While the cat’s away…
April 13, 2008
It always seems to happen – whenever things get busy, great posts come out of the woodwork. If I’m traveling on my own, I often just head back to the hotel and work, but as the wife is along on this one (poor thing – sometimes the only vacation she gets is an “add-on” after a work trip) I’ve been “out and about” more than usual. I can’t complain though, as I’m halfway around the world again, this time taking some (well deserved) PTO in Hong Kong after heading back from some work in Singapore, so expect a trip report soon and an update to the Flickr account.
So, I’m going to have to link and run on these with little of my usual thoughts/commentary, but all these posts below so perfectly say what I would have there’s very little to add.
First up, Bruce Schneier has an excellent post on The Feeling and Reality of Security. I’ve said plenty of times in the past that I love Bruce’s writing, and enjoyed his Beyond Fear book, which has a lot more of this stuff. As noted in this post/article, there’s a lot of “feeling secure”-type security going on at the moment, which is a shame as it just costs us all more money and doesn’t remove any of the real threats.
Unfortunately the RSA conference was right in the middle of my trip, as I would have loved to have been there and had a good number of people to catch up with. However, it seems that it’s given Jeremiah Grossman a bunch of things to post about. It would have been great to have caught his CSRF presentation (a must read BTW, so click on through) because, as we’ve all been talking about for a long time, this is the next (if it’s not already happening) big vulnerability out there. I don’t think that anyone will correct me if I say it could very well be the buffer overflow vulnerability for the web, as it’s so common to the way web applications work.
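As an added illustration (not from this post or from Jeremiah’s presentation) of why CSRF is so tied to the way web applications work: the browser attaches the site’s session cookie to a form post no matter which page built the form, so a handler that authenticates by cookie alone honours a forged request. The in-memory session store, the `Request` class, the bank balances and the `https://bank.example` origin are all constructed for the example; the hardened handler shows the synchronizer-token check, with an Origin check as a second layer.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state standing in for a bank's session store and ledger.
SESSIONS = {}                          # session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100, "mallory": 0}
SITE_ORIGIN = "https://bank.example"   # assumed origin of the legitimate site


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST. The browser attaches cookies for the
    target site automatically, whichever page built the form."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and a per-session CSRF token; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the site embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def _move(src, dst, amount):
    """Ledger update; refuses overdrafts and unknown recipients."""
    if BALANCES.get(src, 0) < amount or dst not in BALANCES:
        return False
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return True


def transfer_vulnerable(req):
    """Vulnerable handler: trusts the session cookie alone, so a form on any
    other site that posts here rides on the victim's cookie and is honoured."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    _move(sess["user"], req.form.get("to", ""), int(req.form.get("amount", 0)))
    return 200


def transfer_protected(req):
    """Hardened handler: requires the synchronizer token from the form body
    (which a cross-site page cannot read) and checks Origin as a second layer."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    token = req.form.get("csrf", "")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    _move(sess["user"], req.form.get("to", ""), int(req.form.get("amount", 0)))
    return 200


def demo():
    """Replay one forged and one legitimate transfer against both handlers.
    Returns (forged_vs_vulnerable, forged_vs_protected, legit_vs_protected, balances)."""
    BALANCES.update({"alice": 100, "mallory": 0})
    sid = login("alice")
    # Forged request: an attacker's page auto-submits a form to the bank and
    # the victim's browser adds the session cookie on its own.
    forged = Request(cookies={"sid": sid},
                     form={"to": "mallory", "amount": "50"},
                     headers={"Origin": "https://evil.example"})
    v = transfer_vulnerable(forged)      # 200: 50 moves to mallory
    p = transfer_protected(forged)       # 403: no token and wrong Origin
    # Legitimate request: the bank's own form carries the hidden token.
    legit = Request(cookies={"sid": sid},
                    form={"to": "mallory", "amount": "10", "csrf": csrf_token_for(sid)},
                    headers={"Origin": SITE_ORIGIN})
    ok = transfer_protected(legit)       # 200: 10 more moves
    return v, p, ok, dict(BALANCES)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged post succeeding against the cookie-only handler and being refused by the token-checking one, while the site’s own form (carrying the token) still works. The token lives in the form body rather than a cookie precisely because a cross-site page can cause the cookie to be sent but cannot read it to copy the value.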
Not leaving it there, Jeremiah has another post on perhaps a leak from the next PCI-DSS standard. I know a lot of us in the security community are waiting on the next version coming out, and I can’t say that many of the people I’ve talked to are great fans of it – it tries to help, but the general consensus is that it doesn’t really go far enough, especially in the application department. From the article, it seems section 6.6 (the part specifically on application security) is “code review”. Previously the standard said:
Ensure that all web-facing applications are protected against known attacks by applying either of
the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
There are two interesting parts here. First, “having applications reviewed” doesn’t exactly say how and using what method – it could be a white box code review (either human or via a tool like Fortify), or black box (once again, an audit/pen test or via a tool like WebInspect). This leaves a huge amount of “wiggle room” for quality and security. Second, this is an “or” type requirement, so a company could just choose to slap a WAF in front of everything and call themselves secure as well! The “note” is also good to, ahem, “note” in that none of this is actually required until June 30th.
So, along comes Standards Council General Manager Bob Russo in the article JG linked to and hints that “Personally, I’d love to see everyone go through an OWASP-based source-code review”, perhaps meaning that PCI-DSS is actually going to prescribe the method people have to go through (which isn’t bad), but then backs off and says this certainly isn’t going to happen (most likely the cost factor – source code reviews are time-consuming, not many people can do them, and thus expensive) and then says that it looks like the application firewall is the way to go. As Jeremiah says, whoa!
I don’t know what it is with PCI and their love of reusing existing OWASP documents – certainly in the early days they were the only community outfit around, and there was not much else out there to springboard off from (the OWASP Top 10 was completely the wrong thing to hang security on, for various reasons, but nonetheless lots of people did so). Several people have offered to help write a new “secure application review” standard on a few occasions, myself included (with a good number of top people in the community), and Mark Curphey has as well, but there was little interest (in my case, some people from PCI actively didn’t want us even mentioning that what we were trying to do was along the same lines as the PCI-DSS). Oh well, I guess a lot of us will be waiting with bated breath.
Finally, I love reading Penny Archer’s Totally Unauthorized blog as it sometimes harks back to one of my old jobs.
This post specifically does. I will admit, being an ex “rock and roll” roadie, we are “all or nothing” when it comes to loading out – there’s no “pissing about” (which is how I’ve heard some theatre and film crews be described) as there’s so little down time that everyone wants to get on the bus as quickly as they can to grab sleep and head off to the next venue. Tear-down and load-out is so much easier than load-in and setup though. Nice to see that Penny, despite seeing us work at “Mach 2”, appreciates that it’s not shoddy or bad (and certainly not unsafe), but just “fast”. When out on the road you have responsibility for your own gear, and if something goes wrong with that, or anyone underneath it, then it’s your head on the block in more ways than one. As someone that was responsible for a multi-million dollar lighting rig, I can tell you, you don’t do anything to jeopardize the gear or the people. It is nice however to hear about things from the other side of the industry – ah, good times.
April 13th, 2008 at 3:18 pm
tom brennan said: We would love to get even more help on OWASP projects – both people and sponsors!
Next event is
https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference