Saturday, March 28, 2009

SANS Application Security Summit

Since we have a huge contract to certify and accredit a bunch of web applications (like 90) before they move to their new site, I thought this SANS summit might be a good idea. Traditionally, we test tactical systems or networks; but because of this contract we've had to adapt to application security testing.

We're getting a process down, after our first couple of applications. Since we're not too worried about the hardware and operating system (we don't have any control over where they are moving to), we've been concentrating on the databases, the web server (site based), and the Application Development STIGs. We test the actual database with a tool, and we crawl the code with a tool. The deadlines are insane, and the clients are not the most helpful. But I don't have to travel and the work is different.

Thursday, March 26, 2009

Information Security Magazine - What Happened?

Quite a while ago, I subscribed to Information Security Magazine; mostly after hearing that one of my class teachers wrote for the magazine. Then, towards the end of last year, I moved my office. In doing so, I notified the magazine that I was changing my address. Ever since, I have not received a single copy of the magazine. I called after two months and was told I could get one back issue free, and that the magazine would be delivered as normal. Since then, nada. I liked the articles, the authors were great, and I always learned something new.

Has this happened to anyone else? Did the magazine eventually start being delivered? I'm just curious.

Wednesday, March 25, 2009

Facebook Security/Privacy

Ok, so I'm probably the only person on the Earth who has not signed up for Facebook. At least, if you listen to my friends, it would seem that way. I've just been reluctant. I maintain a bunch of other blogs, am starting to study for the CISSP, and am trying to manage my own company. It's not like I have a lot of extra free time. I've heard a bunch about possible security/privacy issues, and it is one less headache I've wanted to mitigate.

Really, I'm not into the applications, the wall, posting pictures, etc., etc. I try to keep as low a profile on the web as possible. However, the ability to connect with some old friends would be great.

So far, I've only found one really good site for Facebook Security:
(edit: found another buried deep in my feed reader)
Are there other good sites?

Wednesday, March 18, 2009

Open Source (or free) Web Application Vulnerability scanners

We're experiencing some issues with our web scanning tool; it seems to be dying on some types of applications. Either that, or it will finish the scan, but not generate the reports. So, a co-worker and I are looking at some Open Source or Free web application vulnerability scanners. If anyone has a comment on any of the products, I'd be interested in hearing them.

  • Wikto
  • Acunetix
  • N-Stalker - it looks like the free version has a limited number of checks and will only scan 100 pages within the target application.
  • Sandcat - it appears that the professional edition includes session resume support, full vulnerability information, report generator, and auto updates.

I wanted to mention Jeremiah's post where he mentions two reviews on App scanners.

Tuesday, March 17, 2009

How Undersea Cables are Repaired

I've mentioned undersea data cables being cut before. Here's an article I found on Slashdot that discusses the repairing of those cables. Pretty neat stuff.

Wednesday, March 11, 2009

Web Application Testing

Swamped. That's what I've been. I can't believe my last post was February; mid to late February at that. I've finished one engagement, and I'm in the process of writing that up. And, I've been thrown onto another engagement. This one's big, and of course has an end date of early May. The funny thing is, once we're done testing the system and writing the documentation, it's a 30-60 day wait for the decision on an ATO. We have almost 100 systems/applications to test. That said, we don't have enough time.

I remember this happening when I was a full-blown project manager working in the private sector. There would be some regulatory announcement that the company would have to adhere to. Instead of figuring out the requirements, figuring out the estimates, and doing the work, we worked backwards. Here's our end date... what are the milestones and when do they have to occur in order to get there? I'm finding the government is worse.

Anyway, I've been getting acquainted with NTOSpider, a web application vulnerability tool. Because of the crush to get this project done, we've already started testing. The PMs just gave us URLs, not system owners. We can't find anyone to own up to the systems, and, when we try, we get our hand slapped by the PMs. Of course, today, an app I was testing was a help-desk type of app. Every submission of one of the forms generated an email. Hundreds of them. Probably more. So, now I'm trying to dig into NTOSpider to see what I can learn in order to fine tune our testing.