
02-05-2010 18:27
Best of Application Security (Friday, Feb. 5)

Ten of the Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.

Accuracy and Time Costs of Web Application Security Scanner Report
The Web won't be safe, let alone secure, unless we break it
Why don't websites default to SSL/TLS?
RFI List in Burp Suite
Web 2.0 Pivot Attacks
Building Secure Applications with HTML 5: What is Happening and Where?
Mozilla Accepts Chinese CNNIC Root CA Certificate
SDL for dummies
XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
Microsoft CAT.NET 2.0 - Beta

WhiteHat Security is a leading provider of website security services.



Feedproxy Security


Related entries:


03-12-2010 0:05
A new version of Safari is out. Looks like for Mac and Windows. Plenty of security fixes (mostly for Windows Safari users http://support.apple.com/kb/HT4070), (Thu, Mar 11th)
 
ISC

03-11-2010 15:29
ModSecurity Handbook shipping soon!

It's been an adventurous journey, but we are nearing a major milestone: the official publication of our first book! We've just received a batch of ModSecurity Handbook paperbacks and we're enjoying them in all their glory. Two further batches are on their way to our warehouses (one in the US and one in the UK), from where they will be shipped to early adopters. (If you're one of the early adopters, you will soon get an email from us with more information.)

Our work is nowhere near the end, however, because now we need to focus on reaching out to the book's audience and informing them that the book exists.

If you haven't purchased the book yet, now would be a very good time: because the official publication date is the 15th, we'll be maintaining the pre-order discount for a little while longer. You only have about 4-5 days to take advantage of the 25% discount. Buy now!

 


03-11-2010 9:39
Vordel SOAPbox for analyzing Webservices Security
SOAPbox is a Web services testing tool, which supports both SOAP-based and REST-based invocation modes. It shares some of its architecture with the Vordel XML Gateway, especially for security features or policy creation.
Using SOAPbox, you can:
Test Web services residing in your internal network, or provided from the Web, or in a cloud environment. SOAP-style and REST-style services and SOAP attachments are supported.
Test Web services that require encrypted input.
Test Web services (...) - Security Tools / Application Scanner, Connectivity, Configurations checks, SOAPbox  
security-database

03-09-2010 18:27
Three Steps to a Rational Security Budget

Security budgets are often based on a combination of last year's spending, this year's threat du jour(s), and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security, which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that is how the budget grew organically starting from the 90s.

A simple three step process to achieving a Security Budget that maps to business reality rather than security silver bullet fantasies is as follows:

Step 1. Gather the relevant data for where the enterprise is investing its dollars in IT. Let's assume our company is Jones Widgets.

Step 2. Apply a "flat tax" for security budgeting; for this example let's say 7%. So if Jones Widgets invests $5M in its Customer relationship systems, $2M in Order Management, and $1M in ERP, 7% of each of those figures is the starting point for assigning priorities on security budgets. This is the part that security people miss: you don't need to do asset valuation, because there is a whole group of people in the business that have already done that for you. Your job is to enable the intent that they have already clearly communicated in budget decisions.

So applying the flat tax, Jones Widgets' budget looks like this:

IT System          IT Budget   Initial InfoSec Budget
Customer Systems   $5M         $350k
Order Management   $2M         $140k
ERP                $1M         $70k

Notice that the starting point in this step is aligning the budget with overall Enterprise IT spending. It's not based on whatever area infosec happened to invest in last year, or what someone at a conference said; it's about starting by aligning with what your business values. It's not about security foo-fa-ra, it's about Jones Widgets.

Step 3. Efficacy. Let's assume that the Customer Management and ERP systems are behemoth third-party packages bought off the shelf, and the Order Management system is built in house, so you have the source code. The way you choose to deliver security to purchased third-party systems versus the ones where you design, build, and deploy the code will vary. So the next step, after initially rationalizing the budget, is to assess what the most effective security you can get for each area is.

It's not that the business budget should trump the infosec budget, but it is a very useful starting point. Moving off of those priorities should require a statement of efficacy that some security dollars are better spent in, say, the Order Management system, because the company controls the code. So if Jones Widgets' Order Management system is built in house, and the business relies on it to process orders, then if that Order Management asset is compromised it's not as if Jones Widgets can go and buy another Order system off the shelf from a vendor. It's their core business, their DNA.

So let's assume that Jones Widgets wants to scan its code, invest time in threat modeling and so on for its core business asset. This results in pulling 20% of the ERP and Customer Systems allocations into Order Management:

IT System          IT Budget   Updated InfoSec Budget
Customer Systems   $5M         $280k
Order Management   $2M         $224k
ERP                $1M         $56k

There's no need to get wrapped around the axle on asset valuation: the business gives you a starting point, so use it. Then only move away from that when you can make a concrete case for improving efficacy by altering priorities. Or put another way: it's your job. Do it.
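The three steps above, carried through as an added worked example (this is not code from the 1raindrop post; the company name, the 7% rate, the 20% reallocation and the dollar figures are the post's illustrative numbers, and the function names are this example's own). It generalizes slightly: any number of systems, any flat-tax rate, and any set of donor systems feeding one in-house target, with a check that reallocation only moves money between lines and never changes the total.

```python
# Step 1: where the enterprise invests its IT dollars (figures from the post,
# for the hypothetical company Jones Widgets). Whole dollars, so the arithmetic
# is exact.
IT_BUDGET = {
    "Customer Systems": 5_000_000,
    "Order Management": 2_000_000,
    "ERP": 1_000_000,
}


def flat_tax(it_budget, rate_percent):
    """Step 2: each system's starting infosec budget is a fixed percentage of
    its IT spend. No asset valuation; the business already did that when it
    set the IT budget."""
    return {name: spend * rate_percent // 100 for name, spend in it_budget.items()}


def reallocate(infosec, target, donors, fraction_percent):
    """Step 3: move fraction_percent of each donor's allocation into the target
    system (the one where security dollars are more effective, e.g. code the
    company controls). Total infosec spend is unchanged; only priorities move."""
    updated = dict(infosec)
    moved = 0
    for donor in donors:
        cut = infosec[donor] * fraction_percent // 100
        updated[donor] -= cut
        moved += cut
    updated[target] += moved
    # Invariant: reallocation redistributes, it does not grow or shrink the pot.
    assert sum(updated.values()) == sum(infosec.values())
    assert all(v >= 0 for v in updated.values())
    return updated


def rational_budget(it_budget, rate_percent, target, fraction_percent):
    """Run all three steps; every system other than the target is a donor."""
    initial = flat_tax(it_budget, rate_percent)
    donors = [name for name in it_budget if name != target]
    updated = reallocate(initial, target, donors, fraction_percent)
    return initial, updated


def render(it_budget, column_title, infosec):
    """Plain-text table in the same layout as the post's two tables."""
    lines = [f"{'IT System':<18} {'IT Budget':<11} {column_title}"]
    for name, spend in it_budget.items():
        lines.append(f"{name:<18} ${spend // 1_000_000}M{'':<8} ${infosec[name] // 1000}k")
    return "\n".join(lines)


if __name__ == "__main__":
    initial, updated = rational_budget(IT_BUDGET, 7, "Order Management", 20)
    print(render(IT_BUDGET, "Initial InfoSec Budget", initial))
    print()
    print(render(IT_BUDGET, "Updated InfoSec Budget", updated))
```

Run stand-alone it prints the post's two tables ($350k/$140k/$70k, then $280k/$224k/$56k). The assertion inside `reallocate` is the point of the exercise: a move off the flat-tax baseline has to be a zero-sum reprioritization with a stated efficacy argument, not a quiet increase in one line that nobody funded.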

 
1raindrop




