Certificate Revocation Does Not Work!

revocationOne thing that’s very surprising about PKI infrastructure is the fact that a lot of the mechanisms put in place don’t work, or don’t work as they should. Often this is driven by sheer necessity, and the need to keep the internet working no matter what. One example of this is certificate revocation. If you are setting up a domain and requesting a new certificate, you would assume that once issued the certificate can be revoked in the case of a security breach.

But you’d be wrong. Even when you revoke the certificate attackers can still use it to enable MIIM attacks. Read on to see why….

Continue reading

Advertisements

REST -What It’s Good For (Part 2: Semantics and Information Sharing)

rest-api-logo

In my previous post, I detail how REST allows us to utilise the HTTP’s native caching functionality without the need for additional technologies or knowledge. However, this whole ‘using what we know about HTTP already’ philosophy goes much deeper than that.

Consider one of the biggest problems with API design and maintenance: getting your clients to use the API correctly, especially when it’s changing or is constant development. This might be easy if you are integrating with one team that sits next to you (and even then misunderstandings can arise), but what if you have multiple clients across the organisation, or if you API is public? Read on if you want to see how REST can help….

Continue reading

Six Pillars Of Security, #5: Controlling External Risk

Once data leaves your system, your ability to control it rapidly diminishes. However there are steps you can take to mitigate risks:

  • Only giving clients the data they require
    • For example, with a centralized service application this would involve analyzing what each client needs, and applying logic so that they only receive that information.
  • Actively engaging with client teams, asking them about security, guiding them. Even though the data has left your system, it is still your data and you need to ensure others are being careful with it.

Continue reading

Six Pillars Of Security, #2: Configuration, Internal Processes And Human Error

 

  • 1-mistakeCare with configuration. Misconfiguration is one of the top 5 reasons behind companies getting hacked.
  • For sensitive data and functionality, consider incorporating a per-role based permissions system to reduce risk, and help track what happened in the event of an attack.
  • Principle of least privilege again helps secure a system; a leaked password isn’t any use if there is no way to invoke important processes with it.

Continue reading

My Presentation at OWASP London

I recently had the honour of presenting a talk at OWASP London at Bank in London. The talk was originally aimed at my company’s ground troops (developers, product managers), but also clearly presents a way of organising a security team; this may sound trivial, but the way a security effort is organised has a big impact on how effective it is. My current project (about 120 people across seven teams) has approached this by nominating security champions in each team,  who manage risks using their own separate, cross team project (to avoid workflow issues), and having a unified ‘Security Council’.

owasp_2

Watch the video here!

The presentation was warmly received, and a number of good questions were asked, so it’s worth viewing the Q&A!

AppSec: Beat The “It’ll Never Get Fixed” Blues!

We’ve all been there.

We’re busily going about our work, when suddenly we notice something odd. Maybe it’s a badly thought out permission policy, maybe it’s some unprotected URL configuration that could be used to get an EC2 instance to spill its guts , but whatever it is, it smells.

But you’re knee deep in your own task, so you wearily go to JIRA, click ‘Create New’ and enter in the most perfunctory ticket description possible. And off it goes, your new little ticket, to reside deep within the project backlog, collecting crust with the other non-function-requirement tickets. Hey, business is business, and business needs features!

Or maybe you don’t do anything at all. ‘Cause why bother?

Either way, the problem never gets looked at, never gets evaluated and never gets fixed.

Continue reading