
Is the world sh1t or is it me?? - Futureshock

January 23rd, 2008 by eoinkeary

Wow, I’m tired of the lack of quality of everyday things. Tons of crap imported from developing nations, made by children for children, outsourced manufacturing of cheap product which you know is crap.

Futureshock is that soon all the stuff we buy will be made as cheap as possible and will cost very little but will also be tacky, unreliable junk. Everything from consumer electronics, to kids’ toys, to food, to software. Stack it high and sell it cheap is the mantra we follow. Think of the future as an environment sort of like “Bladerunner” but everything is falling apart, we all eat Soylent Green, all the door handles are broken, kids have super mutant powers from lead paint and toxins in the toys and we all live to be 150 years old as a by-product of food preservatives…..Happy days :)

Code Review Guide RC1

January 23rd, 2008 by eoinkeary

The OWASP Code review guide was completed a little while ago. It can be downloaded from http://www.lulu.com for free or purchased as a nice book. This is not release V1.0 yet as a little work still needs to be done.

I’ve had many discussions with clients on risk and what real risk is. I am tired of applications and newbie security peeps looking at tool results and saying all issues found are high risk (coz the tool says so, in red ink!!). I sometimes feel that security consultants need to categorise as many findings as possible as high risk to make the report look good. This really pisses the CISO/business off and raises alarmist, uncalled-for panic. As mentioned in the code review guide, it’s all about the context of the vulnerability. Professional criminals are not bothered with a silly bug on a silly little site which may be SQL injectable but only when the moon is full and the planets are aligned; there are easier targets than that to exploit, and money is money [or information, whatever the criminal element is after] regardless of the website.

Another thing that is a pain in the ass are chairs with no arm rests, but that’s for another day’s rant.

(ISC)2 Dusseldorf 11/9/2007

September 12th, 2007 by eoinkeary

Well, I attended the ISC2 Dusseldorf conf on identity management. Most of the attendees were our German friends; I personally like the German way of doing things. They also have nice beer.

The conference itself was not a “life event” by any means.

It had a number of presentations; the most interesting was the presentation given by a guy called Tom Koehler, a director of security @ Microsoft, who talked about TRUST. Another presentation was by a guy called Rainer Rehm on federated identity management and the use of the mobile phone to access all of one’s accounts.

The panel discussion was a discussion amongst the panel (boring) with not much opportunity for the audience to get involved; I blame the chair on that count.

Also the discussion was about “Is there a Need for Security Breach Disclosure Law for Data Subjects in the EU?” but the panel interchanged the ideas of information theft and security breach too much for my taste.

Dusseldorf = Nice + Beer.

SecureDüsseldorf Conference = Not so nice. They have much to do to get to the RSA/BH/OWASP level

OWASP Live CD, Testing Guide (Mission Accomplished) Now on to the OWASP Code review guide

March 7th, 2007 by eoinkeary

The Live CD and Testing Guide are complete thanks to the Autumn of Code interns Josh and Matteo. Matteo is now the Testing Guide lead as I have moved onto the code review guide. Josh remains the main man on the Live CD. Links to both the Live CD and Testing Guide are here:

http://www.owasp.org/index.php/OWASP_Testing_Project

http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
Check out the Live CD project, it’s pretty good. The Testing Guide is finally in a mature state thanks to the support of all the authors.

Now for the Code review guide, this is one of the final pieces in the puzzle of the OWASP suite of guides. If you would like to contribute a chapter in an area you have expertise in please feel free.

I hope to get some sponsorship via a spring of code to finish this guide.

Later-ek

The (UK) Computer misuse Act could ban distribution of security tools.

February 21st, 2007 by eoinkeary

So,

just as security is becoming more mainstream and IT people now know no “waving dead chickens over the keyboard” is involved in IT security, the UK government have decided to add extra chapters to the famous CMA (Computer Misuse Act). The Act dates back to 1990 and is the UK’s anti-hacking/cyber crime law.

It has introduced a “Denial of Service” paragraph making DoS an offence, which is nice. But….. distribution of hacking tools (referred to as “articles” in the Act) may also be an offence. So YOU could be locked up if you are a UK resident and download WebScarab or NMAP!!!

Also I suppose hosting copies of these tools for download is an offence as well…..

Security by obscurity:

That’s what this law shall enact. It shall in effect put the UK into the Stone Age from a security standpoint as this prohibition shall stifle research and also remove pressure on vendors of IT products to produce good quality output……

Useless law from a physically bordered world applied to a world without borders:

Seems to me this law is not thinking about its implications….The good guys will also suffer and anyone outside the UK won’t give a damn….the internet has no borders. Stupid laws such as this one affect everyone residing inside that region, making them weak and unable to defend against individuals who don’t fall within the UK jurisdiction.

See:

“Making, supplying or obtaining articles for use in computer misuse offences”

http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en.pdf

cya, EK

Gartner smell the bacon/tofu!!!!

February 19th, 2007 by eoinkeary

Gartner published a document titled “Impediments and Drivers of Application Security” (Feb 16th).

It contains the same message OWASP have been talking about for years: “Firewalls/IDS are not enough, Intranet is not as safe as you thought…” (Think of the enemy within: http://www.darkreading.com/document.asp?doc_id=117605&WT.svl=news1_2 )

It also says that the AppSec early adopters are the large e-business corps, companies which rely on e-business more than “over-the-counter” business: mutual fund banks, etc….

It also mentions that application developers must accept responsibility for security, which I think is on the right track, but PMs (Project Managers) and key business units must take this responsibility also. Factoring security into development timelines would be a nice start. :)

Relying on outsourced development is not good. One should require security as part of the functional spec.

Bottom line: Integrate security into the Software Development Lifecycle. Perform security tests as part of unit and functional testing.

Wakey, wakey. If Gartner say it then it must be true!!!


Testing Guide complete

February 19th, 2007 by eoinkeary

The OWASP Testing Guide was published on Feb 10th.

http://www.owasp.org/index.php/OWASP_Testing_Project

It is the most complete open source web application security testing guide on the web.

Thanks to the OWASP Autumn of Code we got some quality contributors and a great tech lead (Matteo).

I’ve handed over the Lead position of the guide to Matteo and have moved on to other things (OWASP Code review guide).

http://www.owasp.org/index.php/OWASP_Code_Review_Project

OWASP Testing Guide v2.0

January 11th, 2007 by eoinkeary

Hello again, Eoin here,

The New OWASP testing guide has been completed and shall be on official release on the 10th Feb.

You can get a sneak preview on the OWASP site:

http://www.owasp.org/index.php/OWASP_Testing_Project

So it has taken a long time to get this far. Kudos to the AoC initiative, as without the AoC we (OWASP) would not have had as much energy to complete this massive task.

The AoC technical Lead was Matteo Meucci (Italy) and fair play to him for digging in, but also fair play to everyone else, you know who you are.

-ek

OWASP Code review Guide

January 3rd, 2007 by eoinkeary

Hi,

We are trying to ramp up the OWASP code review guide, in other words, get people involved. The guide currently has plenty of good stuff in it, mostly written by me, but we (OWASP) need more heads to add content about how to review code for potential vulnerabilities.

If you would like to write about reviewing/detecting common mistakes in PHP, AJAX, Web Services, Java, .NET, C/C++ or any other web dev framework or language you are welcome.

thanks,

ek (PS. you can find me on the OWASP site if you wish to contact me).

innerHTML and eval - Javascript/Ajax attacks - 101

January 3rd, 2007 by eoinkeary

Just to round up a discussion I was having with some AJAX developers regarding the use of the eval() function and innerHTML in JavaScript.

These are commonly used to populate dynamic sections of a web page without reloading the page itself (Web 2.0 as the spin doctors call it).

So if we have a simple JavaScript function that rewrites the displayed text depending on what the user typed in:

<HTML>
<script type="text/javascript">
function changeInput()
{
  var userInput = document.getElementById('userInput').value;
  // the user-supplied string is written straight into the DOM as markup: this is the XSS sink
  document.getElementById('elementXYZ').innerHTML = userInput;
}
</script>
<p>Welcome to the page <b id='elementXYZ'>dude</b> </p>
<input type='text' id='userInput' value='Enter Text Here' />
<input type='button' onclick='changeInput()' value='Change Text'/>
</HTML>

So a few problems here: innerHTML will also render any tags contained in the input it receives. To make this post short and sweet (I actually need to do some real work), if we input script using the evil eval() method we can commit XSS, such as:

<a onmouseover=eval('alert("hi")')>mouse over me</a>

The JavaScript method eval(STRING) causes the string passed in to be evaluated as script. This removes the need to use “<”, “>” and the like.
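As an added example (not code from the original post), here is the same "change text" feature written so the input is always treated as text, never as markup or script: textContent replaces innerHTML, there is no eval(), and an escaper is shown for the case where a markup string really has to be built. The document object is a constructed stand-in so the block runs outside a browser.

```javascript
// Escape the five characters that let text be interpreted as HTML.
// Use this only when a markup string must be assembled by hand.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version of the post's changeInput(): textContent stores the value
// as text, so "<a onmouseover=...>" is shown literally instead of becoming a link.
// Returns what now appears inside elementXYZ.
function changeInputSafe(doc) {
  const userInput = doc.getElementById("userInput").value;
  const target = doc.getElementById("elementXYZ");
  target.textContent = userInput; // never innerHTML, never eval()
  return target.textContent;
}

// When a fragment must be built as a string (e.g. a template), escape first;
// the result can then be assigned to innerHTML without the input becoming markup.
function buildGreeting(userInput) {
  return "Welcome to the page <b>" + escapeHtml(userInput) + "</b>";
}

// Constructed stand-in for the browser DOM (assumption: only getElementById,
// value and textContent are needed) so this example runs offline under Node.
function makeFakeDocument(inputValue) {
  const elements = {
    userInput: { value: inputValue },
    elementXYZ: { textContent: "dude" },
  };
  return { getElementById: (id) => elements[id] };
}

// Constructed sample input modelled on the post's mouseover payload.
const SAMPLE_INPUT = "<a onmouseover=eval('alert(\"hi\")')>mouse over me</a>";
```

In a real page, replace makeFakeDocument(...) with the browser's document; the two functions are otherwise unchanged.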