<h4>A Journey in Security</h4>
<br />
<h4>Encryption Isn't Enough</h4>
<i>August 3, 2015</i><br />
<b>Companies need to focus on developing secure coding practices and security education.</b><br />
<br />
<a href="http://www.informationweek.com/cloud/software-as-a-service/twitter-security-pro-encryption-isnt-enough/d/d-id/1321432">http://www.informationweek.com/cloud/software-as-a-service/twitter-security-pro-encryption-isnt-enough/d/d-id/1321432</a><br />
<br />
Last week I shared my thoughts with Thomas Claburn at InformationWeek about the state of security and why encryption is not the answer to all problems.<br />
<br />
You can read the full story at the link above.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.informationweek.com/cloud/software-as-a-service/twitter-security-pro-encryption-isnt-enough/d/d-id/1321432"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1TjG5iZRTlA2ew-Q4oCv8qU8fuMszrAfPW7WcGlM9Nuxya81XwYzZYhlr5sxeRAMvH0EzIqpkgWMrwbdz2kOEXqbd-6kseZE3beOxwW8Yi09VND5w1EcMIY6nYGvrtzYfhGreBEReRc8/s320/infoweek.png" width="261" /></a></div>
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>OWASP Bay Area - Now with a meetup group</h4>
<i>December 9, 2014</i><br />
Are you in the Bay Area and interested in application security? The local OWASP chapter now has a meetup group. Just join the group and you'll be notified of all the great upcoming events. The events rotate throughout the Bay Area so we can attract a variety of attendees.<br />
<br />
<a href="http://www.meetup.com/Bay-Area-OWASP/">meetup.com/Bay-Area-OWASP/ </a><br />
<br />
Also, keep an eye out for what's happening in September. The big OWASP AppSecUSA conference will be hosted here in San Francisco! Mark your calendars now (and buy a discounted early bird ticket) <a href="http://appsecusa.org/">AppSecUSA.org</a><br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>OWASP AppSensor Book Signing at AppSecUSA</h4>
<i>September 15, 2014</i><br />
<div class="MsoNormal">
Join me at OWASP <a href="http://2014.appsecusa.org/2014/">AppSecUSA</a> for a free signed copy of the new <a href="http://appsensor.org/">OWASP AppSensor</a> Book. I’ll be at the Shape Security booth in the expo area on Thursday
afternoon at 4pm.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.owasp.org/images/9/9f/AppSensor2_small.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://www.owasp.org/images/9/9f/AppSensor2_small.jpg" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>New to AppSensor? </b></div>
<div class="MsoNormal">
Imagine if your application could detect a
threat before your system and data is breached and automatically ban that user
from your application. In short, this is what AppSensor can accomplish.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
AppSensor is a free and open source project that provides a framework to equip your application with an advanced defense system. This defense system enables your application to understand
malicious activity and respond in
real time to protect your sensitive assets and data.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>How is this different from traditional IDS and WAFs? </b></div>
<div class="MsoNormal">
Generic systems can only detect generic attacks. Your application is unique and needs a defensive system that can detect unique attacks targeting your business logic and access control system. Since AppSensor is built inside your application you have full visibility to any malicious activity or probes attempting to compromise your application.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Stop by the Shape Security booth for a free signed copy of the AppSensor book!</div>
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>Has OWASP Helped You? Retweet and help OWASP</h4>
<i>August 12, 2014</i><br />
<blockquote class="twitter-tweet" lang="en">
Has OWASP helped you or your org? RT and spread the word about AppSecUSA conf <a href="https://twitter.com/hashtag/infosec?src=hash">#infosec</a> <a href="http://t.co/XS8ZC6ySMQ">http://t.co/XS8ZC6ySMQ</a> <a href="http://t.co/1zOuKCZp5Y">pic.twitter.com/1zOuKCZp5Y</a><br />
— Michael Coates (@_mwc) <a href="https://twitter.com/_mwc/statuses/499300852897558528">August 12, 2014</a></blockquote>
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>Google's Project Zero</h4>
<i>July 17, 2014</i><br />
Google recently announced <a href="http://googleprojectzero.blogspot.com/">Project Zero</a>, an initiative “to significantly reduce the number of people harmed by targeted attacks”. Project Zero is inverting the traditional bug bounty program and there are many positive elements to this new initiative. I'm a big <a href="http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web">proponent of bug bounty programs</a> and worked with them closely at Mozilla (Mozilla created the first major <a href="https://blog.mozilla.org/press/2004/08/mozilla-foundation-announces-security-bug-bounty-program/">bug bounty program for Firefox in 2004</a>).<br /><br />In addition to the positive elements, I also got a chance to discuss some of the challenges Project Zero may face with Antone Gonsalves (<a href="https://twitter.com/antoneg">@antoneg</a>) at csoonline.com.<br />
<br />
<br />
<i><a href="http://www.csoonline.com/article/2455161/data-protection/google-bug-hunting-project-zero-could-face-software-developer-troubles.html">Google bug-hunting Project Zero could face software developer troubles</a></i>,<br />
Antone Gonsalves | CSO | Jul 16, 2014<br /><br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>Avoiding The Next Heartbleed - LinkedIn Publish</h4>
<i>April 17, 2014</i><br />
<div class="article-title">
<b>Avoiding The Next Heartbleed</b></div>
<i><b>How should companies learn from Heartbleed to be better prepared for the next major security event?</b></i><br />
<br />
Full story<br />
<a href="https://www.linkedin.com/today/post/article/20140417203003-8374308-avoiding-the-next-heartbleed">https://www.linkedin.com/today/post/article/20140417203003-8374308-avoiding-the-next-heartbleed</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.linkedin.com/today/post/article/20140417203003-8374308-avoiding-the-next-heartbleed"><img alt="https://www.linkedin.com/today/post/article/20140417203003-8374308-avoiding-the-next-heartbleed" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg74K6-_FwCzEuGyaeEwK5Gs00Z7YwyiaHB8JYqzLkXi9SO3UEAaY4MbJaCR8w3GchraKszOLxpDPCn1Tg6Cers5QByTIrYYiI5TxRCcTFfQA811U8Xi7tzesGrPn8exXxTSEYEBKDk4_c/s1600/AvoidingNextHeartbleed.png" height="294" width="320" /></a></div>
<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a><br />
<br />
<h4>Discussing Heartbleed</h4>
<i>April 16, 2014</i><br />
There's plenty of information out there about Heartbleed. I posted a high-level analysis on the <a href="http://blog.shapesecurity.com/heartbleed-bug-places-encrypted-user-data-and-webservers-at-risk">Shape blog</a> and there's also an <a href="https://www.owasp.org/index.php/Heartbleed_Bug">OWASP page</a> up on the topic.<br />
<br />
Over the past week I had the opportunity to speak with several organizations about the vulnerability, what is at stake and how organizations should be defending their applications and users.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.youtube.com/watch?v=S89E0iHfuH4" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAD-MJgXVwLJfmRQTb9WiiWiaC6legsu0jGqUg4xrn6sEasbgsbOJiHhkUwdsHpt_bSk_JS69KrIBzK7mfWlNZkZwVqQAL-l1jr6OnItmS6mBV4brX1W96wVyCCzUqcGAJstjTN7NrEhM/s1600/cctv.png" height="63" width="200" /></a></div>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/S89E0iHfuH4" width="560"></iframe><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.reuters.com/article/2014/04/09/cybersecurity-internet-bug-idUSL2N0N026420140409" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihnXuQyCEfdgelyzdw219TjoeNKbO9h9zN0MjrowlqC7ptMZsIPel60kkfGA-0uLzt9V63u6zXAEltAxK5nH2kGUUWLD2f0jYclxjW2kISfSLieMe9ZbeUpY2d9o0lap0E01PHZ9F6MjQ/s1600/Reuters.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<a href="http://www.reuters.com/article/2014/04/09/cybersecurity-internet-bug-idUSL2N0N026420140409">'Heartbleed' bug in web technology seen as major threat to user data</a></div>
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.csoonline.com/article/2142102/data-protection/how-to-defend-against-the-openssl-heartbleed-flaw.html" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7xgBTysujjG6HPAXvYzyY2vbUn1lgKXxZLHPkaBcFj0yGfePfhJsAJpDLxApQfpFfvNQwihmeU0yYtbgfBRSPdx6ZXiHObJmypaVSV5jlJFOP6vj2y1wG9So50apL7StuXO3q4zrqqkI/s1600/cso.png" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div style="text-align: center;">
<a href="http://www.csoonline.com/article/2142102/data-protection/how-to-defend-against-the-openssl-heartbleed-flaw.html">How to defend against the OpenSSL Heartbleed flaw </a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>OWASP AppSec Keynote - Security in an Interconnected and Complex World of Software</h4>
<i>March 25, 2014</i><br />
<div class="MsoNormal">
Last week I delivered the closing keynote at the <a href="https://appsecapac.org/2014">OWASP AppSec Apac conference</a> held in Tokyo, Japan. Riotaro Okada, Sen Ueno, Robert Dracea and the entire OWASP Japan chapter put the amazing conference together.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The slides are <a href="http://www.slideshare.net/slideshow/embed_code/32685644">posted</a> and a video recording should be available soon.</div>
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>Snapchat Hacked - Aware of Vulnerability for 4 Months</h4>
<i>January 2, 2014</i><br />
Snapchat has been hacked and 4.6 million usernames and phone numbers have been exposed. I spoke with <a href="https://twitter.com/emilychangtv">Emily Chang</a> on <a href="http://www.bloomberg.com/video/snapchat-data-breach-exposes-personal-info-9V9sSeFsSvWssezDGKnGQQ.html">Bloomberg West</a> about the compromise and the risk to users.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.bloomberg.com/video/snapchat-data-breach-exposes-personal-info-9V9sSeFsSvWssezDGKnGQQ.html"><img alt="http://www.bloomberg.com/video/snapchat-data-breach-exposes-personal-info-9V9sSeFsSvWssezDGKnGQQ.html" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL0SCMTAssLqz5SlD7MWBW2obZo_hWhhorWdehKhewEQKi7fW9lngQjk85U32jkxQv39jwuHxMrMHS3omRyLi5xDoO0yvX7GR_-mjwnh4SKDWcfyQ6weoB_-8yMxLQem7nI-cQMXU84D0/s1600/MichaelCoates-Bloomberg-Snapchat.png" height="181" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
As a result of the flaw all of Snapchat's users, reportedly around 8 million, are at risk. You can see if your data is part of the 4.6 million already compromised by entering your username here: <a href="http://lookup.gibsonsec.org/">http://lookup.gibsonsec.org/</a>. Even though the last 2 digits of the phone number are omitted in the public dump, the full phone numbers have been breached.<br />
<br />
<b>Timeline of Events</b><br />
<ul>
<li><b>8/28/2013</b> - GibsonSecurity discloses <a href="http://gibsonsec.org/snapchat/">potential security vulnerabilities</a> to Snapchat, and <a href="http://www.zdnet.com/snapchat-names-aliases-and-phone-numbers-obtainable-via-android-api-say-researchers-7000019992/">ZDNet covers the story too</a>.</li>
<li><b>12/24/2013</b> - GibsonSecurity provides <a href="http://gibsonsec.org/snapchat/fulldisclosure/">full disclosure of the vulnerability</a> and proof of concept for <a href="http://gibsonsec.org/snapchat/fulldisclosure/#the-find_friends-exploit">Find_Friends</a> and <a href="http://gibsonsec.org/snapchat/fulldisclosure/#bulk-registration-of-accounts">bulk account creation</a> attacks. Per GibsonSecurity, this is in response to receiving little communication from Snapchat and no traction in resolving the security vulnerabilities in over 4 months.</li>
<li><b>12/27/2013</b> - Snapchat issues a <a href="http://www.bloomberg.com/video/snapchat-data-breach-exposes-personal-info-9V9sSeFsSvWssezDGKnGQQ.html">blog post</a> acknowledging the potential weaknesses and describes the issue as theoretical. They also assure customers that they've added additional controls to prevent such an attack.</li>
<li><b>1/1/2014</b> - An unknown third party unrelated to GibsonSecurity exploits the vulnerability, obtains data on 4.6 million users and publishes the data at <a href="http://snapchatdb.info/">snapchatdb.info</a>. The last 2 digits of each phone number are obscured.</li>
</ul>
<b>The Vulnerability </b><br />
Snapchat's API is not meant for public use, but that doesn't stop anyone from reverse engineering the protocol to determine how it works and how to initiate various actions. GibsonSecurity, a self-reported group of "<a href="http://gibsonsec.org/">poor students, with no stable source of income</a>" from Australia, did just that.<br />
<br />
By design, Snapchat provides a feature for users to locate friends by their phone number. Using the API, it was trivial for GibsonSec to automate a large number of requests to this feature. Since phone numbers follow a predictable pattern, XXX YYY ZZZZ, the automation simply iterated through each number until the response indicated that the number matched a valid user account. When a match was hit, the associated Snapchat username was returned for the provided phone number.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaU08l0lX8MDWOd0qv7p9yEvw-dbOdq2eQxrAxibvdypomcxuGpoPBhdUuKeqGvrk0u5mR0kQNEdxVFrGkJQfreiQHgVqXLZea_WUFHPRFqChGp67I277GINAaDYYOurkAUw-aZ0dntMU/s1600/snapchatdb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaU08l0lX8MDWOd0qv7p9yEvw-dbOdq2eQxrAxibvdypomcxuGpoPBhdUuKeqGvrk0u5mR0kQNEdxVFrGkJQfreiQHgVqXLZea_WUFHPRFqChGp67I277GINAaDYYOurkAUw-aZ0dntMU/s1600/snapchatdb.png" height="288" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;">Screenshot from <a href="http://snapchatdb.info/">snapchatdb.info</a></span></div>
<br />
<b>Why didn't Snapchat fix this?</b><br />
Excellent question. Snapchat either didn't understand the issue, put too much faith in their defensive solutions, or deprioritized the issue to focus on feature development. At this point Snapchat has said very little about the issue. Unfortunately, startups are increasingly targeted by attackers because they quickly amass a large amount of user data. Although the company may be strapped for engineers, they must realize that once they have valuable data (user data, credit card info, etc.) they will be a target.<br />
<br />
<br />
<b>Rate Limiting and IP Blocking</b><br />
The minimum defensive control is rate limiting and IP blocking of malicious activity. Unfortunately, even these controls quickly fail when the attack is distributed across a botnet. In those situations you must automatically distinguish human activity from bot activity. While captchas are one approach, they are hugely disruptive to users and provide <a href="http://www.gizmag.com/captcha-beating-ai/29559/">declining</a> defensive <a href="http://www.beatcaptchas.com/">value</a> against malicious bots.<br />
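The AppSensor post earlier on this page describes detection points inside the application with an automatic response, and the paragraph above names rate limiting and IP blocking as the minimum control and a distributed attack as the case where they fail. The Go program below is an added example written for this page; it is not AppSensor's code and not Snapchat's, and the <code>Sentinel</code> type, its thresholds and the traffic it processes are all constructed. It keeps a sliding-window rate limit per client, adds an in-application detection point for the sequential walk through the number space that the post describes, and adds a second limit keyed on the probed number prefix rather than on the client, which is the one a crawl spread across many addresses still trips.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// Decision is what the application does with one find-friends lookup.
type Decision string

const (
	Allow    Decision = "allow"
	Throttle Decision = "throttle" // over a rate limit: reject this request only
	Ban      Decision = "ban"      // enumeration signature seen: client blocked from now on
)

type clientState struct {
	times  []time.Time // timestamps of this client's recent lookups (sliding window)
	last   int64       // last phone number probed, as an integer (-1 = none yet)
	seqRun int         // how many consecutive probes were exactly last+1
	banned bool
}

// Sentinel is a hypothetical in-application guard for a phone-number lookup
// endpoint (constructed for this example; not AppSensor's API).
type Sentinel struct {
	window       time.Duration
	maxPerClient int // lookups one client may make per window
	seqToBan     int // consecutive +1 probes that trigger a ban
	maxPerPrefix int // lookups, from any clients, into one 6-digit prefix per window
	clients      map[string]*clientState
	prefixHits   map[string][]time.Time // keyed on the number space, not the client
}

func NewSentinel(window time.Duration, maxPerClient, seqToBan, maxPerPrefix int) *Sentinel {
	return &Sentinel{window: window, maxPerClient: maxPerClient, seqToBan: seqToBan,
		maxPerPrefix: maxPerPrefix, clients: map[string]*clientState{}, prefixHits: map[string][]time.Time{}}
}

// prune drops timestamps at or before the cutoff and returns the survivors.
func prune(ts []time.Time, cutoff time.Time) []time.Time {
	kept := ts[:0]
	for _, t := range ts {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	return kept
}

// Lookup decides whether client may look up phone at time now. The enumeration
// check runs before the rate check so a slow sequential crawl is still caught,
// and the per-prefix check catches a crawl spread across many clients.
func (s *Sentinel) Lookup(client, phone string, now time.Time) Decision {
	st := s.clients[client]
	if st == nil {
		st = &clientState{last: -1}
		s.clients[client] = st
	}
	if st.banned {
		return Ban
	}
	if n, err := strconv.ParseInt(phone, 10, 64); err == nil {
		if st.last >= 0 && n == st.last+1 {
			st.seqRun++
		} else {
			st.seqRun = 0
		}
		st.last = n
		if st.seqRun >= s.seqToBan {
			st.banned = true
			return Ban
		}
	}
	cutoff := now.Add(-s.window)
	st.times = prune(st.times, cutoff)
	if len(st.times) >= s.maxPerClient {
		return Throttle
	}
	prefix := phone
	if len(prefix) > 6 {
		prefix = prefix[:6]
	}
	s.prefixHits[prefix] = prune(s.prefixHits[prefix], cutoff)
	if len(s.prefixHits[prefix]) >= s.maxPerPrefix {
		return Throttle
	}
	st.times = append(st.times, now)
	s.prefixHits[prefix] = append(s.prefixHits[prefix], now)
	return Allow
}

func main() {
	s := NewSentinel(time.Minute, 5, 3, 20)
	t0 := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed traffic: one person checking a few contacts, then one client walking the number space.
	for i, ph := range []string{"4155550123", "6505551234", "4155559876"} {
		fmt.Println("alice", ph, s.Lookup("alice", ph, t0.Add(time.Duration(i)*time.Second)))
	}
	for i := 0; i < 5; i++ {
		ph := strconv.FormatInt(5551000000+int64(i), 10)
		fmt.Println("bot-1", ph, s.Lookup("bot-1", ph, t0.Add(time.Duration(i)*time.Second)))
	}
}
```

Run with <code>go run</code>: alice's three lookups are allowed, and the sequential client is banned on its fourth consecutive number. The per-client limit is exactly what a botnet defeats; the per-prefix counter trades that weakness for a coarser signal that can also throttle legitimate users in a busy area code, which is the same user-impact trade-off the post raises for captchas.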
<br />
<b>Working with Security Researchers</b><br />
As someone who has worked with the security research community for many years at Mozilla and OWASP, I see a lot for Snapchat to learn here.<br />
<ol>
<li><b>Acknowledge the security researchers</b> and thank them for providing the security information. It's unclear what response Snapchat provided, but from GibsonSec's comments it appears there was little communication.</li>
<li><b>Keep communication lines open </b>with the researchers. Copy them
into the bug and provide regular updates on progress. Also ask them if
they'd like to take another look at your proposed defensive solution.</li>
<li><b>Work to fix the issue quickly</b>. There are always competing priorities, but if protecting user data is not extremely high on your list, then you should reevaluate whether users should trust you at all.</li>
<li><b>Don't publicly downplay a reported security issue as "theoretical"</b>. At this point you are inviting someone to prove you wrong - often without the benefit of responsible disclosure.</li>
<li><b>Provide the public with honest and frequent updates. </b>Forthright communication goes a long way. A good incident response and communication plan can keep a bad situation from getting worse. A bad plan, however, can be a catalyst for negative press in addition to the issue at hand.</li>
</ol>
The security community can be a wonderful group of talented researchers. In many cases they are working out of intellectual curiosity and want to help companies when they've found flaws. However, dismissing those efforts or pushing them to the back burner can have devastating effects.<br />
<br />
In the end, if you are asking users to entrust their data to your company, then make sure to hold up your end of the bargain: take security seriously and prioritize efforts whenever a security concern arises.<br />
<br />
<b>*** Update ***</b><br />
Snapchat has recently issued a <a href="http://blog.snapchat.com/post/72013106599/find-friends-abuse">blog post</a> indicating they plan to allow users to opt out of the find friends feature, provided they've validated ownership of their phone number. An opt-out approach is unfortunate since users will be vulnerable and exposed by default.<br />
<br />
Snapchat also more clearly documented the method for security researchers to contact them at security@snapchat.com. All companies should maintain a security@&lt;theircompany&gt;.com address.<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>The Target breach, Encrypted PINs, and Customer Safety</h4>
<i>December 30, 2013</i><br />
On Friday I sat down with <a href="http://www.bloomberg.com/video/target-says-shopper-pin-data-stolen-in-breach-qALYu6QwQtWuS6utn9t8Cw.html">Jon Erlichman on Bloomberg West</a> to discuss the recent Target breach, what we know, and what risks face consumers.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.bloomberg.com/video/target-says-shopper-pin-data-stolen-in-breach-qALYu6QwQtWuS6utn9t8Cw.html"><img alt="http://www.bloomberg.com/video/target-says-shopper-pin-data-stolen-in-breach-qALYu6QwQtWuS6utn9t8Cw.html" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEfY_fgHI-QVtq9Yn3Ar0fVrL1oG0uLUsBArWByxBnfi1Nt3O3MgUwNhC_icOUGHGBJr_J-YLXYI33Oni1B94oxJ5SjSObE10psE0t-vrqoMJoJSply6gK1KBHDk5VZJgMZIH44l8Hx6A/s1600/Michael+on+Bloomberg.jpeg" height="176" width="320" /></a></div>
<br />
<b>Timeline of events & what we know</b><br />
<ul>
<li><a href="http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores">12/19 Target acknowledges breach</a> of credit card and debit card data used in stores between Nov. 27 and Dec. 15, 2013.</li>
<li><a href="http://pressroom.target.com/news/target-data-security-media-update">12/20 Target</a> update indicates PINs are not at risk: "At this time, there is no indication that there has been any impact to PIN numbers."</li>
<li><a href="http://www.reuters.com/article/2013/12/21/target-jpmorgan-idUSL2N0K00EU20131221">12/21 Chase Bank</a> changes debit card daily limits for impacted customers to $100 for cash withdrawals and $300 for purchases. This impacts 2 million Chase accounts.</li>
<li><a href="http://pressroom.target.com/news/target-data-security-media-update-4">12/27 Target update</a> reverses the initial statement of 12/20 and confirms that additional investigation shows that encrypted PINs were stolen.</li>
<li><a href="http://money.cnn.com/2013/12/24/technology/security/chase-target/">12/29 Chase Bank</a> maintains limits on impacted accounts but raises daily limits to <a href="https://www.chase.com/services/target-breach">$250 cash withdrawal and $1500 purchase</a>.</li>
</ul>
<b>Encryption of PINs </b><br />
On Friday, December 27th, Target revealed that the encrypted PINs had been compromised. The press release includes a few important statements:<br />
<ol>
<li><b>Target doesn't have the decryption key</b> - "Target does not have access to nor does it store the encryption
key within our system. The PIN information is encrypted within Target’s
systems and can only be decrypted when it is received by our external,
independent payment processor."</li>
<li><b>Triple DES encryption</b> - "PIN is encrypted at the keypad with what is known as Triple DES"</li>
<li><b>Target claims customers are safe </b>- "We remain confident that PIN numbers are safe and secure" and "debit card accounts have not been compromised due to the encrypted PIN numbers being taken" </li>
</ol>
<b>Are customers safe?</b><br />
I'm not surprised to see Target attempting to calm customers' fears with their statements about the security of the PINs. However, I'm not convinced I'd share their optimism about safety. Triple DES encryption, when used correctly, does provide strong encryption and it would be infeasible to brute force the encryption key. However, even in an ideal use case there are several weaknesses in Triple DES that could reduce its effective strength.<br />
<br />
<b>What could go wrong with Triple DES? </b><br />
When used incorrectly, Triple DES may provide only the illusion of security for these PINs. Here are two scenarios that could put PIN data immediately at risk:<br />
<ul>
<li>Triple DES encryption is configured with <a href="http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_.28ECB.29">Electronic Code Book (ECB)</a> -or-</li>
<li>Triple DES encryption is configured with <a href="http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29">Cipher-block Chaining (CBC)</a> and uses the same <a href="http://en.wikipedia.org/wiki/Initialization_vector">Initialization Vector</a> for encryption of each PIN</li>
</ul>
In these situations the encrypted output is the same whenever the input (i.e. the PIN) is the same. This allows attackers to tally the encrypted PIN values and compare the result with <a href="http://gizmodo.com/5946582/the-20-most-common-pins-are-painfully-obvious">frequency analysis of PIN selection</a> to make reasonable guesses about which encrypted value corresponds to which original PIN. In other words, if the most common encrypted value is "<b>51 91 ca 27 be 68 c2 21</b>" then there's a really good chance the original PIN for those users is <b>1234</b>.<br />
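A reviewer can test the two scenarios above directly instead of arguing about them. The Go program below is an added example written for this page, not Target's or any payment processor's code; the key, the reused IV, the 8-byte PIN layout and the skewed list of PINs are all constructed. It encrypts the same PINs with Go's standard-library Triple DES in ECB, in CBC with one reused IV, and in CBC with a fresh random IV per PIN, then tallies identical ciphertexts. The tally is the whole analysis step the paragraph describes, and it doubles as the acceptance check for a configuration: a mode that does not leak equality produces no repeats.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed 24-byte key (K1|K2|K3) for the demonstration only.
var demoKey = []byte("0123456789abcdefghijklmn")

// One IV reused for every PIN: the "same Initialization Vector" misconfiguration.
var fixedIV = []byte("SAMEIV01")

// Constructed breach sample: PIN choice is skewed the way the post's frequency
// table describes, with 1234 far ahead of everything else.
var samplePINs = []string{
	"1234", "1234", "1234", "1234", "1234",
	"1111", "1111", "1111",
	"0000", "0000",
	"2580", "7638",
}

// pinBlock lays a PIN into one 8-byte DES block: PIN digits followed by spaces.
// This is a demo layout, not an ISO 9564 PIN block.
func pinBlock(pin string) []byte {
	return []byte(fmt.Sprintf("%-8s", pin))
}

// encryptECB encrypts one block directly. ECB is the raw block cipher, so equal
// inputs always give equal outputs under one key.
func encryptECB(block cipher.Block, pin string) []byte {
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, pinBlock(pin))
	return out
}

// encryptCBC encrypts one block in CBC mode. The block is XORed with the IV
// before encryption, so the IV is all that separates two encryptions of one PIN.
func encryptCBC(block cipher.Block, iv []byte, pin string) []byte {
	out := make([]byte, des.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pinBlock(pin))
	return out
}

func randomIV() []byte {
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// encryptAll encrypts every sample PIN under one configuration:
// "ecb", "cbc-fixed-iv" or "cbc-random-iv".
func encryptAll(mode string) [][]byte {
	block, err := des.NewTripleDESCipher(demoKey)
	if err != nil {
		panic(err)
	}
	out := make([][]byte, 0, len(samplePINs))
	for _, pin := range samplePINs {
		switch mode {
		case "ecb":
			out = append(out, encryptECB(block, pin))
		case "cbc-fixed-iv":
			out = append(out, encryptCBC(block, fixedIV, pin))
		case "cbc-random-iv":
			out = append(out, encryptCBC(block, randomIV(), pin))
		default:
			panic("unknown mode " + mode)
		}
	}
	return out
}

// countCiphertexts tallies identical ciphertexts (hex-encoded). This is the
// entire analysis step once the mode leaks equality, and the check a reviewer
// runs to confirm that it does not.
func countCiphertexts(cts [][]byte) map[string]int {
	counts := map[string]int{}
	for _, ct := range cts {
		counts[hex.EncodeToString(ct)]++
	}
	return counts
}

func distinctCount(cts [][]byte) int { return len(countCiphertexts(cts)) }

// mostCommon returns the most frequent ciphertext and its count, with a lexical
// tie-break so the answer is deterministic.
func mostCommon(counts map[string]int) (string, int) {
	bestHex, best := "", 0
	for h, n := range counts {
		if n > best || (n == best && h < bestHex) {
			bestHex, best = h, n
		}
	}
	return bestHex, best
}

func main() {
	for _, mode := range []string{"ecb", "cbc-fixed-iv", "cbc-random-iv"} {
		cts := encryptAll(mode)
		h, n := mostCommon(countCiphertexts(cts))
		fmt.Printf("%-14s distinct=%2d/%d  most common %s x%d\n", mode, distinctCount(cts), len(cts), h, n)
	}
}
```

Under <code>ecb</code> and <code>cbc-fixed-iv</code> only five distinct ciphertexts come out of twelve PINs and the most common one, seen five times, is the encryption of 1234; under <code>cbc-random-iv</code> all twelve differ. One caveat on the demo layout: real PIN encryption uses an ISO 9564 PIN block that folds part of the card number into the 8 bytes before encryption, which already makes equal PINs on different cards encrypt differently; the example leaves that out so the behaviour of the mode is visible on its own.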
<br />
<br />
<br />
<b>Other indications of concern</b><br />
Another reason to be cautious about the safety of breached users is the action taken by Chase. At the height of the Christmas season Chase Bank changed limits for all impacted customers. This may be a cautionary move by Chase with memories of the <a href="http://www.wired.com/threatlevel/2009/11/rbs-worldpay/">2009 RBS WorldPay attack</a> that resulted in the loss of $9 million in a matter of hours. However, such a decision, made in the prime spending hours of Christmas, must have been thoroughly discussed and backed by information justifying their concerns.<br />
<br />
Lastly, we don't know what other information will be uncovered during the investigation, or worse, won't be uncovered because the investigation can't detect it. Target themselves initially reported that PINs were safe and unaffected only to later find out, as their investigation continued, that the encrypted values were stolen.<br />
<br />
<b>Advice to Customers </b><br />
My advice for customers involved is to proactively request new debit cards. Credit card fraud can be easily reversed, but debit card fraud can leave the lost funds inaccessible <a href="http://consumerist.com/2013/01/17/bank-employee-explains-why-it-takes-so-dang-long-to-process-debit-card-fraud-claims-disputes-and-other-fun-stuff/">for a period of time during the dispute</a>.<br />
<br /><br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>
<br />
<h4>Gmail Changes Enable Tracking of User Email Activity</h4>
<i>December 12, 2013</i><br />
<h4>
Changes to Gmail Image Handling Enable Tracking of User Activity with Emails </h4>
Google has just modified Gmail so images <a href="http://gmailblog.blogspot.com/2013/12/images-now-showing.html">automatically load within emails</a>.<br />
<br />
An important privacy element was omitted from the discussion of this change. The new image handling in Gmail creates a reliable method for companies and advertisers to track whether a user opens any email they send.<br />
<br />
This works because the image in the email can be referenced with a unique URL parameter that acts as a tracking beacon. If a user opens the email, the image is loaded automatically and the beacon request is sent to a web server controlled by the sender, telling the sender that this specific user opened the email.<br />
<br />
Previously Gmail blocked images by default and required users to take a specific action to display them. So while this beacon-based email tracking has always been possible, the previous default handling in Gmail made it an unreliable tracking method that wasn't worth the effort.<br />
<br />
<b>How Does The Tracking Work?</b><br />
In this example the company sending the email owns site.com.<br />
<ol>
<li>Company crafts an email and includes an image with a tracking beacon number within a url parameter<br />
http://site.com/picture.jpg?beacon=0001234</li>
<li>User opens the email within gmail and the browser automatically requests the image included in the email</li>
<li>Google has modified the email so the image now resolves through the new proxy service. This means the URL from step #1 now looks like this in the source<br />
https://ci4.googleusercontent.com/proxy/wLmL7aeWQ5zwvPCbo5nG=s0-d-e1-ft#http://site.com/picture.jpg?beacon=0001234</li>
<li>The browser automatically requests the image</li>
<li>The Google proxy service at ci4.googleusercontent.com receives this request and makes an outbound request to http://site.com/picture.jpg?beacon=0001234</li>
<li>The sender of the email returns picture.jpg and records that user 0001234 has opened the email</li>
</ol>
<br />
Here's a screenshot of my web server log showing the request, which includes the URL parameter and also a reference to Google's domain ggpht.com<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgDrbdAmhj2JF0r4b4FnUFdTUiK8qdqAPOe9zkw_QWF48scuo-NU5hIzbbvP2wbZJQ3N-fT9TrrFAmZJcsX7Wj7Q-VolBD0ShwNfw7OXydvWahOlcviEmNSb4fiuLTTeHYG3vLOQAOg60/s1600/Log.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgDrbdAmhj2JF0r4b4FnUFdTUiK8qdqAPOe9zkw_QWF48scuo-NU5hIzbbvP2wbZJQ3N-fT9TrrFAmZJcsX7Wj7Q-VolBD0ShwNfw7OXydvWahOlcviEmNSb4fiuLTTeHYG3vLOQAOg60/s1600/Log.png" height="10" width="640" /></a></div>
<br />
[12/Dec/2013:23:48:10 +0000] "GET /Turkish_Van_Cat.jpg?id=01234 HTTP/1.1" 200 1718186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com)"<br />
<br />
In practice, companies wishing to track email activity will simply add a hidden 1 pixel by 1 pixel image that performs this tracking unbeknownst to the end user.<br />
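The following is an added example and not code from the original post. It shows the beacon mechanism from the defender's side: one function flags likely tracking pixels in an HTML email body (tiny or hidden images, and a per-recipient query string on the image URL), and another pulls the beacon id and the "via ggpht.com" proxy marker out of a web-server log line in the format shown above. The email body is constructed for the example; the log line is the one from this post.<br />

```python
"""
Added example, not code from the original post: a detector for the image
beacons described above, seen from the defender's side.  It flags likely
tracking pixels in an HTML email body and pulls the beacon id and the
proxy marker out of a web-server log line like the one shown above.
The email body is constructed; the log line is the one from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def find_tracking_pixels(html_body):
    """Return [(src, [reasons])] for <img> tags that look like beacons.

    A 1x1 or hidden image is a strong signal; a query string on the image
    URL (the per-recipient parameter) is a weaker one.  Every signal is
    recorded so a caller can require more than one before acting.  Ordinary
    content images such as a wide banner produce no reasons and are skipped.
    """
    collector = _ImgCollector()
    collector.feed(html_body)
    flagged = []
    for img in collector.images:
        src = img.get("src", "")
        reasons = []
        width, height = img.get("width", "").strip(), img.get("height", "").strip()
        if width in ("0", "1") and height in ("0", "1"):
            reasons.append("1x1 image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if urlparse(src).query:
            reasons.append("query string in image URL")
        if reasons:
            flagged.append((src, reasons))
    return flagged


# Common-log style line: [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_beacon_hit(line, beacon_params=("id", "beacon")):
    """Extract the beacon id and whether the fetch came through Google's proxy.

    Returns None when the line does not match the expected log format.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    query = parse_qs(url.query)
    beacon = next((query[p][0] for p in beacon_params if p in query), None)
    return {
        "timestamp": m.group("ts"),
        "path": url.path,
        "beacon": beacon,
        "status": int(m.group("status")),
        # the proxy appends "(via ggpht.com)" to its User-Agent
        "via_google_proxy": "via ggpht.com" in m.group("ua"),
        "user_agent": m.group("ua"),
    }


# Constructed email body: one real banner plus one hidden beacon image.
SAMPLE_EMAIL = """
<html><body>
<p>Big sale this week!</p>
<img src="https://cdn.example.com/banner.png" width="600" height="120" alt="Sale">
<img src="http://site.com/picture.jpg?beacon=0001234" width="1" height="1" style="display:none">
<a href="https://example.com/shop">Shop now</a>
</body></html>
"""

# The log line shown in this post.
SAMPLE_LOG_LINE = (
    '[12/Dec/2013:23:48:10 +0000] "GET /Turkish_Van_Cat.jpg?id=01234 HTTP/1.1" '
    '200 1718186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) '
    'Gecko/2009021910 Firefox/3.0.7 (via ggpht.com)"'
)

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print("possible beacon:", src, reasons)
    print(parse_beacon_hit(SAMPLE_LOG_LINE))
```

Note what the parsed log line shows: the User-Agent and source address belong to Google's proxy, not to the recipient, so the sender still learns that the email was opened (the beacon id survives the proxy) but no longer sees the recipient's own browser or IP address.<br />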
<br />
<b>Opt-Out Argument</b><br />
The argument that you can opt out of this new setting is a red herring. If only those who read this post take action to opt out, the vast majority of people can still be tracked using this technique.<br />
<br />
<b>Security Win and Privacy Loss?</b><br />
Perhaps there are security merits to this change. However, the collateral damage to privacy should not be overlooked in a change that impacts all Gmail users.<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-80702767778366239782013-12-11T12:42:00.001-08:002013-12-11T12:42:25.167-08:003 Bottles of Whiskey for SSL on your News Org Website - Standing Offer<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQO9jgYOXhxcYn5aOKCNJO5pKXWn3bcpgTPqG1gQA_c9Icl2GFADnGcaEbAZjYqlhT9q0ihVSplxBp6uA96RAr8bOetx26qsMYZUCu6wqmXnfa68ElLLwGMJdNRjtRg8C2Pb5ZYQDJl4/s1600/Whiskey_for_ssl-ChrisSoghoian.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQO9jgYOXhxcYn5aOKCNJO5pKXWn3bcpgTPqG1gQA_c9Icl2GFADnGcaEbAZjYqlhT9q0ihVSplxBp6uA96RAr8bOetx26qsMYZUCu6wqmXnfa68ElLLwGMJdNRjtRg8C2Pb5ZYQDJl4/s1600/Whiskey_for_ssl-ChrisSoghoian.png" height="264" width="320" /></a></div>
<div style="text-align: center;">
<a href="https://twitter.com/csoghoian/status/410858495890583552">https://twitter.com/csoghoian/status/410858495890583552</a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSUTmaUsJ7pbDzQxWjQC2MEPeY0fLkulstiT4aV2_QFbS7IjR3UnLovNZA1DDiVfBLtT1QVjtIqJbi9j4FhMPX4_QO7O4jzV5l8ivL-HD7NWEnZdE26uZPmDR37zeKLpAl64CZxFFfgmU/s1600/Whiskey_for_ssl-MichaelCoates.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSUTmaUsJ7pbDzQxWjQC2MEPeY0fLkulstiT4aV2_QFbS7IjR3UnLovNZA1DDiVfBLtT1QVjtIqJbi9j4FhMPX4_QO7O4jzV5l8ivL-HD7NWEnZdE26uZPmDR37zeKLpAl64CZxFFfgmU/s1600/Whiskey_for_ssl-MichaelCoates.png" height="121" width="320" /></a></div>
<div style="text-align: center;">
<a href="https://twitter.com/_mwc/status/410864015045193728">https://twitter.com/_mwc/status/410864015045193728</a></div>
<br />
<br />
The original washingtonpost.com article:<br />
<a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/11/news-sites-could-protect-your-privacy-with-encryption-heres-why-they-probably-wont/">News sites could protect your privacy with encryption. Here’s why they probably won’t.</a><br />
<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-28132025988704343672013-12-11T10:28:00.001-08:002013-12-11T11:08:27.149-08:00Eliminate Application Attackers before Exploitation - Podcast OWASP AppSensor<br />
Podcast recorded at OWASP <a href="http://appsecusa.org/2013/">AppSecUSA</a> on the <a href="https://www.owasp.org/index.php/OWASP_AppSensor_Project">AppSensor project</a>.<br />
<br />
<iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/124165361&color=ff6600&auto_play=false&show_artwork=true"></iframe>
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-51271914814882791262013-12-08T18:24:00.000-08:002013-12-08T18:24:31.859-08:00Missed OWASP AppSecUSA? Videos Online Now<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXdTaZNHquuFFvZRFE37pOqA6QhAx6GBMrMr_WfKiUtoInyGA5Ikhs8oc3IIqOFR8U72PrBm0RzFgRWeWQrv7DF0jfl505mVG4t2P6zmF8N2JZelV1daSNXy9luv10cRgX3C_JMtlOci0/s1600/OWASP-AppSecUSA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXdTaZNHquuFFvZRFE37pOqA6QhAx6GBMrMr_WfKiUtoInyGA5Ikhs8oc3IIqOFR8U72PrBm0RzFgRWeWQrv7DF0jfl505mVG4t2P6zmF8N2JZelV1daSNXy9luv10cRgX3C_JMtlOci0/s320/OWASP-AppSecUSA.png" width="320" /></a></div>
<br />
<br />
OWASP AppSecUSA videos are now online <a href="https://www.youtube.com/playlist?list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU">here.</a> <br />
A quick wrap-up of AppSecUSA from Tom Brennan is posted <a href="http://owasp.blogspot.com/2013/11/appsecusa-2013-wrap-up.html">here</a>. <br />
The whole catalog of OWASP videos can be found <a href="https://www.owasp.org/index.php/Category:OWASP_Video">here</a>.<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-73733444879002705922013-11-18T14:06:00.000-08:002013-11-18T14:06:01.737-08:00Let's Chat at OWASP AppSecUSAI'll be at OWASP AppSecUSA this week and am looking forward to all the great talks and activities. I'd also enjoy the opportunity to set up time to meet with others interested in security, web development, or just catching up.<br />
<br />
Let's set up a time - Please send me an email at michael.coates@owasp.org or message me on twitter (<a href="https://twitter.com/_mwc">@_mwc</a>).<br />
<br />
First drink is on me.<br />
<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-46509515738140026652013-11-18T12:46:00.002-08:002013-11-18T13:35:32.397-08:00How Third Party Password Breaches Put Your Website at Risk<i><b>Every website compromise and password breach puts your website at risk even
if your business is completely unrelated to the compromised site. </b></i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGrFhLqmWfwXfeLb8mdcRPsBSBtETh0f9T_OrcXIhDv-mLLLBFaKbYyJ6TFm2vuguhH_zvg7K3zpoFPBSSgNzozzEeJ8BqXDJWCJTLE7p4BbnOktAHUTs66qvAdImp6V75rc8s8oksASo/s1600/old-bank-vault-3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGrFhLqmWfwXfeLb8mdcRPsBSBtETh0f9T_OrcXIhDv-mLLLBFaKbYyJ6TFm2vuguhH_zvg7K3zpoFPBSSgNzozzEeJ8BqXDJWCJTLE7p4BbnOktAHUTs66qvAdImp6V75rc8s8oksASo/s1600/old-bank-vault-3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGrFhLqmWfwXfeLb8mdcRPsBSBtETh0f9T_OrcXIhDv-mLLLBFaKbYyJ6TFm2vuguhH_zvg7K3zpoFPBSSgNzozzEeJ8BqXDJWCJTLE7p4BbnOktAHUTs66qvAdImp6V75rc8s8oksASo/s320/old-bank-vault-3.jpg" width="320" /> </a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGrFhLqmWfwXfeLb8mdcRPsBSBtETh0f9T_OrcXIhDv-mLLLBFaKbYyJ6TFm2vuguhH_zvg7K3zpoFPBSSgNzozzEeJ8BqXDJWCJTLE7p4BbnOktAHUTs66qvAdImp6V75rc8s8oksASo/s1600/old-bank-vault-3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"> </a></div>
<br />
Which major website was compromised this week? How many user details and passwords were stolen?<br />
<br />
Over the past few weeks the news was littered with stories of <a href="http://www.csoonline.com/article/742570/adobe-confirms-stolen-passwords-were-encrypted-not-hashed">Adobe's compromise of millions of user records</a>, <a href="http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-password-data-for-860000-users/">MacRumors theft of 860,000 username and passwords</a> and the compromise of <a href="http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/">numerous user passwords at Vbulletin.com</a>.<br />
<br />
<br />
<br />
<br />
<br />
<b>Attackers Data Mine Compromised Passwords</b><br />
<br />
Every time a major password breach occurs, the compromised email addresses and passwords become available for hackers or criminal enterprises to download and analyze. Unfortunately, the breached companies often improperly protect their passwords, and as a result it is easy for hackers to recover the original password for each user. Attackers collect and store these compromised credentials and then use them to take over the user's account anywhere else on the web where the user has reused the same username and password.<br />
<br />
<b>Account Take Over is Distributed and Automated via Botnets</b><br />
<br />
Armed with millions of email addresses and passwords from the breached website, attackers use these credentials to programmatically attempt to log in to websites all over the web. This activity is not conducted by a single individual sitting at a computer manually entering usernames and passwords. Instead, criminal enterprises leverage scripts, automation, and botnets to distribute the attack across many computers around the world. This distribution lets the attacker cover their tracks by initiating the login attempts from real machines all over the world.<br />
<br />
This type of attack is known as credential stuffing, and is also referred to as account takeover.<br />
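The following is an added example and not code from the original post: a small detector for the distributed, automated login pattern just described. Per-account lockouts catch brute force against one account and per-IP rate limits catch one noisy host, but credential stuffing from a botnet has the opposite shape: many failures, each against a different account, each from a different source. The detector groups failed logins into fixed windows and alerts when the distinct-account and distinct-IP ratios are both near one. The auth-log format and every log line are constructed for this illustration.<br />

```python
"""
Added example, not from the original post: a detector for the distributed,
automated login pattern described above.  The auth-log format and every
log line below are constructed for this illustration; a real deployment
would read its own authentication events instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Parse constructed auth-log lines into (timestamp, ip, user, result)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            events.append((ts, m.group("ip"), m.group("user"), m.group("result")))
    return events


def _bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed (tumbling) window."""
    epoch = datetime(1970, 1, 1)
    seconds = int((ts - epoch).total_seconds())
    step = int(window.total_seconds())
    return epoch + timedelta(seconds=seconds - seconds % step)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=20, min_spread=0.8):
    """Flag windows whose failed logins have the credential-stuffing shape.

    Signal: a high failure count where nearly every failure is against a
    different account AND from a different source IP.  Brute force against
    one account, or one host hammering the login form, fails this test.
    """
    buckets = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            buckets[_bucket_start(ts, window)].append((ip, user))
    alerts = []
    for start in sorted(buckets):
        attempts = buckets[start]
        n = len(attempts)
        if n < min_failures:
            continue
        accounts = {user for _, user in attempts}
        sources = {ip for ip, _ in attempts}
        if len(accounts) / n >= min_spread and len(sources) / n >= min_spread:
            alerts.append({
                "window_start": start,
                "failures": n,
                "distinct_accounts": len(accounts),
                "distinct_ips": len(sources),
                # the accounts probed in this window are the ones to protect
                "accounts": sorted(accounts),
            })
    return alerts


def constructed_log():
    """Build a small auth log: normal logins, a brute-force run, a stuffing burst."""
    base = datetime(2013, 11, 18, 12, 0, 0)
    lines = []
    for k in range(5):  # ordinary successful logins
        ts = (base + timedelta(minutes=k)).strftime(TS_FMT)
        lines.append(f"{ts} ip=198.51.100.{k + 1} user=staff{k}@example.com result=OK")
    for k in range(25):  # brute force: one host, one account, 25 failures
        ts = (base + timedelta(minutes=20, seconds=k)).strftime(TS_FMT)
        lines.append(f"{ts} ip=203.0.113.5 user=bob@example.com result=FAIL")
    for k in range(30):  # stuffing: one try per account, a fresh source each time
        ts = (base + timedelta(minutes=40, seconds=3 * k)).strftime(TS_FMT)
        lines.append(f"{ts} ip=192.0.2.{k + 1} user=user{k:03d}@example.com result=FAIL")
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_auth_log(constructed_log())):
        print(alert["window_start"], alert["failures"], "failures across",
              alert["distinct_accounts"], "accounts from", alert["distinct_ips"], "IPs")
```

Run against the constructed log, only the 12:40 window is reported: the brute-force run at 12:20 has 25 failures but a single account and a single source, so its spread ratios are far below the threshold. The thresholds are starting points; tune them against your own site's normal failure rate.<br />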
<br />
<b>A real world example - </b><b>How Facebook Is Protecting Their Users</b><br />
<br />
Facebook was not compromised in any of these recent attacks; however, as a large target and an organization that is acutely aware of the risk of third party breaches, their security group took <a href="http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/">immediate action</a>. Facebook mined the compromised data from the Adobe breach to identify Facebook accounts that were potentially at risk, and enabled additional security controls for any account within the Adobe breach that used the same password on Facebook.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpT9ss0p_UHoPBSkj61vsepepc2hZbvBrno9ohdjhBY6u-1_wCg2-PqjbkIWkb__K8KDO1OGGwkxwEH2QgW_IK5eHKURunO-nyUnk7NDFzmw-7mIC-lW1dOvePSeOdYmDf6cGmq-bN45U/s1600/fb-message-600x238.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpT9ss0p_UHoPBSkj61vsepepc2hZbvBrno9ohdjhBY6u-1_wCg2-PqjbkIWkb__K8KDO1OGGwkxwEH2QgW_IK5eHKURunO-nyUnk7NDFzmw-7mIC-lW1dOvePSeOdYmDf6cGmq-bN45U/s320/fb-message-600x238.png" width="320" /></a></div>
<br />
<b>What You Can Do - Comparing Compromised Passwords with Your Web Application's User Info</b><br />
<br />
Here's how to check whether the password information within a data breach may put your users at risk. Note: this may not be realistic for every organization to perform due to the technical requirements and resources needed.<br />
<ol>
<li><b>Obtain the compromised user data</b> - Download a data dump of the compromised information. This may take some searching but the information is available online.</li>
<li><b>Determine the passwords associated with user email addresses </b>- This step is straight password cracking. The work required will depend on the original method used by the website to protect their passwords. Unfortunately, in many cases the passwords are poorly protected with either encryption or a weak hash such as MD5. The current best practice for password storage is bcrypt or PBKDF2. <a href="http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/">Read here</a> to find out how Sophos analyzed the Adobe breach.</li>
<li><b>Test Your User Passwords</b> - Next we need to compare the compromised data with your web application's usernames and passwords. Important: this step does not require you to view the passwords of your users. Instead, we'll simulate the login process in your application to validate whether the compromised password from the breached website matches the user in your web application. Here are the steps:</li>
<ol>
<li>Compare the usernames within the breached data (from step 1) with usernames in your web application. Note any matches. These are the accounts we want to test in your application.</li>
<li>Work with your development team to identify the authentication routine for your web application. This will include a step where the password provided by the user is hashed and then compared against your data store of usernames and hashed passwords.</li>
<li>Build a script to perform the hash and database comparison. The purpose of using a script is to avoid having to manually interact with your website UX for each test.</li>
<li>Take the list of impacted usernames (from step 3.1) and their actual passwords (from step 2) and run them through the script (from step 3.3). If a login is successful then we've identified a reused password that is at risk.</li>
</ol>
<li><b>Protect your users</b> - For any matches in step 3.4 you'll want to immediately take action to protect their account. This can include locking their account, forcing a password reset, or whatever actions are typically taken by your organization in the event of account takeover.</li>
</ol>
<b>What You Can Do - Securely Store Your Passwords</b><br />
Ensure you protect password data in your application by using an appropriate hashing algorithm. Approaches such as encryption, MD5 hashing or any sort of home-made manipulation are not sufficient. Instead you should use scrypt, bcrypt or PBKDF2. More information on password storage can be found at the <a href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet">OWASP Password Storage Cheat Sheet</a>.<br />
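The following is an added example, not the post's own code. It carries out steps 3.1 through 3.4 from the checklist above against a user store protected the way this section recommends (salted PBKDF2-HMAC-SHA256 from Python's standard library), so the check runs the cracked breach password through your own verify routine and never needs your users' plaintext passwords. The user list, their signup passwords and the "breach dump" are all constructed for the example; the helper names are my own.<br />

```python
"""
Added example, not the post's own code: steps 3.1-3.4 above carried out
against a user store protected the way this section recommends (salted
PBKDF2), so the check never needs your users' plaintext passwords.
The user list, their passwords and the breach dump are all constructed.
"""
import hashlib
import hmac
import os

# Iteration count is a tuning knob: raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) for PBKDF2-HMAC-SHA256 with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Re-derive with the stored salt and compare in constant time."""
    _, derived = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(derived, digest)


def build_user_store(signups):
    """signups: {email: password} as captured at registration (constructed)."""
    return {email.lower(): hash_password(pw) for email, pw in signups.items()}


def find_reused_credentials(breach_dump, user_store):
    """Return our users whose breached password also opens their account here.

    Step 3.1: keep only breached emails that belong to our users.
    Steps 3.2-3.4: push the cracked password through our own verify routine,
    exactly as the login form would, and record the successes.
    """
    at_risk = []
    for email, cracked_password in breach_dump:
        record = user_store.get(email.lower())
        if record is None:
            continue
        salt, digest = record
        if verify_password(cracked_password, salt, digest):
            at_risk.append(email.lower())
    return at_risk


# Constructed data: three of our users and a three-row "breach dump".
OUR_SIGNUPS = {
    "alice@example.com": "correct horse battery staple",
    "Bob@example.com": "hunter2",
    "carol@example.com": "P@ssw0rd-2013",
}
BREACH_DUMP = [
    ("alice@example.com", "correct horse battery staple"),  # reused here
    ("bob@example.com", "a-different-password"),            # not reused
    ("mallory@other.test", "hunter2"),                      # not our user
]


def run_check():
    """Build the store from the constructed signups and run the reuse check."""
    store = build_user_store(OUR_SIGNUPS)
    return find_reused_credentials(BREACH_DUMP, store)


if __name__ == "__main__":
    for email in run_check():
        print(f"{email}: breached password also works here, force a reset")
```

The list returned is the input to step 4: lock or force a reset on each of those accounts. The same PBKDF2 cost that makes each verify call here take a noticeable fraction of a second is what makes step 2 expensive for an attacker against your own database if it is ever stolen; with unsalted MD5 or reversible encryption, the kind of storage the breaches above used, that step is cheap.<br />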
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-49521778483497237732013-11-15T09:33:00.004-08:002013-11-15T09:33:44.168-08:00Support OWASP Outreach - Just a few moments today really helps<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXwBYrpHpR8P0m6x4FwZPo9NttQ9ZsegwDUSoSiqm5HcCE4GiAjr-cKebN6ciNm2Y9GzyyBkPwer4zM9Fzp8KAzzTa-NowoXoZaf_31rzhNPO95FZ50tKVaESk0orrKYQoDFL0jzftnvk/s1600/OWASP-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXwBYrpHpR8P0m6x4FwZPo9NttQ9ZsegwDUSoSiqm5HcCE4GiAjr-cKebN6ciNm2Y9GzyyBkPwer4zM9Fzp8KAzzTa-NowoXoZaf_31rzhNPO95FZ50tKVaESk0orrKYQoDFL0jzftnvk/s320/OWASP-logo.png" width="320" /></a></div>
<br />
OWASP is a worldwide nonprofit organization with a mission of making application security visible for all. In short, we're trying to make the world a better place by providing free security resources and communities.<br />
<br />
If OWASP has helped you or your organization please consider supporting our nonprofit. Here are a few ways to help:<br />
<br />
<ul>
<li>Support our <a href="https://www.thunderclap.it/projects/6403-hackers-hit-time-square-nyc">Thunderclap outreach effort for AppSecUSA</a>. This is totally free. </li>
<ul>
<li>If we reach 100 supporters, Thunderclap will send a single message via each supporter's chosen platform (Facebook, Twitter, etc). That's it, and we can potentially reach 50k+ people. However, if we don't reach the minimum number of supporters we get nothing.</li>
<li>https://www.thunderclap.it/projects/6403-hackers-hit-time-square-nyc<br /></li>
</ul>
<li><a href="http://appsecusa.org/2013/">Attend OWASP AppSecUSA</a>. The event is next week in NYC and will be the most concentrated group of application security professionals in the world. There is an amazing lineup of speakers and events.<br /></li>
<li>Support your <a href="https://www.owasp.org/index.php/OWASP_Chapter">local OWASP chapter.</a> We have chapters in over 100 countries around the world. Find your local OWASP chapter here.<br /></li>
<li>Consider <a href="https://www.owasp.org/index.php/Membership">supporting the OWASP foundation</a>. We offer all of our resources, including <a href="http://owasp.org/">owasp.org</a>, for free. We'll be able to continue offering these great items as a result of our supporters. </li>
</ul>
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-71384177046351939502013-11-12T10:52:00.000-08:002013-11-12T10:53:06.488-08:00DevBeat - Developer First Security Integrating Security into DevelopmentI presented to a great developer crowd today at <a href="http://venturebeat.com/events/devbeat2013/">VentureBeat's DevBeat</a> conference in San Francisco. Here are the slides and a few pictures from the event.<br />
<br />
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/28168462" width="476"></iframe>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI8uSNFX2vYs4jIIdfy5FwsZj4BT2wcBW1xNm_vnLbKsHCnmVgWnYZHQfvaDnGr0wxx5JxANgP-6CraUjzp7gTrpVue4AzdCOjjdrS563ufNZ-xummS8JPdrwI5iOGKtIWTBS786Iy790/s1600/TECH9392-X2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI8uSNFX2vYs4jIIdfy5FwsZj4BT2wcBW1xNm_vnLbKsHCnmVgWnYZHQfvaDnGr0wxx5JxANgP-6CraUjzp7gTrpVue4AzdCOjjdrS563ufNZ-xummS8JPdrwI5iOGKtIWTBS786Iy790/s1600/TECH9392-X2.jpg" height="213" width="320" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkSAmtV5IDai2cRaHu_oPzFQkVuegpNfhIb612gc3hLx2Av-m7OQ6ED1z0NNzQCvi8oCV-ZcgCQymoHK7iRJceagF6V0-yOIQB1a0HojhQTOMk236Op6jPcX23LhyphenhyphenBWMsZ-xD-im5o5us/s1600/TECH9410-X2.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkSAmtV5IDai2cRaHu_oPzFQkVuegpNfhIb612gc3hLx2Av-m7OQ6ED1z0NNzQCvi8oCV-ZcgCQymoHK7iRJceagF6V0-yOIQB1a0HojhQTOMk236Op6jPcX23LhyphenhyphenBWMsZ-xD-im5o5us/s1600/TECH9410-X2.jpg" height="213" width="320" /></a><br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-34106787012624780952013-11-11T10:49:00.005-08:002014-09-08T16:31:13.870-07:00Virtual Security Training Lab - Setup Instructions<br />
Below are the setup instructions to configure a virtual security training lab that runs within an isolated virtual machine. Using this lab you can perform hands-on security testing against a variety of prominent application security flaws, including those in the OWASP Top 10.<br />
<br />
The lab requires the following software (all free):<br />
<br />
<ul>
<li>Virtual Environment</li>
<ul>
<li><a href="https://www.virtualbox.org/wiki/Downloads">VirtualBox</a></li>
</ul>
<li>Web Proxy </li>
<ul>
<li><a href="https://code.google.com/p/zaproxy/wiki/Downloads?tm=2">OWASP ZAP</a></li>
</ul>
<li>Security Testing Lab </li>
<ul>
<li><a href="http://sourceforge.net/projects/owaspbwa/files/1.1.1/">OWASP Broken Web Apps (BWA) </a></li>
<li>OWASP BWA includes the target software OWASP WebGoat</li>
</ul>
<li>Java SE - may already be installed on your device. No specific version needed.</li>
</ul>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/28126110" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" width="427"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/michael_coates/lab-setup-28126110" target="_blank" title="Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP">Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP</a> </b> from <b><a href="http://www.slideshare.net/michael_coates" target="_blank">Michael Coates</a></b> </div>
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-52629725912252363422013-10-31T11:47:00.000-07:002013-10-31T11:47:14.521-07:00OWASP Bay Area - Social Hour in San Francisco on 11/6<div>
The next OWASP Bay Area social hour is scheduled for Wednesday, November 6 in San Francisco, hosted by Lending Club! Our first social hour was well attended and people really enjoyed it. Please join us for our 2nd event in San Francisco.<br />
</div>
<b><br /></b>
<div>
<b>RSVP Here:</b><br /><a href="http://owasp-bayarea.eventbrite.com/" target="_blank">http://owasp-bayarea.eventbrite.com/</a><br /><i>(RSVP is needed to gauge attendance)</i><br /><br /><div>
<strong>When:</strong></div>
<div>
Wednesday 11/6/13</div>
<div>
5:30-7:30pm<br />Space and drinks will be provided by our event host Lending Club</div>
<div>
<br /></div>
<div>
<strong>Where</strong>:</div>
<div>
Lending Club</div>
<div>
Stevenson Place Building - 2nd Floor</div>
<div>
71 Stevenson St</div>
<div>
San Francisco, CA 94103<br /></div>
<div>
<b>Parking</b>/<b>Travel</b></div>
<div>
The office is near the Montgomery BART/Muni station.</div>
<div>
If driving, a parking garage is located at 123 O'Farrell St.</div>
<div>
Street parking will be difficult. </div>
<br /><br /><div>
<strong>The purpose of the OWASP social gathering is:</strong><br />
<ul>
<li>Informal security chat - the benefits of "hallway con" and security talk with others in the industry</li>
<li>Networking - meet other people in the field and industry</li>
<li>After work drinks - a nice break after a long work day</li>
</ul>
</div>
<div>
Note: These events won't have any formal presentations. They're
meant to be social gatherings to meet others in the industry and chat
about security. Check our quarterly OWASP Bay Area schedule for the
security presentation events.</div>
<div>
<a href="https://www.owasp.org/index.php/Bay_Area" target="_blank">https://www.owasp.org/index.php/Bay_Area</a></div>
Is your organization interested in hosting an OWASP social hour in
the bay area (San Francisco, South Bay, East Bay)? Contact
<a href="mailto:michael.coates@owasp.org" target="_blank">michael.coates@owasp.org</a><br />
<br />
<br /></div>
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-65416306041043099332013-09-26T17:50:00.004-07:002013-09-26T17:50:54.094-07:00Scaling Web Security - JavaOne Security TalkThis week I spoke at JavaOne on scaling web security programs. It was a great event and I enjoyed the chance to speak to a great crowd of developers and security individuals.<br />
<br />
Presentation below. Enjoy. <br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="https://www.slideshare.net/slideshow/embed_code/26599020" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" width="427"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/michael_coates/2013-michael-coatesjavaone" target="_blank" title="2013 michael coates-javaone">2013 michael coates-javaone</a> </b> from <b><a href="http://www.slideshare.net/michael_coates" target="_blank">Michael Coates</a></b> </div>
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-43853380367866335752013-09-24T21:31:00.001-07:002013-09-24T21:31:57.080-07:00Moderated Application Security News Feed from OWASP<a href="http://feeds.feedblitz.com/OWASP">OWASP's moderated application security news</a> feed has returned! We have a new RSS link so please <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxaocCF2SkDEmNvQlmnBev-BF0AB8TTN-0NilBA0I0U0LOGeqfQPLoxocbR6YZ3cwyq57DR10iGLjcCtJhsYDwVVAm8skTNCLQjEgcTxdeVtF2hHik2GWiXQ3MhBiRQg-PmIFpbIfIcwI/s1600/owasp_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxaocCF2SkDEmNvQlmnBev-BF0AB8TTN-0NilBA0I0U0LOGeqfQPLoxocbR6YZ3cwyq57DR10iGLjcCtJhsYDwVVAm8skTNCLQjEgcTxdeVtF2hHik2GWiXQ3MhBiRQg-PmIFpbIfIcwI/s200/owasp_logo.jpg" width="200" /></a></div>
update your RSS readers with the new information.<br />
<br />
The Feed:<a class="external free" href="http://feeds.feedblitz.com/OWASP" rel="nofollow"> http://feeds.feedblitz.com/OWASP</a><br />
Syndicated on twitter: <a href="https://twitter.com/OWASP_feed">@OWASP_feed</a><br />
<br />
Know of a good application security blog that should be included? Please submit it for consideration <a href="https://docs.google.com/a/owasp.org/forms/d/1nZ-fexl0uKRkdxnDOy-smJQEYYiIwiK2EGAmMVItWWM/viewform">here</a>. Lastly, OWASP is free and open so if you're curious how the AppSecNews feed is run then check out the details <a href="https://www.owasp.org/index.php/AppSecNews_Curation">here</a>.<br />
<br />
Many thanks to <a href="https://twitter.com/planetlevel">Jeff Williams</a> for running the AppSecNews feed for the first 8 years. Thanks also to <a href="https://twitter.com/manicode">Jim Manico</a> and <a href="https://twitter.com/OWASPgirl">Sarah Baso</a> for investigating various platforms to restart the new AppSecNews feed!<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8004175896926148334.post-20436329280259733212013-09-18T03:00:00.002-07:002013-09-18T03:00:22.028-07:00Security Capabilities Comparison (HSTS & CSP) for Mobile & Desktop BrowsersCompliments of the great website <a href="http://caniuse.com/">caniuse.com </a><br />
<br />
<br />
<div style="text-align: center;">
<b>Mobile Comparison
</b></div>
<a href="http://caniuse.com/stricttransportsecurity/embed/agents=mobile&eras=-3,&links">Strict Transport Security</a>
<iframe height="300" scrolling="yes" src="http://caniuse.com/stricttransportsecurity/embed/agents=mobile&eras=-3,&links" width="600"></iframe>
<br />
<br />
<br />
<a href="http://caniuse.com/contentsecuritypolicy/embed/agents=mobile&eras=-3,&links">Content Security Policy</a>
<iframe height="300" scrolling="yes" src="http://caniuse.com/contentsecuritypolicy/embed/agents=mobile&eras=-3,&links" width="600"></iframe>
<br />
<br />
<br />
<div style="text-align: center;">
<b>Desktop Comparison </b></div>
<div style="text-align: center;">
<br /></div>
<a href="http://caniuse.com/stricttransportsecurity/embed/agents=desktop&eras=-3,&links">Strict Transport Security</a>
<iframe height="300" scrolling="yes" src="http://caniuse.com/stricttransportsecurity/embed/agents=desktop&eras=-3,&links" width="600"></iframe>
<br />
<br />
<br />
<a href="http://caniuse.com/contentsecuritypolicy/embed/agents=desktop&eras=-3,&links">Content Security Policy</a>
<iframe height="300" scrolling="yes" src="http://caniuse.com/contentsecuritypolicy/embed/agents=desktop&eras=-3,&links" width="600"></iframe>
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a><br />
<br />
<b>OWASP Bay Area - Social Hour in Mountain View on 9/25</b> (2013-09-17)<div>
Our first Bay Area OWASP social hour(s) will be in Mountain View on Wednesday, September 25th and will be hosted by <a href="http://shapesecurity.com/">Shape Security</a>.<br />
<br />
The event starts at 5:30pm. Swing by for an after work drink or join us when that last late day meeting ends.</div>
<div>
<div>
<div>
<div>
<br />
<a href="https://owasp-bayarea.eventbrite.com/" target="_blank">https://owasp-bayarea.eventbrite.com/</a><br />
<i>Please RSVP so we can gauge attendance</i><br />
<br clear="all" />
<div>
<div dir="ltr">
<br />
The purpose of the OWASP social gathering is:<br />
- informal security chat - the benefits of "hallway con" and security talk with others in the industry<br />
- networking - meet other people in the field and industry<br />
- a nice break after a long work day</div>
</div>
</div>
</div>
</div>
</div>
<br />
<br />
<div>
Note: These events won't have any formal presentations. They're
meant to be social gatherings to meet others in the industry and chat
about security. Check our quarterly OWASP Bay Area schedule for the
security presentation events.</div>
<div>
<a href="https://www.owasp.org/index.php/Bay_Area">https://www.owasp.org/index.php/Bay_Area</a></div>
<div>
</div>
Is your organization interested in hosting an OWASP social hour in
the bay area (San Francisco, South Bay, East Bay)? Contact
michael.coates@owasp.org<br />
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a><br />
<br />
<b>OWASP Framework Security Project</b> (2013-09-04)<br />
<i>The most effective way to bring security capabilities to developers is to have them built into the framework.</i><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrIQhE3cSsjOQJddWlot2WBD_0ShbZ53B5asIO40Dkuof5LiiFSLWdF26B-6dPN2Wvih_HEPtV_LBBQdsG9BHnNUHaHNYiXs_HXnGt4M2mGX1J-3Bx44OTe-BTELvZB4swiREwACRklM/s1600/owasp_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrIQhE3cSsjOQJddWlot2WBD_0ShbZ53B5asIO40Dkuof5LiiFSLWdF26B-6dPN2Wvih_HEPtV_LBBQdsG9BHnNUHaHNYiXs_HXnGt4M2mGX1J-3Bx44OTe-BTELvZB4swiREwACRklM/s200/owasp_logo.jpg" width="200" /></a><br />
With the above goal I've started the <a href="https://www.owasp.org/index.php/OWASP_Framework_Security_Project#tab=Main">OWASP Framework Security Project</a>.<br />
<br />
<b>Get Involved</b><br />
Please join the <a href="https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project">mailing list</a> or jump in and start contributing to the <a href="https://www.owasp.org/index.php/OWASP_Framework_Security_Project#tab=Main">wiki</a>.<br />
<br />
<b>What is the OWASP Framework Security Project?</b><br />
The OWASP Framework Security Project focuses on identifying the security controls that are missing from popular frameworks and coordinating with developers and framework leaders to integrate those controls effectively. The project requires collaboration among security experts, security-minded developers, and framework developers and leaders. Its primary deliverable is source code that is accepted into the frameworks themselves. The OWASP Framework Security Project will maintain documentation indicating which security controls have been accepted, with links to the code and documentation at each framework.<br />
<br />
<b>Needs</b><br />
<ul>
<li> <b>Framework Developers</b> - We need your help to build the
security controls that will get accepted upstream into the framework.
You have the best knowledge on development practices, code style, and
knowledge of the framework to get new code accepted.
</li>
</ul>
<ul>
<li> <b>Security Professionals</b> - We need you to help research
and catalog the security controls available in various frameworks. Our goal
is to produce a clear matrix of available and missing security
controls by framework.
</li>
</ul>
<ul>
<li> <b>Framework Leaders</b> - Do you lead a key portion of a framework? Let's work together to understand the best way to get new security controls added.
</li>
</ul>
<br />
<br />
<br />
-<a href="http://michael-coates.blogspot.com/">Michael Coates</a> - <a href="https://twitter.com/_mwc">@_mwc</a>