Secure Coding Practices

Here is a list of Secure Coding Standards links from Source Code Auditing, Reversing, Web Security, re-posted here for my own easy reference.  Code review is admittedly not (currently) my strong suit.  I have done some old school reverse engineering in the lab back in the day, and messed around with static and behavioral analysis, even done some 3D game programming, but I am still a n00b.

If you have any more, please add them in the comments.

Metrics. Not Just For Breakfast Anymore

Over the past couple of years, I have found myself being drawn back to my IT roots, looking to solve the same old problems that plagued IT when I was so much younger, had a full head of hair, and still had to learn that I hadn’t learned it all quite yet.  Back in the day, my boss asked me how the systems were running, and how IT was performing.

I thought a moment, and responded, “All of the systems appear to be running well, we haven’t had any downtime lately, and the server room is humming along nicely.”  He waited.  I broke the silence with “It’s all good.”  My boss, being the patient and well-mannered fellow that he was, reiterated, “So the systems are all up, but how is IT doing?  Are we at capacity on any of the systems, and are our processes working like they should?”  I couldn’t respond honestly, so I admitted it.  He had never asked me before how our processes were working, so it must have been all that golf he had been playing lately that had gotten to him.  We were blind to whether we were doing the right things, and doing them well or poorly.  My engineers and I had put together some fantastic systems and processes for the company: reliable, scalable, capable, but we had forgotten to consider how we would be able to measure when we needed to scale, improve, support, or replace them.  DOH!  We did have basic system health gauges, but those only monitored CPU and RAM thresholds.  Time to think bigger, and smaller.

Why do we collect metrics?  Metrics are a critical component of Management, whether it be Information Security, Projects, or Programs.  If you aren’t monitoring your exposures and measuring your results, how will you know whether you have been successful?  IT is all about strategy.  We implement systems in order to meet business objectives.  IT systems support the objectives of the business.  The business could still run without IT.  Much slower, ineffectively, inefficiently, and at a retarded pace, but the business could still run.  Without metrics, how do you prove the value that your IT or Security team is bringing to the organization?  How do you justify continued spending on improvements, new tools, new technologies?

Six Major Identity & Privacy Trends To Watch

According to Gartner, six major trends will drive identity and access management (IAM) and privacy in 2012.  Businesses will need to increase their focus on projects in that space that can achieve quick value and deliver real benefits to the business.

Organizational boundaries continue to erode due to M&As, converging environments, and outsourcing complexities, and IT’s control continues to weaken as mobile devices and cloud services proliferate.  Identity management is becoming more important than ever.

Six IAM Trends:

  • Tactical identity: The scope and budgets for identity management projects will remain constrained.  A major cause of failure for these projects has been an overly broad scope combined with a lack of focus on business value.
  • Identity assurance: Demands for stronger authentication and more mature practices will intensify.  Organizations need to know who they are trusting, why, and for what.
  • Authorization: Authorization requirements will grow more complex and urgent in response to regulatory pressure and more complex IT and business environments.  The real magic of IAM lies in authorising access and in the creation of logs used to hold people accountable for their actions.  Authorization and enforcement of access control policies is less mature than other processes in many organizations.
  • The identity bridge: Identity management must span the chasm between organizations. A new architectural component will be needed to manage identity information flows between cooperating companies.
  • The sea of ID tokens: Identity information frequently has to be adapted by each domain that receives it before being passed on to downstream domains.  Identity information is transmitted via tokens.  These tokens may be carried in protocol headers or in protocol payloads.
  • Policy battles: Concerns over identity theft and privacy are alarming the public, and having a serious impact on operations.  The business community, privacy lobby, law enforcement and national security communities will continue to wrangle over laws and regulations, which will continue to drive changes in the identity infrastructure.

As usual, Gartner is right on the money.  Read the entire article to get the details.

Global Security Defence Agenda Report

McAfee and the Security and Defence Agenda (SDA) have revealed their findings in a report that attempts to paint a global view of the current cyber-threat (*sigh* Cyber?  Really?), defensive measures, and an assessment of the road ahead.  The report was created to identify key areas for discussion, highlight trends, and to help governments and organizations understand how their security defense posture compares to others.

This report involved a survey and interviews with roughly 250 leading authorities worldwide with over 80 security experts in government, international organizations and academia.  It is aimed at the “influential layperson”, and deliberately avoids technical jargon.

Some Key Findings:

  • 57% of global experts believe an arms race is taking place in cyber space.
  • 45% of respondents believe that online security is as important as border security.
  • 43% identified damage or disruption to critical infrastructure as the greatest single threat with wide economic consequences.
  • 36% believe information security is more important than missile defense.
  • The US, Australia, UK, China and Germany all ranked behind smaller countries for their state of incident readiness.

Advice On Healthcare Breach Avoidance

Interesting and fairly good recorded interview on the HealthCareInfoSecurity blog from the perspective of a lawyer who has been involved in many a breach investigation.  Listen to hear attorney David Szabo’s top three tips for breach prevention and detection.  Be aware of and learn from other organizations’ mistakes.

“There’s a huge risk area around laptops and other portable devices that carry a lot of data.  Organizations, even when it’s not legally required, need to be looking at, say, encryption of all laptops that leave a facility with protected health information or personal information.  Organizations also should re-assess exactly what kind of information should and should not leave the premises on mobile devices”, Szabo says. “That’s another factor of risk.”

In this exclusive interview, Szabo discusses:

  • The three most important steps to take now to prevent and detect breaches;
  • What healthcare organizations can do now to prepare for the final version of the HIPAA breach notification rule;
  • The most important steps healthcare organizations can take to prepare for this year’s HIPAA compliance audits.

