Sunday, February 21, 2010

DoD allowing USB thumb drives again

Wired's Danger Room blog has a post announcing that the DoD is allowing USB thumb drives, effectively ending the DoD-wide ban. Ostensibly, the ban has been lifted in certain circumstances, and will not be for everyone. Also, it is not supposed to be easy to get a drive. As an auditor, though, I've been to installations where USB drives were in rampant use.

None of the ACAs that our company does work for has sent out any kind of "official" notification. It will be interesting to see what actually comes out, and when.

Is it me, or is the TSA getting stricter on what we can carry?

After this trip, I will have been testing two of the last three weeks. (And I've already got a trip planned in March.) But, on the last trip, and on this trip, I've had my laptop bag given the extra once-over by TSA. On the last trip, the TSA rep in Kansas City took my bag apart and let me know the problem was with my cable tester. I've traveled many times with the cable tester, and only now did it cause a problem. When I asked what the (specific) problem was, I was told that "it contained a scary image on the x-ray machine."

On this most recent trip, it was the hub that caused the commotion. I didn't get an explanation; I didn't ask. As an incident responder at heart, I like to have everything with me that I might possibly need. The lesson learned is that I'm going to have to check most of the tools that I keep in my bag. I've always packed my tools (snips, screwdrivers, etc.) but it looks like I'll be packing and checking more of the tools in my bag. (Truth be told, I don't mind shedding the pounds.)

My question is, is the TSA getting stricter, or have I just gotten lucky in the past?

Thursday, February 18, 2010

Web App Testing Environment

Since I have been testing more and more networks/enclaves/systems that have web applications as components, I've been trying to get more involved in the web application environment. I was browsing OWASP's site when I came across the OWASP Live CD for testing web applications. Later, I found out that one of my co-workers is actively working on the project. How cool. It's great that there is a group looking at streamlining and making web application testing more efficient. The site is

I'm thinking of taking the SANS 542 class, and then attempting the exam. If you have any feedback on the class, I'd like to hear about it.

Monday, February 15, 2010

Web Application Testing

With the DoD, we've done much more testing of web applications in the last year. When I started with the company almost two years ago, this was not the case. Frequently, we would get on site, test the web and database server, and move on. I can't ever remember testing the content of those servers. Generally, the reason I was given (by the senior testers) was that we couldn't run our tools and DoS the servers or clobber the data in the SQL servers.

Fast forward to last year, and we were awarded a big contract to accredit a large quantity of applications, most of them web applications. It would not be acceptable to test the hardware and software without testing the application itself. We came up with a methodology that included testing the application in a test, staging, or STIG-compliant development environment in order to fully test the application. We used the Application Security and Development STIG and the Application Security and Development Checklist as our guides to frame how we would test those applications. Since that project, I believe we have enhanced our methodology. And now, there is not a testing engagement I will attend where I will not extensively test the application if I find a web server and/or a database server.

However, I think I can do a better job. Lately, I've been perusing the OWASP web site looking for guidance on application auditing. Clearly, we're not contractually allowed to pentest. Yet, there are aspects of the application and its underlying architecture that we need to evaluate. I've found the OWASP Testing Project and the PDF of their guide to be a great help in giving me specifics on testing/auditing particular controls.

I'm toying with joining the OWASP project. And, I'm looking for certifications that can help me specifically in auditing applications. I know there are certifications with regard to pentesting, yet since we're not allowed to pentest, I feel the courses might go too deep.

I suspect I'll be adding more posts on the subject.