The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

September 23rd, 2010

Third-party code putting companies at risk


http://www.infoworld.com/d/developer-world/third-party-code-putting-companies-risk-302

This opens:

The use of third-party code in applications represents a big security
risk for companies, according to a study from security vendor Veracode.

but they go on in such a way as to make me wonder what they mean by ‘third party’. Some of what they discuss seems to come from the primary supplier. Now if the primary supplier contracted out work, how are you to know?

Companies often use code libraries that have been developed from either
open-source projects or outsourcing organizations that have been
contracted to create applications…

I wouldn’t be so quick to disparage open source projects. Some of them have demonstrated much better code quality, much better reliability and security than commercial products from first-tier vendors.

“Variable quality”? Well yes, but that goes for the products from first-tier vendors. “Ship at the end of the month regardless”. Yes, I’ve seen that. “Release to satisfy the investors/Wall Street”. I’ve seen that too. Open Source doesn’t have those constraints.

September 16th, 2010

Admin username/password clouds

That’s a very interesting and pertinent presentation by a guy named Grubb from RedHat:
http://www.redhat.com/promo/summit/2008/downloads/pdf/hardening-rhel5.pdf

A few items caught my eye:

Slide 7 points out that the CERTs really don’t do a good job, comparatively speaking, of detecting vulnerabilities. It seems that the “million eyes” of other FOSS parties, developers, other distributors & packagers and individuals are much more effective than companies and organizations targeted at such things.

Slide 15 addresses partitioning. I’m amazed at the number of people I hear on the *IX forums I subscribe to and web sites I read that fail to partition and protect their disks. It’s as if they think the way Microsoft’s OEM/consumer systems ship with everything under C: is the way to go with Linux as well. Oh, I do see some separate /home, but it seems only a few of the corporate admins have noted the security bugs possible if /tmp is on the root partition. The advantages of further partitioning I have found to be immense – compartmentalization prevents so many minor problems from becoming major ones. The designers of the Titanic should have realised.
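The concrete problem behind the /tmp point is that /tmp is the one directory every local user and most services can write to. If it shares the root filesystem, anyone who can write there can fill the disk until / has no free space and logging, spooling and package operations start failing, and anything that can be dropped there can be run or used for hard-link tricks against files on the same filesystem. A separate partition caps the damage at that partition, and the nodev, nosuid and noexec mount options remove device nodes, setuid binaries and direct execution from that shared space. The audit below is an added example, not code from the slides or from this blog; the fstab text it parses is constructed for the example, and the function name and status strings are my own choices.

```shell
#!/bin/sh
# Added example: audit fstab- or /proc/mounts-style text for a separate,
# hardened /tmp. The sample entries below are constructed for illustration;
# the UUIDs and devices do not belong to any real host.
SAMPLE_FSTAB='# <device>                                 <mountpoint> <type> <options>                    <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555 /            ext4   defaults                     1 1
UUID=66666666-7777-8888-9999-000000000000 /home        ext4   defaults,nodev               1 2
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /tmp         ext4   defaults,nodev,nosuid,noexec 1 2
tmpfs                                     /dev/shm     tmpfs  defaults,nodev,nosuid,noexec 0 0'

# tmp_mount_status FSTAB_TEXT
# Prints exactly one line describing the /tmp mount:
#   separate-hardened        /tmp has its own entry carrying nodev, nosuid and noexec
#   separate-weak:<missing>  /tmp has its own entry but lacks the comma-separated options listed
#   shared-with-root         no /tmp entry at all, so /tmp lives on the root filesystem
tmp_mount_status() {
    # First non-comment line whose mount point (field 2) is /tmp.
    # Both /etc/fstab and /proc/mounts use the same first four columns.
    entry=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print; exit }')
    if [ -z "$entry" ]; then
        printf 'shared-with-root\n'
        return 0
    fi

    # Field 4 is the comma-separated option list.
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    missing=
    for want in nodev nosuid noexec; do
        # Pad with commas so "nodev" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done

    if [ -z "$missing" ]; then
        printf 'separate-hardened\n'
    else
        printf 'separate-weak:%s\n' "$missing"
    fi
}

# Demonstration on the constructed sample.
tmp_mount_status "$SAMPLE_FSTAB"
```

On a live system the same function can be pointed at what is actually mounted rather than what fstab promises: `tmp_mount_status "$(cat /proc/mounts)"`. A host with no spare partition can still get the containment by mounting /tmp as tmpfs with the same options. One caveat before flipping noexec on: some installers and build scripts unpack and execute from /tmp, so test them, or point their TMPDIR elsewhere, before making the change permanent.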

There’s so much more good stuff in that presentation about specifics of configuration. My advice to many less security-experienced sysadmins is “just do it”. Why? In my database of quotes I have

Bullet proof vest vendors do not need to demonstrate that naked
people are vulnerable to gunfire. Similarly, a security
consultant does not need to demonstrate an actual vulnerability
in order to claim there is a valid risk.
The lack of a live exploit does not mean there is no risk.
– Crispin Cowan, 23 Aug 2002

That *I* can’t demonstrate or document an exploit is no reason for the sysadmin to fail to apply a well known baseline control such as those documented in this slideshow and many other books and articles. Yes, I know that I sound like Donn Parker when I say that, but this is sensible prudence.

“Just Do It”

September 15th, 2010

Career Insights from Stephen Northcutt, CEO of SANS

http://www.bankinfosecurity.com/articles.php?art_id=2914

Fascinating.

I get a lot of enquiries from wannabes who, as they put it, want to “break into security”. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did – the long way. And gained the practical experience and understanding of the issues along the way.
