[SecurityRatty] tag: pros

SDL Announcements at TechEd EMEA

Mon, 10 Nov 2008 19:25:00 +0000

Hello all, Dave here…

I am in Barcelona, Spain with Michael Howard and Adam Shostack at the TechEd EMEA: Developers Conference.

In addition to teaching and attending security sessions, we are in Barcelona to formally announce the launch of the SDL Optimization Model, SDL Pro Network and the Microsoft SDL Threat Modeling Tool Beta! For those of you who are unaware of these initiatives here’s a description of each…

SDL Optimization Model: The SDL Optimization Model was created to facilitate gradual, consistent and cost-effective implementation of the SDL in development organizations outside of Microsoft. It allows development managers and IT policy-makers to assess the state of the security in development and create a vision and road map for reducing customer risk.

Specific objectives of the model include the following:

· Enable organizations outside of Microsoft to create more secure and privacy-enhanced software by successfully implementing the SDL

· Allow organizations to self-assess current software development security practices and create a strategy for gradual improvement

· Provide SDL Pro Network service providers with a consistent and effective framework for providing SDL services

SDL Pro Network: The SDL Pro Network is a group of security service providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the Microsoft SDL. SDL Pro Network service providers will guide and support organizations in implementing the SDL into their environments.

The primary focus area for all members, both now and in the future, will be to deliver on the program’s commitment to make the SDL available outside Microsoft, specifically focusing on these issues:

· Protecting the customer - Helping customers adopt the SDL or general secure coding practices.

· Improving the SDL - Leveraging member knowledge to understand how the SDL is used by customers, what needs to be modified and what customer needs must be met in the future.

SDL Threat Modeling Tool Beta: The Microsoft SDL Threat Modeling Tool Beta allows for structured analysis, proactive mitigation and tracking of potential security and privacy issues in new and existing applications. Microsoft developed the tool and we use it internally on many of our products. This tool offers a threat modeling methodology that any software architect can lead effectively — in contrast with other processes, which are more expert-dependent. A few quick notes about the features:

· Automated guidance and feedback in drawing threat diagrams

· Guided analysis of threats and mitigations based on the STRIDE taxonomy

· Integration with bug-and issue-tracking systems like Visual Studio Team Foundation Server

To learn more about these, visit the SDL portal, http://www.microsoft.com/sdl.

By the way, if you are in Barcelona and want to stop by and chat, the session list is below:

SDL Theater Sessions:

· Getting started with the new SDL Threat Modeling Tool

Adam Shostack, Theater 1, Tuesday, Nov. 11, 15:20 – 15:40

· You could do that but it would be wrong – a discussion of pros/cons of threat mitigations

Michael Howard & Adam Shostack, Theater 1, Thursday, Nov. 13, 10:20 – 10:40

General Sessions:

· DVP308 How I Learned to Stop Worrying and Love Threat Modeling Nov. 12, 10:45 – 12:00

· DVP309 How to Review Your Code and Test for Security Bugs Nov. 13, 3:15 – 4:30

· DVP312 Top Ten Strategies to Security Your Code Nov. 14, 10:45 – 12:00

Amateurs, pros vie to build new crypto standard

Fri, 07 Nov 2008 02:00:00 +0000

Peter Schmidt-Nielsen, 15, spent only a month working on his submission, but he thinks it's "unusual and new." But he's up against some of the world's most famous cryptographers.

Amateurs and pros vie to build new crypto standard

Thu, 06 Nov 2008 21:00:00 +0000

Fifteen-year-old Peter Schmidt-Nielsen spent only a month working on his submission, but he thinks he's come up with something "unusual and new." Never mind that he's up against some of the most famous cryptographers in the world.

Secure the Heritage

Mon, 27 Oct 2008 18:26:08 +0000

Good post by Scott Stender on using the SDL on legacy code (ht Andy), it is always refreshing to see security pros talk about real world tradeoffs. I would also add the following:

1. What most people call "legacy" systems should be called "heritage" systems. Legacy has a negative connotation. Most places I go, the "legacy" is the reason why people get paid and what actually runs the business. I think its more respectful to call them heritage systems a la Krafzig, Banke, and Slama.

