SecuRisk Solutions PostsWhat does it mean to be SecuriTRAINED?
Step 1 – Follow Chinese War Strategist, Sun Tzu’ss advice in the “Art of War” “Know Thyself” a.k.a. – Be Aware
Step 2 – Follow Queen Elizabeth II’s advice on “Training” and Be Skilled
Step 3 – Follow Goethe’s advice that “Knowing is not enough, we must apply” and Be Certified
Resource Link – AT&EC Security Solutions Datasheet by SecuRisk Solutions
To be SecuriTRAINED is to Be Aware, Be Skilled and Be Certified in Security … read more
Configuring and maintaining securely is critically important to keep electronic trespassers and eavesdroppers away from your wireless networks and sensitive data.
The following are best practices and standards recommended for wireless security:
Read entire article on Managing Security Risks in a Wireless World (reprinted and better formatted) – Here
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bare Necessities of security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more …
The Road Less Travelled by renowned poet, Robert Frost ends by with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side.
At the Austin Open Web Application Security Project (OWASP) session on April 29th, 2008, I presented the following presentation that you can download by clicking on the link below.
 |
 |
| Security Management(Managing Elephants)? | Sleep Swimming (Vigilant Software) |
In the current day and age, the chief drivers for software development projects are meeting business requirements and deadlines. Security is generally an afterthought for software development projects. Incorporating security from inception is more cost effective.This session will address the various security controls and activities associated with each phase of the software development lifecycle (SDLC). The controls and activities include but are not limited to; modeling use/abuse cases, threat modeling, security code review, security testing, etc.
I presented at the Texas Regional Infrastructure Security Conference (TRISC) on SD3LC – Secure By Design, Development and Deployment. You can download the presentation by clicking on the link below.
Integral – As part of the SDLC
SD3LC – Secure by Design, Development and Deployment
TRISC was held in San Antonio, Texas from April 21-23, 2008. The key note session by Mary Ann Davidson (Oracle CSO) and Dan Korem’s workshop session on the Art of Profiling (from Rage of the Random Actor) was excellent. Getting to meet Woody (Elwood G. Norris), master inventor and technologist with 47 U.S. Patents and 100 others pending was an honor. Another highlight of the event was meeting DefCon’s ‘Deviant’ Ollam who had a training on Lockpicking (Physical Security) through The Open Organisation Of Lockpickers (TOOOL) and learning how to pick a padlock using an aluminium can.
Robert Hansen’s (RSnake) talk on “Why I dont use Web App Scanners, all the time” was a great talk and Doug Landoll’s case study on ”Why Technology has Failed to Solve Security Problems” was rife with real world examples and extremely relatable. There were other great sessions by DenimGroup and Whitehat Security and all of the sessions, I could attend were informative and useful. In addition to the conference, it was Fiesta week honoring the memory of the heroes on the Alamo and the Battle of San Jacinto, and so the city was extremely festive and my family and I had a fantastic time in the city, especially the River Walk.
Excerpt from the official press release ( Jan 29, 2008 )
(ISC)²® (“ISC-squared”), the non-profit global leader in educating and certifying information security professionals throughout their careers, today announced the launch of a new online self-assessment tool known as studISCope (pronounced “study scope”). The tool aims to enable security staffs and individuals to assess their knowledge of the (ISC)² CBK®, a taxonomy of information security topics that serves as the foundation for all (ISC)² certifications.
“studISCope is beneficial to both certification candidates and employers,” said Eddie Zeitler, CISSP, executive director of
(ISC)². “It helps candidates focus their study efforts more precisely and enhances their comfort level prior to sitting for the official certification exam.”
