[SecurityRatty] tag: commerce

Podcast: Cloud Computing, Software Development, Testing and Security

Sun, 09 Nov 2008 08:57:10 +0000

Last month I was interviewed for a podcast with SearchSoftwareQuality.com.

We talked about some of the advantages Cloud Computing could bring to software development and testing. Notice I say ‘could’ - I continue to see great potential benefits but some of these require us to rethink how we do things as ‘end-users’ and depend on the Cloud Computing ecosystem maturing enough to deliver them (e.g. security monitoring of Cloud API calls).

This was recorded prior to the Microsoft Azure announcement hence the “software + services” model wasn’t covered.

Anyway, the podcast is broken into 3 x 8 minute segments (I think I broke the spoken word count ;-):

General benefits of cloud computing for software development
Cloud computing’s impact on agile development practices, software testing, and e-commerce
Security elements surrounding cloud computing, such as software monitoring, implementing security patches, and the reduction of data leakage.

You can access the podcast segments here.

My thanks to Michelle and Erick over at TechTarget for the opportunity.

What About You?

Apart from general feedback on whether the podcast was helpful or not, I’m interested to hear if you’ve started any Cloud based development projects - please share in the comments.

Links for 2008-11-04 [del.icio.us]

Tue, 04 Nov 2008 21:00:00 +0000

PCI Blog - Compliance Demystified » Blog Archive » E-Commerce Startups deal with PCI compliance

On Small Companies and PCI Compliance

Tue, 04 Nov 2008 08:42:00 +0000

Read this post ("E-Commerce Startups deal with PCI compliance" at "PCI Anwsers" Blog) and weeeeeeep: "I once was talking with a small business owner who was reading through the Self-Assessment Questionnaire (SAQ) and stopped at the first question, which basically said, Do you have a properly configured firewall? The business owner called into the back room and asked the store manager, “Hey, do we have a firewall?” The store manager replied that he thought they had a fire extinguisher which was up to date. I then watched as the store manger checked the “In Place” box on the form stating they had a properly configured firewall in place."

Wonna "sell PCI compliance" to small businesses? One need to get smart in a very special way! :-)

What's Happiness Got to Do With It?

Wed, 29 Oct 2008 07:00:44 +0000

Gartner's own John Pescatore has issued a 12 world post:

The best security program is at the business with the happiest customers.

Happiness? Really? That's the measure of program effectiveness? I would see those 12 words and raise them one word (13 if you're scoring at home):

There's a fine line between happy customers and playing piano in a bordello.

I mean the people running hedge funds and derivative books at AIG, Lehman and friends had lots of happy customers for the last decade!

To me the happy customer is a classic IT copout "we just did what the "business" asked". Like we're just a bystander or something. Its our job to create business value and be business like. We should seek to empower out customers, not make them happy.

Please understand I am not that guy who says IT security has to be the "bad cops" who deny everything the business wants to do. Just saying it is our job to raise the bar where we can. Raising the bar does not always create super happy customers in the short run, but it does empower companies.

Unfortunately, playing piano in the bordello is what a lot of security groups do and even big analyst firms. The path of least resistance ain't always the way. Here is an example. I was at a client many years ago, they wanted to build a big Identity Management solution, so of course they wrote a big RFI got responses from Sun, IBM, Oracle and friends. The bids were in the $3-5 million range. Pretty big projects for an Infosec team. So what do you do? Call up a big analyst firm and get some advice, right?

A week goes by and we get an audience with the "guru" from the Big Analyst Firm. The client has pretty detailed requirements, what systems they want to connect to, what use cases they are looking to solve for, and so on. We anxiously await the knowledge the analyst is about to transfer to us. His response was as follows - "what kind of shop are you? IBM shop? Oracle shop?" "Ummm...we are a huge company we have everything." "Well if you are more of a IBM shop you should go with them. If you are more of a Oracle shop you should go with them." That was the extent of a 30 minute conversation. True story.

Of course, the one value proposition of the Big Analyst Firms is that they supposedly can tell you what everyone else is supposedly doing. There is some value in this I grant you. And it does make for happy customers because even when you force your customers to change, you can say "Well geez, I know its hard but the Big Analyst Firm says that everyone is doing it." But is this security improvement?

Back in 2004, I went to a great security conference, it was Information Security Decisions (they are back in Chicago next week). It was in Chicago, downtown on the river. Tom Davern even took us all out on a boat for lunch one day. Anyway, there was one truly great talk there. It wasn't Fred Cohen debating Gary McGraw on application security which was outstanding (in which Fred uttered the memorable line "I agree with Gary everywhere he agrees with me." (Gary won the debate, his best line - "We know how to win the software security war, but we don't know how to manage the peace" still the problem today actually)) It wasn't Pete Lindstrom showing his security metrics framework (which is still a great starting point). it wasn't Dan Geer's fireside chat.

