Monday, April 20, 2009

Twitter Your Security Away

As social networking takes over our lives, much like the Borg, we are freely giving away our personal information. It's information devaluation. Twitter, Facebook, MySpace, Flickr, LinkedIn, etc. are all pretty much conditioning us to be one with the Internet universe. Why shouldn't every person we know have the latest update on what we had for lunch, our favorite color, our dog's name or our high school?

Interesting that these are the same questions your online bank account asks you as challenge questions. How long until some really cool tool gets released by the underground that can scan a profile and categorize the data into all the fields a bank usually asks as a challenge question? (I should trademark the concept.) The practical point is that an answer anyone can read off your public profile is not a secret, so knowledge-based authentication built on those answers is only as strong as your privacy settings.
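To show how little the "underground tool" above would actually need, here is an added toy example (not code from the original post): it reads a constructed profile, maps structured fields and free-text status updates onto common challenge-question categories with a handful of regular expressions, and reports how many of an assumed bank question set it can answer. The profile, the question list and the patterns are all constructed assumptions for illustration; no real bank's question set is used.

```python
"""Toy scanner mapping public profile data onto bank challenge questions.

Added example, not from the original post. SAMPLE_PROFILE, BANK_QUESTIONS
and PATTERNS are constructed assumptions, not any real site's or bank's data.
"""
import re
from collections import defaultdict

# Constructed sample profile: structured fields plus free-text status updates.
SAMPLE_PROFILE = {
    "fields": {
        "Hometown": "Tampa, FL",
        "High School": "Plant High School",
        "Favorite Color": "green",
    },
    "posts": [
        "Walking Biscuit the beagle again, he hates the rain.",
        "Lunch: tacos. Again.",
        "Mom's maiden name was Kowalski, found it on the old photos today.",
        "Still miss my first car, that rusty Civic.",
    ],
}

# Structured field labels that map directly onto a challenge-question category.
FIELD_MAP = {
    "High School": "high_school",
    "Favorite Color": "favorite_color",
    "Hometown": "hometown",
}

# Assumed phrasings people use in free text; each regex captures the answer
# in the named group "ans". Deliberately small; a real tool would have many more.
PATTERNS = {
    "pet_name": [
        re.compile(r"\b(?P<ans>[A-Z][a-z]+) the (?:dog|cat|beagle|lab|puppy)\b"),
        re.compile(r"\bmy (?:dog|cat|puppy) (?P<ans>[A-Z][a-z]+)\b"),
    ],
    "high_school": [re.compile(r"\b(?P<ans>[A-Z][\w ]+? High School)\b")],
    "favorite_color": [
        re.compile(r"\bfavou?rite colou?r (?:is )?(?P<ans>[a-z]+)\b", re.I)
    ],
    "mothers_maiden_name": [
        re.compile(r"\bmaiden name (?:is|was) (?P<ans>[A-Z][a-z]+)\b")
    ],
    "first_car": [
        re.compile(
            r"\bfirst car,? (?:a |the |that )?(?:[a-z]+ )?(?P<ans>[A-Z][a-z]+)\b"
        )
    ],
}

# Assumed challenge-question set a bank might present (illustrative only).
BANK_QUESTIONS = [
    "mothers_maiden_name", "first_car", "pet_name",
    "high_school", "favorite_color", "hometown", "first_employer",
]


def harvest(profile):
    """Return {category: [candidate answers]} from fields and free text."""
    found = defaultdict(list)
    # Structured fields: the label tells us the category, value is the answer.
    for label, value in profile["fields"].items():
        cat = FIELD_MAP.get(label)
        if cat:
            # "Tampa, FL" -> "Tampa": banks usually ask for the city alone.
            found[cat].append(value.split(",")[0].strip())
    # Free text: run every category's patterns over every post.
    for text in profile["posts"]:
        for cat, regexes in PATTERNS.items():
            for rx in regexes:
                for m in rx.finditer(text):
                    found[cat].append(m.group("ans"))
    return dict(found)


def coverage(found, questions=BANK_QUESTIONS):
    """Fraction of the bank's questions the profile answers, plus which ones."""
    answered = [q for q in questions if found.get(q)]
    return len(answered) / len(questions), answered


if __name__ == "__main__":
    answers = harvest(SAMPLE_PROFILE)
    frac, hit = coverage(answers)
    for cat in BANK_QUESTIONS:
        print(f"{cat:22s} {answers.get(cat, ['<not found>'])}")
    print(f"{len(hit)}/{len(BANK_QUESTIONS)} challenge questions answerable ({frac:.0%})")
```

On the constructed profile the scanner recovers six of the seven assumed questions from three profile fields and four status updates; only "first employer" is missing. The check to take away is the inverse one: before relying on a challenge question, ask whether its answer already appears on the account holder's public pages.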

Stop the madness. That includes all these Blogs! Down with Blogs!

Gary

baha@kraasecurity.com

www.kraasecurity.com

Managed Security Services

++++++++++++++++++++++++++++++++++++++++++

Gartner has published a document (in PDF format) with its analysis and recommendations on the above subject:

QUOTE
Analysis
Twitter's recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site's business model. Hype about the potential business use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are "sprinkled on."

This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are "business-strength." Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work.

Recommendations

All enterprises:
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies.
The document can be downloaded from http://www.gartner.com/DisplayDocument?doc...;ref=g_homelink

Monday, April 6, 2009

Well, it is really about time that firms figure out that if you look at the development cycle, you might find the vulnerabilities before you place your applications into production. An ounce of prevention is truly worth more than a pound of cure.

Having a third party review your app really does make sense. It's a bit more expensive on the front end, but you save a lot down the road by not being hacked, not having to spend money on testing a production environment and keeping your name out of the paper. Secure coding is such an obvious fix, yet most companies do not spend nearly enough on doing this.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
Managed Security Services



++++++++++++++++++++++++++++++++
More companies seek third-party Web app code review, survey finds
By Robert Westervelt, News Editor
24 Mar 2009 | SearchSecurity.com
Companies are paying closer attention to secure software development to reduce shoddy code, which often results in gaping holes that expose sensitive information, according to a new survey conducted by the OWASP Foundation.
The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information security at Wireless Generation Inc., who organized the report with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. Gelbord said the predominant thinking has been that companies are conducting code review in-house if they're doing it at all.

"One thing that cuts across all the statistics is a growing approach toward secure coding," Gelbord said of the survey.

It's OWASP's first survey on secure software development budgets. Gelbord said the organization is trying to measure spending habits and over time gauge whether companies are placing an emphasis on building applications with more secure software code. The goal of the project is to establish an industry accepted benchmark for justifying overall Web application security spending, Gelbord said.

About half of the respondents consider security experience as at least somewhat important in hiring new developers. The figure is a positive sign that companies are trying to place a greater emphasis on secure software development, Gelbord said. The majority of those surveyed also said they provide software security training both internally and externally.

Spending on Web application development is expected to be flat or rise slightly during the economic downturn. But the survey results were somewhat inconclusive. The survey found that Web application security represents 10% of security spending in 36% of the companies surveyed. Another 33% of firms surveyed did not know what portion of security spending is on Web applications.