, June 25, 2008 in Defense and Security.
Hello, and welcome to the Week of War on WAF's, the same week that ends whereby PCI-DSS Requirement 6.6 goes into effect as a deadline for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application [...]
Posted by Dre on Monday, June 23, 2008 in Defense and Security.
We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, are against us, or are just tired from it all by now. This post is about to change all that, and show [...]
Posted by Marcin on Monday, June 23, 2008 in Defense, Security and Work.
I see that the BlackHat Blogger's Network has a topic of interest. I'll oblige, especially since The Hoff is involved. I think it's a good exercise, so I'll have to thank Shimel for this idea. You also won't want to miss what I've said about [...]
Posted by Dre on Wednesday, June 18, 2008 in Defense, Security and Tech.
I wanted to do a post about "what web application security really is" because plenty of people out there don't get it. They understand that "security attacks are moving from hosts to the Web", but they have no idea what that means. To most people, web [...]
Posted by Dre on Sunday, June 15, 2008 in Defense, Hacking and Security.
Today I am going to cover a topic that is the most important to me: software security. When I talk about "software security", I refer to the process of building applications -- the artifacts, components, and capital that goes into making a polished [...]
Posted by Dre on Thursday, May 29, 2008 in Code, Defense and Security.
Arbor Networks has a blog post up today about Using RPKI to Construct Validated IRR Data. Resource PKI (RPKI) is an extension to X.509 to allow for IP address (prefix) and AS identifiers (autonomous system numbers -- the organization-based assigned [...]
Posted by Dre on Wednesday, May 7, 2008 in Defense and Security.
'Lo and behold, CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari -- three secure references for the three most popular browsers. The documentation and links provided are great. I was actually surprised that [...]
Posted by Dre on Tuesday, April 29, 2008 in Defense, Privacy and Security.
You installed Firefox. How do you make it more secure for daily use? How do the Mozilla developers ensure that they are doing all the right things? How do you safely browse the Internet? These are not easy questions to answer, and some of the answers [...]
Posted by Dre on Tuesday, March 25, 2008 in Defense and Security.
Let's take some time here to discuss what "secure code review" is and what it is not. I see a lot more people talking about code review. Many people have only the view of the PCI DSS compliance standard, which almost pits code review against the web [...]
Posted by Dre on Monday, March 24, 2008 in Defense and Security.
I've downloaded and used the Firefox 3 beta browser software for the past few months and wanted to give a report on the latest of what works and what doesn't. Note that I had to install Nightly Tester Tools to get many of these to work. I am also now [...]
Posted by Dre on Monday, March 24, 2008 in Defense, Hacking, Security, Tech and Windows.
Lesson 13: Just this week, in lessons 12 and 13, we've covered -- at least partially -- how to significantly reduce risk and vulnerability to system and network infrastructure. We touched on protecting applications, but we weren't able to go into [...]
Posted by Dre on Thursday, March 20, 2008 in Defense, Hacking, Itsm and Security.
Lesson 12: Yesterday, I shamelessly recommended to ditch all commercial networking gear. In the same breath, I also made several Cisco configuration recommendations. This is just the way that I work. The idea is that network appliances increase risk, but [...]
Posted by Dre on Wednesday, March 19, 2008 in Defense, Hacking, Itsm and Security.
Lesson 11: Welcome back! I know that the last few weeks have been a lull, and even before ShmooCon there wasn't a lot going on our security blog. However, you're in for a real treat since I'm back with the daily ITSM Vulnerability Assessment techniques! [...]
Posted by Dre on Tuesday, March 18, 2008 in Defense, Hacking, Itsm and Security.
Before Mike Rothman posted something about the WhiteHatSec and F5 announcement, I really wasn't going to say anything negative or positive. Integrating web application security scanners with web application firewalls at first seems like a good idea. [...]
Posted by Dre on Tuesday, March 11, 2008 in Defense and Security.
Lesson 10: You could say I'm a little late on posting something. However, we've been up to a lot of great research, hopefully much of which we'll publish here over the next few weeks. We had a few posts lately, some of with a change of heart. The latest [...]
Posted by Dre on Wednesday, January 23, 2008 in Defense, Hacking, Itsm and Security.
Lesson 9: Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I'll try and keep it short and sweet today. Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project), commented on yesterday's post regarding [...]
Posted by Dre on Thursday, January 17, 2008 in Defense, Hacking, Itsm and Security.
Lesson 8: Two days ago we covered VoIP assessments, and yesterday we covered Intranets and the use of proxies. Most of last week also covered internal network infrastructure assessments, except for some topics such as PDA phones and WiFi devices. Today I [...]
Posted by Dre on Wednesday, January 16, 2008 in Defense, Hacking, Itsm and Security.
Lesson 7: Today I wanted to bring the real meaning behind these techniques into the spotlight. Learning about how IT groups do real security is only part of this. I'm also talking about what I've seen that IT security shops don't do. What [...]
Posted by Dre on Tuesday, January 15, 2008 in Defense, Hacking, Itsm and Security.
Lesson 6: Last week was great as I started out talking about a variety of topics including -- Day 1 -- Physical network segmentation / Browser tools Day 2 -- Kernel protection in network drivers / Crawling tools Day 3 -- Sandboxing / HTTP tools Day 4 -- [...]
