Recently in Software Security Category

Most of the questions I got after my talk were around how people can go about securing their applications. I mentioned a couple of sites, and it's probably worth expanding on the points made.

Web Application Security

For people looking to understand how to secure their web applications, in my opinion the best source of free information is the OWASP project. It's an umbrella for a number of web application security efforts.

They've got a wide variety of projects which target management, security testers and developers, but some of the best places to start for developers are the OWASP Developer's Guide, which covers a wide range of topics about secure development in a fairly generic way, and the Ruby on Rails Security Guide, which covers Rails-specific topics.

Both of those documents are relatively large but well worth delving into. For a quick view of the "most serious" web application security issues, OWASP also has the Top Ten project. The latest version, currently at RC1, has some good summaries of the top risks and is a good place to start getting an idea of the areas to be addressed.

There's also a newish book dedicated to the topic of security on Rails. I picked up a copy at the conference (I'm a sucker for the O'Reilly stand!), so I've not had time to get all the way through it, but first impressions are that it'll be very good, with concrete examples of broken Rails applications and how to fix them.

Interesting new site?


There's a post over at the Microsoft ACE Team blog about their new Hello Secure World resource.

When I saw this I thought I'd go over to the site and take a look around, as Microsoft have released some great information about developer security in the past and it's an area of interest for me at the moment.

But then I ran into a complete roadblock getting to the site! To view it you have to have the latest version of Silverlight installed. Unfortunately I think that won't work for a lot of users, either because corporate builds haven't deployed Silverlight yet (and hopefully have decent security policies in place to stop users self-deploying software) or because of platform issues (admittedly a small proportion of Linux fans like myself). That said, it's likely to be an increasing problem for some content, as a lot of mobile devices run Opera, which isn't supported by Silverlight from what I can see.

I understand that Microsoft are keen to get people looking at some of their new technology, but it's a shame that this kind of resource is limited in such a way that a decent proportion of their target audience won't be able to use it. Perhaps a limited HTML version could be made available so people without access to Silverlight

It's the time of year for New Year's resolutions, so I was thinking about what security people could do differently to help make 2008 better than 2007 for software security.

One thing I came up with: speak to your purchasing people (if you've got some) or anyone else who approves software purchases in your company, and get a criterion added to your purchasing policy that requires software vendors to explain how they ensure the security of the software they're selling you.

After all, software companies are selling you products to help you run your business, and these days if they're selling you vulnerable products it's quite likely to have a negative effect on your company, either through security breaches which exploit the vulnerabilities or through the time you have to spend patching the software they provide.

Now I'm not suggesting that any software you buy will be perfect, but if you make software security a criterion in whether you purchase "package A" or "package B", you give the vendors an incentive to improve the security of their software.

Of course there's the problem of how you actually evaluate their claims. At one level there's the obvious approach of listening to what they tell you and asking some searching questions like "how many vulnerabilities has your product had in the last year?" and "what's your policy towards vulnerability researchers and disclosure?". Beware of companies who say that their software has no vulnerabilities. It's very likely that they're either lying or in denial!

Above that, another option would be getting your suppliers to submit their software for an independent third-party assessment (like the ones Veracode supply). This probably works best for large companies buying critical applications, but I think it's a good idea, in principle anyway, as it helps validate a software supplier's claims of security.

What 2008 may bring...


Well, as is kinda traditional in December, various security bloggers have started predicting what 2008 will bring (there's some interesting thoughts and links to more predictions here).

For my 0.02 of your local currency, I think that next year's big topic will be software security. A lot of the things we're seeing happen in the security market around exploding vulnerability metrics and malware all come down ultimately to poor software design and development.

Now the industry's reaction to this so far seems to be "here's another device for your network to help deal with this". Not surprisingly this isn't a tenable long-term strategy, as you can't keep layering on boxes indefinitely before things start breaking.

Also, if you look at the Jericho concepts, a key message is that systems have to be able to survive on their own without relying on an ever-decreasing "perimeter". Well, in order to survive you've got to be well designed and well written. The model of hiding all your extremely vulnerable applications behind a big set of perimeter security devices won't work in the future.

So what is this software security trend going to look like in terms of markets? Well, I'd say that companies like Veracode, Fortify and Ounce Labs will do well over the coming year, although perhaps for different reasons.

Veracode's service sounds like it could be really useful in starting to answer the hard question "How do I know this software I'm buying is secure?". Traditionally the most that was done was a black-box pen test of such software, and as people know, black-box penetration testing is a lousy way to assure the security of anything.

Fortify and Ounce make products which can help companies integrate security-focused source code analysis into their development processes. I don't think that many companies have a business model that allows for the cost of a complete manual review of their codebases, so tools are necessary here to help the process scale.

Of course no product is going to solve this sort of problem alone, so I'd hope to see more output along the lines of some of the OWASP projects, giving guidance on the design-side aspects of producing secure software.

ryanlrussell: Vulnerability Pimps

Some very interesting commentary which follows on from a posting on Marcus Ranum's site here, which is in itself very interesting.

All good stuff if you're interested in software security, but the piece that caught my eye is right at the end of the comments section:

I'm hearing from the vulnerability pimps that, yes, code security is improving. They are reporting that it's much harder to find a remote hole in the current operating systems.

So security on operating systems is getting better. Not really a surprise given the battering they've had and the level of resource that people like Microsoft are putting into it.

But reckon that the hackers will go home now? Of course not. They'll move on, and I reckon that the place they'll go is all those other software applications that people install on their systems that come from vendors who maybe haven't woken up to the necessity of secure coding.

Sure, it'll be harder for hackers to get coverage on as many systems because there aren't all that many software monopolies out there, but I'm sure that's where they'll go.

So it's a good time to be asking the suppliers of all your applications what they do about software security. Do they do security code audits? What tools do they use for those audits? Have all their developers had secure development training?

Analysis of the Vista Security Model


Windows_Vista_Security_Model_Analysis.pdf

Symantec's analysis of the Vista Security Model. Another one to read when I get some time.


A Process for Performing Security Code Reviews

Article on performing security code reviews, one to read when I get a chance.


About this Archive

This page is an archive of recent entries in the Software Security category.
