Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Leave it to David to be able to use canning and mason jars as an analogy for security and secure coding. Very nice post. Go read it.
    Reusable Code: The Mason Jars of Security | threatpost
    Tags: ( programming general )
  2. Yes, we are the unsung heroes. BTW - you have to read this if for no other reason than the Y2K reference towards the end.
    Securosis Blog | Why Successful Risk Management is Still a Failure
    Tags: ( general risk-management )
  3. I love a good walk-through, and Paul provides one that shows step by step how to reverse some JavaScript shellcode. Good stuff!
    Paul Melson's Blog: Reversing JavaScript Shellcode: A Step By Step How-To
    Tags: ( reverse-engineering javascript shellcode )
  4. The Offensive Security Exploit archive is alive and kicking. It picks up where Milw0rm left off. Go check it out.
    Offensive Security Exploit Archive Goes live | Security Active Blog
    Tags: ( exploits milw0rm )
  5. This looks to be an interesting series. Adam will be exploring ways to help information security professionals build useful and productive relationships within their enterprises.
    Adam Cardinal: Building Relationships - Internal Audit Team - IANS Perspective
    Tags: ( general )
  6. Woot! Metasploit 3.3 is out. I am hearing good things about this. Go check it out.
    Metasploit: Metasploit Framework 3.3 Released!
    Tags: ( metasploit webappsec pentesting )
  7. Here is a quick how-to describing a method to decompile flash files.
    Carnal0wnage Blog: Decompiling Flash Files with SWFScan
    Tags: ( flash decompile webappsec )
  8. An interesting article that explores some real-life cross subdomain exploits.
    Real-Life Examples of Cross-Subdomain Issues | Social Hacking
    Tags: ( cross-subdomain webappsec )
  9. This is going to be a very cool project. Get involved.
    Securosis Blog | An Open Metrics Model for Database Security: Project Quant for Databases
    Tags: ( metrics databases )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Hi folks.  Yesterday, I included this story in my Bits post. It is about new procurement language that says software vendors must "certify" that their software does not have any of the Top 25 Errors released by SANS/CWE early this week.

I have read several blog posts on the topic since, and today the topic came up on The Security Catalyst Forums. (You should check those out if you haven't already. Great conversations and community.)

One of the questions posed was this: does this approach seem like something that should be encouraged?

Below is the response I posted.

Two main things pop out at me with this type of thing.

The first is this phrase "must certify that they have rid their code of the Top 25 Errors." What about the next 25 or the next one? I read a blog post over the last couple days that talked about this very well. Blanking on where I saw it. If I find it I will update the thread. The essential bit was that "certifying" that you have addressed the top 25 errors doesn't mean your software is secure. That "26th" error can be a show stopper too. Say it with me, compliant does not equal secure. Before people yell at me, I am not implying that we shouldn't address the errors listed in the top 25. (side note: Kees and some others have been pointing out that the 25 may not really be 25)

My second concern is this, sayin' it doesn't make it so. Creating contract language like this can lead an organization to a false sense of security. I can see where orgs might go the route of "the contract says the software is secure so we don't need to test it or perform a risk assessment." Again, that 26th error can hurt a whole lot.

Just my 2 cents worth. It's super cold in Iowa, so flame away :)

Like it says above, these are my thoughts. What are yours?



Top 25 Coding Errors Released

by kriggins on January 12, 2009

in Educational, programming, Tools

In today's Bits post, I mentioned that a top 25 coding errors report was going to be issued today. Well, it's happened. From the SANS website:

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

The web page listing all the information about the project is here.

There is good stuff there that should be looked at by all who are involved in information security, not to mention those involved in developing programs.





Hello again everybody and welcome to Monday. Below we have tidbits on Oracle patches, common coding errors, steganography, Security Catalyst, risk assessments using FAIR, the financial impact of cloud computing, a little humor about cloud computing, and a tool to help you with your regex adventures.

Have a great day and do good!

  1. 41 patches coming from Oracle. Get the patch hammer ready.
    Oracle to issue 41 security patches - Network World
    Tags: ( vulnerability patches oracle )
  2. The Top 25 coding errors report is supposed to be released today.
    Group to detail 25 most dangerous coding errors hackers exploit
    Tags: ( secure programming coding errors )
  3. Here is a free tool if you would like to play around with steganography. Steganography is hiding data by embedding it in other data in such a way that the original, innocuous-looking carrier remains intact and usable.
    OpenStego
    Tags: ( tools java steganography )
  4. The 2009 contributors for the Security Catalyst site have been announced. It's a good mix. I look forward to seeing what they produce this year.
    The Security Catalyst >> Introducing the Security Catalyst Contributors for 2009
    Tags: ( general )
  5. Chris has set up a new scenario for trying your hand at a risk assessment using the FAIR (Factor Analysis of Information Risk) methodology. Take a stab at it. He will be posting the rest of the series this week.
    Risk Scenario - Hidden Field / Sensitive Information (Part 1 of 4) - The Scenario << Risktical Ramblings
    Tags: ( risk assessment fair )
  6. A nice post pointing out some financial dangers that need to be considered when using cloud based infrastructure.
    When the Cloud Bursts - Someone Gets Wet... | CloudAve
    Tags: ( cloud )
  7. Christofer has something you really must read. Classic.
    Rational Survivability: Introducing the Next Generation of Cloud Computing...
    Tags: ( cloud humor )
  8. A nifty tool to help you with your regex adventures.
    Hat tip: @mfratto
    The Regex Coach - interactive regular expressions
    Tags: ( tools regex )
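To make the steganography definition in item 3 concrete, here is an added example (mine, not code from the original post or from the OpenStego project) of the simplest common technique: least-significant-bit embedding. The cover is a constructed 16x16 grayscale gradient held as raw bytes, and the payload is a constructed string; a 4-byte length header is an assumption of this example, not a format OpenStego uses.

```python
# Added example, not from the original post or OpenStego: LSB steganography
# over a constructed buffer of grayscale "pixels". Each payload bit replaces
# the low bit of one cover byte, so no byte changes by more than 1 and the
# carrier still looks like the original gradient.

def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in cover. A 4-byte big-endian length header (an
    assumption of this example) precedes the payload so extract() knows
    how many bits to read."""
    message = len(payload).to_bytes(4, "big") + payload
    needed = len(message) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    out = bytearray(cover)
    for i in range(needed):
        bit = (message[i // 8] >> (7 - i % 8)) & 1   # MSB first within each byte
        out[i] = (out[i] & 0xFE) | bit                # overwrite only the low bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload by reading the low bit of each carrier byte,
    validating the header against the buffer size before trusting it."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            val = 0
            for k in range(8):
                val = (val << 1) | (stego[start_bit + b * 8 + k] & 1)
            result.append(val)
        return bytes(result)

    if len(stego) < 32:
        raise ValueError("buffer too small to hold a length header")
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("header claims more payload than the buffer holds")
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any single cover byte; LSB embedding keeps this at 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 16x16 grayscale gradient, 256 pixel bytes.
COVER = bytes((x * 7 + y * 3) % 256 for y in range(16) for x in range(16))
# Constructed payload for the demonstration.
SECRET = b"meet at dawn"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("max per-pixel change:", max_pixel_change(COVER, stego))
```

The capacity check matters: a 12-byte payload plus header needs 128 carrier bytes, so a 256-byte cover has room, but anything over 28 bytes of payload will be refused rather than silently truncated. Real tools spread bits across colour channels or pick carrier positions pseudo-randomly from a key, which is what makes the hidden data harder to detect statistically than this sequential layout.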

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin Riggins
