April 24, 2006

Security Audits - How to Implement Them and What to Look For

If you've been running a business for more than a few days, chances are some sort of malware has squiggled into your network. And if you're bigger than just a few computers, chances are your users have brought in something that's compromising your network, including rogue wireless access points, inappropriate file sharing, and peer-to-peer systems. Plus, application holes and their patches seem to crop up with startling regularity these days.

If you are a small business and interested in learning more on what you can do about this, come join me during a PC Magazine webcast event on April 26th at 2pm EST where we are going to explore this. In this event we will describe first exactly why you should conduct regular security audits, help you develop a checklist of key elements to look for, and then walk you through the best practices of conducting a security audit - and then fixing the problems for small businesses.

And I won't be alone in discussing this. Moderated by John Dickinson from PC Magazine, Jon Clay (Trend Micro) and Cory Scott (Symantec) will join me in taking your questions about security audits and how they can be an effective addition to the security analytics for your business.

You can get more information, including instructions on how to register, by clicking here.

Come join the conversation! I hope to see you there.

Posted by SilverStr at 01:09 PM | Comments (2) | TrackBack

April 20, 2006

Educating grandma on the security of her home computer

This may be old news to many of you, but tonight I tripped over a few excellent videos by Microsoft relating to security of home computers, targeted to the non-techies... you know... the videos you wish your grandma and significant other would watch.

The presenter is articulate and gets the point across; even grandma will understand what she is saying.

Kudos to Microsoft. I like seeing this sort of stuff. A place I can point people to when they want to learn more about security on their home computer.

Posted by SilverStr at 11:30 PM | Comments (0) | TrackBack

April 13, 2006

Book Review: Software Security - Building Security In

I'm jealous. No seriously. If Cigital is actually run as depicted in the book Software Security - Building Security In, I have to give kudos to Gary and the gang for making an impressive environment for software security.

I'm a fan of Gary's writing. If you are a regular reader, you know I loved both his books on Building Secure Software and Exploiting Software. This latest book is, in my mind at least, a balancing act between the two previous books on the topic. Gary calls it the "Ying and Yang". Which makes total sense, since the book cover is of exactly that, a white hat and a black hat (taken from the other two books), positioned in the Chinese yin/yang symbol.

I always thought that my favorite book on software security would be "Writing Secure Code" by Michael Howard. I really liked how it was presented, and it offered security software engineering best practices that I felt could be passed on to others on teams that I worked with. But now, Gary has given me a new book to put in my arsenal of knowledge. Not a practical coding book on the topic like I felt I got from Michael's writing, but a book that I feel managers of that process can use to build better software security processes and systems in a team.

The book touches on a number of critical components for software security:

  • Risk management frameworks and processes
  • Code review using static analysis tools
  • Architectural risk analysis
  • Penetration testing
  • Security testing
  • Abuse case development

I have to admit, the first section of the book was somewhat of a battle, as it is rather dry. The content itself was good and required information to round out this book, but just how do you jazz up discussing risk management frameworks? When Gary sent me the book he followed up with an email warning me about that... but by that time I had already trudged through it. The good news is, it's a small pain... as the content gets more exciting as you progress. And to be fair, anyone who is going to manage the software security process in an organization will find they will learn something in that section. So nothing is really lost there.

By the time you get into part two of the book focused on what Gary calls "The 7 Touchpoints of Software Security", you know why he is well respected in our field. He knows what he is talking about. The 7 touchpoints?

  1. Code review
  2. Architectural risk analysis
  3. Penetration testing
  4. Risk-based security tests
  5. Abuse cases
  6. Security requirements
  7. Security operations

You know... all the exciting stuff!! By the time you get through the 7 touchpoints, if you don't "get it" by then, there is little hope for you. The interesting point here is that each touchpoint is really in a lifecycle, VERY similar to the security development lifecycle Michael has been presenting on behalf of Microsoft for the last few years. I think they both have it figured out, but tainted towards their own company's objectives.

My thoughts on the book? A lot of content in this book isn't for the regular coding geek that needs to learn about software security. Get Gary's other books for that. But if you are the project manager of the team that the aforementioned geek works on, or are responsible for software security in your organization, get this book. If you have the responsibility and authority to set the direction and process in your environment, you will find this book useful. Near the front of the book there is a section in which reviewers comment on their thoughts of the book. I think Bruce Schneier said it best:

When it comes to software security, the devil is in the details. This book tackled the details.

I couldn't have said it better myself. Actually, I won't even try.

Great book. Worth recommending to anyone in the software security field. 4 out of 5 stars.

Posted by SilverStr at 08:53 AM | Comments (1) | TrackBack

April 09, 2006

Naner, Naner, Nano.... iConverted

Silly title... I know. But it fits. I resisted the temptation for years to be sucked into the iPod vortex, but yesterday I bought myself an iPod Nano (and all the accessories to go with it). And I'm converted.

God have I been missing out.

So I have had the big ass brick harddrive MP3 players, which were NOT portable (IMNSHO). I got to hating them so much, I instead got a 128MB Creative USB Stick MP3 player. Well, actually I bought it for my wife, but ended up using it all the time when I was working out. At the time (when it had just first come out) it was a couple hundred dollars... pretty much what I paid for the iPod yesterday. Problem was... 128MB gave me MAYBE 15 to 20 songs. I was REALLY getting tired of listening to the same songs over and over again, and I always forgot to put new music on it while rushing to the gym. And NONE of the music I bought on iTunes could be played on it unless I wanted to burn to CD, and then rip back to MP3.

That all ended yesterday. I picked up a 4 GB iPod Nano, an iTrip FM transmitter, charger and case with armband. I went into iTunes and basically pulled over all my "Greatest Hits" albums of all my favorite artists. Lo and behold, 400 songs later, I STILL have room to throw on some of my wife's and daughter's favorite CDs. I think it's about half full right now.

But that wasn't the amazing part. I've seen the iPod before and always thought it was sexy, but I never realized just how intuitive the scrolling menu system was until I used it for like 5 minutes. Without having to read anything I was an iPod master in minutes. THAT is what creative industrial design is about. Apple did an awesome job. I only wish the Origami crew would figure this out.

So if you see me in the streets and you call/wave to me and I don't wave back, don't take offense. I'm not ignoring you. Check my ears and see if I have white earbuds in... I'll probably be listening to a favorite podcast or song.

Posted by SilverStr at 08:14 AM | Comments (3) | TrackBack

April 05, 2006

The idiocy of the "Underhanded C contest"

In a world where we are TRYING to get developers to write safer code, Ken over on SC-L points me to the fact that a new "Underhanded C contest" is under way. *sigh*

You can read their introduction to see why I don't like this contest:

We hereby announce our second annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

On the surface, this looks like an interesting contest. But deeper down, it's like playing Russian Roulette with a .357 Magnum, with all but one chamber loaded. Odds are, no good will come of this.

Well, maybe it could. I suggest EVERY code audit analyst out there go learn from the results of this contest. Try to find the flaws in the code submitted to heighten your skills. Maybe then we can all benefit from this contest after all.

Posted by SilverStr at 09:39 AM | Comments (7) | TrackBack