For more information, read the entire press release at https://www.isc2.org/PressReleaseDetails.aspx?id=1316
For more information about studISCope and current promotions go to https://www.isc2.org/studISCope
I find myself often having to explain in more detail (than I felt was necessary) when using the following terms – application security, secure software, writing secure code, hack-resilient applications or any combination of these.To some it was debate about it being more than just buying and deploying a bunch of tools, be it scanners (static or dynamic, vulnerability or code), firewalls (network or web app) or anything else that had a hint of security – aka “the technology” To others it was all about policies, standards and procedures, patterns, practices and governance frameworks with little to no relevance on the technical implementation of security – aka “the governance”. Seldom, it would be about the first line of defense – “the people”. Every now and then, it would be about defined processes (policy checking, security requirements generation involving abuse case/threat modeling, security code review, security testing, vulnerability assessments, penetration testing, exception management, and sign-offs) through the life cycle of software development from envisioning to stabilization – aka “the processes”.
So going forward, I plan on using the term – SD3LC, that stands for Secure By Design, Default and Deployment Life Cycle, a term coined from SDLC (Systems Development Life Cycle) and SD3 (Secure By Design, Default and Deployment)
Let me explain – SD3LC
Secure by
Design (complying to governance),
Default (relevant technology) and
Deployment (security aware people)
Life Cycle (defined processes)
In other words, Secure Software = SD3LC
Recently, John Steer who works with a good security friend of mine, Mark Curphey (a.k.a. SecurityBuddha, Visionary, OWASP Founder, ex McAfee VP of application security consulting and now Microsoft ACE Team Leader) wrote a interesting and good article entitle Security Policies in the Application Development Process.
John Steer writes – The role of a security policy is to define what needs to be protected and how it will be protected. In the application development lifecycle, the security policy instructs designers and developers on what the security features need to be and how they must be implemented.
I couldn’t agree more with John, but with just a little to add. Most organizations have a policy but don’t go as granular to defining an Application Security “Policy”. When they do, it is usually a Application Security “Standard” and if you are lucky, they would have, more granular documents that make up the Application Security “Procedures”. In fact, Policy documents are generally very generic with little to any definitive instructions. This is usually the case to prevent rework of the policy upon change in the business or in information systems and technology. Definitive instructions find their place in Standards or Procedures.
An example of an Application Security Policy, Standard and Procedure (when it exists) would be
Policy – Personally Identifiable Information (PII) must be protected
Standard (Application Security) – When transmitting or storing PII, it needs to be encrypted or hashed
Procedure – When storing PII, use NIST approved AES (Rijndael) encryption with at least 256 bit key strength. For more information see link
The fact remains that whether your organization just has a Policy (or) Policy + Standard (or) Policy + Standards + Procedures, they ALL need to address security in application development. The problems lies, when that is not the case.
John’s entire article can be read here and I would recommend that you do.
(ISC)² is dedicated to creating new value-added services for its prospective and more than 50,000 current members worldwide. One of the most exciting of these is studISCope, our online self-assessment tool that helps candidates assess their knowledge of the CISSP or SSCP CBK®. Together with our partner, Express Certifications – a company renowned for developing innovative testing and training techniques – (ISC)² can now maximize your learning experience and focus your study efforts more precisely along whichever information security career path you choose.
What good is a parachute to a skydiver when it is not opened or fails to open? Likewise, what good are security tools/controls/processes to a company when it is not properly implemented or failed to be implemented properly?
Just purchasing more and more tools and establishing multiple security controls and processes without proper implementation may lead one to what one could call “placebo” security.
Implementing security properly would entail a thorough investigation of tools that would handle (mitigate/transfer/eliminate) risk, establishment of processes that would “enable” not “impede” the business(es) that you support, education of your personnel to want to do security because they WANT to, not because they HAVE to and a governance framework to enforce policies, standards and procedures.
So, what are we talking about – What happens when a skydiver’s parachute is not opened or fails to open …
Just wondering, in today’s day and age, what constitutes the DNA of an effective InfoSec Professional -
Is it one who is versatile with a breadth of experience across various technology or is it someone who is super specializes in one area of security? Is it one with an entreprenuerial spirit, a visionary, …
I would like to compile various opinions as to what one thought was the DNA of an effective InfoSec Professional
Merriam-Webster defines effective as “producing a decided, decisive, or desired effect”
