funsec mailing list archives
Poor Scoping Disastrous for Security
From: Gregory Hicks <ghicks () hicks-net net>
Date: Mon, 13 Apr 2009 23:42:13 -0700 (PDT)
Poor Scoping Disastrous for Security

The limited scope afforded to your security staff and contractors could harm your business, writes Metlstorm...

By metlstorm
April 14, 2009

Building security testing into your project lifecycle is one of those critical growing-up points for a business. All enterprises must eventually accept that security is just one more part of the software or system development lifecycle. Both designs and implementations must be reviewed, developers need security training and infosec teams need the power to veto go-live dates.

Lots of businesses have arrived at this point. But what often happens as a result is that security gets siloed per project. The project scope determines where security people will see, where there is budget, and critically, where the incentive to fix the problems lies. This means that the way the project silos interact -- the reefs between scope islands -- is never in scope. And as we all know, scope is for project managers, auditors and security consultants. Hackers don't care about your scope.

Let's look at how scoping can create some pretty perverse outcomes.

So I owned this bank system. Hard. Pentesting externally, I managed to go from no auth to complete customer account compromise. I could reset passwords, transfer money, whatever. Pretty bad as customer-facing banking system deployment projects go, right?

I head to the wrap-up meeting, held in a typical bank meeting room. You know the type -- poorly cleaned motorised-printy whiteboard that no longer motors, acoustic-tiled ceiling the colour of institutional gravy, one glass wall out into the post-carpet-cubicle humanist refurbishment. The cubicles are slightly curvy now, less beige, lower and more modular and hip, but still festooned with the trademark flotsam of the corporate slum: a thousand colour-laser-printed pictures of funny cats, babies, daughters with ponies, movie posters with someone's head photoshopped -- no, hang on, MS paint.exe'd -- on and captioned with some tepid project in-joke.

This is the meeting where I explain what's going to be in the report, discuss the technical remediation options with the developers and the impact on project go-live sign-off with the project manager. Normally what you're aiming for here is dismissive-defensive-disbelief-dawning horror from the developers, and something approaching open weeping from the PM. A grimace is good, but actual sobbing is better.

[...snip...]

More at: http://risky.biz/news_and_opinion/metlstorm/2009-04-14/poor-scoping-disastrous-security

---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance. -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they be properly armed." -- Alexander Hamilton

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.