Blog

All Posts (10)

FREE Training from SAFECode

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

Courses include:

  • Introduction to Cryptography Secure
  • Memory Handling in C
  • 101 Threat Modeling
  • Secure Java Programming
  • Cross Site Scripting (XSS)
  • Product Penetration Testing
  • Auth 101: A Passwords Backgrounder for Everyone
  • DOH: Default, Obscure and Hidden Content for Everyone
  • An Introduction to Windows Access Controls
  • File Permissions Linux and OS X Injections
  • SQL and Beyond CSRF
  • Cross Site Request Forgery for Everyone

Details: https://training.safecode.org/courses

Read more…

We have a position for a mid-level Security Engr/Administrator type working for a strong company with great benefits and in an amazing location in Downtown Austin.  Pls contact me for more info:

Scott Stevens

sstevens@egov.com

                                                                                                                                                                                                                                                          

Our Security Operations Team is currently searching for a Security Engineer.

Description

The Security Engineer is responsible for the security operations and administration of Texas.gov technical controls and technologies, including but not limited to vulnerability management platforms, IPS/IDS/WAF and other measures. The Security Engineer shall also carry a specialist role in performing security assessments on Texas.gov applications and services utilizing multiple tool sets and methodologies, while interfacing with internal and external teams to understand and present associated risks and mitigation strategies.  Security assessment will include an emphasis on application security activities.

Day-to-Day Activities:

    Perform vulnerability scanning of infrastructure, servers and desktops.
    Assist development and operations teams with strategies to remediate and prevent vulnerabilities
    Assist with other day-to-day operation security tasks such as intrusion prevention and file integrity monitoring
    Perform vulnerability scanning of applications in development
    Assist with other day-to-day operation security tasks such as intrusion prevention and file integrity monitoring
    Assist in the management and improvement of security controls
    Assist development and operations teams with strategies to remediate and prevent vulnerabilities
    Provide support in incident response activities
    Develop and write reports in support of security audits, processes and procedures.
    Support internal customers and employees with security related matters
    Ongoing research of information security trends and developments.
    Participate in daily planning/coordination meetings and coordinates deployments with other departmental teams to ensure smooth and successful project launches.
    Provide overall project coordination, communication and management for daily project activities.
    Assist in tracking and planning of project milestones, deliverables and KPIs.
    Accept and complete other duties as assigned by management and leadership.

Required Skills:

    At least 5 years’ experience in the information security field with at least 3 having a security assessment and vulnerability management and application security focus.
    A firm understanding of the OWASP Top 10 and the various mitigation strategies for these vulnerabilities within a corporate enterprise environment.
    Good familiarity with security compliance standards such as PCI-DSS, ISO 27002 or NIST 800-53.
    Basic Forensic and Investigation Skills
    Good working knowledge of Unix/Linux, Windows and Virtualized operating systems
    Solid knowledge of the following:
        Firewalls
        Intrusion detection
        Incident response
        Policy writing
        Vulnerability testing
        Operation systems hardening
        Antivirus
        Security awareness training
    Understanding security issues associated with application development
    Knowledge of vulnerability management at both the infrastructure and software level
    Solid understanding of Networking and OSI model
    Solid communication and interpersonal skills.  Possessing a strong ability to interpret and explain risk is a plus.
    Able to communicate with other technical teams and translate technical issues into business related risks.
    Able to work independently with little over site
    Able to work with teams to find solutions to technical problems
    Some experience or exposure to various commercial appsec testing tools such as BurpSuite and NTOSpider, as well as various open source scanning ISOs (e.g. SamuraiWTF, BackTrack, etc). Experience with other industry recognized open source security testing tools

Desired Skills:

    Experience with Agile-focused IT shops
    Experience with Log Management/SIEMs.
    Penetration testing skills
    Experience working with government entities, especially state and local governments.
    Certified Information Security Systems Professional (CISSP)
    Familiar with intrusion prevention, file integrity monitoring, user management, and other security domains
    Basic understanding of databases and security/disaster recovery issues with them

Logistics:

    Minimal travel

Benefits:

    Chance to work with innovative and forward thinking Security Team
    Opportunity to work with emerging technology
    Highly visible and executive supported security program
    Excellent work life balance and culture
    Competitive compensation program
    No-cost group medical/dental insurance
    Stock purchase plan
    Matching 401(k) contributions with 100% vesting
    Disability insurance
    Life insurance
    Company wellness program

Read more…

This workshop is intended to promote hands-on labs and case-studies in Information Assurance (IA) education to enhance student learning experience, and to foster collaboration among faculty in Information Assurance (IA) field.  Application and registration is free. To apply for the workshop, please email your name, affiliation and application to Xiaohong Yuan (xhyuan@ncat.edu), Li Yang (Li-Yang@utc.edu), and Bill Chu (billchu@uncc.edu).   

