Archive for the ‘Software Security’ Category

Do true security product managers exist?  This is a question I began asking myself a few years ago, when I started moving from a pure security role into leading a team building a product.  After a few years I transitioned into product management, and then transitioned back into full engineering.  During this time I realized there are very few true security product managers.  Many product managers have never penetration tested, conducted a risk assessment, taken formal security training, or even attended a DEF CON conference.  I found it very interesting that these were the people prioritizing the solutions meant to protect organizations.  Over the past two years I've searched for true security product managers, and the result is: not really.

The security industry is struggling to find real security people to drive the right priorities into our products.  We need people who live and breathe security.  Without the right skills building our products we will not be one step behind attackers and accidental breaches; we will be several.


Whether defending against common malware or a determined nation state, being able to proactively detect attacks and changes in the organization is required.  Over the past year I spent a large amount of time helping several organizations set up the right people, processes, and technology to defend against increasing security threats.  Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7, these organizations were still lacking two fundamental items.

  1. The people, although good at monitoring, lacked the attack and threat mindset.  The staff were not able to figure out when an actual attack was happening.
  2. The organizations lacked the basic security operations processes required to keep track of, and make appropriate use of, the vast amounts of data.

As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which organizations can use to set up a centralized core and embark on developing the correct operational processes.  Although I don't address item number one above, the paper explains the following in detail:

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs to be protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology, be sure to implement the right processes and build a foundation for future defense.

There has been a large amount of security information and recent attacks posted in the media.  We have Mandiant's report on China as well as several issues concerning Java.  The sheer volume of information over the past year has made it difficult to keep up without combining sources.  As a result InfoSecAlways has made a few modifications to the site.  Please check out the new "Security Feeds" in the right column (4th block down).  This is a combination of about 20 different security RSS feeds now piping into the blog.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.

Hands down, Day 1 of Recon belonged to the Magic Bus talk by Travis Goodspeed and Sergey Bratus.  A great informational and entertaining presentation!  If you are into understanding key security issues with the bus, I encourage you to check out the hardware Travis has developed and his papers.

Next, I found the presentation by Rolf Rolles to be some of the best work I've seen in this field.  The presentation focused on syntax-based and semantics-based methods for reverse engineering.

Syntax Based

Under the syntax-based methods Rolf talked about looking for patterns that can help identify signatures such as packers, FLIRT, etc.  It seems like this could be a good idea for an offshoot tool.  However, it is important to note that he said an attacker could possibly evade these patterns, when a reverser is using syntactic methods, by recompiling or doing complex obfuscation.  Guess this is another reason we should all be doing obfuscation in the commercial world.

Semantics Based

For this discussion Rolf described scenarios for an automated key generator, automated bug discovery, etc.  Most of the talk was spent explaining the mathematics behind the analysis, which overall appears to be very basic in nature.  However, the way Rolf has applied the math in the analysis is quite interesting and very intelligent.

Without going into too much detail, he simply replaced concrete semantics (i.e. actual values x, y) with abstract semantics (i.e. + (positive), – (negative)).  Then, using truth tables on bits (standard bit analysis, where each bit is 0 or 1, and unknown-bit analysis using 0, 1 and ½, where ½ represents an unknown bit), he is able to map out patterns.
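To make the two ideas above concrete, here is a small abstract interpreter written for this post (it is illustration code, not Rolf's tooling, and all names such as `sign_add`, `bit_and` and `bv_from` are my own).  The first half works in the sign domain (+, –, 0, and an "unknown" top element) and checks that the abstract operators over-approximate the concrete ones; the second half works in the three-valued bit domain (0, 1, ½) and applies it to 8-bit values, including a case where the per-bit abstraction is sound but loses precision.

```python
"""Sign-domain and three-valued-bit abstract interpretation (added example)."""
from itertools import product

# --- Sign domain: every integer abstracts to '+', '-' or '0'; '?' means any sign.
POS, NEG, ZERO, TOP = '+', '-', '0', '?'

def alpha_sign(x: int) -> str:
    """Abstraction function: concrete integer -> its sign."""
    return POS if x > 0 else NEG if x < 0 else ZERO

def sign_add(a: str, b: str) -> str:
    """Abstract addition: 0 is neutral, equal signs are kept, mixed signs are unknown."""
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    return a if a == b else TOP

def sign_mul(a: str, b: str) -> str:
    """Abstract multiplication: rule of signs; anything times 0 is 0."""
    if ZERO in (a, b):
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG

def sign_sound(lo: int = -6, hi: int = 6) -> bool:
    """Soundness check over a small range: the abstract result must equal the
    sign of the concrete result, or be TOP (which covers every sign)."""
    for x, y in product(range(lo, hi + 1), repeat=2):
        for conc, abst in ((x + y, sign_add), (x * y, sign_mul)):
            r = abst(alpha_sign(x), alpha_sign(y))
            if r != TOP and r != alpha_sign(conc):
                return False
    return True

# --- Three-valued bits: 0, 1, and H (the talk's ½) for "unknown".
H = 0.5

def bit_and(a, b):
    if 0 in (a, b):            # a known 0 forces the result regardless of the other bit
        return 0
    return 1 if (a, b) == (1, 1) else H

def bit_or(a, b):
    if 1 in (a, b):            # a known 1 forces the result
        return 1
    return 0 if (a, b) == (0, 0) else H

def bit_xor(a, b):
    return H if H in (a, b) else a ^ b   # any unknown operand makes xor unknown

def gamma_bit(a):
    """Concretization: the set of concrete bits an abstract bit stands for."""
    return (0, 1) if a == H else (a,)

def bits_sound() -> bool:
    """Every abstract result must cover every concrete result of its inputs."""
    ops = ((bit_and, lambda x, y: x & y), (bit_or, lambda x, y: x | y),
           (bit_xor, lambda x, y: x ^ y))
    for a, b in product((0, 1, H), repeat=2):
        for abst, conc in ops:
            covered = gamma_bit(abst(a, b))
            if any(conc(x, y) not in covered
                   for x, y in product(gamma_bit(a), gamma_bit(b))):
                return False
    return True

# --- Abstract bit-vectors (lists of abstract bits, LSB first).
def bv_from(value: int, known_mask: int, width: int = 8) -> list:
    """Bit i is value's bit i if known_mask has bit i set, otherwise unknown."""
    return [((value >> i) & 1) if (known_mask >> i) & 1 else H for i in range(width)]

def bv_map(op, xs, ys):
    return [op(a, b) for a, b in zip(xs, ys)]

def bv_str(bits) -> str:
    """Render MSB first, with '?' for unknown bits."""
    return ''.join('?' if b == H else str(int(b)) for b in reversed(bits))

def analyse_masking(width: int = 8) -> str:
    """A fully unknown register ANDed with the constant 0xF0: the low nibble
    becomes known-zero even though nothing was known about the input."""
    x = bv_from(0, 0, width)            # nothing known about x
    mask = bv_from(0xF0, 0xFF, width)   # constant, all bits known
    return bv_str(bv_map(bit_and, x, mask))

def analyse_xor_self(width: int = 8) -> str:
    """x XOR x is always 0 concretely, but the per-bit domain cannot see that
    both operands are the same unknown value, so it answers all-unknown.
    Sound, but imprecise: the classic limit of a bitwise abstraction."""
    x = bv_from(0, 0, width)
    return bv_str(bv_map(bit_xor, x, x))

if __name__ == "__main__":
    print("sign domain sound:", sign_sound(), "| bit domain sound:", bits_sound())
    print("x & 0xF0 ->", analyse_masking(), "| x ^ x ->", analyse_xor_self())
```

The two soundness checks are the point of the exercise: an abstract operator is acceptable as long as it never claims more than the concrete operation guarantees, which is why `sign_add('+', '-')` returns the unknown element rather than guessing.  The `x ^ x` case shows the flip side, a result that is correct but weaker than a human reverser would conclude, which is where a richer domain (tracking relations between values, not just individual bits) earns its keep.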

The rest of the day was filled with other speakers who were interesting but just didn't catch my full attention.  With that said, Tarjei Mandt did a good job explaining atoms and string-based attacks.

All in all, a pretty good first day, especially since Montreal had a music festival running with Dissonant Nation, which made for a great evening of entertainment.

Wikipedia truly is amazing.  Check out its list of worldwide security conferences.  This is a great place to look for any professionals wanting to speak at or attend high-profile conferences.  Definitely a good site to add to my links page.

I came across an interesting blog post about application risk assessment today, so I wanted to highlight some of the different approaches in response.

Blog Post:

In the post, Chris's approach seems somewhat like threat modeling, which is typically used for code reviews.  In general he covers a large part of the important content but doesn't address the real issue of risk: cost vs. risk.  Anyway, I hope to address that here and explain the two major methods used extensively.  These are threat modeling and the NIST/OCTAVE asset-based approach.


Threat Modeling Approach

Threat modeling is essentially an ongoing risk assessment process that covers the entire software development lifecycle.

Strategic Approach

From a managerial risk assessment perspective I would take a different view, using a strategic NIST/OCTAVE approach:

  1. What are the assets? (i.e. information, applications, hardware, etc.)
  2. What are the threats? (i.e. data contamination, malicious code, equipment failure, etc.)
  3. What are the vulnerabilities? (i.e. no security training for developers, lack of formal SDLC, no development standards, no security requirements, no security testing, etc.)

Within the vulnerabilities I would roll up any identified tactical findings into strategic issues.  For example, software code with clear-text passwords may point to a poor encryption policy, a lack of standards, or a lack of proper classification policy and controls around passwords.


Overall, using this strategic approach helps us determine which assets in the entire application architecture/environment carry the highest risk, so we can mitigate accordingly.  In the long run this approach should save cost.  We really wouldn't want to spend $40,000 on a code review for each application when we know that none of the developers have security training and we have no secure development standards.  That money is strategically better spent on training, since we might have 30 applications across the enterprise.  At that point we can perform a sample checkup and measure progress, to see how we perform both before and after the training.  This will be the most cost-effective approach and produce metrics that can be delivered to executive management.
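As an added illustration of the asset/threat/vulnerability steps and the roll-up described above (this is example code written for this post, not part of NIST SP 800-30 or OCTAVE, and the applications, finding types, scores and root-cause mapping are constructed sample data), the following scores each tactical finding, groups findings by the strategic gap they point to, and ranks those gaps by how many applications they touch and how severe they are:

```python
"""Asset-based risk register with tactical-to-strategic roll-up (added example)."""
from collections import defaultdict

# Constructed sample findings for this example, not from a real assessment.
# Each entry: (application asset, tactical finding type, likelihood 1-5, impact 1-5)
FINDINGS = [
    ("payroll",    "cleartext password in source", 4, 5),
    ("payroll",    "no input validation",          3, 4),
    ("intranet",   "cleartext password in source", 4, 3),
    ("intranet",   "hardcoded crypto key",         3, 4),
    ("storefront", "no input validation",          5, 5),
    ("storefront", "missing security tests",       3, 3),
    ("hr-portal",  "cleartext password in source", 4, 4),
    ("hr-portal",  "missing security tests",       2, 3),
]

# Roll-up table (constructed): which strategic vulnerability each tactical
# finding type is a symptom of.  This is the step the post describes, where a
# clear-text password in code becomes a policy or standards problem.
ROOT_CAUSE = {
    "cleartext password in source": "no credential handling standard",
    "hardcoded crypto key":         "no credential handling standard",
    "no input validation":          "no developer security training",
    "missing security tests":       "no security testing in the SDLC",
}

def risk_score(likelihood: int, impact: int) -> int:
    """Simple qualitative risk: likelihood x impact on a 1..25 scale."""
    return likelihood * impact

def asset_risk(findings):
    """Highest risk per asset: which applications are the worst exposed."""
    worst = defaultdict(int)
    for app, _, lik, imp in findings:
        worst[app] = max(worst[app], risk_score(lik, imp))
    return dict(worst)

def roll_up(findings, root_cause=ROOT_CAUSE):
    """Group tactical findings into strategic issues, recording the set of
    affected applications and the highest and total risk per issue."""
    summary = defaultdict(lambda: {"apps": set(), "max_risk": 0, "total_risk": 0})
    for app, ftype, lik, imp in findings:
        issue = root_cause.get(ftype, "unclassified")
        r = risk_score(lik, imp)
        s = summary[issue]
        s["apps"].add(app)
        s["max_risk"] = max(s["max_risk"], r)
        s["total_risk"] += r
    return {k: dict(v, apps=sorted(v["apps"])) for k, v in summary.items()}

def prioritise(summary):
    """Rank strategic issues by breadth (applications affected) first, then by
    the most severe finding behind them.  A gap seen across many assets is
    cheaper to fix once, centrally, than application by application."""
    return sorted(summary,
                  key=lambda k: (len(summary[k]["apps"]), summary[k]["max_risk"]),
                  reverse=True)

if __name__ == "__main__":
    summary = roll_up(FINDINGS)
    for issue in prioritise(summary):
        s = summary[issue]
        print(f"{issue}: {len(s['apps'])} apps, max risk {s['max_risk']}, "
              f"total {s['total_risk']}")
    print("worst asset first:", sorted(asset_risk(FINDINGS).items(),
                                       key=lambda kv: -kv[1]))
```

With the sample data the credential-handling gap comes out on top because it shows up in three of the four applications, even though the single worst finding (missing input validation on the storefront) belongs to a different issue; that is exactly the kind of result that argues for spending on a standard or on training rather than on a per-application review.  The `asset_risk` view is what you would use to pick the applications for the before-and-after sample checkup.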


Attackers can target systems by exploiting "insecurely registered applications".  Foundstone has released a free tool called DIRE, which allows users and system administrators to identify insecurely registered applications on their systems.  Good for developers!




Thanks to Neelay Shah and his awesome work.