Category Archives: Uncategorized

External Network VAPT: tools, information sources

Photo by Sean Musil on Unsplash

This is a live post; it will undergo changes, which are captured in change log, provided at the end of this post.

Being part of many external VAPT engagements, one thing was clear from outset — methodology is the key, but so are the information sources & tools for conducting the VAPT.

This series is my attempt to record all the tools and information sources that have been helpful to me over the last few years.

Traditionally, external VAPT can be divided into the following major phases:-

External VAPT, Process Flow

In this article, we will try to cover the first 2 phases — basic pre-engagement & reconnaissance.

Basic Pre-Engagement

It is very tempting to start an external penetration test as soon as customer asks us to. After all, we can perform this test from our current location (no need to travel to customer’s site to perform test) and,

Who cares about that silly thing called documentation? Turns out, except us, everyone.

Your customer wants it so that they can compare, at the end of test, whether the entire perimeter has been accessed or not (in other words, did we leave anything out);

Your boss / management (any other role who is a decision maker in your hierarchy) wants it so that they know we didn’t do more than we were asked to (scope creep is not mythical) & that we did all that we were supposed to;

So, here are the things that one should keep in mind before starting an external penetration test


Scope of work

Is entire perimeter to be tested, or few IP addresses?

Few customers will share the list of external IP addresses to test and won’t be happy if you stray from that list. Few other customers would want you to tell them the attack surface (in other words, what IP addresses of ours are exposed publically) before they give us permission (for full or partial test).

Type of test (black box, grey box, white box)

Black box — we won’t tell you anything about our network, the type of machine under that IP, etc. We want to see what an external attacker would do.

Here, you will have to make it clear that uptime of external IPs are not your responsibility. You will need their IT staff to be on standby during the test so that they can monitor the network and devices for any performance hit. You will be expected to stop when they ask you to.

Grey-box — we will give you some information (e.g., IP address space, type of devices, make / model, etc.).

The expectation here, from customer, usually boils down to one line — now that we told you the things that we have on our external network (and potentially saved you lot of time), what vulnerabilities are we exposed to?

Is physical security testing part of scope?

If it is, i suggest you get your get-out-of-jail card before moving a muscle. Also called “authorization letter”, this document (signed by an authorized signatory — may or may not be the CISO / CIO but the person who is legally authorized to sign agreements on behalf of the company) will help you when you get caught in a mis-understanding with local cops. The coalfire incident has shown how important is this document. So get this before starting the pentest of any service / infrastructure that is business / mission — critical for your customer. TrustedSec has made a host of legal documentation available for no cost (thank you guys!) to facilitate legal boundaries around your physical security pentest. I recommend you have a look at them.

Few more pointers:-

https://www.techrepublic.com/article/dont-let-a-penetration-test-land-you-in-legal-hot-water/

https://www.securitymagazine.com/articles/88489-penetration-testing-by-letter-of-the-law

https://securitycurrent.com/legal-issues-in-penetration-testing/

Report Deadline

Very important. End of testing is different from end of engagement. Testing ends when it ends (!). However, reporting is another, separate activity. Reporting starts after testing is over. You must schedule some time for this.

Preferred timings of test

Some customer would want you to initiate the test when no one is in office (out of working hours). Few customers would ask you to initiate the test during working hours. You have to document this.


Reconnaissance

Wikipedia defines it as

Credit to Wikipedia

The third definition relates to the objective of network recon. There are 2 major ways to perform recon — one that makes a lot of noise, letting everyone know that you are onto them (active) while the other is more sneaky, stealthy (passive).

Passive Recon

Many people have written lot about it. However, i have few points to mention here:-

Whether you have IP address or a domain name, you need to find ASN (Autonomous System Number) belonging to that company first. The benefit — it will help you find all the IP ranges that belong to the company. You can use below links to find ASN from a domain name or IP address:-

You would also want to look at sub-domain enumeration. Utilize the following tools

  • Amass
  • Censys
  • Shodan
  • Spiderfoot
  • Virustotal
  • ViewDNS.info
  • VHostScan (https://github.com/codingo/VHostScan)
  • Google Transparency Report (transparencyreport.google.com)
  • CertSpotter
  • CertDB
  • Crt.sh

Active Recon

This is where we interact directly with the customer infrastructure. The tools that could be utilized in this activity include, but are not limited to, the following:-

So that’s all for now. We will expand on this series soon.