The truly great talk, though, was by the now departed Robert Garigue. It was called "Its the End of the CISO as I Know It, (And I Feel Fine)." The whole end to end talk was wonderful, there are several things in there that I still use every single day like the separate security models for Infostructure and Infrastructure but the point I want to talk about is the CISO role.

Garigue talked about the two most prevalent CISO models - the jester and the bad cop. The jester CISO

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

The jester has happy customers! At least for awhile.

Again I grant you bad cop is not the way to go either (and while this already long post could read harsh on John Pescatore's pithy summary, I give him a lot of points for saying that security needs to be customer conscious).

We have all seen bad cop CISOs who

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

How long can developers evolve, connect everything and security people not change anything? Herb Stein said, "things that can't go on forever, don't. "At some point these chickens are coming home to roost, there is a yawning gap between rapidly evolution connecting the enterprise and the 13 year old and counting security architecture that "Everyone else is using" and when those chicken come home to roost you may not have happy customers then. Here is my 12 words:

The best security program is at the business with sustainable competitive advantage.

DHS Secretary Chertoff discusses cyber security, highlights supply chain security

Sun, 19 Oct 2008 20:00:00 +0000

I had not seen the Secretary of Homeland Security, Michael Chertoff, speak on cyber security issues at a public forum since he keynoted the industry-wide RSA Conference in April 2008, so I decided to attend a forum at the U.S. Chamber of Commerce on Tuesday, October 15th where he was scheduled to keynote. Titled “Enhancing Cyber Security as Part of Enterprise Risk Management Planning” and held as part of a series of National Cyber Security Awareness Month events, Secretary Chertoff addressed the group of mostly business community attendees to highlight what he dubbed as “one of the most important initiatives that we have ever undertaken as a department or country”...

The Image Group Website Hacked Through SQL-Injection, Credit Cards Data Stolen

Mon, 13 Oct 2008 18:54:37 +0000

From January to August 2008, hackers through an SQL injection flaw were able to access names and credit or debit card information of the persons who placed orders on The Image Group e-commerce website. The Image Group (http://www.theimagegroup.net) is a firm for promotional products and corporate merchandise headquartered in Ohio. The Image Group has notified the [...]

Anatomy of SQL injection attack

Mon, 06 Oct 2008 20:00:00 +0000

While there are a number of security risks in the world of electronic commerce, SQL injection is one of the most common Web site attack techniques used to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy data outright.

Links for 2008-10-01 [del.icio.us]

Wed, 01 Oct 2008 20:00:00 +0000

Zambian gov't warns against e-commerce

Sun, 28 Sep 2008 20:00:00 +0000

The Communications Authority of Zambia has warned against e-commerce, claiming Zambia lacks the skills, equipment and organized systems to fight cybercrime.

Gambling Domains Seized by Kentucky

Sun, 28 Sep 2008 03:32:49 +0000

From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It appears that the seizure order (click here for a copy of the initial order) was signed by a circuit judge, but later reports indicate that the judge is holding further hearings and seeking further arguments. A hearing will be held Oct. 7, according to TheDomains. See page 4 of the seizure order for a complete list of the 141 domains. Here are some of them:

123bingo.com
777dragon.com
indiancasino.com
jackpotcity.com
powerbet.com
crazypoker.com
vegaslucky.com

That sort of thing. According to DomainNameNews, several of the domains are for popular sites, including PokerStars.com, FullTiltPoker.com, BodogLife.com, GoldenPalace.com, Bet21.com, DoylesRoom.com and IndianCasino.com. It also reports that at least one registrar (Enom) has transferred domains pursuant to the order, including one whose registrant died of a heart attack this summer. The seizure order says that the domains are to be transferred by any registrar to a plaintiff's account at that registrar (the plaintiff being the Commonwealth of Kentucky), but that the domain names' configuration will be otherwise unchanged. This means that any gambling sites run on those domains or, for that matter, anything else on those domains, such as PPC ads, would remain functional. All things considered, this seems like simple-minded grandstanding without any good law behind it. The Constitution vests Congress with power to regulate interstate commerce, which the domain name market clearly is. In fact, these businesses are truly international. And it's a safe bet that none of the gambling companies or registrars operates in Kentucky, perhaps not even any of the domain name holders. That the state argues that residents of Kentucky engage in illegal gambling doesn't give the state jurisdiction. The Internet Commerce Association, a domainer lobby, has weighed in on the matter in opposition to the state's move.