Tuesday, October 7, 2008

The security ninja has left the building

Well as usual things have happened much sooner than I had planned!

The new blog and forum went live over the weekend and now the new Security Ninja website is live. I'm happy with the way it looks at the moment and work is ongoing but from today onwards I will not be posting to this blog anymore.

The Security Ninja website can be found here.

I look forward to seeing everyone on the new site!

Dave

Friday, October 3, 2008

News from the ninja

Hi everyone,

I just wanted to keep everyone up to date with what is going on with Security Ninja. I've been crazy busy with my company being close to our annual PCI audit, but of more interest to you guys are the changes coming to Security Ninja.

As I have been working away on the various tutorials I'm writing, I think the blog format isn't quite right to host everything I plan to produce. I love my blog and it's going to stay around, but Security Ninja is expanding to provide more than just a blog!

I have a few ideas which I plan to put on the new site, for example I would like a wiki for application security, a security forum, a whitepapers section and a tutorial section. On top of that lot I will of course be keeping the blog going!

The new blog can be found here.

I plan on bringing the forum online over the weekend and the rest of the site over the next month.

If anyone has ideas for the new site then give me a shout on the blog or my cool new email address - securityninja at securityninja.co.uk :-)

Dave

Thursday, October 2, 2008

PCI version 1.2 released

Everyone who reads my blog and has spoken to me knows my feelings on the lack of real changes in the new version of the PCI DSS standard. Those feelings aside, I feel people should read the new version of the standard, available here.

For those of you who feel the standard is sufficient or don't understand my issues with the standard I have listed three examples below that I feel the standard should address:

Virtualisation

Almost every company seems to be implementing virtualisation technologies within their infrastructure without understanding the new security issues this potentially raises. More and more researchers are attacking virtualisation technologies, which means more and more vulnerabilities will be found (for example, Blackhat USA07 had 2 presentations on virtualisation security issues compared to 20 at Blackhat USA08).

I think the standard needed to include specific requirements for this technology.

Cloud Computing

Maybe not such a hot technology right now but it will continue to rise in popularity because of the low cost of ownership this technology can deliver. Cloud computing makes even virtualisation look expensive!

In the current economic climate companies will aim to save as much money as possible, and cloud computing will deliver serious savings. So what is my problem? With cloud computing you don't actually know where your data is; well, you know it's in the cloud...

I can't see how cloud computing can be PCI DSS compliant, but companies who need to be compliant may just go down this route. I get the feeling that before the next version of the standard is released this may become an issue the council needs to address.

Secure Application Development

Considering secure application development is my niche, I will always look for more on this particular topic. I have always had a problem with requirement 6.6 and I still do. I'm not really keen on the idea of using only a WAF (Web Application Firewall) instead of a really good secure development process. I don't care what the marketing departments of the WAF vendors say, you cannot prevent attacks such as CSRF (Cross Site Request Forgery) with these devices.
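To show why CSRF needs an application-level control rather than a perimeter device, here is an added example (mine, not from the post or from any PCI guidance): a synchronizer-token check in a Python request handler, with a constructed legitimate request and a constructed forged one that are indistinguishable at the network level except for the token. The session store, server secret and request dictionary shape are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed values; a real deployment loads these from config and a session store.
SERVER_SECRET = b"constructed-server-secret-change-me"
SESSIONS = {"sess-abc123": "alice"}


def csrf_token(session_id: str) -> str:
    """Derive a per-session token; a cross-origin page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_handler(request: Dict) -> Tuple[int, str]:
    """Handle POST /transfer. 'request' is a constructed dict of cookies and body."""
    session_id = request.get("cookies", {}).get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    form = parse_qs(request.get("body", ""))
    submitted = form.get("csrf_token", [""])[0]
    # Constant-time compare so the check itself does not leak the token.
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, "csrf token missing or invalid"
    amount = form.get("amount", ["0"])[0]
    return 200, f"transferred {amount} for {user}"


# Legitimate request: the form rendered by our own page embedded the token.
LEGIT_REQUEST = {
    "cookies": {"session": "sess-abc123"},
    "body": f"amount=500&to=bob&csrf_token={csrf_token('sess-abc123')}",
}

# Forged request: a third-party page auto-submitted the same form while the
# victim was logged in. The browser attaches the session cookie, the body is
# well-formed and contains no attack signature, so a WAF sees a normal POST.
FORGED_REQUEST = {
    "cookies": {"session": "sess-abc123"},
    "body": "amount=500&to=bob",
}

if __name__ == "__main__":
    print(transfer_handler(LEGIT_REQUEST))   # (200, 'transferred 500 for alice')
    print(transfer_handler(FORGED_REQUEST))  # (403, 'csrf token missing or invalid')
```

Both requests carry a valid session cookie and a clean, well-formed body; only the application, which knows the expected token, can tell them apart.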

Let me know what you think!

Dave

Thursday, September 25, 2008

My (IN)SECURE Magazine Article

Hi everybody,

The September edition of (IN)SECURE Magazine has been published and contains my article on Secure Web Application Development.

You can download the magazine here.

As always feedback is more than welcome!

My Burp Suite tutorial is still work in progress, I have had a few requests to include more content than I originally planned so hold tight everyone!

Dave

Saturday, September 13, 2008

Burp Suite Tutorial

Just a quick note to say the tutorial for Burp Suite is in progress.

I have been in contact with Portswigger who is the developer behind the Burp Suite so the tutorial will have his input as well as mine.

Dave

Tuesday, September 9, 2008

SCADA system vulnerability and exploit code

For those of you who don't know what a SCADA system is think core backbone systems for a country or countries. Power grids, water systems and defense systems to name just a few. A brief overview can be found here.

Often these systems have operated on very old (Win 3.x and OS2) systems which people are too scared to update. The defense has always been "oh, we don't connect these core systems to the internet so we are fine". That isn't always the case anymore; more and more SCADA systems are getting internet access, whether it is authorised or not. A penetration tester friend of mine recently told me how he was auditing a SCADA infrastructure that had 5 connections to the internet that had never been authorised. Normally I wouldn't have paid much attention, but these are systems which control almost everything we use and rely upon daily. Cyber warfare, anyone?

So why should I write this post now? Well, a recent vulnerability discovered by Core Technologies has had exploit code written for it. This exploit code has been made available as a module for Metasploit for anyone to download. I do not encourage any kind of unlawful hacking, but surely someone will take advantage of this and take something very important down?

I won't reproduce someone else's work so here is the paper written by the exploit writer Kevin Finisterre.

As always if you have any questions or comments then fire away.

Dave

A few updates....

A big apology for the amount of time that has elapsed since my last post. Moving house took up more of my time than I had planned!!

I've moved and settled, so it's back to business as usual from today on.

Whilst I have been away I have agreed to become a columnist with bloginfosec, and my first article should be posted in the next couple of weeks. I recommend anyone who reads this blog also take a look at the content over at bloginfosec.

Secondly, the article I have written for (in)secure magazine, which discusses secure web application development and integrating security into a development lifecycle, will be published this month. You can subscribe to the magazine for free at net-security.

Last but not least on the updates: OWASP have announced that an EU Summit will be held in Portugal this November and will be discussing many important issues! More information can be found here. I will be going along to the summit, so if any readers are going along then drop me a line and we can hook up.

I thought I would let you all know what content I plan to add to the blog in the coming weeks. Some of it is based on my own interests and some of it is based on the search queries that people are using to land on my little corner of the web!

Burp Suite Tutorial

Grendel Scan Tutorial

Metasploit Tutorial

Samurai Live CD Review

Backtrack 3 Review

SQL Ninja Tutorial

Those will be the more technical posts that are coming up in the short term. I will also be posting my usual comments on the news and security vulnerabilities.

Dave