How to download Nessus Pro using cURL…

assuming you have a valid account with tenable and have paid for your license.

Problem Statement

You are setting up a cloud server to conduct Nessus scans. You don’t have access to ssh (due to various reasons, let’s not go there). you are using cloud console. How would you download Tenable Nessus Pro on your cloud machine?

curl --request GET --url https://www.tenable.com/downloads/api/v2/pages/nessus/files/Nessus-8.7.1-debian6_amd64.deb  --header “Authorization: Bearer <auth-code-here>” --output ./fileName.deb

Process Myths, Busted

This article was published by me on LinkedIn earlier.

— — — — — — — — — — — — — — — — — — — — — — — — — –

Disclaimer:- All of what is written here is my own opinion. ‘nuf said.

Raise your hands if you have heard / said these lines before:-

  • “This is not our job, this is the job of documentation team”
  • “I’ve many important things to do and deliver, I don’t have time for process”
  • “Process, what is this? We are doing fine here without it, we don’t need process here”.

This term ought to take the cake for oft abused / misused one apart from “housewife” (that is the MOST abused term on this planet IMHO. I think they deserve a LOT more respect than they get, but i digress).

I also think that knowledge of process is an evolutionary primitive to move up the corporate ladder because nothing provides a better view of the corporate than process.

This post is an attempt to explain the term from my perspective. Suggestions, remarks, feedback are welcome.

MYTH #1 — Process means documentation

Process is a way of doing things.

That’s it.

That’s what process is — A way of doing things. Say this again, and again and again, till your mind hurts and you cannot think further.

If you are following some steps to achieve an aim and if you are following a path (Ok, any path, your path, my path, some path) you are following a process (whether you like it or not). If you dream of reams of documentation in your sleep with reference to process, then I am sorry because it was never meant to be thought of in such a way.

Let’s pick some very common processes:-

  1. The process of going from one place to another
  2. The process of translating requirements into working software
  3. The process of capturing requirements from client;
  4. The process of eating / sleeping / buying things / selling things ….. you get the drift.

Just because it has not been documented, doesn’t make it a non-process.

MYTH #2 — It’s not process if it ain’t best practice

Now, this actually hurts. Best practices have a way of hurting like no one else. We have gotten results — good results, with satisfied customers — with less-than-best-practices. Also, has anyone seen a definition of it, lately?

Practically, if it works for your team, helps you repeat the success again and again, then I guess it is a best practice, for your team.

Ok, if you insist, call it a better practice. But please, don’t call it the best, because it depends on a lot of things (# of people required to execute it, can it scale up/down, efforts required to implement it, clear ROI, etc.).

MYTH #3 — If it works for company A, it will work for company B

Nothing can be farther from the truth.

The line, when corrected, would include “may” instead of “will”.

A successful process implementation answers the following questions:-

  1. Does it account for the existing capabilities of the team (in other words, can the existing team do it, with their current skill set)?
  2. Does it provide a way to not only repeat the success, but also to record the failures?
  3. Does it take the number of people into account (in other words, process that requires 200 may not work for 20 member team, and vice-versa)?

Successful processes depend a lot on the balance between other 2 factors — people and technology (and here i was thinking that it is just for feel-good factor and CYA, meh). Which means you will not be successful if:-

  1. Technology and process is appropriate but people with required skills are not put to implement the process;
  2. Technology and people are appropriate but the process is outdated (e.g., no review mechanism, no record keeping even though technology implemented supports it, etc.);
  3. Process and people match but no technology in place to help them (e.g., a very complicated, industry-recommended and proven process to handle incidents without tools to identify them in the first place, no-IDS, anyone?);

Please let me know if these myths exist or it is just a figment of my imagination. Any feedback is welcome.

