OWASP Ireland Chapter Meeting

2009.07.01

Hi everyone,

We have agreed on the date for the next chapter meeting and lined up two excellent speakers. Full information can be seen below:

Location: Harcourt Street, thanks to Ernst & Young.

Agenda

Next Meeting 23rd July 2009

Venue: Ernst & Young, Harcourt Street

Time: 18:30

Speakers:

Niall Jordan (Realex Payments)

Evading SQL injection detection through encoding

The purpose of this presentation is to give a basic understanding of how character set encoding can be used to evade common SQL injection detection techniques. It will start with a brief introduction to character set encoding to give the viewer the necessary overview to adequately understand the attack vectors. It will then move on to quickly describe normal SQL injection techniques and their detection and then go into detail on using character set encoding to bypass conventional detection methods. Practical examples will be shown along with methods to prevent these attacks.

Colin Watson (Watson Hall)

Software Assurance Maturity Model 1.0

The Software Assurance Maturity Model (SAMM) is now an OWASP project and in March became release quality. What is software assurance? What is a maturity model? What is SAMM? The presentation will explain how SAMM can be used to assess and improve software development security practices, reducing security risk and increasing software assurance, in all sizes of organisation.

Colin Watson’s initial work was in the production and process engineering fields, but since completing an MSc in Computation at the University of Oxford in 1995, he has been employed in web software development, with an increasing focus on the security aspects. He is now a consultant, based mainly in London, working with developers, testers, auditors and people from a non-IT background to improve security practices. Colin joined the OWASP Global Industry Committee in January 2009.

Time: 6:30

Location: Ernst & Young, Harcourt Centre, Harcourt St, Dublin 2 (opposite the Odeon Pub)

If you have any questions please do not hesitate to ask.

Thanks,

Dave

OWASP Ireland Chapter Meeting

2009.06.16

Hi everyone,

I’m just trying to arrange the next OWASP Ireland chapter meeting for July. If anyone is interested in coming to speak at the meeting, please contact me!

SN

Secure Development Website Launched

2009.06.01

I just wanted to post this separately as well as in the previous post; I want to make sure the message about this new website gets out to the people who matter.

To make sure the secure development principles become a useful resource to developers worldwide I have decided to launch a website dedicated to The Principles of Secure Development.

I’m very happy to announce that I’m able to launch www.securedevelopment.co.uk today. I will be adding more content over the coming weeks; subscribe to the Security Ninja RSS feed to get the latest news on the updates to the website until I have a Secure Development feed in place. I look forward to the new site growing and helping developers worldwide develop secure applications.

SN

Secure Development Principles Published

2009.06.01

Hi everyone,

I have been talking for the past couple of months about The Principles of Secure Development that I have created, and today they have finally been published. I decided that the initial release of the principles would be better off going into an industry publication to give them the maximum exposure possible; I’m sure that releasing them in the latest edition of (in)secure magazine will give them the exposure they deserve.

I don’t want to repeat the things I have said in the magazine article, but I do want to reiterate my reasoning behind the article and the creation of the principles. As someone who is passionate about application security, I hate seeing so many web applications being exploited through the same flaws we have known about for many years. The current web application security projects such as OWASP are very good; they provide some excellent information and resources, but I feel they are failing to cover the simple basics of how to develop securely. As attacks such as SQL Injection continue to rise dramatically, more and more developers are expected to develop secure applications without the appropriate guidance being available to them. Something has to change because the current approaches aren’t really working, are they? I’m not trying to say I have the right answer, but I do think it is a good one!

Think of it this way: if a person wants to learn how to drive, they will be taught how to drive in a positive way. They will be shown how to drive a car, given information on speed limits, how to change gears, etc. If driver education was delivered in the same manner as web application security education, we would be teaching learner drivers about the different types of accidents they can have in a car and hoping that they can figure out how to drive properly from that.

I feel that providing developers with a short list of principles which cover many vulnerabilities is a better approach than providing developers with a short list of vulnerabilities - why tell a developer how to prevent a specific vulnerability when you can tell them how to prevent a whole class of vulnerabilities?

I wanted to thank the following people for their advice on the initial principles matrix, input into the content of the article, proof reading and general support during the principles creation:

David Lowry
Mark Hillick
Brian Honan
Victoria Traynor

To make sure the principles become a useful resource to developers worldwide I have decided to launch a website dedicated to The Principles of Secure Development.

I’m very happy to announce that I’m able to launch www.securedevelopment.co.uk today. I will be adding more content over the coming weeks; subscribe to the Security Ninja RSS feed to get the latest news on the Secure Development website until I have a feed in place over there. I look forward to the new site growing and helping developers worldwide develop secure applications.

All feedback on the article, the principles idea and the new website is more than welcome. You will find them on page 77 of the latest (in)secure magazine.

SN

I’m Speaking at DefCon 17

2009.05.29

Hi everyone,

I just wanted to let you all know I have been accepted as a speaker at this year’s DefCon conference in Las Vegas.

You can find more information about the conference here, and my speaker entry will be added to the speaker list soon; you can find that list here.

SN

CIS Security Metrics Released

2009.05.23

Hi everyone,

The Center for Internet Security have released their security metrics project today. The CIS has produced a multitude of useful documentation since its inception; I have used many of their system hardening guides. The new security metrics project delivers a lot of very useful information in a clear format. I enjoyed reading through it this afternoon - I can see it being a great asset to me in my continued effort to improve security governance!

You can get the pdf of the metrics here.

SN

SDL - Microsoft do it again!

2009.05.21

I have blogged in the past about how well I think Microsoft are doing in creating free secure development tools (Threat Modeling Tool) and documentation (SDL Optimisation Model), and today they have added another useful piece to this jigsaw.

The Microsoft SDL blog announced that they are releasing the secure development template, in Microsoft’s words:

“The SDL Process Template is a free downloadable template for Visual Studio Team System that integrates the SDL directly into a customer’s software development environment. Because it integrates with the team and process features of Team System, you do need a Team Foundation Server to manage your work. This is our first comprehensive offering that addresses all phases of the SDL from Requirements through Release.

By taking advantage of the rich functionality in Visual Studio Team System and Team Foundation Server, we are now able to offer an SDL solution that reduces the barrier to entry for SDL adoption, provides auditing for satisfying the security requirements, and demonstrates security return on investment. The SDL Template is intended to provide the foundational components of the SDL for every phase of your development project.”

I know it is only for a Visual Studio environment, but that’s hardly a surprise. I don’t have access to such an environment at the moment, so if anyone else does try this out then please let me know. If no one gets back to me on this before the weekend, I will set up an environment (trials here: team system and foundation server) and give a review on this blog.

SN

OWASP DC and Brazil CFP open

2009.05.19

The OWASP AppSec DC 2009 (Washington DC) and AppSec Brazil 2009 (Brasilia) conferences have now issued their CFPs (Calls For Papers).

I have submitted a proposal to both conferences, so hopefully I can get to speak at one of them at least. If you want more information on the conferences or to submit your own proposal, click on the links above.

SN

Excellent dataloss graphs/stats

2009.05.19

Hi everyone,

I saw hdmoore had tweeted about some excellent data loss graphs and stats, so I decided to have a look myself. I found that once again the datalossdb had created this; these guys really are miles ahead of everyone else when it comes to recording information and reporting on data losses.

The graphs and statistics can be found here.

SN

OWASP AppSec EU Presentations

2009.05.15

The OWASP AppSec EU conference has been going on this week (gutted that something else I have on clashed with it!) and the presentations are going online now. I haven’t read any yet, but some of the presentation titles look good; you can find them on the OWASP website.

SN