News and Commentary :: by WadeW and You (09/11/2009)

September 11th, 2009 | by wadew |

Disclosure standards and why they’re important (…and ReportSecurityFlaws.com) from HolisticInfoSec
I’m certainly a huge proponent of responsible disclosure, but I feel like I’m an even bigger proponent of good, no, SUPERIOR customer service. The moment you put a product out there that you’re charging people money for, you’re not only responsible for support requests stemming from this product, but you’re also responsible for ensuring that this product does not introduce adverse functionality for those who use it. That being said, the meat of this article lies in the announcement of ReportSecurityFlaws.com! While it seems like Ira and Russ are just getting this project off the ground, it certainly seems like this project can easily gain some legs.

PCI, Compliance, and Security from UncommonSenseSecurity
This is one of my favorite blog posts ever. I’m going to print it out and hand it to every single person who works with or around PCI. If you’re on Twitter, you’ve witnessed the back and forth(s), sometimes ad nauseam. The reality of the situation is that both sides are right! Using standards, of any sort, as the yardstick for your security posture is bad, for the simple reason that each and every system, application, and infrastructure is different – simply applying a blanket set of requirements will inevitably leave some holes exposed. Security professionals should be able to take these standards and use them as a crutch to convince executives and build an effective security program. It shouldn’t be hard; Mr. Carr thought that checkboxes made his customers’ data secure.

Yahoo!, Paypal, Google, Equifax, AOL, Verisign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government from InformationCard.net
In case you missed the announcement this week, the U.S. Center for Information Technology (CIT), the National Institutes of Health (NIH), and the U.S. Department of Health and Human Services (HHS) partnered with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) to add support for OpenID and Information Card technologies. This partnership follows President Obama’s memorandum instructing government websites to allow citizens to participate in said websites without having to create additional usernames and passwords. I would specifically like to highlight AOL’s participation in this initiative, which has been spearheaded by my colleague George Fletcher (http://practicalid.blogspot.com/). Congrats George, all that hard work and all those meetings have paid off big!

Good vs. Good Enough from PreachSecurity
This is a really interesting (and simple) approach to scoping. Let’s say your site is a mildly interactive blog, like a generic Honda Civic with the bare-bones accessory package and a stick shift. Setting your Club and locking your doors is really all you need to do, unless you’re one of those really paranoid people. On the other hand, if you drive a Ferrari with every luxury option and a laptop with $20k in cash on the passenger seat, you’re not only going to set your Club and lock your doors, you’re also going to install an alarm and LoJack, and possibly post a very large and menacing-looking man to stand guard. Not only that, but if the laptop and the $20k on the passenger seat belong to me and you’re responsible for keeping them safe, I expect you to post 2 very large and menacing men outside your car. Here’s another great post from @rybolov with a similar tone, but focusing more on motives and opportunities – http://www.guerilla-ciso.com/archives/1312

Interview about AppSec DC with OWASP’s Doug Wilson from NoVAInfoSecPortal
GREAT interview by my DC area peers @grecs and @dallendoug…but I might be a little biased, as I volunteer with Doug on the AppSec DC planning committee. The interview covers questions and answers ranging from a preview of the conference training and speaking engagements, to the need for volunteers (REALLY, WE NEED VOLUNTEERS, INQUIRE WITHIN!), to who would benefit from attending the conference (spoiler alert! – EVERYONE can benefit from this conference; it’s going to be the best WebAppSec con the DC area has ever seen). Once you’ve read the interview, cruise on over to http://appsecdc.org/ and check out the training courses and conference speaker lineup. I promise you won’t be disappointed.

Finally, I would be doing myself a disservice if I didn’t give a link to NoVAInfoSecPortal, who was kind enough to have me as a guest blogger this week. Check out “What?! No CI(S)O?*” – http://www.novainfosecportal.com/2009/09/09/what-no-ciso/
