July 31, 2006

New "Silver Bullet Security Podcast" up - An Interview with... me!

Nothing like stroking your own ego by listening to yourself on the Internet.

Seriously though, I had a lot of fun with Gary McGraw when he interviewed me for his Silver Bullet Security Podcast. You can listen to the interview by going here.

After enjoying that episode, make sure you go to the main page and listen to the other interviews. I am in good company with security gurus smarter than me, such as Avi Ruben, Dan Geer and Marcus Ranum.

Thanks to Gary, Cigital and the folks over at IEEE Privacy and Security for a fun interview!

Posted by SilverStr at 04:20 PM | Comments (1) | TrackBack

July 26, 2006

Bribery to get identity integration into more open source software?

Now this is interesting. The people over at OpenID are offering a bounty of $5,000 to the first 10 open source applications that meet the following criteria:

The open source must be distributed under an OSI approved license

  • Have at least 200,000 users of currently installed public instances or 5,000 downloads a month

    So basically if you integrate OpenID Authentication 2.0 into you OSS project and have the traction, you have a chance of cashing in on it. With sponsors like Verisign and SXIP at the table, you know they are good for it. This is the perfect opportunity for apps like phpBB, mailman or wordpress to get a cash influx into their team. That could buy a lot of beer, or the very least a nice laptop :)

    Working on OSS these days? Nothing like an easy $5,000 to put into your coffers. Make sure you read the Bounty FAQ, and then get coding!

    Posted by SilverStr at 03:17 PM | Comments (0) | TrackBack

    • July 18, 2006

    Congrats Mark!

    Well, well. Congrats to Mark and the gang are in order.

    Microsoft, please don't kill off Sysinternals. And don't kill Mark either ;)

    Posted by SilverStr at 12:48 PM | Comments (0) | TrackBack

    The Six Dumbest Ideas in Computer Security

    While listening to the latest Silver Bullet Security Podcast with Gary and Marcus Ranum I was reminded about an excellent piece of writing by Marcus on "The Six Dumbest Ideas in Computer Security".

    When I first read this last year, I remember thinking it would be SO nice if people actually accepted this. Now a year later, I notice not much has changed. Don't believe me? Consider the six dumb ideas Marcus mentioned:

    1. Default Permit
    2. Enumerating Badness
    3. Penetrate and Patch
    4. Hacking is Cool
    5. Educating Users
    6. Action is Better Than Inaction

    You will have to go read his article if you want more depth into each dumb idea, but even on the surface you can get a glimpse at a commonality... those designing secure software have the opportunity to avoid each and every one of them. Yet most do not. In actuality, many software companies BANK on some of those ideas to make money. ESPECIALLY computer security companies! *sigh*

    If you haven't had a chance, listen to Marcus and Gary talk about this and other fun security topics in the most recent Silver Bullet Podcast.

    Great read, and a great listen. Enjoy.

    Posted by SilverStr at 07:39 AM | Comments (2) | TrackBack

    July 06, 2006

    Microsoft Threat Analysis and Modeling Tool v2 reaches RTM

    I have been using Frank Swiderski's original Threat Modeling tool for some time. If you search for "threat model" on my blog you will see plenty of stuff over the last few years on how Microsoft has matured the whole process, and how I have matured in my understanding of that process at the same time. Well, I am pleased to announce that alongside their maturing in the threat modeling process, they have gone out of their way to make the original threat modeling tool 100x better.

    I am just floored by the release of the RTM version of the Threat Analysis and Modeling Tool v2.0. You would be amazed about some of the features in this version of the tool. Taking the bulleted list from Anil's post over on the Threat Modeling Team blog, check out some of these features:

    • TreeView Navigation with visibility to all nodes at all times
    • Wizard based threat model creation
    • Default Attack library with descriptive countermeasure guidance
    • Automatic Threats and Use Cases generation
    • Consolidated Call Flow (System Flow), Attack Surface, Threat Tree are some of the few visualizations available, which can all be exported to Visio
    • Exportable Analytics and Reports to HTML
    • mport v1.0 Threat Model (models created using Torpedo v1)
    • Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)
    • Import SDM Deployment Reports from VSTA
    • Copy Paste and Drag-&-Drop features
    • Enhanced Find Feature
    • Video Tutorials

    It's the last bullet that just pushed it over the edge for me. When you download and install this tool (and you REALLY should), make sure you go through the Video Tutorials. The Launchpad that starts with the tool has in depth video tutorials ranging from the reason why to threat model to instructions on just how to approach it. You owe it to yourself to spend a bit of time and go through each tutorial.

    On top of that, the UI is beautiful. Compared to the original tool, its just amazingly slick. And a few of the bugs I talked to Frank about are finally fixed! When you build your first threat model using this of the tool, make sure you use the Wizard. Microsoft has done a great job to simplify the whole threat modeling process through that tool.

    Great job Microsoft. Kudos to the ACE Services group for completing an excellent rewrite of the Threat Analysis and Modeling Tool for us.

    Posted by SilverStr at 10:16 PM | Comments (2) | TrackBack