On behalf of September 14, 2015 (:

by Süleyman Petek 15. September 2015 21:52

As I promised last night on #developersTube, I think I have to give some little information for our friends who are interested in Software Security...

First of all, the links to follow:

  • https://www.owasp.org
  • http://www.webguvenligi.org
  • http://www.scmagazine.com
  • https://packetstormsecurity.com
  • http://www.tripwire.com/state-of-security/topics/latest-security-news/
  • https://www.fireeye.com/blog.html
  • http://null-byte.wonderhowto.com
  • http://www.securityweek.com

Then the tools:

For static analysis:
  • HP Fortify
  • Checkmarx
  • IBM Appscan
For dynamic analysis:
  • Netsparker
  • HP Webinspect
  • Nikto

I would like to thank Burak Selim Şenyurt again for this kind conversation,
and for those who have missed it, enjoy...


IT Security | Awareness | Secure Coding | Web Security

The Security Mindset

by Süleyman Petek 17. July 2015 21:00

Everyone in your organisation should keep security in mind, all the time. Remember that you are only as secure as the weakest link in the chain. Whatever latest technology you use (firewalls, IDS, IPS, antivirus etc.), your level of protection is only as high as your weakest link.

Not everyone will have the same level of mindset, but developers and IT staff in particular should be careful about this. Of course, building a company-wide mindset is not easy and requires continuous education. Education costs money and time, so top management should also share the mindset in order to approve these expenses.

Let's consider a project manager, a business analyst or a scrum master. While planning the project, nearly none of them allocates time or human resources for security issues. Being aware of these issues means allocating time in the plan for fixing security issues and for aligning with secure coding standards. The majority of developers concentrate on learning new technologies but unfortunately are not keen on security, or are not aware of the seriousness of the topic.

In general there are some principles that should be kept in mind:

Least Privilege
Sometimes referred to as POLP (Principle of Least Privilege): limiting access to the minimum level necessary to complete the job.

Simple is More Secure
Simply getting rid of unnecessary functions and unused features as far as possible.

Do Not Trust Users
When it comes to user actions, being paranoid is good security behaviour. Even your administrators are not 100% reliable (an unhappy employee can be very harmful). Sometimes offline actions such as phone calls should be treated as an attack (social hacking).

The Unexpected Always Happens
Preventing an attack before it happens is vital. People generally see only the "happy path" in projects, but the edge cases should be considered too.

Defense in Depth
Slowing down the attacker via layered defenses. "If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system." - OWASP

If you read the CEH preparation book, hacking starts with the reconnaissance process. The more information you give away, the more attackers benefit. Keep the information you expose to a minimum.

Blacklisting & Whitelisting
"A Blacklist is testing a desired input against a list of negative inputs. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.

A Whitelist is testing a desired input against a list of possible correct inputs. To do this you would compile a list of all the good input values/conditions, then verify that the input received is one of these correct conditions."
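The difference between the two approaches is easiest to see on concrete input. The following is an added example (not code from the original post): it validates a hypothetical "username" field once with a denylist of known-bad fragments and once with an allowlist regex that positively defines a valid username, and runs both over a constructed set of inputs. The sample inputs, the denylist fragments and the username rule are all assumptions made for the illustration.

```python
import re

# Constructed sample inputs for a "username" field (assumptions for this example).
SAMPLE_INPUTS = [
    "alice",
    "bob_42",
    "<script>",        # literal markup, caught by the denylist
    "%3Cscript%3E",    # URL-encoded form of the same thing, not caught
    "rm -rf /",
    "",                # empty input: the denylist has no opinion on it
]

# Denylist (blacklist): a hand-maintained list of fragments we know are bad.
DENYLIST = ("<script", "drop table", "rm -rf")


def denylist_ok(value: str) -> bool:
    """Blacklist check: accept unless the input contains a known-bad fragment.

    It only rejects what the list author anticipated; encoded variants and
    empty input pass because nothing on the list matches them.
    """
    lowered = value.lower()
    return not any(bad in lowered for bad in DENYLIST)


# Allowlist (whitelist): the complete positive definition of a valid username,
# here 3-16 chars, starting with a letter, lowercase letters/digits/underscore.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,15}$")


def allowlist_ok(value: str) -> bool:
    """Whitelist check: accept only input that matches the positive definition."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    """Allowlist validation that fails closed: returns the value or raises."""
    if not allowlist_ok(value):
        raise ValueError("invalid username")
    return value


def compare_approaches(inputs):
    """Return {input: (denylist_verdict, allowlist_verdict)} for side-by-side review."""
    return {v: (denylist_ok(v), allowlist_ok(v)) for v in inputs}


if __name__ == "__main__":
    for value, (deny, allow) in compare_approaches(SAMPLE_INPUTS).items():
        print(f"{value!r:16} denylist={'accept' if deny else 'reject':6} "
              f"allowlist={'accept' if allow else 'reject'}")
```

Running it shows the denylist accepting the URL-encoded and empty inputs that the allowlist rejects, which is the practical reason the whitelist approach is preferred wherever the set of valid inputs can be described.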


IT Security | Awareness | Web Security | Web Attack

Secure Software Development Lifecycle

by Süleyman Petek 13. July 2015 23:00

Security should be part of your DNA while building a software system. Below is a short list of definitions.

Information Security Risks: The probability that a particular threat-source will exercise a particular information system vulnerability and the resulting impact if this should occur.

Software Security: A way to defend against software exploits by building software to be secure.

Application Security: A way to defend against software exploits after deployment is complete.

Return On Security Investment (ROSI): The total amount of money that an organization is expected to save in a year by implementing a security control.

The core components of Secure SDLC process are:

  • Clear and detailed requirements of business
  • Security requirements 
  • Threat modelling (Early in the security design phase, threat modelling should be done in order to identify the potential threats that exist specific to the application.)
  • Design
  • A policy for secure coding
  • A framework for secure coding (OWASP may be a resource here)
  • Segregation of environments (Dev/Test/Staging/PreProd/Prod)
  • Static and Dynamic Analysis of the code
  • Change management
  • Release management

To mitigate the probability of writing insecure code, a few steps should be included in the SDLC. Since writing secure code is vital for minimizing the occurrence of vulnerabilities, it is worth elaborating on this topic for the benefit of executives. This step in development is too often misunderstood or deemed to be of secondary importance compared with production deadlines. It is worth reviewing the basic steps of writing secure code; at some point it may look like an attractive return on investment.

Secure coding needs some key factors:

  • Top level management buy-in
  • Security architect engagement
  • Segregation of duties
  • Backups
  • Monitoring and logging of events
  • Patch management
  • Password management (authentication-authorization)
  • Session management
  • Input validation
  • Output encoding
  • Exception management (Fail safely)
  • Developer training (Create awareness, educate)

As the cost of a bug grows through the SDLC stages, security issues should be considered and fixed as early as possible.

What can you lose if you don't?
  • Reputation
  • Data
  • Money
  • Time

And never forget that risks are for managers, not for developers!
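Two of the key factors listed above, output encoding and exception management (fail safely), are easy to get wrong in the same handler. The following is an added example, not code from the original post: a hypothetical profile page that HTML-encodes every untrusted value as it is placed into markup, and a request handler whose default on any unexpected error is a generic denial, with details going only to the server log. The profile records, the `is_authorised` callback and the status codes are assumptions for the illustration.

```python
import html
import logging
from typing import Callable, Dict, Tuple

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("profile-demo")

# Constructed sample records standing in for a user database (assumption).
PROFILES: Dict[str, Dict[str, str]] = {
    "alice": {"display_name": "Alice <Admin>", "bio": 'She said "hi" & left'},
    "mallory": {"display_name": "<script>alert(1)</script>", "bio": ""},
}


def render_profile(profile: Dict[str, str]) -> str:
    """Output encoding: each untrusted value is HTML-escaped at the moment it is
    placed into markup, so the browser renders it as text rather than parsing
    it as tags or attribute delimiters (quote=True also escapes " and ')."""
    name = html.escape(profile["display_name"], quote=True)
    bio = html.escape(profile["bio"], quote=True)
    return f'<h1 title="{name}">{name}</h1><p>{bio}</p>'


def profile_handler(username: str,
                    is_authorised: Callable[[str], bool]) -> Tuple[int, str]:
    """Fail safely: any unexpected error (a failing authorisation lookup, an
    unknown user, a rendering bug) ends in a denial with a generic message.
    The exception details are logged server-side and never sent to the client."""
    try:
        if not is_authorised(username):
            return 403, "Forbidden"
        profile = PROFILES[username]  # raises KeyError for an unknown user
        return 200, render_profile(profile)
    except Exception:
        log.exception("profile request failed for user %r", username)
        return 500, "An error occurred"


if __name__ == "__main__":
    print(profile_handler("mallory", lambda user: True))
    print(profile_handler("nobody", lambda user: True))
```

The point of the `except Exception` branch is the direction of failure: if the authorisation check itself throws, the request is denied rather than served, and the client sees nothing more than a status code and a fixed message.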


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

Web Application Security 101

by Süleyman Petek 11. July 2015 14:25

Since the proliferation of the internet nearly 20 years ago, its use in our daily lives has been increasing day by day. At first we adopted reading newspapers on the web, then we started to make our basic financial operations over the web from our banks' web sites. The shopping, a.k.a. "e-commerce", madness followed. Buying your plane tickets, betting, dating etc.: there is a huge cyber world out there. This is nice so far, but you should be aware of your security and privacy in this cyber world. Nowadays mobile applications are very popular; we cannot say they will replace web applications, but we should notice the power of mobile too.

Web applications have brought with them a new range of security vulnerabilities. There is a rising awareness that security is an important issue for web applications. Most web sites say that they are secure because they use SSL. Increasingly, organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. In real life, unfortunately, the majority of web applications are insecure, despite the widespread use of SSL and the adoption of regular PCI scanning. Here is an example reporting that "Half of firms hit by web application security breaches".

There is a non-profit worldwide organization called OWASP (Open Web Application Security Project). There are many materials there for learning about application security. In particular, the OWASP Top 10 may be a very meaningful start for newbies. It covers the most critical web application security flaws. The latest edition was released in 2013.

Web applications face a fundamental problem in being secure: the client is outside the application's control, so users can submit arbitrary input to the server-side application. The application owners and coders must assume that all input is potentially malicious. The majority of attacks against web applications involve sending crafted input to the server to cause some unexpected event.

Unfortunately SSL cannot stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other users on the network cannot view or modify the attacker's data in transit.

Some key factors behind the problem are:

  • The developers are not aware of the issue; they should be educated in secure coding.
  • Executive management generally cares about deadlines, not the security of the application. So the developer just tries to be as fast as he can, bypassing the security issues.
  • Resources and time are limited and the market is too aggressive, so the executives are somehow right. But security is not an issue to underestimate. The company can lose money and prestige because of insecure applications.
  • The threats are evolving rapidly.

To sum up:

The World Wide Web has evolved from basic static information repositories into highly functional applications that process sensitive data and perform powerful actions with real-world consequences. Most web applications face the core security problem that users can submit arbitrary input. Every aspect of the user's interaction with the application may be malicious and should be regarded as such unless proven otherwise. All the signs about the current state of web application security show that although some aspects of security have indeed improved, entirely new threats have evolved to replace them. The overall problem has not been resolved on any significant scale. Attacks against web applications still present a serious threat to both the organizations that deploy them and the users who access them.


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

Check your "Short URLs"

by Süleyman Petek 22. June 2015 11:56
Very popular recently: for long URL addresses we use URL shorteners like bit.ly, goo.gl etc. We can also create short URLs via APIs, but that is not our topic for now. Sometimes these URLs are compromised by bad guys, who use them to hide their infected URLs. So I advise you to check a short link before you click; think twice! But how? Go to www.checkshorturl.com and keep yourself secure.


Awareness | Web Security

