Saturday, January 24, 2009

SSL is out of control

I'm really excited about SSLFail which was put together by Martin from and Tyler Reguly. I've been working with SSL and certs quite a bit recently, the whole thing has me up in arms. So many sites have SSL errors and on top of that, the browsers handle these errors differently! This is a good way to start focusing more attention on the matter.

As we'll probably see with feedback on this site or others, the first major issue will be addressing comments such as "Well why is that warning message even a big deal?" And that's part of the problem in itself. Users are presented with numerous warning messages is a variety of forms. Its difficult to figure out what you should be concerned about.

Consider this for a moment, what if you immediately stopped using a website at the first SSL warning message you received. How many sites could you actually use? Could you use your bank's website?

-Michael Coates

Tuesday, January 13, 2009

Top 3 Root Causes to Poor Application Security

The Coates Top 3 Root Causes to Poor Application Security
  • Lack of Management Support
  • Lack of Security Specific Training for Developers
  • Absence of Standardized Security Libraries
After you address the Coates Top 3, then you can start to tackle the OWASP Top 10 or SANS Top 25

-Michael Coates

Wednesday, January 7, 2009

If you let them, humans will mess it up

If you're not thoroughly convinced that humans are in fact the weakest link to any system, then take a look at the entry point of the twitter attack.

The [compromised] user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness". full article
Really? The password of someone with admin privileges was the word "happiness"? I can only shake my head in amazement. So there you go, if you think for a second that your internal users are "trusted" or "responsible" in terms of security then just wait, your turn for the front page will come around.

-Michael Coates