I enjoyed the interview, thought you might too.

13 Rules of Intelligence

I came across this post on the “Intelligence War” blog site.  The original 13 rules were written by Admiral Sir John Godfrey, Royal Navy, Director of Naval Intelligence, 1939-1943.  These rules written decades ago have stood the test of time fairly well.

  1. Fighting commanders, technical experts and political leaders are liable to ignore, under-rate or even despise intelligence.  Obsession and bias often begin at the top.
  2. Intelligence for the fighting services should be directed as far as possible by civilians.
  3. Intelligence is the voice of conscience to a staff.  Wishful thinking is the original sin of men of power.
  4. Intelligence judgments must be kept constantly under review and revision.  Nothing must be taken for granted either in premises or deduction.
  5. Intelligence departments must be fully informed about operations and plans, but operations and plans must not be dominated by the facts and views of intelligence.  Intelligence is the servant and not the master.
  6. Reliance on one source is dangerous; the more reliable and comprehensive the source the greater the dangers.
  7. One’s communications are always in danger; the enemy is always listening in, even if he cannot understand.  Intelligence has a high responsibility for security.
  8. The intelligence worker must be prepared for villainy; integrity in handling of facts has to be reconciled with the unethical way they have been collected.
  9. Intelligence is ineffective without showmanship in presentation and argument.
  10. The boss, whoever he is, cannot know best and should not claim that he does.
  11. Intelligence is indivisible.  In its wartime practice the divisions imposed by separate services and departments broke down.
  12. Excessive secrecy can make intelligence ineffective.
  13. Intelligence is produced from files, but by people. They require recognition, continuity, and tradition, like a ship or a regiment.

Any Vulnerability Management or Incident Response process could benefit from knowing, understanding, and applying these 13 rules.

Job Search Responses

Interesting discussion over at TechCrunch regarding potential employer response (or lack thereof) to hiring candidate submissions.  (Please, prospective employers, don’t get your knickers in a bunch, I’m not complaining, really I’m not.  Everybody updates ME.)  Most of this diatribe is based on the article, but I recommend reading and posting your own comments at TechCrunch.

There are plenty of job search engines, recruitment vehicles and so on out there on the Web.  If you’ve ever been on the job hunt, you know how frustrating and time consuming it is to manage the job hunt process.   </Start Griping>  You spend hours filling out forms and fields, manually recreating your resume in yet another database, adding more and more “action verbs” to your resume, etc.  You fire off application after application.

Then you wait.  Your prospective employer doesn’t respond.  You send a follow-up email.  Nothing.   Another follow-up after a couple of weeks, still nothing.   Maybe you get an interview.  You send a thank you and a follow-up email.  Nothing…….

Job searchers absolutely hate this resume black hole.  This deficiency impacts the relationship that the company may have with potential employees, who may also be potential customers.  It can damage your company’s reputation.  In a recent study 72% of respondents said they would be less likely to recommend companies’ products or services or write a positive review online if companies don’t respond to their applications.  All people want is a response or an update.  </End Griping>

This is the pain point a startup called StartWire is trying to solve.  Their value proposition lies in being a sort of project management tool for the job search process.  StartWire launched in early 2011 and had attracted 50,000+ registered users by January 1st of this year.

Quantifying Reputational Risk

Trying to explain, measure and report on reputational risk has always posed a challenge for every IT organization that I have encountered.  IT understands technology, and most of the risks associated with technology.  They struggle for the most part with business risk, and although they will agree reputation is important, they can’t seem to figure out how to factor it in, or what it means to the organization.

Reputational risk is defined by The Federal Reserve System’s Commercial Bank Examination Manual as “the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.”  Reputational risk is one of the Federal Reserve System’s categories of safety and soundness and fiduciary risk (credit, market, liquidity, operational, legal, and reputational) and one of three categories of compliance risk (operational, legal, and reputational). While it may be a defined risk, reputational risk remains difficult to identify and quantify.

Michelle Dennedy has a good article on McAfee’s Privacy Matters blog that scratches the surface of reputational risk, and suggests a simple method for estimating and tracking it.  Although not an accurate measurement of an organization’s specific reputational risk, it does provide a yardstick, which is better than just ignoring it.

Michelle’s proposed workflow is to: Continue reading

Poor Problem Management

CA’s Rich Graves posts “Problem Management sits alone in the corner and cries and cries. It’s the loneliest ITIL process as it’s always the last one picked to play on the Service Operations team. Poor little Problem Management sits and watches while Incident and Change Management get to play. And Configuration Management gets to play too, even though it is a complete mess and isn’t even wearing shoes.”

So true.  Problem Management is a misunderstood process, even more so than Configuration Management.  Without it, though, so many issues will go unresolved, or be closed with an inconclusive response.  No lessons will be learned, and the problems won’t just go away.

“And let’s be honest: root cause analysis is boring. Who wants to deal with that all the time? I’d rather just restore service and move on. What’s that you say? Eliminating the root cause could prevent further outages and free IT from dealing with critical incidents? OK then. We need to do Problem Management.”

Check it out and make a resolution to improve your IT and business processes in 2012.  Shoot for the moon, that way, even if you just miss, you still stand a chance to fall among the stars.

Cisco Reports 70% of “Young Workers” Violate Policy

There is a growing threat looming to corporate computer security in the attitudes of younger workers to technology, according to a report issued Wednesday by Cisco Systems Inc.  The solutions as I see them are written between the lines below, as the article describes the “reasoning” of those “young workers” surveyed.  In my incident response experience, it isn’t just the young folks, either.