RE: WebAppSec Training Courses in UK

[Craig_Sullivan () Waitrose co uk]

Security Architect,

> > My point is that training should be about educating people about the
right things to do, not recounting or accepting that people don't do that
today. Of course we need to be real but we need to educate executives thats
its not good <<

Of course, this is accepted.  Your job (and others) should be about
identifying risks that are evident to YOU but to the owners or business
sponsors of these sites/services fit within a priority order.  Training is
essential but so is the job of identifying the priority of business related
risks that you can find out when conducting testing (it also serves as a
validation of your efforts).

The point I think you are missing is that for many companies, training is
either not an option or is not considered (app dev is outsourced).

For these companies, a rubbish pentest will accomplish nothing apart from
giving an unrealistic sense of security or worry (depending on what they
find).  Here is where I agree completely with you on the 'scan and charge'
mentality of a lot of security companies.  They are not addressing the core
problem and are probably not identifying the risks that are appropriate to
the business owners of the site/service.

I guess we are going to agree here that education is more important than
useless validation tests.  I call it the same as an 'air guitar' except in
this case the guitar is a flabby appendage attached to the site owners
nether regions <grin>.

If half of the companies I've worked with were so concerned about their
security, the world would be a better place.  If only the money being spent
was better directed, the web would be a more secure place to do
business........

Craig




                                                                                                                        
               
                      securityarchitec                                                                                  
               
                      t () hush com               To:      Craig_Sullivan () Waitrose co uk                             
                     
                                               cc:      dan () idsec com, glyn.geoghegan () corsaire com, webappsec () 
securityfocus com        
                      04/12/02 17:02           Subject: RE: WebAppSec Training Courses in UK                            
               
                                                                                                                        
               
                                                                                                                        
               





I don't disagree with most of what you and Glyn said. It was well put and a
good debate. Thanks.

My point is that training should be about educating people about the right
things to do, not recounting or accepting that people don't do that today.
Of course we need to be real but we need to educate executives thats its
not good enough to test at the end of a projects lifecycle. Thats a
training course that really needs to happen in itself. If we say this is
what happens in the real world (its always late, we never have money, no
time etc) well never tackle the problem strategically and be in the same
place next year.

Fucntional testing was in the same place a few years back but you look at
any good dev shops unit test now and you can see how testing can be
integrated into dev cycles pretty easily.

Of course there is a place for pen testing. But IMHO its nowhere near the
place it is often perceived today. I think we agree on that. This list is
frequentled by more pen test types as well I would muse so the responses
are skewed. If you ask secprog (and the debate is going on there now) they
have a very different focus and if you as CISSP lists I am sure it will be
equally skewed.

My point and I think yours is that good training needs to encompass all
aspects of web application security. It should be about teaching people the
things they need to do, as well as teaching them the things they already do
better.

