
Archive for February, 2007

The (UK) Computer Misuse Act could ban distribution of security tools.

Wednesday, February 21st, 2007

So, just as security is becoming more mainstream and IT people now know that no “waving of dead chickens over the keyboard” is involved in IT security, the UK government has decided to add extra provisions to the famous CMA (Computer Misuse Act). The Act dates back to 1990 and is the UK’s anti-hacking/cyber crime law.

It introduces a “denial of service” provision making DoS an offence, which is nice. But distribution of hacking tools (referred to as “articles” in the Act) may also be an offence. So YOU could be locked up if you are a UK resident and download WebScarab or Nmap!!!

Also, I suppose hosting copies of these tools for download is an offence as well…

Security by obscurity:

That’s what this law will enact. It will in effect put the UK into the Stone Age from a security standpoint, as this prohibition will stifle research and also remove pressure on vendors of IT products to produce good-quality output…

A useless law from a physically bordered world, applied to a world without borders:

Seems to me this law has not thought through its implications… The good guys will also suffer, and anyone outside the UK won’t give a damn… the internet has no borders. Stupid laws such as this one do, and they affect everyone residing inside that region, making them weak and unable to defend against individuals who don’t fall within UK jurisdiction.

See:

“Making, supplying or obtaining articles for use in computer misuse offences”

http://www.opsi.gov.uk/acts/acts2006/ukpga_20060048_en.pdf

cya, EK

Gartner smells the bacon/tofu!!!!

Monday, February 19th, 2007

Gartner published a document titled “Impediments and Drivers of Application Security” (Feb 16th).

It contains the same message OWASP has been talking about for years: “Firewalls/IDS are not enough; the intranet is not as safe as you thought…” (think of the enemy within: http://www.darkreading.com/document.asp?doc_id=117605&WT.svl=news1_2 )

It also says that the AppSec early adopters are the large e-business corporations: companies which rely on e-business more than “over-the-counter” business, such as mutual fund banks, etc.

It also mentions that application developers must accept responsibility for security, which I think is on the right track, but PMs (project managers) and key business units must take this responsibility also. Factoring security into development timelines would be a nice start. :)

Relying on outsourced development is not good. One should require security as part of the functional spec.

Bottom line: Integrate security into the Software Development Lifecycle. Perform security tests as part of unit and functional testing.

Wakey, wakey! If Gartner says it then it must be true!!!


Testing Guide complete

Monday, February 19th, 2007

The OWASP Testing Guide was published on Feb 10th:

http://www.owasp.org/index.php/OWASP_Testing_Project

It is the most complete open source web application security testing guide on the web.

Thanks to the OWASP Autumn of Code, we got some quality contributors and a great tech lead (Matteo).

I’ve handed over the lead position on the guide to Matteo and have moved on to other things (the OWASP Code Review Guide).

http://www.owasp.org/index.php/OWASP_Code_Review_Project