When Security Guys Ask You About Authentication – This Is What They Actually Mean

31 December 2006

When you are scheduled for a security review meeting, be prepared for the question in the title. Security guys are concerned with the Identity Theft/Spoofing threat. My suggestion is to go there prepared with the following question list, thus saving lots of time:
- How do your end users identify themselves? User and password pairs? Digital certificates? Other?
- How are credentials sent over the wire (if any)? Clear text? Hashed? Over a protected wire (SSL, IPSEC, etc.)? Binary encoded?
- How does your system authenticate your end users? IT based: Windows Integrated, Digest, Basic, PKI. Custom mechanisms (not the best choice).
- How does your application manage the credentials that it uses to authenticate itself with downstream servers? Hard coded...

This is How They Will Discover Secrets You Hide

29 December 2006

If you publish your code on the internet, then first They will use Google CodeSearch. For example, try looking for "initial catalog": http://www.google.com/codesearch?q=%22initial+catalog%22&hl=en If They are lucky and They have your binaries, then Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to get all the strings using a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .NET SDK or Visual Studio. Like this:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr...

Wrong Way To Do Penetration Testing

Security pro pleads guilty to USC breach: "Security professional Eric McCarty pleaded guilty in United States District Court in Los Angeles on Tuesday, admitting that he intentionally exploited a flaw in the online student application Web site of the University of Southern California, federal prosecutors said." "There is a right way to do penetration testing, and there is a wrong way," Zweiback said. "And Mr. McCarty's way was the wrong way, and hopefully this plea sends that message."

Security and ROI

I think it is nonsense. These two should not be put next to each other. To me it is the same as "show me the ROI for car insurance" or "show me the ROI of military and defense budgeting". I definitely like the following, which is not about ROI but rather about keeping the business: http://www.enterprisestrategygroup.com/ESGPublications/ReportListings.asp?ReportType=briefs "The Security Development Lifecycle (SDL). Advantage, Microsoft", 11/3/2006, by Jon Oltsik: "When it comes to Microsoft and security, few people ever mention Microsoft's Security Development Lifecycle (SDL). ESG believes this is an unfortunate omission. The fact is that Microsoft's commitment to SDL is an area of stealthy security leadership. ESG..."

Building More Secure Apps is Not [only] Writing Secure Code

Just finished two Application Security Awareness workshops for a major customer. The audience is developers, and the major idea behind the workshop (two half days) is to emphasize the security fights one needs to manage throughout the development lifecycle, NOT just before app deployment. So we had some presentations and then practices where we tried to plan our security for imaginary applications, one Internet and the other intranet; then we did some code inspections looking for vulnerabilities and best practices. I think it went pretty well; the great evals I got back from attendees prove it. Enjoyed it a lot.

This is How They Will Hack Your Wired Network

26 December 2006

First They will get some network sniffing tool. I am extremely proud that MS recently released the shiny new NETMON 3, which can be downloaded for FREE here https://connect.microsoft.com/availableconnections.aspx and the team manages a very nice blog here http://blogs.technet.com/netmon/default.aspx that explains in a very detailed manner how to capture and filter network traffic and even automate all this. After studying all this, the first thing I believe They will try is to sniff HTTP traffic, applying a proper filter and looking for juicy information like passwords or business-critical information between the frames They've captured. How to get protected? Avoid sending sensitive information over the wire....