May 2007 Archives

OWASP Conference slides up

Looks like the slides are up for most of the OWASP conference presentations over here.

A couple that I thought were particularly interesting were:

Alex Lucas on the Microsoft SDL, which gave some good insight into all the work that Microsoft are putting into improving the security of Vista. I've never been a huge Microsoft fan, but they're definitely moving in the right direction on the security issue.

Also Brian Chess on static source code review. This one gives some good insight into what static source code analysis can and can't do for a security review. It looks to me like Fortify and Ounce will be moving into the same kind of space that SPI, Cenzic and Watchfire are in for web application testers. No one thinks you can just run those tools and call it a day, but they're pretty valuable in improving the coverage of the test and catching certain classes of vulnerability, leaving the tester to focus on things like business logic flaws that automated tools can't find.

Windows Server 2008 Features Address Linux Rivalry

Interesting article which talks about the modular nature of Windows Server 2008. From the content of this article, I think it's fair to say that Microsoft will have addressed the last big architectural problems with their software security that I can think of, once Server 2008 is available.

Previous versions of Windows Server have had items like Internet Explorer and Windows Media Player installed by default with no easy way to remove them, which led to additional patching and security requirements for the operating system and an increased attack surface, even with the lockdown of some of the functionality they provided that happened in Server 2003.

Now from this article it appears that Windows Server 2008 will reduce the attack surface of the OS by allowing it to be much more modular. And for the first time you can have a Windows server without a GUI!!

In the past I've always doubted that Microsoft would do this, as from a marketing perspective bundling has always been a strong point for them.

When you combine this with the very strong story that Microsoft has on secure development techniques, I'd say that the latest generation of their products are likely to be the best in their fields for security...

List of SQL Injection scanners

Top 15 free SQL Injection Scanners - Security-Hacks.com

Interesting-looking list of SQL injection scanners, although Justin notes here that at least one of them, sqlbrute, isn't really a scanner.

Anyway, I'm planning to run some tests on them to see how they handle some basic SQL injection flaws, so it'll be interesting to see how they go.
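For readers wondering what a "basic SQL injection flaw" of the kind such scanners are meant to catch looks like, here is an added example (not code from the original post or from any of the listed tools). It builds a constructed in-memory SQLite fixture with a login lookup written two ways: the vulnerable string-built query beside its parameterised fix. Running the same input through both shows the two tells a scanner relies on: a stray quote producing a database error, and a tautology in the password field returning every row from the vulnerable version while the fixed version returns nothing.

```python
import sqlite3

# Constructed sample data for the fixture (added example, not the author's test setup).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The flaw: user input is pasted into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """The fix: bound parameters, so input is only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(name, password):
    """Run one input through both versions; returns (vulnerable_rows, safe_rows).

    A database error from the vulnerable version is reported as a single
    'error: ...' entry, because that error is exactly what scanners key on.
    """
    conn = make_db()
    try:
        try:
            vuln = login_vulnerable(conn, name, password)
        except sqlite3.Error as exc:
            vuln = ["error: " + str(exc)]
        safe = login_safe(conn, name, password)
    finally:
        conn.close()
    return vuln, safe


if __name__ == "__main__":
    print(compare("alice", "s3cret"))      # both versions find alice
    print(compare("alice", "wrong"))       # both versions find nobody
    print(compare("alice'", "x"))          # stray quote: vulnerable version errors
    print(compare("alice", "' OR '1'='1")) # tautology: vulnerable version returns all users
```

The error case is worth keeping in any scanner evaluation: the tautology is what makes a good demo, but most tools find the flaw from the database error long before they try to exploit it.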

OWASP Conference Milan

Well the OWASP conference in Milan was really great. There was a large number of good presentations and lots of interesting chat. Also got to meet quite a few people I only know from their blogs.

The first day was the SOA and Web Services Security training from Gunnar Peterson. Whilst there was a lot of information to absorb in one day, it was very good and left me with some key things to take away, like the importance of using XML security gateways in enterprise web services, some risks which apply to web services that are different to those faced by usual web apps (like XDoS), and that MQ only provides authorization, not authentication!

On the first evening we got free food and drink courtesy of the nice people at Breach Security and I had some interesting chats with Alex Lucas on cool home computing setups amongst others.

The second day was the first of the conference proper (agenda). Hopefully all the slide decks will be up and linked from that page fairly soon... There was lots of interesting stuff; probably the most interesting (or perhaps scary) of the day for me was PDP Architect's presentation on advanced web hacking (slides from this one are here). It was a really interesting look at what some of the new services that are available on the 'net, like Yahoo Pipes and tinyURL, can be used for by malicious parties. Unfortunately the dark angel of demos was around and Yahoo Pipes was down during the presentation, but I imagine it'll be up again soon...

Dinner on the second day was the conference one at Ristorante Why Not, and again loads of interesting chat was had. I was sat next to Simon Roses Femerling, lead on the Pantera Project, and had some interesting chats about what's next for that project. It actually cleared up for me what the goals of the project are. Pantera (at the moment) seems primarily geared at gathering information on the site under analysis rather than automatically handling XSS testing or the like.

Unfortunately I was pretty tired by the end of the meal (they have quite leisurely dining in Italy) and missed the first appearance by the OWASP band! However, there are pictures here.

Day Three had some more great talks and more stuff that I really should look at when I get the time. There was information on the newly revamped OWASP Testing Guide, which sounds like a really good basis for web testing methodologies now.

There was also a madcap spin through the expanded OWASP project list from Dinis Cruz, where we got a flavour of the variety of projects now undertaken by OWASP. One thing that sprang to mind while I was listening to this was that perhaps OWASP need to enforce some kind of naming convention on their projects, as at the moment some of the names aren't really very descriptive of what the project does, which can lead to some confusion.

Day Three ended up with the panel discussing "What is needed to fix web app sec vulnerabilities once and for all?". The main suggestions surrounded revamping the underlying protocols and technologies (e.g. HTTP 2.0) to embed security, and also encouraging development framework usage so that individual developers find it easier to write secure applications. Ultimately, though, it seems that the conclusion was that the current crop of web application vulnerabilities will be with us for some time and there are no easy fixes...

All in all, a great conference; I'll definitely hope to get back next year. The talks were all pretty good, and there were loads of interesting people to meet and put faces to blogs...

Back... in more than one sense of the word

Well, that's the blog back online after more than a week. Just before I was off to the OWASP Conference (of which more later), the power supply in my server blew! After some frustration with moving disks and volume groups in Linux, I decided to wait until I got back and rebuild on a virtual machine...

I've been having some fun sorting out some cool new tech for my house. I've been looking for something to replace the large tower box I've got running my file/print & website for a while, mainly so I can separate them and not be hosting any external services on the same machine as I'm hosting internal services.

So I've been looking for small, quiet, cheap Linux boxes to use for a webserver, and I came across the Buffalo Linkstation Pro. It only costs 99 pounds in the UK and is designed as a NAS device; however, in common with most of these kinds of devices, it's really a small ARM-based computer running Linux. So following a quick trip to the excellent Linkstation wiki, some downloading and following of instructions to re-flash the device, I've now got a Debian Linux server with 128MB RAM and a 250GB hard drive, all for under a hundred quid!!

The other thing I set up for the first time the other night was Tor, mainly to see how easy or difficult it would be. The answer is (on Fedora Core 6 at least) pretty easy: two package installs and a couple of edits to config files, and I'm surfing anonymously. It's a bit slow, but apart from that it seems to do what it says on the tin. Very handy to test source IP address restrictions if you're using them.

About this Archive

This page is an archive of entries from May 2007 listed from newest to oldest.

April 2007 is the previous archive.

June 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Powered by Movable Type 4.37