I'm really excited about SSLFail, which was put together by Martin from tssci-security.com and Tyler Reguly. I've been working with SSL and certs quite a bit recently, and the whole thing has me up in arms. So many sites have SSL errors, and on top of that, the browsers handle these errors differently! This is a good way to start focusing more attention on the matter.
As we'll probably see with feedback on this site or others, the first major issue will be addressing comments such as "Well, why is that warning message even a big deal?" And that's part of the problem in itself. Users are presented with numerous warning messages in a variety of forms. It's difficult to figure out what you should be concerned about.
Consider this for a moment: what if you immediately stopped using a website at the first SSL warning message you received? How many sites could you actually use? Could you use your bank's website?
Saturday, January 24, 2009
Tuesday, January 13, 2009
The Coates Top 3 Root Causes to Poor Application Security
- Lack of Management Support
- Lack of Security Specific Training for Developers
- Absence of Standardized Security Libraries
Wednesday, January 7, 2009
If you're not thoroughly convinced that humans are in fact the weakest link in any system, then take a look at the entry point of the Twitter attack.
The [compromised] user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness". (full article)
Really? The password of someone with admin privileges was the word "happiness"? I can only shake my head in amazement. So there you go: if you think for a second that your internal users are "trusted" or "responsible" in terms of security, then just wait, your turn for the front page will come around.