Thursday, September 10, 2009

SQL Server Execution Plan

It just so happens that I've been charged with doing some DBA work. I need to brush up on my execution plan knowledge, and I found this great blog with a link to a free e-book.

Thursday, August 20, 2009

Cookies are bad with strong auth in web apps

Here is a great write-up by VeriSign on why using cookies for multi-factor authentication is a bad idea. I think they obviously have a solution up their sleeves which will make them money, but besides that I think the point is still valid. It's well worth the read.

No Firewall - How to beat Jordan and Kasparov

I read an interesting blog post (http://1raindrop.typepad.com/1_raindrop/2009/08/there-are-no-firewalls-or-how-to-beat-michael-jordan-and-garry-kasparov.html) the other day which I thought was important enough to blog about. This is good stuff to remember.

ask the client to draw up their security architecture on the whiteboard. This inevitably contains a firewall as one of the central pieces. Next, I ask them what is "behind" the firewall, describe the assets, their value to the business and so on. Then, I say "now imagine the firewall is not there. What would your security architecture look like? What would protect your assets, your data, your users, your apps?" Then I list off a series of attacks that take no notice of the firewall's presence because they were designed to circumvent it from the get go. From an attacker's point of view a firewall is a speed bump, not an immovable object. It's simply a question of looking at it from a different point of view. Typically, at this point the blood drains from my colleagues' faces.

I call this the Michael Jordan/Garry Kasparov situation.

Question: how can you beat Michael Jordan & Garry Kasparov?

Answer: Get Jordan to play any game except basketball and Kasparov to play any game but chess.

Monday, July 20, 2009

Cross Origin Resource Sharing - Good or Bad?

I recently came across this article. From a web developer's standpoint I think this is a great idea: one can share information more easily. From a security standpoint I'm wary of the idea. I'd need to dissect this even further to get a better grasp on the specifics. It looks like the server must be set up to provide the appropriate information as well as the browser. Adding another header simply adds to the attack surface of web applications, which thanks to AJAX has already grown tremendously. It will be interesting to sit and watch the evolution of this new functionality.
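To make the "server as well as the browser" point concrete, here is an added example (not code from the original post or from the article it links): a server-side function that emits CORS response headers with the weak setting (reflect any Origin and allow credentials) beside the corrected allowlist version, plus a browser-side check that mirrors how the browser decides whether script may read the response. The origin allowlist and request headers are constructed for illustration.

```python
# Added example (not from the original post): the two sides of a CORS exchange.
# The origin allowlist and request headers below are constructed for illustration.
from typing import Dict

# Constructed allowlist of origins that may read this API's responses.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_weak(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Weak server setting: reflect any Origin and also allow credentials.

    Every site on the web can then read responses that carry the user's
    cookies, which is the attack-surface concern in the post."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(request_headers: Dict[str, str],
                        allowed=frozenset(ALLOWED_ORIGINS)) -> Dict[str, str]:
    """Corrected setting: echo the Origin only if it is on the allowlist.

    Omitting the headers entirely makes the browser block the cross-origin read."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches that the response depends on the Origin request header.
        "Vary": "Origin",
    }
    if "Access-Control-Request-Method" in request_headers:
        # Preflight (OPTIONS) answer: state what the actual request may use.
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers


def browser_permits_read(origin: str, response_headers: Dict[str, str],
                         with_credentials: bool) -> bool:
    """Browser-side decision: may script running at `origin` read the response?

    The header must match the page's origin exactly (or be '*'), and '*' is
    never accepted when credentials (cookies) were sent with the request."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != origin:
        return False
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True


if __name__ == "__main__":
    other = {"Origin": "https://other-site.example"}
    print("weak server, foreign origin, cookies sent:",
          browser_permits_read(other["Origin"], cors_headers_weak(other), True))
    print("strict server, foreign origin, cookies sent:",
          browser_permits_read(other["Origin"], cors_headers_strict(other), True))
```

The browser enforces the policy, but it can only enforce what the server states; with the weak function a credentialed read from any origin succeeds, with the strict one it is refused unless the origin is on the allowlist.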

Wednesday, July 01, 2009

Mobile site Best Practices

It's been a while since my last post, mainly b/c of time and the fact that it's blocked at work now. Anyway, here is a very good list of resources and links for what you will need to develop a mobile site. The standards have come a long way since WAP 1.0.

Mobi Web Developers Guide - requires free registration
W3C Mobile Best Practices
Another XHTML Mobile Profile link
Mobile CSS link

Mobile Icon List

Mobile Emulators - good luck trying to get them to work
Getting Win Mobile Emulator working

.NET Mobile browsers file

Thursday, June 18, 2009

Hay Day 2009

Here are some pictures from helping out with the hay at Stone Fox Farm.

2009_06_16

Tuesday, June 16, 2009

Identifying you between your work and home

I was reading the CryptoGram from Schneier and found this pdf, which talks about how a person's identity could be determined based on the couple of locations they use to access sites on the internet. I had actually proposed a possible means of stemming fraud on an application at work by tracking IPs and using a GeoLocation database. While it's not 100%, if you allow x amount of IPs to access an "order" for a given user, then compare that with other information and where/when they access the site, you can come up with data points outside of the "norm". Then you can throw a flag advising a human to look closer at an order or at a set of users accessing the site. Having read all of this, I foresee it being possible to take concepts from the paper and apply them to an algorithm for identifying rogue users.
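As an added illustration of the flagging idea described above (this is not the application or algorithm from the post, and the paper's own method is not reproduced), the following groups accesses by user and order, counts distinct IPs against an assumed threshold, and also flags two consecutive accesses from different countries that are closer together than plausible travel allows, which goes a step beyond the IP-count check in the text. The GeoIP table, thresholds and log lines are all constructed for illustration.

```python
# Added example (not the application or algorithm from the post): flagging
# orders whose access pattern falls outside the norm, using the number of
# distinct IPs and GeoIP-derived country changes. The geo table, thresholds
# and log lines are all constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MAX_IPS_PER_ORDER = 2              # assumed "x amount of IPs" threshold
MIN_HOURS_BETWEEN_COUNTRIES = 6    # assumed: faster country hops are suspicious

# Constructed stand-in for a GeoLocation database (documentation ranges only).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Constructed access log: (user, order id, client IP, timestamp).
ACCESS_LOG = [
    ("alice", "order-1001", "203.0.113.7",  "2009-06-16 09:00"),
    ("alice", "order-1001", "203.0.113.9",  "2009-06-16 09:20"),
    ("bob",   "order-2002", "198.51.100.4", "2009-06-16 10:00"),
    ("bob",   "order-2002", "203.0.113.50", "2009-06-16 10:45"),
    ("carol", "order-3003", "192.0.2.10",   "2009-06-16 09:00"),
    ("carol", "order-3003", "192.0.2.11",   "2009-06-16 09:30"),
    ("carol", "order-3003", "192.0.2.12",   "2009-06-16 10:00"),
]


def geo_lookup(ip: str) -> str:
    """Return the country for an IP, or '??' when the table has no entry."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"


def flag_orders(log: List[Tuple[str, str, str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group accesses by (user, order) and return the reasons each one was flagged.

    Orders with no anomalies are absent from the result, so a human reviewer
    only sees the cases worth a closer look."""
    by_order: Dict[Tuple[str, str], list] = defaultdict(list)
    for user, order, ip, ts in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_order[(user, order)].append((when, ip, geo_lookup(ip)))

    flags: Dict[Tuple[str, str], List[str]] = {}
    for key, events in by_order.items():
        events.sort()  # chronological order
        reasons = []
        distinct_ips = {ip for _, ip, _ in events}
        if len(distinct_ips) > MAX_IPS_PER_ORDER:
            reasons.append(f"{len(distinct_ips)} distinct IPs")
        # Consecutive accesses from different countries too close together.
        for (t1, _, c1), (t2, _, c2) in zip(events, events[1:]):
            gap = t2 - t1
            if c1 != c2 and gap < timedelta(hours=MIN_HOURS_BETWEEN_COUNTRIES):
                reasons.append(f"country change {c1}->{c2} after {gap}")
        if reasons:
            flags[key] = reasons
    return flags


if __name__ == "__main__":
    for (user, order), reasons in flag_orders(ACCESS_LOG).items():
        print(f"{user} {order}: {'; '.join(reasons)}")
```

On the constructed log, alice's two IPs in the same country stay quiet, bob's jump from DE to US within 45 minutes raises a flag, and carol trips the distinct-IP threshold; each flag is a reason string for the reviewer rather than an automatic block, matching the "advise a human to look closer" approach in the post.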

Wednesday, April 15, 2009

Nmap Tutorial

I came across this site that has a tutorial for the tool Nmap. I thought I would share it.

Twitter worm

Here is an article about the multiple variants of the worm that hit Twitter. I found it interesting that the worm was created by someone who ran a site which is a competitor to Twitter. The article quotes the author of the worm stating "...But I didn't think it would spread as far or as fast as it did."

Thursday, March 05, 2009

SQL Injection cheat sheet

I saw this and thought it would be good to keep as a link for the future. Here is a link to what appears to be a good SQL injection cheat sheet.

Saturday, February 21, 2009

Dir Buster

I thought I would share this post someone else made about DirBuster. I remember playing around with it and tried it on the web applications that I work on. It was impressive how well it found the directories within our site.

Friday, February 20, 2009

Comment on blog about - Multi-Step Authentication Processes: Lockout Policies

I saw this blog and thought it was a good idea. I'm always on the lookout for new ideas for web application security. What I like about the concept in this one is using the session to track failed authentication. It's a good way to stop the not so smart bad guys from playing with username/password combinations. You can view the blog here. Enjoy!
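Here is an added example of the session-tracking concept (my own illustration, not the code from the linked blog): failed logins are counted in the server-side session and the session is locked after an assumed threshold; because a fresh session starts with a clean counter, the example also keeps a per-account counter, which goes a step beyond the session-only idea in the post. The user record, thresholds and passwords are constructed.

```python
# Added example (not the code from the linked blog): tracking failed logins
# in the user's session and locking the session after too many, alongside a
# per-account counter. User record, thresholds and passwords are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_SESSION_FAILURES = 3    # assumed threshold per session
MAX_ACCOUNT_FAILURES = 10   # assumed threshold per account (survives new sessions)
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse battery")}

# Per-account failure counts, kept server-side so a new session cannot reset them.
account_failures: Dict[str, int] = {}


@dataclass
class Session:
    """What the web framework would keep in the server-side session store."""
    failures: int = 0
    locked: bool = False


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown users take as long to reject as known ones.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def attempt_login(session: Session, username: str, password: str) -> str:
    """Returns one of: ok, failed, session_locked, account_locked."""
    if session.locked:
        return "session_locked"
    if account_failures.get(username, 0) >= MAX_ACCOUNT_FAILURES:
        return "account_locked"
    if verify_password(username, password):
        session.failures = 0
        account_failures.pop(username, None)
        return "ok"
    session.failures += 1
    account_failures[username] = account_failures.get(username, 0) + 1
    if session.failures >= MAX_SESSION_FAILURES:
        session.locked = True     # further attempts in this session are refused
        return "session_locked"
    return "failed"


if __name__ == "__main__":
    s = Session()
    for guess in ("password", "letmein", "123456", "correct horse battery"):
        print(guess, "->", attempt_login(s, "alice", guess))
```

Once the session is locked, even the correct password is refused for that session, which is the behaviour the post likes; the account counter is what catches an attacker who simply starts over with a new session.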

Wednesday, February 04, 2009

defect vs vulnerability

In developing applications, working with a QA team, and dealing with security, I see the very good point in this article, defect vs vulnerability. I think all web developers need to worry about security to some degree. Part of it will depend on what type of application you are developing, and the other part is what industry you are in. A good phrase for me to keep things in perspective is "Security is about risk management." It's nice to know how a specific security flaw works, especially as a developer, but a developer serves the business, so don't lose sight of the risk. Don't get caught up in the technical aspect of all security flaws b/c you will miss the boat on what risk you need to manage for your application.

Thursday, January 22, 2009

article on XSS

I just found this article on XSS from OWASP. This should be a good one; I plan on reading it and using it with ESAPI.

Tuesday, January 20, 2009

Good points of top n lists

I thought it was only fair to point out the flip side of top n lists, since in my last post I pointed out the problems with them in an article from Gary McGraw. This one is found here. Here is a good summarizing quote from the blog: "I agree, just the list would be pretty worthless. The best part of each of these lists, however, are the pains they go to providing excellent information on mitigation strategies and tactics. Use this information to whatever advantage you can. It is, after all, free."

Thursday, January 15, 2009

The good and bad of the CWE/SANS Top 25

Earlier this week SANS/CWE posted this: the top 25 most dangerous programming errors. This is a good list to know what to watch out for, but don't get caught up in the details. As one security professional states, "Security is all about risk management"; the source can be found in an article by Gary McGraw. Gary does a good job of reminding you that while it's good to know the details, don't get caught up in them. First and foremost, know how to prioritize and apply those risks to your responsibilities.