On Wed, 04 Dec 2002 07:39:40 -0800 Craig_Sullivan () Waitrose co uk wrote:
> Hmmm,
>
> Methinks that security architect has possibly not had to work for
> a company
> that is the recipient of these services.
>
> > > Firstly there is little accountability. Its perceived as an art
> and not a
> science and therefore you really have little confidence that all
> of the
> things that should have been tested were<<
>
> Yes, but we accept these limitations when engaging a security firm
> to cover
> those areas where we may have limited experience or time.  People
> accepting
> poor quality output from a security assessment are themselves to
> blame as
> much as the 'market' is for foisting solutions that may have limited
> applicability to reducing 'real risks' they are likely to encounter.
>
>
> > > Someone once used a great analogy. If you're testing for cancer
> would you
> take someone's temperature? <<
>
> This is a poor analogy for security and risk asessment.  We don't
> test for
> temperature but instead try to reduce the patients desire to smoke,
> drink
> or otherwise ingest stuff that would increase the risk of cancer.
> If they
> have cancer, you are too late pal.....
>
> > > Assess strategically not tactically. Asses how security is baked
> into the
> development process and not just in a deployment scenario.<<
>
> It would be wonderful if I had the chance to build security in from
> the
> start of every development project.  Whilst continuing to educate
> developers (who are often churning through new staff) about security
> best
> practice, I still have to rely upon assessments to catch transgressions.
>
> The usability industry is no stranger to this scenario;  In many
> cases,
> clients ask usability consultants to find problems with an interface
> that
> has *already been developed*.  The same situation exists with web
> application security - in many cases, I'm asked to identify problems
> that
> shouldn't have arisen in the first place.  Whinging about this doesn't
> address the problems though - I have to educated developers but
> this
> doesn't obviate the need to perform some level of app security testing,
>
> often late in the development cycle (for late, read 1 week before
> release).
>
> In the abscence of security conscious developers, we have to rely
> upon
> education AND compliance testing during a project.  I personally
> think that
> many of the services offered to 'assess' security from established
> companies are pretty lame these days.  They cannot possibly understand
> the
> background that the developers have, understand 'bad practice' that
> has
> established itself within a company or provide assessments that
> leverage
> internal knowledge of where vulnerabilities may lie.  We accept
> these
> limitations of any assessments that may be provided and direct them
> appropriately towards areas that we know are weak.  It isn't that
> we
> suggest that you do only one or the other - there is a place for
> education
> and a need for verification.
>
> What I'm worried about is that many companies will seek to exploit
> app
> vulnerabilities to clients without addressing the underlying problems
> with
> the platforms and development approach.
>
> Craig.
>
> This is a poor analogy for security and risk asessment.  We don't
> test for
> temperature but instead try to reduce the patients desire to smoke,
> drink
> or otherwise in
>
>
>
>
>
>
>
>                      securityarchitec
>
>
>                      t () hush com               To:      dan () idsec com,
> glyn.geoghegan () corsaire com
>
>                                               cc:
webappsec () securityfocus com
>                      03/12/02 19:08           Subject: RE: WebAppSec
> Training Courses in UK
>
>
>
>
>
>
>
>
>
>
>
>
> With respect I think your description of security assessment training
> is
> woefully inadequate in todays world. Penetration testing is a snapshot
> at
> best and a time trial at worst. Having ran some teams for some well
> known
> consulting companies in the past I know all to well the business
> model and
> why its pushed so hard by them. Now working in corporate America
> I also see
> why we the clients (yeah we as in my company and others at like
> minded user
> groups who surprisingly do talk) are getting very frustrated with
> some
> security consulting companies and training companies.
>
> <rant>
> Firstly there is little accountability. Its perceived as an art
> and not a
> science and therefore you really have little confidence that all
> of the
> things that should have been tested were. Secondly with 78% of attacks
> being from insiders (see FBI reports) , looking at the hard crunchy
> outside
> is of little value. Too many companies reports read  "High Vulnerability
> ?
> Parameter tampering". After the sticker shock you read between the
> lines
> and find out you can change the page color and they have made an
> incredible
> leap of faith from that to saying you "may" be able to login in
> with
> another users username. An indicator of parameter tampering in one
> place
> can lead to it in another. It's the consulting fluff syndrome. You've
> all
> heard it before I am sure. "These sessionID's don't look random".
> Well test
> the randomness if you have a math degree! If not look for the source
> of
> randomness and if /urandom is used then call it out.
> </rant>
>
> Someone once used a great analogy. If you're testing for cancer
> would you
> take someone's temperature? Would you look at their eyeballs? Hell
> No! Get
> them on the cat scan machine. Even if the eyeballs are dilated and
> you can
> tell theyre ill, you still need to locate the problem (offending
> code) to
> treat it.
>
> One of the things I liked when I spoke to the OWASP testing people
> was how
> they are going to cover what I think should be included in a web
> application security testing methodology. In a structured meaningful
> test
> you need to firstly sit down and understand the security requirements.
> How
> can you ever say there is a problem unless you know the requirements
> and
> how it should be? Secondly you need to understand the application
> architecture. That's an assessment in itself! How are people using
> JNDI,
> LDAP JMS <insert architecture component of choice here>. People
> are finally
> realizing that XSS is easily cured with a proper architecture;-)
> You don't
> fix it tactically, you fix it strategically.
