A while ago I was pointing out some interesting stats about the secure development lifecycle (SDL). Last week, Microsoft made its four core SDL training classes available to the public. The titles are:
- Basics of Secure Design, Development and Test
- Introduction to the Microsoft Security Development Lifecycle (SDL)
- Introduction to Threat Modeling
- Privacy in Software Development
I would encourage everyone with a bit of spare time to take a look at these courses.
Mar 4, 2010
Mar 2, 2010
The daily /.
A few interesting stories from my daily /.-ing:
1. CAPTCHA troubles
"Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It’s a third-party CAPTCHA that feeds a CAPTCHA challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.
But the perpetrators were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said."
After having a chat with Aldwin on the topic, it seems like this might be a serious flaw in CAPTCHA (i.e. mapping a challenge to a response via identifying the filename of the CAPTCHA image). After all, CAPTCHA should allow developers to feed arbitrary text that will then get rendered on the fly.
The original article is here.
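To make the flaw concrete, here is an added toy example (not code from the post, from Ticketmaster or from reCAPTCHA) contrasting the two issuer designs: a fixed pool of pre-rendered images addressed by a stable file ID, where the same ID always carries the same answer, versus text generated on the fly and bound to a single-use, expiring token. Class and method names are my own.

```python
import secrets
import time
import hmac

# Alphabet without easily confused glyphs (constructed for this toy).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def random_text(n=6):
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


class PooledCaptcha:
    """Design the article describes: a fixed pool of pre-rendered images, each
    addressed by a stable file ID. Same ID always means the same answer, so an
    ID -> answer table built once keeps answering future challenges."""

    def __init__(self, pool_size=1000):
        self.pool = {f"img{i}.png": random_text() for i in range(pool_size)}

    def issue(self):
        file_id = secrets.choice(list(self.pool))
        return file_id, self.pool[file_id]  # (ID the client sees, text in the image)

    def verify(self, file_id, answer):
        return self.pool.get(file_id) == answer


class FreshCaptcha:
    """Hardened design: arbitrary text rendered on the fly for each request and
    bound to an opaque single-use token that expires. There is no stable ID to
    look up, and a token is consumed by its first verification attempt."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # token -> (expected answer, expiry time)

    def issue(self):
        answer = random_text()
        token = secrets.token_urlsafe(16)
        self.pending[token] = (answer, time.time() + self.ttl)
        return token, answer  # server renders `answer` into an image; client gets token

    def verify(self, token, answer):
        entry = self.pending.pop(token, None)  # single use, even on a wrong guess
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(expected.encode(), str(answer).encode())
```

In the pooled design a previously seen ID still verifies with its old answer; in the fresh design each token works exactly once and only before it expires.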
2. Nearly 60% of apps fail first security tests. Interesting number from Veracode; however, I wonder in what phase of the SDLC those apps were when they were tested. Although I agree with their argument that more work is required in educating the developers, I must also add that more tooling is necessary (e.g. code annotations, code scanning when committing code to the repository, etc.) to enable developers to focus on the bigger security problems.
More on the topic here.
Labels: security
Feb 13, 2010
Plastic problems
...or Cambridge 2 PCI 0
This past week I landed on two very interesting papers that came out of Cambridge. The papers basically discuss the weaknesses of Chip & PIN and the 3-D Secure protocol for online transactions. A highly recommended read.
Jan 9, 2010
The Flying Dutchman
Some recent stats about my whereabouts during the past 3 months:
6 countries
7 cities
3 timezones
2 economic areas
5 currencies
21 flights
27 hours of flight time
Yep.
Labels: daily life
Oct 5, 2009
Martin Palermo... no comment
This is the guy who missed 3 (!!!) penalty kicks in the same match for Inter Milano a few years ago. Now he scores a header from 40 meters. :)
Labels: football
Sep 29, 2009
Sep 7, 2009
The 7 plagues of testing
James Whittaker was running the series on the 7 plagues of software testing on the Google Testing Blog. Since the series is in its last stretch, here is the list of plagues:
1. The Plague of Aimlessness
2. The Plague of Repetitiveness
3. The Plague of Amnesia
4. The Plague of Boredom
5. The Plague of Homelessness
6. The Plague of Blindness
7. The Plague of Entropy
There are also some additional plagues that were suggested by various readers (myself included):
- The Plague of Metrics
- The Plague of Semantics/Assumptions
- The Plague of Infinity/Endlessness/Exhaustion
- The Plague of Miscommunication/Language
- The Plague of Rigidness/Complacency
Out of the suggested bunch, I really like Roussi's notion that complacency can be the result of a product's success.
Labels: productivity, security, testing