Sunday, October 3, 2010

Integration of Enterprise Security API (ESAPI): An Approach

If an application security professional is dealing with hundreds of applications and wants to integrate ESAPI into an enterprise-wide SDLC, then I must say it will be one of the more challenging and interesting tasks in application security. Integrating ESAPI needs a very systematic approach targeted at the development community. For enterprise-wide integration I have chosen the following approach, keeping two goals in mind:
  1. The transition must be simple, smooth and accurate.
  2. Vulnerability occurrence must also be reduced in future development.
Here it is:

Preparation Phase:
  • PP1: Understand ESAPI first. Choose sample applications that have a high number of vulnerabilities; they will help you understand it in depth with less effort. Alternatively, the SwingSet application is a good resource for this purpose.
  • PP2: Write secure coding guidelines for your organization’s development community and explain each recommendation with a code sample using ESAPI.
  • PP3: Write a mapping document for each application that clearly details how ESAPI methods are to be used in that application.

Implementation Phase:
  • IP1: Organize application security (secure coding) training for the development community: demonstrate each vulnerability using vulnerable applications and their code, and then demonstrate the same application/code patched using ESAPI.
  • IP2: Walk through the mapping document for that application, which you prepared in PP3.
  • IP3: Publish the secure coding guidelines for the development community and encourage developers to use them.

Audit Phase:
  • AP1: Check that the correct APIs are used in each application against its mapping document (the PP3 document can serve as the audit checklist).
  • AP2: Help the development community use the correct ESAPI methods in the correct places.
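As an added illustration of how a PP3 mapping document can double as the AP1 audit checklist (this is example code written for this post, not part of ESAPI or of any real mapping document), the script below encodes a few hypothetical mapping entries (unsafe sink, required ESAPI method) and scans constructed servlet lines for sinks that consume request input without the prescribed ESAPI call. The sink patterns and the constructed Java fragment are assumptions for the demonstration; the ESAPI method names are the real ones from the Java ESAPI 2.x API.

```python
import re

# Constructed mapping-document entries (PP3): each names a vulnerability class, the
# regex that spots the unsafe sink in Java source, and the ESAPI call(s) the mapping
# document requires at that sink. Hypothetical checklist, not ESAPI's own material.
MAPPING_DOCUMENT = [
    {"issue": "XSS (HTML body)",
     "sink": re.compile(r"\bout\.print(?:ln)?\s*\("),
     "required": ("ESAPI.encoder().encodeForHTML(",)},
    {"issue": "SQL injection",
     "sink": re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE),
     "required": ("ESAPI.encoder().encodeForSQL(", "prepareStatement(")},
    {"issue": "Unvalidated redirect",
     "sink": re.compile(r"\bsendRedirect\s*\("),
     "required": ("ESAPI.validator().getValidRedirectLocation(",)},
]

# Only lines that feed untrusted request input into a sink are audited.
UNTRUSTED_SOURCE = re.compile(r"request\.getParameter\s*\(")


def audit_source(java_lines, mapping=MAPPING_DOCUMENT):
    """AP1 check: return (line_no, issue, required_call) for every line where an
    unsafe sink consumes request input without the ESAPI method the mapping prescribes."""
    findings = []
    for line_no, line in enumerate(java_lines, start=1):
        if not UNTRUSTED_SOURCE.search(line):
            continue
        for rule in mapping:
            if rule["sink"].search(line) and not any(call in line for call in rule["required"]):
                findings.append((line_no, rule["issue"], rule["required"][0]))
    return findings


# Constructed servlet fragment: each unsafe line is followed by its ESAPI-patched form.
SAMPLE_SOURCE = [
    'out.println("<b>Hello " + request.getParameter("name") + "</b>");',
    'out.println("<b>Hello " + ESAPI.encoder().encodeForHTML(request.getParameter("name")) + "</b>");',
    'String q = "SELECT * FROM users WHERE id=\'" + request.getParameter("id") + "\'";',
    'String q = "SELECT * FROM users WHERE id=\'" + ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), request.getParameter("id")) + "\'";',
    'response.sendRedirect(request.getParameter("next"));',
    'response.sendRedirect(ESAPI.validator().getValidRedirectLocation("next", request.getParameter("next"), false));',
]

if __name__ == "__main__":
    for line_no, issue, required in audit_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {issue} - mapping document requires {required}")
```

Each unpatched line is reported with the ESAPI method the mapping document calls for, while the patched line that follows it passes; a static-analysis tool such as Fortify does this far more thoroughly, which is why the post notes it cuts the PP3 and AP1 effort.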


One last thing: for those equipped with Fortify, the effort in steps PP1, PP3, AP1 and AP2 will be reduced significantly.

All the best!!!

Friday, June 4, 2010

Alert: New Social Engineering Attack

I am reproducing a mail which I received from an information security group. This is a new social engineering attack, and these types of social engineering attacks can be minimized only by social awareness campaigns. I am contributing my two cents through my blog.

It all started when I received a call from someone claiming that he was from my mobile service provider, and he asked me to shut down my phone for 2 hours for a 3G update to take place. As I was rushing for a meeting, I did not question it and shut down my cell phone. After 45 minutes I felt very suspicious, since the caller had not even introduced his name. I quickly turned on my cell phone and I received several calls from my family members. I called my parents and I was shocked that they sounded very worried, asking me whether I was safe. My parents told me that they had received a call from someone claiming that they had me with them and asking for money to let me free. The call was so real that my parents even heard 'my voice' crying out loud asking for help. My parents were at the bank waiting for the next call to proceed with the money transfer. I told my parents that I was safe and asked them to lodge a police report. Right after that I received another call from the guy asking me to shut down my cell phone for another 1 hour, which I refused to do, and hung up. They kept calling my cell phone until the battery had run down. I myself lodged a police report and I was informed by the officer that there were many such scams reported. MOST of the cases reported that the victim had already transferred the money! And it is impossible to get the money back.

Be careful, as this kind of scam might happen to any of us!!! Those guys are so professional and very convincing during the calls.


Be Safe and Stay Alert!

Wednesday, March 17, 2010

Hackers need your help first to succeed

Many of you may be surprised to hear this, but in most cyber security incidents it has been found that the attackers succeeded because the victims helped them first. Today I am going to explain how a user may help cyber criminals.

Awareness: Social engineering attacks are one example where the attacker succeeds and the victim cannot prevent it because of a lack of awareness of the latest attack trends and their countermeasures. Today, knowledge should not be limited to using a system; we all need to keep ourselves updated with the latest security trends and must be aware of how to use a system securely.
Ignorance: It is said that “Real knowledge is to know the extent of one's ignorance”, and attackers work on the same principle to get inside your trusted boundary. Let me explain with one example: it is advisable that users change their passwords after a certain period of time. How many of us are following this? Similarly, there are a few sets of guidelines that one should follow while using these sophisticated systems.
Rely: It is human nature that we rely very easily on someone who cares for us or thinks about us, and most of the time we judge people through day-to-day interactions; but on an Internet platform these classic judgment methods are one of the softest and most useful weapons of cyber criminals. Phishing is one example of an attack that exploits two common human behaviors: reliance and ignorance. Don't rely too much on labels, for too often they are a trap.

Finally, I would like to say that Awareness is not expensive, so do not try Ignorance, and do Rely on the acquisition of knowledge.

Saturday, March 13, 2010

Application Security Consultant (ASC): A Technical Dietitian

An ASC's job is to assess the application from a security point of view, but in developers' eyes, who are they actually?

From my experience I can say that a developer sees them only as a “fault finder”, and from the developer's perspective the ASC is the one who raises questions about the developer's capabilities. But what is the actual truth?

Let me explain in simple words: an ASC just plays the role of a technical dietitian whose job is to guide a developer in how to make healthy code, “secure code”. I always say one thing to all developers: ASCs are not on the opposite side of your table, they are on your side and with you, working towards one common objective: launching healthy and secure code. One thing developers should always keep in mind is that the credit for a successful application goes to the developer only, and the reverse is also true.
So always welcome your technical dietitian; they will only add value to your capabilities. Nothing else!!!

-A Change I Believe In................. 

A change.....................

For quite a few days I had been thinking of starting to write, and finally I have given it the green flag today.

This year I am going to complete half a decade in this industry, more specifically in the information security and consulting industry. In these years I have learned so many things and have now reached a stage from which I can share my knowledge, experiences and thoughts with others. So with this purpose, here I come with my first belief:

"Change!!!! ...I Believe In........"

It looks very simple, but it is very difficult to put into practice... every change comes with a challenge and, consequently, an experience.

With this small thought I am starting my blogging journey,


All comments will be appreciated.