funsec mailing list archives

Poor Scoping Disastrous for Security


From: Gregory Hicks <ghicks () hicks-net net>
Date: Mon, 13 Apr 2009 23:42:13 -0700 (PDT)


Poor Scoping Disastrous for Security
The limited scope afforded to your security staff and contractors could
harm your business, writes Metlstorm...

By metlstorm

April 14, 2009 -- 

Building security testing into your project lifecycle is one of those
critical growing-up points for a business.

All enterprises must eventually accept that security is just one more
part of the software or system development lifecycle. Both designs and
implementations must be reviewed, developers need security training and
infosec teams need the power to veto go-live dates.

Lots of businesses have arrived at this point. But what often happens
as a result is security gets siloed per project. The project scope
determines where security people will see, where there is budget, and
critically, where the incentive to fix the problems lies.

This means that the way that project silos interact -- the reefs
between scope islands -- are never in scope. And as we all know, scope
is for project managers, auditors and security consultants. Hackers
don't care about your scope.

Let's look at how scoping can create some pretty perverse outcomes.

So I owned this bank system. Hard. Pentesting externally, I managed to
go from no auth to complete customer account compromise. I could reset
passwords, transfer money, whatever. Pretty bad as customer facing
banking system deployment projects go, right?

I head to the wrapup meeting, held in a typical bank meeting room. You
know the type -- poorly cleaned motorised-printy whiteboard that no
longer motors, acoustic tiled ceiling the colour of institutional
gravy, one glass wall out into the post-carpet-cubicle humanist
refurbishment.

The cubicles are slightly curvy now, less beige, lower and more modular
and hip, but still festooned with the trademark flotsam of the
corporate slum; a thousand colour laser printed pictures of funny cats,
babies, daughters with ponies, movie posters with someone's head
photoshopped -- no hang on, MS paint.exe'd -- on and captioned with
some tepid project in-joke.

This is the meeting where I explain what's going to be in the report,
discuss the technical remediation options with the developers and the
impact on project go-live signoff with the project manager. Normally
what you're aiming for here is dismissive-defensive-disbelief-dawning
horror from the developers, and something approaching open weeping from
the PM. A grimace is good, but actual sobbing is better.

[...snip...]

More at:
http://risky.biz/news_and_opinion/metlstorm/2009-04-14/poor-scoping-disastrous-security

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
                                        | Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
