Friday, May 14, 2010

Smart Application Smart Score Card

There are several instances where application stakeholders struggle hard to identify necessary security SDLC activities for their applications and products. Apparently cost has always been a key deciding factor while engaging security activities at various stages of SDLC. Hence, most stakeholders with budget constraints tends to engage security activity that comes cheap and falls within the limited budget essentially to satisfy internal compliance needs.

C&S Smart score card intends to help application (or product) stake holders to self determine whether a specific application requires security assessment or not. Additionally it also helps assign weightage for individual security activities necessary for the application which in turns helps application stakeholders priorities those activities keeping the cost factor in mind.

Download here

Friday, January 22, 2010

Last Minute Security Tradition and Side-Effects

Having driven Secure SDLC in multiple organizations, one of the common challenges I have always faced is dealing with last minute security assessment request and sign-off.

"We have a deadline for application release. The Quality Auditor (QA) needs security assessment team's approval to allow our application release. We need a quick assessment done to get your sign-off on this activity to move it to production" – This may be familiar for many security professionals.

Such last minute request results in – Lots of pressures on the assessment team to perform a quick and limited assessment within the limited time frame. In most cases it may not be adequate to ensure thorough security assessment coverage.

Assume in such last minute situations where security assessment reveals serious security risks and have immediate catastrophic issues to be addressed, which increase the chances of delaying the release dates by few days or weeks beyond the date committed to the customer. Eventually it results into two-folded actions: (a) Apply a band-aid fix and get the application/product release on time, (b) Apply appropriate fix (irrespective of the release delays) and run it through a round of post-fix security validation before release. However, in the former case application team will run the risks of deploying a weakly fixed application which at anytime may get broken by malicious hackers. In the later case, the application team might make the customer unhappy by slipping the release deadline and loses some credibility. Additionally in this case costs might significantly exceed the project budget.

Cut costs. Save money. Maintain the status quo. With that mantra in mind, many application managers work today. Although a sour economy is certainly to blame for some IT budget woes, but much of it also comes from an "ask and ye shall receive" mindset left over from the dot-com boom days. That's all gone. If you want the money today you've got to show value first.

In most organizations, security sign-off has always been a last minute activity. Today although we have good number of application teams having fair amount of knowledge related to application security but sadly we still see obvious and easy to control security issues still exists in various application.

With the vast majority of software, especially Web applications, becoming blatant targets for hackers everywhere there's really should not be any excuse any more for deploying insecure software. Ideally no software should be deployed without first being assessed for known security issues. There might be cases where software comes under some new attack, but by and large there is no reason that known security issues should not be addressed before a piece of software is deployed.

Hence we can avoid the band-aid like penetrate-and-patch approach to security only by considering security as a crucial system property. Eventually it will results in a happier business customer, no cost overruns due to late security activities.

Friday, October 24, 2008

Adobe Reader Download/Exec Exploit Demo Video

Adobe Reader (CVE-2007-5659) Download/Exec Exploit Demo video
Acrobat Reader Download/Exec Exploit Demo

Due to hosting space/bandwidth constraint, I'll not keep the original version for long....so grab your own copy before it is gone. :) Don't forget to seed it....

Wednesday, September 17, 2008

SwordFish - MS Access Password Recovery Tool

SwordFish is a free MS Access password recovery tool. Presently it can only recover passwords for MS Access 97/2003/XP on Windows XP/2000. This tool was wrote by the author nearly five years back but was never before publicly released. Althought there were no specific reason behind the late release however it is always better late than never. The tool can be downloaded here.

Friday, September 12, 2008

[Whitepaper] Defeating Virtual Keyboards

Around mid of year 2005 I was bit intrigued to write a proof-of-concept keylogger to capture texts emulated using virtual keyboards. The PoC keylogger was publicly released on 5th Aug, 2005 to demonstrate the hack for a particular banking site however the fact that remains same is any site which uses similar VK or OSK can be defeated. As you read this whitepaper, you’ll understand how this particular approach of defeating OSK and VK cannot be easily tricked unlike ordinary keyloggers. This paper was public released by Hakin9 magazine in their Nov, 2007 issue and as per the copyrights contract I am allowed to publish the free copy after six months of their release. Downlaod this whitepaper here.