Software Integrity

Archive for 2007

Kapow! Comic book security

Everyone agrees that user education plays an important role in security, but does it really have to be so boring? How many security basics courses droning on about password security must we suffer through before we hit on a better way? Can comics help? Cartoons certainly have popular appeal. They can get important messages across […]

Posted in Security Training, Vulnerability Assessment

The risk of too much risk management

IT controls. Corporate governance. Decision support. Right-sized spending (another phrase I thought I coined, but I see it gets three hits in Google). These are all part of the all-too-nebulous activity often referred to as data security risk management. Let’s put a stake in the ground on what risk management means. I’m not referring to […]

Posted in Vendor Risk Management

Mitigate XSS: Why input validation is bogus

Ask any security guy/gal about how to best mitigate cross-site scripting (XSS) and what is the answer? It’s some variation on validating input. Look at my own writings about this topic and what will you find? Variations on the input validation theme. Input validation is a great solution for new applications, but it’s a horrible […]

Posted in Application Security, Vulnerability Assessment

From the foreword to ‘Secure Programming with Static Analysis’

This is the foreword that I wrote for Brian Chess and Jacob West’s excellent new book Secure Programming with Static Analysis. I recommend this book for all software security practitioners. Developers, in particular, will find the book extremely helpful. On the first day of class, mechanical engineers learn a critical lesson—pay attention and learn this […]

Posted in Software Security Testing

SDLC on the shoulders of giants

Software security veterans have all certainly thought about the idea of ‘securing the SDLC’… I can tell because every consulting firm’s collateral that I’ve seen in the past year has a new bullet under their ‘services’ section referring to something like ‘Secure development process integration’ or ‘Secure SDLC services’. That being said, let’s talk about […]

Posted in OWASP, Software Development Life Cycle (SDLC), Software Security Testing

Badness-ometers are good. Do you own one?

Never one to mince words, I coined the term badness-ometer to describe “application security testing tools” like the ones made by SPI Dynamics and Watchfire. For whatever reason, people read more into the term than I intended. I guess they see the term as having only negative connotations. I stick by my nomenclature–black box application […]

Posted in Application Security, Web Application Security

Busting the SQL stored procedure myth

One of the commonly proposed remedies for SQL Injection is to use SQL stored procedures. Use of stored procedures can greatly reduce the likelihood that you’ll code an SQL injection, but it’s not the stored procedure-ness that’s saving you. Stored procedures let you use Static-SQL instead of forcing you to always use Dynamic-SQL. In Static-SQL […]

Posted in Secure Coding Guidelines

Aspect-oriented service architecture: ‘Built in’ or ‘bolted on’ security?

I’ve been looking at how people have been implementing input validation and entitlement evaluation within service-oriented architectures (SOA). One of the nice properties of an SOA is service composition, so transformation and validation can be implemented as an independent utility service and then composed with other services. But service composition has the drawback that one […]

Posted in Software Security Testing