>
> Then there is a technical assessment which is where most people
> think the
> pen test comes in. But think of this. My requirements have shown
> that
> sessions timeout after 20 mins and my architecture review shows
> I use the
> servlet container config (server.xml) to do it and the controller
> servlet
> to enforce it. I can sit there with a perl script and make a request
> every
> 21 mins to each url (dumb in my opinion) or I can parse web.xml
> and
> server.xml for the config. Ones a much more effective way to technically
> test the requirements have been implemented IMHO. A pen test may
> have a
> place in ensuring that stuffs functioning as it should be that's
> where it
> belongs again IMHO, flamesOff(security, architect).
>
> And then there's a security source code review, a web application
> security
> management review (what happens when it goes down, who reviews logs,
> what
> policy exists to manage the security of the application).
>
> Web application security assessment is far more than a pen test.
> They are
> prevalent because consulting companies can pull the wool of clients
> eyes
> with buzz words and hacker speak, not to mention the business model
> that
> works well for the consulting companies. If you pay 40K for a hit
> and run
> that's good business. But if you fix the first hole and have to
> pay $40K
> for the next then its not economical and the client will soon feel
> ripped
> of.
>
> And why does this relate to training? Well people IMHO need to be
> trained
> that web application security assessment consists of many things
> not just
> how to own a web server in 20 mins or how to test for XSS from the
> outside.
> Assess strategically not tactically. Asses how security is baked
> into the
> development process and not just in a deployment scenario.
>
>
> On Tue, 03 Dec 2002 01:54:14 -0800 Glyn Geoghegan
> <glyn.geoghegan () corsaire com> wrote:
> > You also need to determine whether the training you want is
> > 1/ Architecting secure applications
> > 2/ Building secure applications
> > 3/ Application Security Assessments (pentesting)
> >
> > Each has a very different target audience, and its own set of concerns.
> >
> >
> > Secure application architecture can involve broad concepts (e.g.
> > using
> > proper input validation, building a tiered structure of least privilege)
> > or
> > specifics (e.g. secure .Net design).
> >
> > Building secure apps could start with pseudo code examples of important
> > programming concepts and drill down into specific languages with
> > their pros
> > and cons.
> >
> > Application Security Assessments could take an application slant
> > on more
> > typical ethical hacking type courses.
> >
> > I believe @Stake, ISS and Defcom provide Application courses in
> > the UK.
> > http://www.atstake.com/services/education/courses.html
> >
> > Glyn.
> >
> > > -----Original Message-----
> > > From: Dan Cuthbert [mailto:dan () idsec com]
> > > Sent: 02 December 2002 21:57
> > > To: phuc4 () hushmail com
> > > Cc: webappsec () securityfocus com
> > > Subject: Re: WebAppSec Training Courses in UK
> > >
> > >
> > > i think the problem is finding a trainer that understands the
> >
> > > problems associated with web applications and security. also
> > > the trainer that is providing the training would need to have
> >
> > > one helluvah understanding of security\building applications
> > > and the whole process
> > >
> > > its a lovely idea... hmmm yeah i can see a owasp opportunity
> here
> > > * phuc4 () hushmail com (phuc4 () hushmail com) wrote:
> > > > I have unsuccessfully been looking for any decent WebAppSec
> >
> > > training
> > > > courses in the UK.
> > > >
> > > > It seems that courses are more on the networking side of things
> > or
> > > > when restricted to either specific technologies like J2EE
> > > or .Net but
> > > > I have yet to find a useful technology independent course
> > > that takes
> > > > in the wider picture as well as the grimey details.
> > > >
> > > > Any ideas?
> > > >
> > > > Maybe OWASP could start doing training courses?
> > > >
> > > >
> > > >
> > > >
> > > > Concerned about your privacy? Follow this link to get
> > > > FREE encrypted email: https://www.hushmail.com/?l=2
> > > >
> > > > Big $$$ to be made with the HushMail Affiliate Program:
> > > > https://www.hushmail.com/about.php?subloc=affiliate&l=427
> >
> >
> > ---------------------------------------------------------------
> -
> > ------
> > CONFIDENTIALITY:  This e-mail and any files transmitted with it
> > are
> > confidential and intended solely for the use of the recipient(s)
> > only.
> > Any review, retransmission, dissemination or other use of, or taking
> > any action in reliance upon this information by persons or entities
> > other than the intended recipient(s) is prohibited.  If you have
> > received this e-mail in error please notify the sender immediately
> > and destroy the material whether stored on a computer or otherwise.
> > ---------------------------------------------------------------
> -
> > ------
> > DISCLAIMER:  Any views or opinions presented within this e-mail
> > are
> > solely those of the author and do not necessarily represent those
> > of Corsaire Limited, unless otherwise specifically stated.
> > ---------------------------------------------------------------
> -
> > ------
> >
> > Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey,
> GU23
> > 7EF
> > Telephone: +44(0)1483-226000  Email:info () corsaire com
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Big $$$ to be made with the HushMail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
>
>
>
>
>
> *********************************************************************
>
> Notice:  This email is confidential and may contain
> copyright material of the John Lewis Partnership.
> If you are not the intended recipient, please
> notify us immediately and delete all copies of this
> message.  (Please note that it is your responsibility
> to scan this message for viruses).
>
>
> *********************************************************************
>
> John Lewis plc               Registered in England 233462
> Registered office            171 Victoria Street London SW1E 5NN
>
> Websites: http://www.johnlewis.com and http://www.waitrose.com



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program:
 https://www.hushmail.com/about.php?subloc=affiliate&l=427