Following the White Rabbit Blog - All Comments

re: SaaS: The Definitive Cliff Notes on Web Security Delivered

GK — Wed, 22 Jul 2009 06:13:03 GMT

Hi RafaLos,

Enjoyed reading your post. In addition to disadvantages you mentioned, I would like to mention one more-

When you use SaaS model you are trusting one vendor, basically, you are putting all your eggs in one basket. Quality of security review becomes dependent on competency of vendor. Classically, you could use "ring token" topology to get flavor of what other vendors have to offer (by choosing different vendors for different applications).Therefore, it becomes very important to carefully choose SaaS vendor.

Cheers,

re: Input Validation Strategy - Black vs. White -listing

Erik Čerpnjak — Thu, 16 Jul 2009 21:42:27 GMT

I found the article to become a very good guide on how my future input checking will look like. You have made a good point in not be able to detect all possible permutations of bad input and exclude them. As i have read everywhere on the internet, specialist in matters of security are also pending in the direction to use white lists. Some also say that using both approaches is THE most safe way of cheching whether an input is safe to execute or not. But probably everyone should ask themself if the application really needs both approaches - if time,effort and money is not an issue then it is safe to say that integrating both is not a bad idea.

So thank you for this article.

re: The Problem of "Too Many Problems"

patrick — Thu, 25 Jun 2009 20:21:09 GMT

i hate WAF with a passion

but in this particular case, i would have plugged a WAF in fron the said vulnerable website as a compensatory (and temporary) control

re: Raising the Bar? Flash Encryption, Obfuscation

Ammar Mardawi — Thu, 23 Apr 2009 15:32:29 GMT

While your post is great and very informative on many sides, it is misleading in two important points.

First, an obfuscator's main objective is to protect the intellectual property within the code. It prevents decompilers from generating anything useful at all and makes revese-engineering requires longer time making it not feasible. Security through obscurity is a secondary objective. As bad as many may argue this option can be, it is still cheap to implement and does not heart.

The second thing, there is no such thing as de-obfuscation. Obfuscation is (at least should be) irreversible. The Flash Player will run the obfuscated code directly and does not require a deobfuscation step. For example, when an obfuscator renames identifiers in the code to meaningless names, the Flash Player will not mind that.

Again, I think your post is great and very informative.

Raising the Bar? Flash Encryption, Obfuscation - Following the … |

Raising the Bar? Flash Encryption, Obfuscation - Following the … | — Thu, 23 Apr 2009 00:24:08 GMT

Pingback from Raising the Bar? Flash Encryption, Obfuscation - Following the … |

Raising the Bar? Flash Encryption, Obfuscation - Following the … |

Raising the Bar? Flash Encryption, Obfuscation - Following the … | — Thu, 23 Apr 2009 00:24:05 GMT

Pingback from Raising the Bar? Flash Encryption, Obfuscation - Following the … |

Topics about Communitys » Archive » Raising the Bar? Flash Encryption, Obfuscation - Following the …

Wed, 22 Apr 2009 22:30:51 GMT

Pingback from Topics about Communitys » Archive » Raising the Bar? Flash Encryption, Obfuscation - Following the …

re: OWASP, Security Bloggers Finalist and more

Scott Wright — Fri, 10 Apr 2009 03:23:57 GMT

Congratulations! ...and I'm glad you enjoyed your time in Canada. Thanks for making the effort to visit.

Scott

The Streetwise Security Coach

re: News Flash: phpBB Massive Hack

Lauren — Wed, 04 Mar 2009 23:35:53 GMT

I think it's shocking that opensource software has so many vulnerabilities, phpbb especially. More care should be taken from the outset to ensure security in my opinion.

- Lauren

re: QA Lesson - Defect vs. Vulnerability

Clerkendweller — Tue, 24 Feb 2009 15:47:29 GMT

I saw a comment today on an e-marketing website which referred to a defect/vulnerability as a "usability flaw":

econsultancy.com/.../3346-ryanair-freaks-out-at-blogger-disses-wordpress-shoots-foot

It was interesting to see the security problem being defined in a way that marketers could relate to, and reminded me of the discussion here.

re: An Unfortunate Case of Learned Behavior

RafalLos — Thu, 12 Feb 2009 04:28:06 GMT

@arshan:

"chortle"

Origin:

b. chuckle and snort; coined by Lewis Carroll in Through the Looking-Glass (1871)

...that's either an incredibly clever reference on the White Rabbit theme, or ... *shrug*. Either way, I'm not sure I fully understand your comment?

re: An Unfortunate Case of Learned Behavior

Matt — Wed, 11 Feb 2009 19:53:25 GMT

This is what I've been preaching for years. I work at a vulnerability management software company and the prospects I speak with expect my solution to be the end-all beat all for all their network security needs and get frustrated when it's not.

What people need to realize is software won't replace a human, and a human can't necessarily replace software either. The phrase I always come back to is "vulnerability management program." It's not a solution, its not an analyst, it's a combination of both and then some.

Great Insight!

-Matt

re: An Unfortunate Case of Learned Behavior

arshan — Wed, 11 Feb 2009 16:28:03 GMT

> 4. You believe that people are more effective than tools in security vulnerability detection

chortle, legitimacy--

re: An Unfortunate Case of Learned Behavior

Susanna — Wed, 11 Feb 2009 14:41:12 GMT

How true. I so enjoy your posting and comments on webappsec.org. You are providing sensible, practical and implementable (if that's a word) advice.

Thanks again!!

re: An Unfortunate Case of Learned Behavior

Christian — Tue, 10 Feb 2009 23:40:16 GMT

Great post Rafal. The whole people/process/tools approach is almost an underlying principle for everything! A * principle.

This is definitely one of those things that you just have to keep on repeating to yourself and your colleagues and everyone around like a mantra.

Cheers,