Tuesday, March 19, 2013

European Security Bloggers Meetup and Awards

This year will be the second annual European Security Bloggers’ Meetup, and will include the first European Blogger Awards.  The meetup will be Tuesday evening, the 23rd of April, from 18:00-21:00, in Kensington (London) near the Earls Court conference center (the site of InfoSecurity Europe).

BSides London is the following day, so it will be a busy week- join us for a relaxing and conversational evening before the madness gets overwhelming.

If you are a security blogger or podcaster, please sign up at the event’s Eventbrite page to get all the details.

Also, if you are a European security blogger or podcaster, please participate in the blogger award survey and nominate your favorite blogs and podcasts now.

And thanks to Tenable Network Security (my employer), which has signed on as a sponsor of this year’s gathering.



Sunday, March 17, 2013

ThreadFix, an Open Source tool for software vulnerability management

As many know, I’ve spent the last couple of years in the vulnerability management world- at least what we generally accept as “vulnerability management”.  Although I think what we do at my “day job” (what a quaint concept, “day job”) is stellar, there is a hole in vulnerability management- vulnerability management for applications from a code review and process management perspective.  Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing- how do you manage disparate data sources on vulnerabilities in your organization’s code?  How do you share that information, and get the right information to the right people- in the format they want?  How do you leverage the information as quickly and effectively as possible?  For many people, I assume a kludge of ticketing and bug-tracking tools is used, probably with a few spreadsheets tossed in to connect the dots that the tools don’t support.


Enter the good folks at Denim Group, who have created ThreadFix, an Open Source “application vulnerability management platform”.  I had a chance to sit down with Dan and John from Denim at the recent RSA conference and take a look at ThreadFix, and I’m impressed.  Application security is not a major part of my day to day work, but it is still an area I try to keep an eye on- and ThreadFix looks like a great project.  As I mentioned, it is Open Source, but it also has an established application security company behind it- this means you can grab the code from Google Code and run with it on your own, or you can turn to Denim for assistance and support if you need some corporate backing in your environment.  The features of ThreadFix (from Denim’s ThreadFix page) include:

  • Simplified View of Application Test Results
    • Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling to get a complete view of the state of your applications.
  • Reports
    • Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s progress over time to pinpoint any process problems.
  • Defect Tracker Integration
    • Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using.
  • Virtual Patching
    • Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injections.
  • Compatible with Open Source and Commercial Products
    • ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers.
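To make the “consolidate and de-duplicate” idea concrete, here is a small Python illustration added to this post.  It is not ThreadFix code and says nothing about how ThreadFix stores or keys findings; the tool names (scanner-A, scanner-B, manual-test), their output formats and the findings themselves are constructed samples.  The script keys each finding on (CWE, route, parameter), keeps the highest severity any source reported, records every tool that saw the issue, and sets aside vulnerability names it cannot map to a CWE instead of dropping them silently.

```python
"""Consolidate and de-duplicate application scan findings from several sources.

Illustration added to this page; it is not ThreadFix code and does not reflect
how ThreadFix stores or keys findings. The tool names, formats and findings
below are constructed samples.
"""
import csv
import io
from dataclasses import dataclass
from urllib.parse import urlparse

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Free-text vulnerability names used by the hypothetical "scanner-B", mapped
# to CWE IDs so that findings from different tools share one vocabulary.
NAME_TO_CWE = {"Cross-Site Scripting": 79, "SQL Injection": 89}


@dataclass(frozen=True)
class Finding:
    cwe: int
    path: str       # URL path (route) where the issue was observed
    parameter: str  # input that triggered it
    severity: str
    tool: str

    def key(self):
        # Two findings are treated as the same issue when they share a CWE
        # at the same route and parameter, regardless of which tool saw them.
        return (self.cwe, self.path, self.parameter)


# Constructed sample: CSV export from hypothetical "scanner-A".
SCAN_A = """cwe,location,param,severity,tool
79,/account/profile,name,High,scanner-A
89,/search,q,Critical,scanner-A
"""

# Constructed sample: parsed JSON from hypothetical "scanner-B"; the SQLi
# entry appears twice because the application was scanned twice.
SCAN_B = [
    {"vuln": "Cross-Site Scripting", "url": "https://app.example/account/profile?name=x", "param": "name", "risk": "Medium"},
    {"vuln": "SQL Injection", "url": "https://app.example/search?q=1", "param": "q", "risk": "High"},
    {"vuln": "SQL Injection", "url": "https://app.example/search?q=1%27", "param": "q", "risk": "High"},
    {"vuln": "Clickjacking", "url": "https://app.example/", "param": "", "risk": "Low"},
]

# Constructed sample: a result entered by hand after a manual test.
MANUAL = [Finding(352, "/account/delete", "csrf_token", "Medium", "manual-test")]


def parse_scan_a(text):
    """Normalise scanner-A's CSV rows into Finding objects."""
    return [Finding(int(r["cwe"]), r["location"], r["param"], r["severity"], r["tool"])
            for r in csv.DictReader(io.StringIO(text))]


def parse_scan_b(records, tool="scanner-B"):
    """Normalise scanner-B records; names with no CWE mapping are returned
    separately so they get triaged rather than silently dropped."""
    findings, unmapped = [], []
    for rec in records:
        cwe = NAME_TO_CWE.get(rec["vuln"])
        if cwe is None:
            unmapped.append(rec["vuln"])
            continue
        # Strip scheme, host and query string so both tools describe the same route.
        findings.append(Finding(cwe, urlparse(rec["url"]).path, rec["param"], rec["risk"], tool))
    return findings, unmapped


def consolidate(findings):
    """Merge findings sharing a key: keep the highest severity reported and
    record every tool that observed the issue."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(f.key(), {"cwe": f.cwe, "path": f.path, "parameter": f.parameter,
                                            "severity": f.severity, "tools": set()})
        entry["tools"].add(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return merged


def build_view():
    """Consolidated view over all three constructed sources, plus the names
    that still need a human to assign a CWE."""
    found_b, unmapped = parse_scan_b(SCAN_B)
    return consolidate(parse_scan_a(SCAN_A) + found_b + MANUAL), unmapped


if __name__ == "__main__":
    view, unmapped = build_view()
    for _, e in sorted(view.items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        print(f"CWE-{e['cwe']:<4} {e['severity']:<8} {e['path']} [{e['parameter']}] seen by {sorted(e['tools'])}")
    print("needs manual CWE mapping:", unmapped)
```

Running it yields three consolidated issues from six raw records: the XSS and SQLi findings collapse across both scanners (the SQLi rescan duplicate disappears entirely), the XSS inherits scanner-A’s “High” over scanner-B’s “Medium”, the manual CSRF finding stands alone, and “Clickjacking” is flagged for a human to map.  The one real-world simplification to note is that both constructed tools already report locations as URL routes; correlating a static analyzer’s source-file locations with a dynamic scanner’s URLs is a separate problem the script does not attempt.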

Version 1.1 of ThreadFix is available as a release candidate now, and should be available as a stable release very soon; 1.1 adds support for additional scanners, including NTO Spider and IBM AppScan, and numerous other enhancements (and, of course, bug fixes).

If application security is part of your world, take a look at ThreadFix.

Side note and conference tip: if you want to talk with friends at an event like RSA, and know you’ll be crazy busy- go ahead and schedule a meeting, even through their PR folks’ messages in your inbox.  If you don’t, the week will disappear.  Just don’t say “I’ll meet you in the lobby” at events the size of RSA; several thousand other people have the same idea and you end up playing cell phone Marco Polo.  If I hadn’t scheduled time with Dan and John I might have waved to them at a party, but couldn’t have had a meaningful conversation.



Friday, March 15, 2013

Improvement: incremental, or excremental?

“We NEED radical change- the only way we can solve the challenges of securing systems and information is through radical change in the way we… blah, blah, blah”.

What we need, and what many people understand, is to allow reality to participate in our pronouncements.  Yes, the state of InfoSec is pretty sad, and many approaches to improving it have sprouted sects which are devolving into bad religions (note that I didn’t say “metrics”, “risk”, or “pentesting”, you thought of those on your own).  To be clear, my objection is not with these practices, it is with irrational and often myopic faith in them.

I’ll tell you what we NEED, we need a cure for cancer.  Sadly, we aren’t likely to “cure” cancer anytime soon, there are too many different diseases under that label, and too many causes to simply “cure” it.  What we are getting, however, is (for many types of cancer) improved treatment, with improved quality of life, and higher survivability.  I truly hope that within a few generations people will look back on chemotherapy as we look back on bloodletting today; if that happens, I believe it will be through incremental gains.  (Note: do not naively dismiss the occasional value of bloodletting, for some maladies it enforced bed rest when that was what was needed most.  For the record, I am not a doctor, and I don’t even play one on Twitter- I am not suggesting a return to it as a mainstream medical treatment).  So, bloodletting occasionally helped people recover, when it didn’t make them worse or kill them.  Sounds a bit like chemo, doesn’t it?

As for InfoSec: we’re talking packets, not people. Having added a bit of perspective, let’s revisit what we need, and what we might get, in InfoSec.

[Image: man in a yellow field of flowers]


It would be lovely, like a field of flowers in spring, to make radical changes to infrastructure, code, human behavior, etc.  We could all frolic through the greenfield networks, and rest easy with robust code handling our transactions.  I’m sure we wouldn’t make any mistakes in design or implementation this time.

[Image: man suffering from pollen allergy]



Just watch out for hay fever in this dream world of yours.



I hate to rain on idealists’ parades (OK, you got me, I love it), but while some people do get to implement rapid radical change, remember that some people also get to win huge lotteries.  If you are reading this blog, I’ll assume that you, like me, are neither of the above.

Most InfoSec professionals, from the trenches to the executive level, are tied to environments with limited and infrequent opportunities for radical change.  We can make things a little better, with the goal of minimizing bad things and gradually improving overall.

[Image: worker in a white hardhat beside a sewage treatment basin]



Or, if we are brutally honest, we may admit we’re more like sewage plant engineers, and that “stink less tomorrow” is a laudable goal.



But some changes just aren’t worth the effort.  With our environments continuously becoming more hostile and elaborate, doing nothing means losing ground.  BUT, change does not assure improvement, and change for the sake of change may make things worse.  At the risk of offending some friends in the business, spending weeks or months researching a new anti-virus solution, then spending the time and money to implement it may not be worth the effort and investment.  Some poorly thought out “improvements” will actually make your environment less robust, and a lack of familiarity with new systems can set back your ability to properly manage and secure your environment.  Change for the sake of change is crap.  I would suggest you instead spend that time on filling known holes in your visibility and awareness- such as log aggregation and analysis (Disclaimer: yes, I know- I work for a company which sells this kind of tech. I have advocated this for years, it isn’t about sales), or application whitelisting, or improved patching- something, anything, that can actually move you forward.

Unless you are one of the “lottery winners” who can make big things happen fast, focus on the incremental changes you can make today.  And keep a wish list handy for when you win the lottery.



Tuesday, March 5, 2013

Thank goodness that’s over.

As Dickens once said:

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…”

I am, of course, talking about the week of madness in San Francisco which centers on, and swirls around, the RSA conference. I don’t know where to start, it was a wild week.

Security BSides San Francisco was a great event, a new lead organizer and team of new and veteran crew and volunteers put on a great event at a funky new venue, the DNA Lounge. The event also moved to Sunday and Monday from the Mon/Tues it has been the past two years. A couple of things could have gone more smoothly, but it was an outstanding event, in spite of some challenges. A wide variety of great content and peripheral events, and an unusual but effective venue made this event a success. It is hard to believe that three years ago was the first BSidesSF, which was only the third BSides event. BSidesSF 2013 was the 67th BSides event globally (if my count is correct), and we’ve yet to hit the four-year anniversary of the first one. There are a lot of BSides events coming up, check the BSides wiki for all the details.

The RSA Conference itself was even more “RSA Conference” than usual, record attendance (I heard numbers like 24,000 people, but that’s unconfirmed), and record highs and lows. The expo floor was largely disgusting, the level of hype and chicanery was arguably worse than ever (a record not to be savored). This year brought a couple of revelations about the expo floor, primarily this:

The worst of the expo floor largely offers “InfoSec Homeopathy”, but without the advantages of any potential placebo effect- it simply diverts us from appropriate cures.

I would love to get a documentary (mockumentary?) crew to follow a few folks who’ve played this game for many years as they wander the aisles calling out the age of the “new technologies”, the acquired tech left to languish under the mismanagement of big firms, and the absolute snake oil. In this fantasy, Gene Spafford, Marcus Ranum, and Robert Graham are your tour guides through the show floor. I’m too fond of these folks to actually ask them to do it, however. In between the hype and hyperbole, there are always companies at the expo for the right reasons, to engage customers and prospects in rational conversations about their products and services- you just have to look past the booth babes, cars, and screaming barkers.

Speaking of “booth babes”, this year brought a worsening of the “booth babe” phenomenon. I hate to even mention their name for fear that P.T. Barnum was right, but ForeScout’s “Catholic Schoolgirl” attired booth women represented a new low. Based on comments from friends, it may be that no one is going to buy their product based on its merits, but that is no excuse. Sadly, they weren’t alone in the booth misogyny department. Speaking of misogyny, I did get to wear the latest in Misogyny Networks fashions a couple of times during the week.

Note that we do not have to put up with this, InfoSecurity Europe has updated their terms and conditions to prohibit “booth babes”. I applaud InfoSecurity Europe, and hope others follow their lead.

But it was not all bad, the crowds meant good traffic through the corporate overlords’ booth, and we had many good conversations about what we do and the way we see the landscape. Many others in the industry who were at RSAC to conduct business seemed to have a productive event as well. Unfortunately, the high booth traffic meant I didn’t get to see the talks I wanted to see, and there were several that looked good and had good reviews. But for me RSAC is about the business, so that’s where I focused. It’s worth mentioning that many attendees never visit the Expo floor, and many attendees never see a talk, and many seem to only be interested in the parties. You need to find an approach to RSAC that serves your needs- if you don’t, you’ll probably be mired in misery and frustration.

Speaking of parties, I avoided most of them this year and focused on a few smaller events where I could connect and reconnect with people. I did attend the Security Bloggers’ Meetup, it is a can’t-miss event for me where I can see folks in person I normally only see online. This year’s awards were great, with one notable exception: the judges voted me into the SBN “Hall of Fame” over better and more deserving nominees. I am grateful and flattered by the award, I just think many others have contributed more to the security blogging community. Also winning this year was the Pauldotcom podcast, which has won four out of the five years the awards have been given. Since Paul and Larry launched the podcast many years ago, it has grown and evolved- the current crew of Paul, Larry, Mike, Allison, Patrick, and the audio and video team is a pleasure (and occasional terror) to work with and I’m honored to have been a part of it for the past couple of years.

Now, back to work.