An interesting download to come out of the OWASP camp: books are now available for your reading pleasure. The initial group of books is:
- OWASP CLASP v1.2
- OWASP Top 10 – 2007 Edition
- OWASP Top 10 – Testing – Legal 07′
- OWASP WebGoat and WebScarab
- OWASP Code Review – 2007 (RC1)
- OWASP Evaluation and Certification Criteria
- OWASP Top 10 – Ruby on Rails Version
- OWASP SpoC 2007
- OWASP World (Nov2007)
- OWASP Guide 2.0 (2005)
All are available free of charge (download versions) from LuLu.com/owasp.
So you don’t consider yourself to be XSS savvy, but you would really like to do some free testing? Well, look no further…you just might have a solution. Introducing the XSSDB by GNUCitizen. The XSSDB (I’m assuming) is heading in the same direction as the Metasploit Project, however, solely based on Cross-Site Scripting checks.
A couple of the nice[r] features (IMHO) of the database:
- Ability to perform both GET and POST-based XSS
- Ability to add or submit your own vulnerability checks to the DB
So how could this be improved? Personally, while I do have several methods of testing for XSS, I would find it invaluable to have an offline solution where I could test non-internet-connected applications. GNU? Perhaps some type of offline solution with an update capability? The solution does take a bit of getting used to (for example, if you aren’t terribly familiar with how GET, POST and parameters work in web applications), but overall…a very nice solution.
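To make the GET-versus-POST distinction concrete, here is a small added illustration of a reflected-XSS parameter check that works against an in-process target, so it runs with no network at all. This is example code written for this post, not XSSDB’s own code; the `toy_app` target, its `/search` and `/feedback` paths, and the `xsschk` marker are all constructed for the demonstration.

```python
"""Minimal reflected-XSS check over GET and POST parameters.

Added illustration, not XSSDB's code.  The target is a constructed
in-process WSGI-style function so the whole check runs offline.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode


# --- Constructed target (hypothetical): one raw-echo GET parameter and
# one properly escaped POST parameter, so both outcomes can be seen. ---
def toy_app(method, path, query, body):
    """Return the HTML a tiny search/feedback page might produce."""
    if method == "GET" and path == "/search":
        q = parse_qs(query).get("q", [""])[0]
        return f"<h1>Results for {q}</h1>"          # vulnerable: raw echo
    if method == "POST" and path == "/feedback":
        msg = parse_qs(body).get("msg", [""])[0]
        return f"<p>Thanks: {html.escape(msg)}</p>"  # safe: entity-encoded
    return "<p>not found</p>"


def send(app, method, path, params):
    """Deliver params as a GET query string or a POST form body."""
    encoded = urlencode(params)
    if method == "GET":
        return app("GET", path, encoded, "")
    return app("POST", path, "", encoded)


def check_reflection(app, method, path, param, baseline=None):
    """Probe one parameter of one request and classify what comes back.

    'reflected-raw'      the probe returned unencoded, i.e. the characters
                         " > < survived and can break out of markup
    'reflected-encoded'  the marker returned, but the metacharacters were
                         entity-encoded on the way out
    'not-reflected'      the marker never appeared in the response

    A random marker keeps static page text from producing false positives.
    """
    marker = "xsschk" + secrets.token_hex(4)
    probe = f'"><{marker}>'
    params = dict(baseline or {})
    params[param] = probe
    body = send(app, method, path, params)
    if probe in body:
        return "reflected-raw"
    if marker in body:
        return "reflected-encoded"
    return "not-reflected"


if __name__ == "__main__":
    for method, path, param in (("GET", "/search", "q"),
                                ("POST", "/feedback", "msg")):
        print(method, path, param, "->",
              check_reflection(toy_app, method, path, param))
```

The `baseline` argument is there so a POST form that requires other fields (a CSRF token, a required subject line) can still be submitted with only the one parameter under test mutated. Note the caveat: `reflected-encoded` means the obvious HTML metacharacters were escaped, not that the parameter is safe in every context; a value landing inside a JavaScript string or an unquoted attribute needs its own probe.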
Billy Hoffman and Bryan Sullivan released a new book on AJAX Security this last month (or so). For those of you who aren’t familiar with Billy and Bryan, they are/were involved in the SPI Dynamics group before being acquired by HP Software in late 2007. I would highly recommend that you grab a copy of this book for your library.
AJAX Security Book
[Ripped from Amazon]
Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes.
Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review.
It’s simply amazing to me that folks will fall for the marketing literature. Hacker Safe? I think not….
http://www.cioinsight.com/article2/0,1540,2246925,00.asp
My friend and coworker Douglas Haider is going to be speaking at the ISACA New Orleans chapter meeting on Valentine’s Day (Feb 14). So for any New Orleans-area readers, or for anyone that is going to be in the area on that day, you need to go see the talk. Douglas is a great security and wireless guy. I have worked with him quite a bit since I have been at Accuvant, and I am always impressed. Below is a short blurb about the talk and a link to register. It is open to non-members as well, and it is only about $40 to register.
Today, it’s all about mobility! Companies continue to expand their use of wireless technologies to improve productivity, transmit voice and data, and use new mobile applications. Mr. Haider will discuss the importance of finding the right equipment, project team, and methodology to deploy wireless technologies. In addition he will discuss common deployment errors and mitigation techniques.
Luncheon attendees will be able to:
- Discuss emerging wireless technologies and their common uses.
- Identify best practices to mitigate common risks associated with wireless deployments.
- Identify key skills for the deployment team and steps that should be included in a wireless deployment.
You can register at http://www.isaca-nola.org/Events_Services/events.htm.
Also, Douglas is going to be speaking at the ISACA North American conference. Congratulations to Douglas for that one.
Vet
Here’s another law (which New York is trying to pass) to try to stop sex offenders from getting on social networking sites, and in particular those sites where they might contact minors. I haven’t seen the bill yet, but from what I am reading, it is essentially useless. Just like all of these laws, it is really just political posturing.
Here are some of the details I have:
- The bill is called E-STOP, which stands for Electronic Security and Targeting of Online Predators Act (very witty).
- According to InformationWeek, the bill “requires paroled sex offenders to submit their e-mail addresses and online identities to a central registry that will be used to deny them access to social networking sites. The bill also would forbid sex offenders, on parole or probation, from communicating online with anyone under the age of 18 if the offender is classified level 3 (high-risk of re-offending) or if the offender’s crime involved the Internet or a minor.”
- According to cnet: “It would be a violation of parole for a convicted sex offender to change e-mail addresses without notifying authorities within five days.”
So from those last two points, we see that sex offenders must register their e-mail addresses, online IDs, etc., and then the sites will deny access based on that database. Also, it is a violation of parole if they CHANGE their e-mail address and don’t notify authorities within five days.
First, notice the all caps above. I sincerely hope there is a provision for adding e-mail addresses and not just changing them. Second, it really doesn’t matter anyway because a criminal is a criminal. If they are not reformed, then they are going to continue to do what they do. Drug dealers BREAK laws. Car thieves BREAK laws. And sex offenders BREAK laws.
I applaud the fact that this law is trying to be proactive and will probably stop a few people. But for the most part, this is useless. Sex offenders are going to get around this easily. It is just too simple to fake your ID on the web. But politicians have to justify their paycheck, so this won’t stop anytime soon.
Vet