Disclosure standards and why they’re important (…and ReportSecurityFlaws.com) from HolisticInfoSec
I’m certainly a huge proponent of responsible disclosure, but I feel like I’m an even bigger proponent of good, no, SUPERIOR customer service. The moment you put a product out there that you’re charging people money for, you’re not only responsible for support requests stemming from this product, but you’re also responsible for ensuring that this product does not introduce adverse functionality for those who use it. That being said, the meat of this article lies in the announcement of ReportSecurityFlaws.com! While it seems like Ira and Russ are just getting this project off the ground, it certainly seems like this project can easily gain some legs.
PCI, Compliance, and Security from UncommonSenseSecurity
This is one of my favorite blog posts ever. I’m going to print it out and hand it to every single person who works with or around PCI. If you’re on Twitter, you’ve witnessed the back and forth(s), sometimes ad nauseam. The reality of the situation is that both sides are right! Using standards, of any sort, as the high stick for your security posture is bad, for the simple reason that each and every system, application, and infrastructure is different – simply applying a blanket set of requirements will inevitably leave some holes exposed. Security professionals should be able to take these standards and use them as a crutch to convince executives and build an effective security program. It shouldn’t be hard; Mr. Carr thought that checkboxes made his customers’ data secure.
Yahoo!, Paypal, Google, Equifax, AOL, Verisign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government from InformationCard.net
In case you missed the announcement this week, the U.S. Center for Information Technology (CIT), the National Institutes of Health (NIH), and the U.S. Department of Health and Human Services (HHS) partnered with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) to add support for OpenID and Information Card technologies. This partnership follows President Obama’s memorandum instructing Government websites to allow citizens to participate in said websites without having to create additional usernames and passwords. I would specifically like to highlight AOL’s participation in this initiative, which has been spearheaded by my colleague George Fletcher (http://practicalid.blogspot.com/). Congrats George, all that hard work and all those meetings have paid off big!
Good vs. Good Enough from PreachSecurity
This is a really interesting (and simple) approach to scoping. Let’s say your site is a mildly interactive blog, like a generic Honda Civic with the bare-bones accessory package and a stick shift. Setting your club and locking your doors is really all you need to do, unless you’re one of those really paranoid people. On the other hand, if you drive a Ferrari with every luxury option and a laptop with $20k in cash on the passenger seat, you’re not only going to set your club and lock your doors, you’re also going to install an alarm, LoJack, and possibly post a very large and menacing-looking man to stand guard. Not only that, but if the laptop and the $20k on the passenger seat belong to me and you’re responsible for keeping them safe, I expect you to post 2 very large and menacing men outside your car. Here’s another great post from @rybolov with a similar tone, but focusing more on motives and opportunities – http://www.guerilla-ciso.com/archives/1312
Interview about AppSec DC with OWASP’s Doug Wilson from NoVAInfoSecPortal
GREAT interview by my DC area peers @grecs and @dallendoug…but I might be a little biased, as I volunteer with Doug on the AppSec DC planning committee. The interview covers questions and answers ranging from a preview of the conference training and speaking engagements, to the need for volunteers (REALLY, WE NEED VOLUNTEERS, INQUIRE WITHIN!), to who would benefit from attending the conference (spoiler alert! – EVERYONE can benefit from this conference, it’s going to be the best WebAppSec con the DC area has ever seen). Once you’ve read the interview, cruise on over to http://appsecdc.org/ and check out the training courses and conference speaker lineup; I promise you won’t be disappointed.
While I think that Jeremiah Grossman is absolutely on to something with his theories of alignment of interests in Web Security, I would argue that attaining the goal would go against human nature. Since the dawn of time, humans have been in competition with one another, and the only thing that’s really changed is the prize for being “best”. In pre-historic times, it was food, fire, and a safe place to sleep. In the middle ages it was land, crops, and livestock. In modern economies, it’s all about the money. For those actively participating in society, money virtually defines who you are in society. Actors, sports professionals, and CEOs of Fortune 500 companies rake in hundreds of thousands of dollars, and their quality of life shows it with nice cars and lavish housing. Meanwhile, the middle class and below are barely making ends meet, and most are working very hard for every dollar they spend.
Things aren’t much different in the business world. Companies that perform well go public and have millions of investors, companies that perform poorly go out of business, and once again, the measure of success is money. The examples cited by Jeremiah (SSL for web traffic, data encryption, and getting rid of IFrames) just further illustrate my point. While these practices would do a great deal for protecting their customers, they cost money and affect the bottom-line profits, and therefore are not implemented. Yes, I know that security incidents end up costing the company more money in damage control than it would have cost for the safeguards to be implemented in the first place. This is the line security professionals have been giving senior executives for years. Has it worked? It doesn’t seem like it: ask any of the 60% of the top 100 most popular websites that hosted malware in the first half of 2008 (Websense Security Labs™, State of Internet Security, Q1–Q2 2008).
At this moment, the greatest asset that has been given to security professionals is regulation. Whether they be industry (PCI-DSS, SOX, etc.) or Government (FISMA, NIST standards, etc.), these regulations on IT Security have proposed to fine, or hold legally responsible, companies that do not attempt to enforce a minimum level of safeguards to protect their customers. By no means am I saying that these standards are perfect: there is far too little enforcement, the rules are not always described clearly, and there are many cases where auditors are coerced into giving a passing grade to infrastructures which do not meet the requirements. What I am saying is that the idea of fining companies for failing to protect consumer data is the right way to go when you’re dealing with executives whose primary driver is making money for the company.
I propose the following to answer Jeremiah’s question “How do we get the owners of 187 million websites, 17 million developers, browser vendors, universities, governments, ISPs, compliance auditors, and security researchers all to pull in the same direction towards a more secure Web?”:
Establish more laws and industry regulations defining how companies should conduct themselves.
Admittedly, this is a double-edged sword. More checkboxes != more security, but it does give the professionals in the field some solid backing when presenting security concerns to executives.
Academics and researchers must collaborate to change the education system.
Remember the old saying “work to make the world better for your children”? We have an army of little tech-savvy kids coming through the education system. Let’s teach them about information security and privacy issues so that as they move into consumerism, they will instinctively demand security from the products they consume.
Figure out a better way to demonstrate the value of IT Security services.
This seems to be the Achilles’ heel of the IT Security world. How do you demonstrate the value of preventative countermeasures? Yes, I know, another question vs. an answer.
Offer better security solutions and products.
As stated in Jeremiah’s article, “Security vendors love strongly enforced compliance standards as it frees up budget for their solutions, which may not reduce risk, but have to be purchased to satisfy a checkbox”. We don’t need more checkbox solutions; we need tools that actually empower companies with the right information so that they can easily get a snapshot of their current security posture. White Hat Security has a great tool/service hybrid where vulnerability data collected during automated assessment is pre-vetted by WhiteHatSec security engineers before being presented to the customer. As a quick disclaimer, I don’t work for WhiteHatSec, but I have had the opportunity to see their product in action.
Greater focus on outreach and communications.
As the final, and perhaps most important, solution, I propose a greater focus on outreach and communication. Security is still a field where only those who have the history and passion for computers truly understand what’s going on. This needs to change. The average web consumer must be educated to understand the personal ramifications of the “laissez-faire” attitude that plagues the web application security world.
Please feel free to share your thoughts in the comments; I’m very interested to hear what my peers have to say on this subject.