 

Targeted Participants: (a) full-time faculty at a U.S. university who are currently teaching Information Assurance (IA) related courses or have strong interests to teach IA courses and (b) have a strong interest to incorporate case-study and hands-on labs in their courses.   

How to apply for:

Please submit/email the following as part of workshop application:

  • Two-page statement including their interests in teaching Information Assurance, education background, research interests, courses taught, courses to be taught, and how they intend to incorporate workshop training results to their curriculum.
  • Support letter from department chairs or heads indicating institutional commitment to support the incorporation of the workshop materials to their curriculum.
  • Commitment to identify one or two courses to collect control data and report follow-up evaluation when they adopt our materials in their instruction.
  • Commitment to participate in discussion and contribute to improve our workshops and the development of IA hands-on labs and case studies.

 

Deadline of application:

Please submit your application by January 6 (Friday), 2012.     

Time:  June 24-29, 2012

Location: University of Tennessee at Chattanooga, Chattanooga, TN

Desktop computers are available for computer labs. You are required either to bring a laptop or a USB based storage device with at least 25 GB for workshop materials. Wireless connection is available.

How to Get Here: Airport is CHA and address of the Sheraton Read House Hotel Chattanooga is 827 Broad Street

Chattanooga, Tennessee, 37402.  The address of UT Chattanooga is 735 Vine Street, Chattanooga, TN.  

Cost:  Applicants will be awarded $2,000 to cover travel, lodging cost.

Workshop Agenda: http://teaching-ia.appspot.com/labs for more information.

Workshop Topics:

  • Security management: case studies on risk management, security policy, incident response planning, disaster recovery planning, physical security
  • Cryptography: hands-on labs on modes of symmetric encryption and its implication, RSA attacks, hash function properties, key management.   
  • Network security: an animated learning tool for Kerberos authentication architecture, an animated simulation for packet sniffer, a visualization tool for wireless network attacks, interactive SYN Flood simulator, firewall simulation game, stack overflow visualization
  • Web security: hands-on labs on  web application vulnerability assessment, secure programming, static analysis 
  • Access control: hands-on labs and case studies on dictionary access control, role-based access control, mandatory access control, and database security. 

This workshop provides an excellent opportunity to develop instructional excellence and to network with peers. Expected outcome of the workshop is to provide concrete case studies, and hands-on lab material, test questions, and evaluation rubrics that can be applied in teaching information assurance in computing related courses. Workshop will also focus on developing effective evaluation instruments that can lead to peer-reviewed publications in CS education conferences/journals.Flyer

Read more…

Reverse Web Proxy

Hi

 

I am new to this. Hope you will be patient with me. I am an IT security officer at a Goverment department. I was asked to do reseach on  Reverse Web proxy technology

 

My question is:

 

Does a reverse-proxy appliance can protect against the OWASP to 10 application security risks. We use BlueCoat proxies.

 

Thanks

 

Gilles

Read more…

Note: This is copied from my April 4th blog post at http://blogs.catapultsystems.com/BA. My posts are generally about Quality Assurance related issues.

 

In my last post, I mentioned that I was joining my local chapter of OWASP and would write about any interesting presentations. The first one that I attended was called "Supercharged John the Ripper Techniques" and was presented by Rick Redman of KoreLogic Security. His presentation was a real eye-opener to me, especially in my role as a business analyst.

Rules for Generating Secure Passwords

Even before seeing Rick Redman's presentation, I was highly aware of the importance of having good policies for generating secure passwords. The story about Oracle's MySQL.com hack that I mentioned in my last post was just the latest of many stories that I've read about web passwords being stolen. I knew that passwords should be encrypted when stored; that they should require at least one number, at least one capital letter, and at least one special character; and that they should be at least 8 characters long. However, I wasn't aware of just how weak these safeguards could be.

