InfoSec Blog

SSL & Application Security

Posted on Aug 19, 2012 in Blog, Featured

Just as network devices such as firewalls serve as “excuses” for people to have a lax security posture on their internal network infrastructure, the use of SSL is often “abused” as an excuse for a lack of security in web applications. SSL, while a good security measure, does not mitigate many application vulnerabilities. The only attacks SSL provides some protection against are sniffing, spoofing and man-in-the-middle attacks, and even that depends on the users’ knowledge and gullibility. However, the use...

Causality of bugs

Posted on Aug 14, 2012 in Blog, Featured

You have an application that has been inherited down the management chain and uses, say, JSP. A multitude of developers, contractors and testers of varying degrees of skill have touched this code. How do you make sure that in such a fluid scenario you maintain the security of your application? Quite difficult, isn’t it? This is where the use of standards and security practices helps. While it’s easier said than done, security in the SDLC comes at a high price. Moreover, the cost of fixing bugs in the latter...

Security / Compliance: Oxymoron?

Posted on Aug 12, 2012 in Blog, Featured

Organizational risk management has a simple goal: to reduce risk for the organization, be it related to information or assets. Information security risks come with associated compliance mandates. These mandates could come from a privately governed body such as the PCI Security Standards Council or be mandated by the government, such as Sarbanes-Oxley or HIPAA. Non-compliance may lead to fines being levied and may be a cause of significant financial risk. The point where it becomes interesting is – does being compliant to...

Missing the obvious

Posted on Jun 16, 2012 in Blog, Featured

The “so-called” security-conscious organizations have millions of dollars that they want to put into information security. The emphasis is simple: make sure that our newest and most used technologies are secure before they are “incorporated” into our “environment”. This approach, while it sounds excellent and is not wrong in itself, is only one of the two sides of the security coin. It has an inherent assumption – our existing environment is secure and we can’t taint it. For...

Obfuscation != Security

Posted on May 12, 2012 in Blog

To continue with the idea of our previous blog post on using different types of obfuscation techniques, we would like to present some obfuscation techniques and how they have completely failed to provide any kind of security. Digital Rights Management (DRM): various companies in the entertainment industry have attempted to use encryption to protect video games, music, movies, etc.; however, that has failed to curb the proliferation of hacks that still copy such media. In the end, any kind of DRM mechanism has to rely on eventual...

Security via Obscurity

Posted on Apr 16, 2012 in Blog, Featured

Security by obscurity will never work. Period. However, a lot of the time, especially during PCI DSS audits, some assessors or trusted advisors have a tendency to allow the use of “binary” encoded protocols that might otherwise not be encrypted but merely obfuscated, especially since PCI DSS does say that the data should not be clear text and that sampling of systems should verify that. In the good old days, there was steganography, a technique of hiding data in JPEG or other types of files such that only the person with...

Road to Compliance

Posted on Apr 11, 2012 in Blog, Featured

Does it help to have your security audits performed by an incompetent service provider? From the outset, the advantages may look promising – easy audits, not much work to be done, lots of free passes and, in general, a relatively hassle-free compliance assessment, right? Although the above advantages of choosing an easy (or callous) auditor appear to be cost-saving, they are anything but. Today, you might feel that your organization passed an audit, but did you really “pass” the audit? Or were you given a...

Encryption Mistakes

Posted on Apr 9, 2012 in Blog, Featured

Many times organizations try to go about implementing their own encryption schemes thinking that the relative obscurity of the encryption scheme might end up helping obfuscation. The senior management sometimes (incorrectly) believes that such obfuscation might provide additional security. There is sometimes also a perception that such “additional security” has no trade-off associated with it if the organization believes it has strong development teams to be able to support such encryption. The reality, however, is that the use...

Defense in Depth

Posted on Apr 8, 2012 in Blog, Featured

Defense in depth is probably one of those clichés that every auditor loves using, and companies struggle to understand why it is necessary. After all, it does cost extra money. If my risk is already low, why do I need additional security? The “what if” analysis can and does sometimes go to extremes. The quickest and easiest way to create an analogy is this – even though you have locks on the outside of your house, do you just keep all your valuables in the living room? After all, there is a lock on the door, right? No,...

SDLC – Heart of Security

Posted on Mar 31, 2012 in Blog, Featured

What does your company do when a compliance requirement forces them to “introduce security in the SDLC process”? Most likely, the management would say let’s get a penetration test done when the software is ready. The penetration test gets done and comes back with loads of “critical”, “high” or “medium” risk issues with words like “cross-site scripting” or “cross-site request forgery” but no one except the penetration tester knows what it means! This scenario...