2. Most heritage systems have almost no security mechanisms whatsoever. They were designed for benign environments. Most mainframes have no encryption. You talk to a mainframe over MQ Series, yet MQ Series literally has no access control. This is the transactional backbone of 499 of the fortune 500 we are talking about. You still with me? Good. So writing security requirements is important, but you are not going to have anywhere near the security architecture capabilities that you are used to.

3. So one *big* thing to consider with heritage is - don't connect your heritage to hostile environments at all, use an ESB to connect indirectly and/or replicate out to data caches. So the heritage publishes data and subscribes to data, but is not in any way connected to a world it was never designed to deal with. Of course this doesn't always work either, but it is something to consider. The starting point should not be - "how do I connect the heritage to the web?" the starting point should be "how do I share resources and functionality on my heritage with the web", again, often you do have to connect but sometimes not.

Whenever I read something from iSec it is generally thought provoking because they have worked on a lot of interesting stuff. How do we get these folks to blog more?

Presentation on Application Logging, Done Wrong or Very Wrong :-)

Fri, 17 Oct 2008 01:55:00 +0000

A final "automated" post, while I am on a plane back to California. This is a result of my work on defining what is a good log, based on looking at countless bad logs :-)

This presentation "Application Logging Good Bad Ugly ... Beautiful?" would be useful to application developers who create logging functionality as well as security pros who then need to use the logs.

Here it is, embedded below:

Application Logging Good Bad Ugly ... Beautiful?

View SlideShare presentation or Upload your own. (tags: logs logging)

Enjoy!

Links List 10.10.08

Fri, 10 Oct 2008 17:15:00 +0000

You cannot turn around without bumping into another bad news story about the economy. From layoffs (10% of eBay’s workforce, 7.5% of HP’s) to the bailouts to the $7 billion loan the state of California needs to make payroll this month. Really, 7 beeeellllyon dollars? How many people shook their heads and felt sorry for the people working at financial services companies, all the while thinking that the tech sector was a pretty secure place to be (as long as you weren’t in the IT department at a financial services company)? Well, now apparently comes the wake up call for tech. Oh yeah, a bunch of those startups and not-so-young-anymore startups are FUNDED. They’re not making MONEY – or at least certainly not enough to actually be PROFITABLE, given the way they’ve been spending on payroll, sales and marketing to grow as quickly as possible. To get to that visibility and magic number of customers which means a big payoff for the investors and the founders. From the reports, it’s back to basics time, or at least that’s what the VCs are telling their portfolio companies. Cut costs. Layoff people. Focus on selling. And get profitable. Duh.

So can open source weather out the economic storm? Emerging from the dot-com bust, open source has matured, its legal framework and values are established, and serious players are in the game. But as this post on ZDNet points out, consolidation is on the way. “IDC renamed its LinuxWorld Show in San Francisco next year Open Source World – a clear shot across the bow at O’Reilly’s OSCON.” Will open source (from free to lower-cost alternatives to commercial software) flourish in a time of tightening budgets or will projects quietly go away for lack of funding (VC and that pesky business model thing) and, let’s face it, the “extra time” of IT pros tasked yet again to do more with less?

It’s October 2008 and Charles Babcock writes, “CA Embraces Virtualization As Future of Data Center Management”. Beyond keeping up with what competitors are doing, I enjoy this article for the masterful way it depicts the nightmare that is working with traditional frameworks. Too slow, too expensive, too complex, too many modules – it’s all in here. And somehow, I don’t think that was the point of it. So, $154,000 for CA Data Center Automation Manager – which can “consult” the CA CMDB (pricing starting at what do you think, something like $500K to a million – don’t forget those services) plus CA Wily APM (Introscope 8 and Wily Customer Experience Manager 4.2; pricing anyone?) metrics that get fed back into Data Center Automation Manager to help determine the virtual machine resources that are needed. Plus can also integrate info from CA Endeavor’s software change management tracking and CA SysView and in future with CA Management Suite for Mainframe Linux, potentially. I am not kidding about this list. And, we’ve been hearing this for a while – “Unicenter” the brand goes away and is replaced by “CA NSM”. The brand goes away. Why retire a successful brand? Ah.