Posted by Dre on Monday, January 14, 2008 in Defense, Hacking, Itsm and Security.
Lesson 5: After the first week, many of these assessment techniques don't all fit together or seem congruent. Mid next-week, I think a lot of these pieces will start to come together to form a big picture. The recommendations I've given so far are not [...]
Posted by Dre on Friday, January 11, 2008 in Defense, Hacking, Itsm and Security.
Lesson 4: We've touched on some of the critical-path ways to assess and protect your infrastructure including network segmentation and OS/application sandboxing. Often, the weakest area of technology is what you can't segment or sandbox effectively, [...]
Posted by Dre on Thursday, January 10, 2008 in Defense, Hacking, Itsm and Security.
Lesson 3: After the first few days, we've covered securing WiFi, as well as basic software assurance tools to get you started with a web browser and crawler. This is just the beginning. Part 1: Information assurance vulnerability assessment — Sandboxing [...]
Posted by Dre on Wednesday, January 9, 2008 in Defense, Hacking, Itsm, Linux and Security.
Lesson 2: We hope that you are enjoying the format of these, as well as the content. Yesterday, I talked about how rogue AP's/clients can be scanned for without adding infrastructure or spending active time walking around the office. I also introduced [...]
Posted by Dre on Tuesday, January 8, 2008 in Defense, Hacking, Itsm and Security.
Lesson 1: These techniques are in two parts, 1) Information assurance strategies, and 2) Software assurance tools. My feeling is that vulnerability assessments are typically done less strategically/operationally in IT environments (relying too much on [...]
Posted by Dre on Monday, January 7, 2008 in Defense, Hacking, Itsm and Security.
Office collaboration services look like 1985
Microsoft Outlook and Exchange server have been the staple for office collaboration for over 10 years, with a model that has been around since Novell and Lotus in the mid-80's. Collaboration services are [...]
Posted by Dre on Thursday, December 13, 2007 in Defense, Hacking, Security and Work.
An audit framework for evaluating structured security program frameworks
How many readers implemented a new security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were involved? Possible frameworks [...]
Posted by Dre on Monday, December 10, 2007 in Defense, Hacking, Intelligence, Politics, Security, Tech and Work.
Chris Hoff published his 2008 Security Predictions, which offer a very dim future for the security industry. His first attack vector is regarding the virtualization hypervisor attacks. Didn't Ptacek prove that this vector is useless? I'm starting to see [...]
Posted by Dre on Wednesday, December 5, 2007 in Defense, Hacking and Security.
Pen-testing is an art, not a science
Penetration-testing is the art of finding vulnerabilities in software. But what kind of an "art" is it? Is there any science to it? Is pen-testing the "only" way or the "best" way to find vulnerabilities in software? [...]
Posted by Dre on Sunday, December 2, 2007 in Defense, Hacking, Security and Tech.
Most information security practices, whether system, network, application, software, or data -- come from original sources such as the Orange Book. Most people assume that the Orange Book is no longer valid for use in security today. If we had built [...]
Posted by Dre on Friday, November 23, 2007 in Defense and Security.
Last year, a colleague pointed me to an article by Roland L. Trope in September/October 2006 IEEE Security & Privacy, Immaterial Transfers with Material Consequences. From the abstract: The need for such regulations is clear, but many firms underestimate [...]
Posted by Marcin on Wednesday, August 22, 2007 in Defense and Security.
Expanding on my previous blog post regarding export control and how it is defined, there are several other factors to take into consideration to help ensure compliance. Record Keeping All export records must be kept for five years after license [...]
Posted by Marcin on Wednesday, April 4, 2007 in Defense and Security.
ITT was fined $100 million for illegally exporting classified technical data relating to night vision equipment overseas. In addition to being fined, they must "invest $50 million over five years to accelerate development of night vision technology, and [...]
Posted by Marcin on Saturday, March 31, 2007 in Defense, Politics, Security and Tech.
The JSF (I like JSF better than F-35 Lightning II) has completed all its taxi tests this week. I had the incredible opportunity of interning at Pratt & Whitney, the manufacturer of the F-135 turbofan, and I have to say I'm a fanboy. I love these two [...]
Posted by Marcin on Wednesday, December 13, 2006 in Defense.
Information Week is reporting a story involving a family of five, who await a hearing for charges of conspiring to export U.S. defense information to China. Chi Mak, 66, of Downey, Calif., was an engineer with Power Paragon, a Navy contractor. He [...]
Posted by Marcin on Monday, November 6, 2006 in Defense and Intelligence.
From attacking our cyber information infrastructure, People's Liberation Army writings in recent years have called for the use of all means necessary, including -- or particularly -- information warfare, to support or advance their nation's interests. [`DoD's [...]
Posted by Marcin on Monday, September 25, 2006 in Defense and Intelligence.
Alright, so the US Navy is marking this week as the end of line for the F-14 Tomcat. The Tomcat has been showing its age, becoming more expensive to maintain, and slowly being replaced by F/A-18 Super Hornets. As sad as it is to finally see the Tomcat [...]
Posted by Marcin on Saturday, September 23, 2006 in Defense and News.