How long is too long?
There has been a lot of chatter on social media lately surrounding the topic of public vulnerability disclosure. Doing a quick Google search, I found a ton of resources, discussions and blog posts available, covering different ways to properly disclose a vulnerability. Several are listed below:
#WarStoryWednesday: Quick and Dirty Social Engineering
Every now and then, I work on the assessments that normally Brent White and Tim Roberts blog about. When I’m privileged to get such an assignment, I typically create unnecessary pressure on myself in an effort to compete with the likes of my aforementioned teammates and their overwhelming success on Social Engineering Assessments. I find myself feeding off the pressure and nervous energy, turning it into excitement and focus. By drawing on my past experiences in the Broadcast Television industry, I convince myself that this will only help me succeed on such a project. Then, when I get word of the increased challenge level, whether due to the small size of the company being assessed, a shared work environment or building, or armed guards present, I actually find myself... read more >
The Agile Movement
In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.
Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this... read more >
#WarStoryWednesday: so many hosts, so little time
Every now and then, while performing a penetration assessment, we’ll get a large set of hosts considered in scope. This is often a nice change of pace from the compliance-based penetration assessment where the scope is smaller and more focused on the Cardholder Data Environment (CDE). With the larger scope, we can come a bit closer to simulating an actual attacker from the perspective of the internal network. I say closer because as security consultants we are still limited by time, often only having a week to perform an assessment. If the scope is big enough, we will typically send two or more consultants. This blog will detail just one of those assessments and will hopefully give insight into effective time management for large scopes that offer more than one method of compromise.Background
Let me set up the scenario a bit. My co-worker Adam Steffes and I were tasked with performing an assessment with... read more >
As a Security Consultant for NTT Security (US), Inc. Professional Security Services, I have the privilege of witnessing many application security programs. I see programs that work great, are healthy, and handle risk management very well. Then there are programs that have either missed the mark completely, or are healthy but have some maturing to do.
In this blog I’ll be focusing on organizations or development teams that use a more traditional “waterfall” style approach to application development. I’ll attempt to identify traits of a healthy application security program in order to provide ideas for programs that could use some maturing. If your organization uses a more modern “agile,” “iterative,” or “kanban” style of development we will address those specific challenges in Part 2 of the series.
I’m sure many of us have heard that successful... read more >