November 1, 2011

Security Conference List – Wikipedia Rocks

Posted in Prevention, Risk Assessment, Security Awareness, Security Governance, Security Program Development, Software Security at 3:35 pm by jtbevis

Wikipedia truly is amazing.  Check out the list of worldwide security conferences.  This is a great place to look for any professional wanting to speak at or attend a high-profile conference.  Definitely a good site to add to my links page.

 http://en.wikipedia.org/wiki/Computer_security_conference

April 17, 2009

Application Risk Assessments

Posted in Risk Assessment, Software Security at 9:13 pm by jtbevis

I came across an interesting blog about application risk assessment today, so I wanted to highlight some of the different approaches in response. 

Blog Post:

In the blog, Chris’s approach seems somewhat like threat modeling, which is typically used for code reviews.  In general he covers a large part of the important content but doesn’t address the real issue of risk: cost vs. risk.  Anyway, I hope to address that here and explain the two major methods used extensively: threat modeling and the NIST/OCTAVE asset-based approach.


Threat Modeling Approach

Threat modeling is basically an ongoing risk assessment process that covers the entire Software Development Lifecycle.

Strategic Approach

From a managerial risk assessment perspective I would take a different view, using a strategic NIST/OCTAVE approach:

  1. What are the assets? (i.e. information, applications, hardware, etc.)
  2. What are the threats? (i.e. data contamination, malicious code, equipment failure, etc.)
  3. What are the vulnerabilities? (i.e. no security training for developers, lack of a formal SDLC, no development standards, no security requirements, no security testing, etc.)

Within the vulnerabilities I would roll up any identified tactical findings into strategic issues.  For example, software code with clear-text passwords may point to a poor encryption policy, a lack of standards, or a lack of proper classification policy and controls around passwords.


Overall, using this strategic approach helps us determine which assets in the entire application architecture/environment carry the highest risk, so we can mitigate accordingly.  In the long run this approach should save cost.  We really wouldn’t want to spend $40,000 on a code review for each application when I know that none of the developers have security training and we have no secure development standards.  That money is better spent strategically on training, since we might have 30 applications across the enterprise.  At that point we can decide to perform a sample checkup and measure the progress to see how we perform both before and after the training.  This will be the most cost-effective approach and produce metrics that can be delivered to executive management.
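To make the asset-based roll-up concrete, here is an added example in Python; it is not code from the post or from Chris’s blog, and it is not the NIST or OCTAVE method itself. It encodes the three questions above (assets, threats, vulnerabilities), rolls tactical code-review findings up into strategic programme issues, ranks assets by a simple risk score, and compares the "review every application" spend with "train, then review a sample." The assets, findings, the 1–3 scales, the risk = impact × likelihood scoring, the finding-to-issue mapping, the training cost and the sample size are all constructed assumptions for illustration; only the $40,000 per review and 30 applications come from the post.

```python
"""Asset-based (NIST/OCTAVE-style) risk roll-up, added illustration.

Assumptions (not from the post): 1-3 ordinal scales, risk = impact *
likelihood, the ROLLUP mapping, and all sample assets/findings below.
"""
from collections import Counter
from dataclasses import dataclass, field

# Tactical finding -> strategic (programme-level) vulnerability it indicates.
# Assumed mapping that illustrates the roll-up described in the post.
ROLLUP = {
    "cleartext password in source": "no encryption/classification standard",
    "sql injection": "no secure development standards",
    "missing input validation": "no security training for developers",
    "no security test cases": "no security testing in SDLC",
}


@dataclass
class Asset:
    name: str
    impact: int                      # 1 (low) .. 3 (high) impact if compromised
    threats: dict                    # threat name -> likelihood 1..3 (assumed)
    findings: list = field(default_factory=list)  # tactical review findings


def asset_risk(asset: Asset) -> int:
    """Risk score = impact * highest threat likelihood (assumed scheme)."""
    if not asset.threats:
        return 0
    return asset.impact * max(asset.threats.values())


def rank_assets(assets):
    """Highest-risk assets first, so mitigation budget goes there."""
    return sorted(assets, key=asset_risk, reverse=True)


def roll_up(assets) -> Counter:
    """Count tactical findings by the strategic issue they roll up into."""
    strategic = Counter()
    for asset in assets:
        for finding in asset.findings:
            strategic[ROLLUP.get(finding, "unclassified finding")] += 1
    return strategic


def compare_spend(num_apps, review_cost_per_app, training_cost, sample_size):
    """Cost of reviewing every app vs. training plus a sampled follow-up."""
    review_all = num_apps * review_cost_per_app
    train_and_sample = training_cost + sample_size * review_cost_per_app
    return {"review_all": review_all, "train_and_sample": train_and_sample}


# Constructed sample inventory (made-up assets and findings).
SAMPLE_ASSETS = [
    Asset("customer portal", 3,
          {"malicious code": 3, "data contamination": 2},
          ["cleartext password in source", "sql injection"]),
    Asset("internal reporting app", 2,
          {"equipment failure": 2},
          ["no security test cases"]),
    Asset("marketing site", 1,
          {"malicious code": 3},
          ["missing input validation", "sql injection"]),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"{asset_risk(a):>2}  {a.name}")
    for issue, n in roll_up(SAMPLE_ASSETS).most_common():
        print(f"{n} finding(s) -> {issue}")
    # $40,000 per review and 30 apps are from the post; training cost
    # ($150,000) and sample size (5) are assumed placeholders.
    print(compare_spend(30, 40_000, 150_000, 5))
```

The roll-up counter is the part worth reading: repeated "sql injection" findings across unrelated applications are evidence for a missing development standard, not thirty separate application defects, which is what justifies spending on training before more per-application reviews.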

November 5, 2008

New Foundstone Free Tool DIRE – Software Security

Posted in Software Security at 7:29 pm by jtbevis


Attackers can target systems by exploiting “insecurely registered applications”.  Foundstone has released a free tool called DIRE, which allows users and system administrators to identify insecurely registered applications on their systems.  Good for developers!


Tool:

http://www.foundstone.com/us/resources/proddesc/diredetectinginsecurelyregisteredexecutables.htm

Whitepaper:


http://www.foundstone.com/us/pdf/whitepapers/fs_wp_securely_registering_applications.pdf

Thanks to Neelay Shah and his awesome work.