Why These Safeguards Aren't Enough

Rick explained a number of reasons why these typical password safeguards aren't enough, especially on the web. Most of the reasons have to do with the fact that people can't easily remember a lot of passwords, so they take some actions that reduce the strength of their password.

Users Follow Common Patterns

One of the most well-known password hacks is related to RockYou. This hack made the news because it contained a huge number of passwords, and the passwords were all stored in plain text. SC Magazine wrote an article about the stolen passwords, and the results were surprising. The 10 most common passwords for the RockYou site were "123456", "12345", "123456789", "password", "iloveyou", "princess", "rockyou", "1234567", "12345678", and "abc123".

You may think that by requiring longer passwords and special characters, users would not be able to pick such easy to crack passwords. However, Rick pointed out that this is a false assumption. Many people simply capitalize a first letter and replace another letter with an obvious replacement character such as replacing an "a" with an "@" or an "l" with an "!". Between his presentation and the rules of the KoreLogic "Crack Me If You Can" contest, you can get a good idea of what some common passwords are that follow complex rules but are still easy to crack. Is a password like "June2010!" or "NewYear2010!" really that hard to crack if someone is aware of the common patterns?

All Encryption is not Equal

In the case of RockYou, the passwords were stored in plain text. I would hope that most business analysts, as well as most others involved with software development, would realize that storing passwords in plain text is a bad practice. However, I did not realize the dramatic effects that different types of encryption could have on the ability to crack passwords. The KoreLogic "Crack Me If You Can" statistics page shows that the percent of cracked passwords by hash type ranged from 0% to 100%. For some hash types, there are relatively simple passwords that were left uncracked.

Users Use the Same Passwords at Multiple Sites

Since RockYou is a social gaming site, the consequences of a hacked account really shouldn't be that bad. However, because many users use the same user ID and password at multiple sites, people were able to use the password information to steal real money from people at PayPal and other sites.

What Can I Do?

There are concrete actions that you can and should take to protect yourself and to protect your company from hackers who might steal your password.

Protect Yourself

On a personal level, you can make sure to give yourself a unique, strong password at each website where you do business. Based on the information that Rick presented, this means that you want to avoid any easy to guess patterns in your password. One way that you can do this while still remembering your password is to think of a phrase and use the first letter of each word in the phrase as your password. If you use this method, you would want to also mix in some numbers and symbols and ensure that the password is 10 characters or more. For example, you could use the phrase, "I want a strong and secure password for all sites now," to generate a password of "!w@S@sp4@sn". This is a password that you should be able to remember and would be difficult for a hacker to crack. Unfortunately, I have found that some sites, including some financial sites, don't allow special characters in your password, which I found surprising.

You can also figure out a way to add some information about the site that you are using into the password to help generate unique passwords for each site. However, you don't want to use the site name in your password. It is important to have different passwords at each site just in case one of your passwords gets stolen.

Also, make sure to choose security questions that can't easily be guessed by people. It doesn't make sense to create a secure password with security questions that are easily guessed or discovered.

Protect Your Company

You might be tempted to push the responsibility of generating a secure password completely onto your users. After all, it's clear that even if you put rules in place to help users generate a secure password, they can still generate simple to crack passwords. In addition, when you put too many rules on a password, you may lose business because some users will get frustrated with the rules. However, just one incident of losing users' passwords will result in negative publicity. In addition, there's a growing movement to try to hold software vendors legally liable for insecure software. If you're interested in the potential legal ramifications, you can read "Tort Liability for Vendors of Insecure Software: Has the Time Finally Come?" by Michael D. Scott for a good overview.

Rick pointed out some key ways that a company can help protect their users in his presentation. He said that companies should "encrypt their hashes with stronger formats," "force password complexity," "require/force passwords changes/rotation," and "educate their users." He points out that even these actions aren't failsafe, but they make the passwords a lot safer, which protects both your users and your company.

Your Experiences

I'd like to hear about your experiences with setting password rules. How have you decided on password rules for past applications? What considerations did you need take into account other than security? Do you have any other tips for generating secure passwords or keeping passwords secure?

Read more…

Testing Web Application Security

Note: This is copied from my March 30th blog post at http://blogs.catapultsystems.com/BA. My posts are generally about Quality Assurance related issues.