I love this post on EMC, “Eleven Things You Didn’t Know About the World’s Largest External Disk Storage Company.” Although I guess I really don’t know much about Joe Tucci, since #11 says:

“Contrary to conventional thought, it is not true that the EMC President/CEO is the older, gentler brother of the fictional patriarch of HBO’s hit television series.” Hunh. I just googled him, thinking maybe it was a resemblance thing. Nope."

And on a much lighter note. A funny from Dell. 2 years later, I just stumbled across this Proprietaryville , Jibjab-ish video, called Dell the Journey. Legacy systems being escorted onto the Retirement Home bus. Michael Dell as knight in shining armor, singing no less. Joe Tucci and Larry Ellison showing up as heroes leading the charge against Proprietaryville (yes, funny in and of itself). And my favorite, “Now let’s go kick some proprietary apps.”

Why some security pros hate SharePoint

Fri, 10 Oct 2008 00:00:00 +0000

Some SharePoint customers are finding that it's difficult to automate user administration, among other woes.

Managed Fast Flux Provider - Part Two

Thu, 02 Oct 2008 08:39:01 +0000

We're slowly entering into a stage where RBN bullet proof hosting franchises are vertically integrating, and due to the requests from their customers are starting to offer that they refer to as "mirrored hosting" which in practice is plain simple fast flux network consisting of RBN-alike purchased netblocks, and naturally, botnet infected hosts.

Managed fast-fluxing is only starting to go mainstream, for instance, in July I found evidence that money mule recruiters were using ASProx's infected hosts as hosting infrastructure, and in November, 2007, an infamous spamming software vendor was also found to have been offering fast-flux services in the past.

In this most recent fast-flux service, we have a known spammer and botnet master that in between self-serving himself on is way to ensure his portfolio of scammy domains remains online for a "little longer", is commercializing fast-fluxing and is offered a DIY service :

"Finally after hardwork and great appreciation from our normal bullet proof hosting/server clients we are able to launch Mirrored hosting. What is Mirrored hosting ?

================
Mirrored hosting is a powerful mirrored web hosting management, uses multiple Virtual servers to host website with 100% uptime. Mirrored hosting is a combination of two things, which are:

1. Specially Designed Virtual Servers
2. Powerful Automated Control Panel

How does it work ?
===============

Mirrored hosting uses specially configured Virtual Servers making them link with the Mirrored hosting Control Panel which is then controlled by our own control panel allowing us to provide smooth streamline hosting with no downtime. No one is able to trace original IP of the server or the place where the files are hosted so the websites/domains hosted have a 100% Uptime. This is achieved by unique customisation of our Virtual Servers.

Actually, it takes ips around the world and our powerful control panel just rotates the ips every 15 minutes. though all these ips you will see will be fake no one can trace the orignal ip where files are hosted. Sometimes the ip is from China, Korea, USA, UK, Japan, Lithuania etc."

The concept has always been there for cybercriminals to take advantage of, but once it matures into a managed service it would undoubtedly lower down the entry barriers allowing yesterday's average phishers to take advantage of what only the "pros" were used to.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Five mistakes security pros would make again

Sun, 28 Sep 2008 20:00:00 +0000

Ten years ago, Michael Riva was network administrator for a top-five American consultancy. Employees were downloading graphic pictures and videos onto the network. Riva told his boss a proxy server with content filtering might be in order; his boss laughed and suggested they put in a bigger file server instead.

Security pros offered new 'CSSLP' qualification

Wed, 24 Sep 2008 20:00:00 +0000

Software developers are to be offered a new qualification from next year, the CSSLP, designed to certify their competence in the increasingly troubled world of security design.