Friday, January 6, 2012

How Would You Change App Store/Market Permission Models?

In a shift from my usual informational posts, today I'm interested in starting a discussion on the topic of app markets and stores.

Apple has a more rigid review process and a slower time to market for apps. Google lets apps reach the market quickly, relies on the visibility of requested permissions, and shifts the security decision to the user. (These are very basic descriptions; there are many more moving parts.)

Which model is working better? If you could make changes to either model, what would you change?

Interested in thoughts and ideas.



-Michael Coates - @_mwc

Monday, October 3, 2011

Free Application Security Training Course at Beaver BarCamp 3



At the end of October I will be hosting a free web application security training course at Beaver BarCamp 3.  The conference will be held on Saturday, October 29 from 10am to 6pm at Oregon State University.  Beaver BarCamp is free and open for anyone to attend! 

What is this barcamp conference?
BarCamp is an ad-hoc gathering born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants who are the main actors of the event. — barcamp.org

The list of events isn't fully published yet, but you can take a look at last year's agenda to get an idea of what types of topics may be discussed at the conference.

Hope to see you there.

-Michael Coates - @_mwc

Tuesday, September 13, 2011

Article Published: Creating Attack-Aware Software Applications with Real-Time Defenses

CrossTalk, The Journal of Defense Software Engineering, has just published our article "Creating Attack-Aware Software Applications with Real-Time Defenses" in the September edition.  A huge kudos to the entire team and especially Colin Watson for leading this effort.

Authors:

Colin Watson @clerkendweller
Michael Coates @_mwc
John Melton @carosec
Dennis Groves @degroves

Abstract. Attack-aware software applications provide attack detection and real-time defensive response with a very low false-positive rate. This technique allows an application to detect and neutralize a threat before the attacker exploits a known or unknown vulnerability. The approach is especially suited to software applications with high information assurance requirements such as in the defense, critical national infrastructure, and financial service sectors to protect against cyber espionage, fraud, business logic abuse, tampering, and theft. The Open Web Application Security Project (OWASP) has developed a methodology, documentation, code and pilot demonstration which can be freely used to apply the concepts; this project is called AppSensor.
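To make the abstract's idea concrete, here is an added, self-contained example of an attack-aware detection point in Python. It is illustrative code written for this post, not code from the CrossTalk article or from the OWASP AppSensor project; the class names, the "unexpected_parameter" detection point, the threshold of three events in sixty seconds, the lock-account response and the sample traffic are all assumptions chosen for the example. The point it shows is the one the abstract makes: a single unexpected parameter from a legitimate user is just recorded (low false-positive rate), while repeated probing by one user trips the threshold and the application responds on its own, before any specific vulnerability is found.

```python
import time
from collections import defaultdict, deque

# Constructed policy (assumption): which query parameters each route accepts.
# Anything else in the request is a signal that someone is probing the app.
EXPECTED_PARAMS = {
    "/profile": {"id"},
    "/search": {"q", "page"},
}


class DetectionPoint:
    """A detection point: label, how many events inside a sliding window
    trigger a response, and which response to take."""

    def __init__(self, label, threshold, window_seconds, response):
        self.label = label
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.response = response


class AppSensor:
    """Per-user event store with sliding-window thresholds (hypothetical
    name; not the OWASP AppSensor reference implementation)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.points = {}
        self.events = defaultdict(deque)   # (user, label) -> event timestamps
        self.locked = set()

    def register(self, point):
        self.points[point.label] = point

    def add_event(self, user, label):
        """Record one event; return the response name if the threshold trips."""
        point = self.points[label]
        now = self.clock()
        q = self.events[(user, label)]
        q.append(now)
        # Forget events older than the window so a slow trickle never triggers.
        while q and now - q[0] > point.window_seconds:
            q.popleft()
        if len(q) >= point.threshold:
            q.clear()
            if point.response == "lock_account":
                self.locked.add(user)
            return point.response
        return None


def handle_request(sensor, user, path, params):
    """Application entry point. Returns (outcome, response_taken)."""
    if user in sensor.locked:
        return "denied", None
    unexpected = set(params) - EXPECTED_PARAMS.get(path, set())
    response = None
    if unexpected:
        # The app, not a firewall, knows this parameter should never appear.
        response = sensor.add_event(user, "unexpected_parameter")
    if response == "lock_account":
        return "denied", response
    return "ok", response


def run_demo():
    """Constructed traffic: alice makes one typo, mallory probes repeatedly."""
    ticks = iter(range(1000))                # deterministic clock, 1s per event
    sensor = AppSensor(clock=lambda: next(ticks))
    sensor.register(DetectionPoint("unexpected_parameter", threshold=3,
                                   window_seconds=60, response="lock_account"))
    log = []
    log.append(("alice", handle_request(sensor, "alice", "/profile",
                                        {"id": "7", "idd": "7"})))
    log.append(("alice", handle_request(sensor, "alice", "/profile", {"id": "7"})))
    for probe in ({"id": "7", "role": "admin"},
                  {"id": "7", "debug": "1"},
                  {"id": "7", "isAdmin": "true"}):
        log.append(("mallory", handle_request(sensor, "mallory", "/profile", probe)))
    # Even a clean request is refused once the account is locked.
    log.append(("mallory", handle_request(sensor, "mallory", "/profile", {"id": "7"})))
    return log, sensor


if __name__ == "__main__":
    for user, outcome in run_demo()[0]:
        print(user, outcome)
```

The threshold and window are the tuning knobs that keep the false-positive rate low: one stray parameter is noise, three within a minute from the same user is reconnaissance. A production deployment would also persist events across application nodes and offer graduated responses (warn, rate-limit, log out, lock) rather than a single hard lock.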

Full Article (pdf)

-Michael Coates - @_mwc

Thursday, August 18, 2011

Joining OWASP Board

The 2011 OWASP elections have concluded. I'm thrilled to have the support and backing of the OWASP community, who have elected me to one of the three board positions.

For readers of my blog that aren't already aware of OWASP, this is a worldwide non-profit & open source organization with the mission of improving the state of application security.  This translates to an incredibly talented group of security experts all working towards a common good.

Open source, free from corporate control, free to the world - what more could you ask for?

I've been a long time OWASP supporter, have led and contributed to several projects, spoken at numerous conferences in the US and Europe and now I am excited to continue advancing the mission of OWASP through my efforts on the board.

I'd love to hear people's goals and ideas for OWASP. But since this is a volunteer community that empowers everyone, I'd rather see you take those ideas and run with them! OWASP is a community of action, and on the OWASP board I will work to empower individuals around the world with the resources, audience, and tools needed to continue producing top-notch security materials.

Take a moment and help contribute to the OWASP mission.

How can you help?

-Michael Coates - @_mwc

Friday, August 12, 2011

Hiring Response to Recent Attacks Is Misguided

Sadly, the response to the security compromises in the news seems to be a push to buy more firewalls. Firewalls provide no defense against application security attacks: a SQL injection payload arrives as an ordinary HTTP request to a port the firewall must leave open. The article below reminds me of a great chart by Gunnar Peterson.


According to the Barclay interim report, which is also being referenced in stories on CSOonline.com:
The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike. 
If you read through the Barclay report you'll notice they are specifically referring to the following high-profile events:

Attacks against:
  • Visa, Amazon, MasterCard and PayPal
  • The multiple Sony compromises
  • Nintendo, RSA SecurID, Gmail and CitiBank

Some of these were distributed denial-of-service attacks, but many were application-specific attacks that resulted in compromise and data disclosure. If the concern is SQL injection and application security, then invest in your SDLC and look for application security experts. No amount of firewalls will help with this issue.
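To show why the firewall budget doesn't reach this problem, here is an added example (written for this post, not taken from any of the reports or incidents above) in Python with SQLite. The request, the table, the credentials and the function names are all constructed for the demonstration. The attack is a plain POST to /login that any firewall permitting web traffic will pass; whether it succeeds is decided entirely by how the application builds its query, which is a development-lifecycle problem, not a network one.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed request: this is all a network firewall sees, a well-formed
# POST to the web port. Nothing in it violates any port or protocol rule.
ATTACK_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin%27--&password=anything"
)


def make_db():
    """Constructed user table (plaintext password only to keep the demo short;
    real applications store a salted password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def parse_form(request):
    """Minimal form-body parser for the constructed request above."""
    body = request.split("\r\n\r\n", 1)[1]
    return {k: v[0] for k, v in parse_qs(body).items()}


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so a quote
    and a comment marker in the username rewrite the query's logic."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Fixed pattern: bound parameters, so the same input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def run_demo():
    conn = make_db()
    form = parse_form(ATTACK_REQUEST)
    return {
        "payload": form["username"],
        "vulnerable": login_vulnerable(conn, form["username"], form["password"]),
        "fixed": login_fixed(conn, form["username"], form["password"]),
        "legit_fixed": login_fixed(conn, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The decoded username is `admin'--`, which turns the concatenated query into `... WHERE username = 'admin'--' AND password = 'anything'`; everything after `--` is a comment, so the password check disappears and the vulnerable login returns `admin`. The parameterized version returns nothing for the same input and still authenticates the real credentials. Fixing this means changing code and the process that produces it, which is exactly the kind of hire the report doesn't mention.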

Now, don't get me wrong. We still need firewalls and many network security experts. They provide invaluable security services. Just make sure your strategy is actually addressing the problem you are attempting to solve.

-Michael Coates - @_mwc