(ISC)²® Launches Online Self-Assessment Tool For Information Security Professionals

Excerpt from the official press release (Jan 29, 2008)

(ISC)²® (“ISC-squared”), the non-profit global leader in educating and certifying information security professionals throughout their careers, today announced the launch of a new online self-assessment tool known as studISCope (pronounced “study scope”). The tool aims to enable security staff and individuals to assess their knowledge of the (ISC)² CBK®, a taxonomy of information security topics that serves as the foundation for all (ISC)² certifications.

“studISCope is beneficial to both certification candidates and employers,” said Eddie Zeitler, CISSP, executive director of (ISC)². “It helps candidates focus their study efforts more precisely and enhances their comfort level prior to sitting for the official certification exam.”

For more information, read the entire press release at https://www.isc2.org/PressReleaseDetails.aspx?id=1316
For more information about studISCope and current promotions go to https://www.isc2.org/studISCope

Add comment Feb 9, 2008

Secure Software – A New Term Coined !

I often find myself having to explain in more detail (than I felt was necessary) what I mean when using the following terms: application security, secure software, writing secure code, hack-resilient applications, or any combination of these.

To some, it was a debate about it being more than just buying and deploying a bunch of tools, be it scanners (static or dynamic, vulnerability or code), firewalls (network or web application) or anything else that had a hint of security, aka “the technology”. To others, it was all about policies, standards and procedures, patterns, practices and governance frameworks, with little to no relevance to the technical implementation of security, aka “the governance”. Seldom would it be about the first line of defense, “the people”. Every now and then, it would be about defined processes (policy checking, security requirements generation involving abuse case/threat modeling, security code review, security testing, vulnerability assessments, penetration testing, exception management and sign-offs) through the life cycle of software development from envisioning to stabilization, aka “the processes”.

So going forward, I plan on using the term SD3LC, which stands for Secure By Design, Default and Deployment Life Cycle, a term coined from SDLC (Systems Development Life Cycle) and SD3 (Secure By Design, Default and Deployment).

Let me explain SD3LC:
Secure by
Design (complying with governance),
Default (relevant technology) and
Deployment (security-aware people)
Life Cycle (defined processes)

In other words, Secure Software = SD3LC

2 comments Jan 27, 2008

Security Policies in the Application Development Process

Recently, John Steer, who works with a good security friend of mine, Mark Curphey (a.k.a. SecurityBuddha, Visionary, OWASP Founder, ex-McAfee VP of application security consulting and now Microsoft ACE Team Leader), wrote an interesting and good article entitled Security Policies in the Application Development Process.

John Steer writes – The role of a security policy is to define what needs to be protected and how it will be protected. In the application development lifecycle, the security policy instructs designers and developers on what the security features need to be and how they must be implemented.

I couldn’t agree more with John, but have just a little to add. Most organizations have a policy but don’t go as granular as defining an Application Security “Policy”. When they do, it is usually an Application Security “Standard” and, if you are lucky, they will have more granular documents that make up the Application Security “Procedures”. In fact, Policy documents are generally very generic, with little to no definitive instruction. This is usually deliberate, to prevent rework of the policy upon a change in the business or in information systems and technology. Definitive instructions find their place in Standards or Procedures.

An example of an Application Security Policy, Standard and Procedure (when it exists) would be:
Policy – Personally Identifiable Information (PII) must be protected.
Standard (Application Security) – When transmitting or storing PII, it must be encrypted or hashed.
Procedure – When storing PII, use NIST-approved AES (Rijndael) encryption with at least 256-bit key strength. For more information see link

The fact remains that whether your organization has just a Policy, or a Policy + Standard, or a Policy + Standards + Procedures, they ALL need to address security in application development. The problem arises when that is not the case.

John’s entire article can be read here and I would recommend that you do.

2 comments Jan 27, 2008

Application Risk Modeling @ CSI 2007

The CSI 2007 conference, held in Arlington, VA from Nov 3-9 2007, was a blast. In addition to the conference sessions being very educational, it was a great networking event, affording one the opportunity to meet the brightest minds in the security industry. You can access the conference posting here.

I presented on Application Risk Modeling as an integral part of the SDLC (System or Software Development Life Cycle), introducing the Tic-Tive™ Risk Spectrum.

A preview of the presentation contents is given below.

Figure 1. The SecuRisk™ Methodology of Application Risk Modeling

Figure 2. The Tic-Tive™ Risk Spectrum. Where does your organization/company fall in this spectrum?

You can download the entire presentation by clicking on the link below.
Application Risk Modeling; An Integral Part of the SDLC – By Mano Paul

Session Abstract -
The methodology introduced in this session is designed to provide proactive risk analysis and modeling techniques for applications. It addresses obstacles experienced by security professionals due to lack of automation and objective risk modeling fundamentals. Attendees will understand how application risk management results in reducing overall risk within an enterprise and transferring risk to the appropriate business segment.

Add comment Nov 26, 2007

Two Application Security Catalysts – SQL Injection & Cross-site Scripting (XSS) @ Burton Group Catalyst EU 2007

Two of the most prevalent application attacks in this day and age are SQL Injection and Cross-Site Scripting (XSS). Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer no protection against such attacks. The risks of sensitive information theft, alteration and insertion of data, along with other effects such as URL redirection, website defacement and authentication theft, are high and will be demonstrated. This session will demonstrate the effects of SQL Injection and XSS attacks and provide insight into the control measures to successfully mitigate the risk of such attacks. It will also provide insight into the different process control measures that are necessary across the systems development life cycle to harden the code from within, so that such susceptibilities are addressed. Session takeaways include a complete understanding of the anatomy of SQL Injection and XSS attacks, their effects when exploited, and the mitigation control measures to stop SQL Injection and cross over XSS.
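As an added illustration (not part of the original session or post), here are the two code-level controls the abstract points to, each shown beside the insecure pattern it replaces: parameterized queries against SQL Injection and output encoding against XSS. The user table and the two tainted inputs are constructed for the demonstration.

```python
"""Constructed demo: insecure vs. hardened handling of untrusted input.
Runs offline against an in-memory SQLite database."""
import html
import sqlite3

# Constructed inputs: a tautology that alters the WHERE clause, and a
# script tag that becomes markup if reflected into a page unencoded.
TAINTED_LOGIN = "' OR '1'='1"
TAINTED_NAME = "<script>alert(1)</script>"


def make_db():
    """Build a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_unsafe(conn, username):
    """String concatenation: the input is parsed as part of the SQL grammar,
    so the tautology widens the filter and returns every user."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterized query: the driver binds the input as a literal value,
    so the same string simply matches no user."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_unsafe(name):
    """Reflecting input into HTML verbatim lets it become markup."""
    return "<p>Hello " + name + "</p>"


def render_safe(name):
    """Output encoding: angle brackets and quotes become entities, so the
    browser renders the text instead of interpreting it."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, TAINTED_LOGIN))  # ['alice', 'bob']
    print(lookup_safe(db, TAINTED_LOGIN))    # []
    print(render_unsafe(TAINTED_NAME))
    print(render_safe(TAINTED_NAME))
```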

Add comment Nov 26, 2007

(ISC)2 Official CISSP Practice Exams and (ISC)2 Official SSCP Practice Exams

(ISC)² is dedicated to creating new value-added services for its prospective and more than 50,000 current members worldwide. One of the most exciting of these is studISCope, our online self-assessment tool that helps candidates assess their knowledge of the CISSP or SSCP CBK®. Together with our partner, Express Certifications – a company renowned for developing innovative testing and training techniques – (ISC)² can now maximize your learning experience and focus your study efforts more precisely along whichever information security career path you choose.


Add comment Oct 11, 2007

Top 3 Questions in the Board Room …

Are there other questions (than the ones listed below) that take more precedence, which an Information Security Professional/Leader/Executive needs to be able to answer in the board room? If so, please respond …

1. What is the Revenue to the company?
2. What is the Cost to the company?
3. What are the Risks to the company?

Additionally, thoughts on how these questions can be answered from an information security perspective are welcome.

Add comment May 3, 2007

Ham and Ham Sandwich

While attending the Computerworld 100 Premier IT Leaders conference in March, James Dallas, CIO and SVP of Medtronic Inc., in his keynote address expressed that as a CIO, he is interested in a Ham and Ham sandwich, not a Ham and Egg sandwich in which the chicken is only participating while the pig is taking all the risk.

Extrapolating the idea to risk management within organizations, if we are to liken ‘Ham’ to IT and the Business, what are some proven methodologies that information security professionals and leaders can use to “SHARE the RISK” with the businesses they support, so that the ‘Business’ is not just participating?

Additionally, are there other analogies that reflect a similar scenario?

Add comment May 3, 2007

WANTED – Sponsors, Speakers and Volunteers for the Austin Chapter

The Austin Chapter of the ISM-Community is looking for the following -

  1. Hosts/Sponsors – companies to host and sponsor upcoming events
  2. Speakers to speak in these ISM-Community hosted events
  3. Volunteers to assist in the various ISM-Community projects and activities

We are currently compiling the event calendar for this year. If interested, please contact Mano Paul

Note: ISM-Community requires that all events that are conducted are vendor-neutral.

Add comment Apr 4, 2007

2007 – The Year of …

In 1982, Time magazine’s Machine of the Year was the Computer, and the 2006 year-end issue of Time magazine has “You”, the IT Professional, as the Person of the Year.

With the continued focus and increased attention on information security, many information security professionals find themselves in constant demand. What makes these InfoSec Professionals so sought after? (See DNA of an effective InfoSec Professional.) And the real question would be: will 2007 be not just the Year of “You, the IT Professional” but also the Year of the “InfoSec” Professional?

2 comments Mar 1, 2007