Testing Web Application Security

Over the weekend, hackers got into Oracle's MySQL.com using SQL injection. I was surprised that a big technology company like Oracle would be vulnerable to a SQL injection attack, especially because they are a database company and SQL injection is a well-known attack.

The quote in the article that really caught my attention was, "'It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites,' Chester Wisniewski, senior security adviser at anti-virus firm Sophos, wrote in a blog post Monday. 'Auditing your websites for SQL injection is an essential practice, as well as using secure passwords.'"

Software Testers' Role in Web Application Security

In my experience, most software testers focus on testing the functionality of an application and do not focus on security. The websites that I've worked on that are especially sensitive to security breaches, like financial websites, have generally brought in a separate security expert to review the site.

I think that bringing in an expert is important for highly sensitive sites; however, in many cases, this extra resource is not available. As I've read about more breaches of security, I've come to realize that it would be good for software testers to, at a minimum, test their websites for the most common security vulnerabilities.

Unfortunately, learning the details of even the most common hacker attacks via the Internet can be a shady and sometimes virus-prone pursuit. After talking to a Web Application Security expert, I found a good starting point for learning about Web Application Security testing online.

The Open Web Application Security Project (OWASP)

The Web Application Security expert who I spoke with recommended looking into OWASP. I spoke with a couple other experts, and they all endorsed OWASP as a great place to safely and legally learn about Web Application Security.

There is a lot of great information on the site including an OWASP Testing Guide. However, the area that looks like it would be the most fun to start is the OWASP WebGoat Project. OWASP describes this as "a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons."

I've just started setting up WebGoat and attending meetings at my local OWASP chapter. I plan to write about some of my experiences as I gain new skills related to Web Application Security.

Your Experiences

I'd like to hear about your experiences with Web Application Security testing. Is it something that you currently have your test team focus on? Have you had any problems due to lack of or despite practicing Web Application Security testing?

Read more…

Demanding Secure Developers

Pulled for discussion from my blog at http://www.webadminblog.com

 

Much like many other companies these days, National Instruments hires many of our developers straight out of school. Many times when engaging with these new hire developers, I will ask them what kind of security they learned at their university. In almost all cases I've found that the answer hasn't changed since I graduated back in 2002. Occassionally I'll get a developer who mentions one particular professor or class where they discussed secure coding practices, but most of the time the answer is "I didn't learn security in school". This absolutely kills me. It's like asking an architect to design a building without them knowing anything about support structures and load distribution. The end result may look awesome on the outside, but the slightest breeze will knock it over. With computers being embedded into literally every aspect of our society, do you really want code that crumbles the moment a user does something other than what was explicitly intended?

This leads me to the conclusion that security should be considered a fundamental part of code development and not an afterthought. We should be teaching security to students at a University level so that when they graduate, corporations don't spend valuable time re-training them on proper development techniques. I've heard rumors of large companies like Oracle actually being able to impact college curriculum by telling universities they simply won't hire developers without security training. Unfortunately, most companies aren't in a position to make demands like that, but it certainly wouldn't hurt to develop relationships with faculty at your local university and tell them what you'd like to see out of their students. I did some poking around on the internet and it seems like some professors are already starting to get the memo. For example, I found a great paper written by three professors at the USAF Academy Dept. of Computer Science called Incorporating Security Issues Throughout The Computer Science Curriculum where they say:
While the general public is becoming more aware of security issues, what are our universities doing to produce graduates ready to address our security needs? Computer science as a discipline has matured to the point that students are regularly in tructed in software engineering principles--they learn the importance of life cycle issues in the development and maintenance of software. Where are they receiving similar instruction on security concerns in the software life cycle? The authors propose that security should be taught throughout every computer science curriculum--that security should always be a concern and should be considered in the development of all software just as structured programming and documentation are.
Gentlemen, I couldn't agree more. Security needs to be a foundational piece of every Computer Science program in the country. Not one class. Not one professor. Secure programming techniques need to be a consideration in every CS class in every university. Universities teach students how to write functions, create object-oriented code, and do proper documentation, but when graduates don't know the basic tenets of input validation, then we have a real problem. If you agree with me, then I challenge you to write to the Dean of your local CS program and ask them what they are doing to ensure graduates are familiar with secure coding practices. I'd be very interested in hearing back from you as to what their response was.
Read more…