My Publications

Well, so far, i have not fared very well as far as content churn is concerned. Mostly because of my self-induced-coma-like-tamasic-laziness. My ancestors would have scoffed at it (maybe they already are. However, if my life is any indication, i think they are benevolent and merciful, like my parents. But i digress, again).

Here’s a partial list of things that i have published so far. Hoping to increase the quality in the times to come (Credit: Anton Chuvakin for inspiring the format): –

  1. Mar 2016, {ctrl+z} My Interview :: Here’s what is should have said (LinkedIn post); I have tried to re-capture the essence of an ISMS implementation through a-should-have-been version of an interview response that I gave long time ago.
  2. Mar 2015, ModSecurity — Manager’s Dilemma (un-edited version, published in march issue of OSFY); This article tries to explain why deploying WAF in general, and modsecurity in particular, makes sense for a manager.
  3. June 2014, Process Myths — busted (published as a post on LinkedIn); This post lists some of the customer impressions related to processes that i could gather and my response to those myths.
  4. Sep 2013, Importance of Maturity Models in ISMS (published in October issue of ClubHack magazine); This article discusses the importance of process and maturity models and their requirement for ISMS (Information Security Management System).
  5. Sep 2013, Why is host integrity monitoring important (published in October issue of OSFY); This article discussed the role of file integrity monitoring system in the present compliance and regulation landscape.
  6. Aug 2013, DSCI Security Framework for ISO 27001 Implementers (published in September issue of ClubHack magazine); This article discusses the DSCI Security Framework and its relevance for ISO 27001 implementers.


Interview of Akash Mahajan

My interview obsession started before Ajin Abraham. My first interview was with someone who defied quite a few stereotypes in making his mark on the india infosec scene.

Now, here’s is someone who started working in this field without fulfilling any checkpoint in a standard HR recruitment checklist. Yeah, no certification (Gods must be crazy!), However, he is famous not just for his involvement with NULL, Bengaluru (look ma, constitutionally correct pronunciation!) but also because he is an extraordinary presenter. The thing to look for is his style of presentation. The name – Akash Mahajan

So without much ado, here’s it.

ME — What is your online handle / real name (depending on your preferences)?

AM — Usually I use makash, in some places I use akashm. But mostly googling for Akash Mahajan will return most of the results about me.

ME — What do you do for a living?

AM — I help small and medium companies become secure. It starts with me supporting them in making their web apps, mobile apps secure, building internal app sec capability, usually extends to me making sure their servers and cloud networks are secure. Sometimes companies take my help in charting out long term strategy about their security choices. For a long time I worked as a freelancer in this field but since last year I registered as a private limited.

ME — Can you describe your journey?

AM — So I was on my way to becoming a java programmer. Not particularly a good one. While working on java related projects there was a massive network outage in my company. The internet was basically not working for a week because of malware outage. I wasn’t affected personally because I was using a linux box. When the infection reached the team subnet I was in my project lead allowed me to take a look. I was able to isolate the malware and remove it from the system fairly quickly. Once that was done, I shared my solution with the IT team and realized that I had a lot of fun doing this. Definitely more fun than writing java code. That is what started my infosec journey. I quit my job and joined a security products company. While working there learnt a lot about network security, application security, python scripting and virtual machine automation. One day in the month of June of 2008, I decided that I should try being a freelance security consultant for all the hundreds of companies in Bangalore.

ME — What were the challenges in your journey & how did you overcome them?

AM — I am not an engineer. Initially I never thought about going on my own. I got rejected by a bunch of companies for not being an engineer or not having a security certification. I got myself a Certified Ethical Hacker certification because companies started demanding it. Once I had a certification it was easier.

In our industry a bigger challenge is to keep yourself updated about latest security techniques etc. I did struggle with that a lot at the beginning. Then one day on twitter I posted about asking for security communities in India and Aseem responded. They had started null — The Open Security Community sometime back in Pune and were looking for people to grow it to other cities.

Having a community full of seriously talented people doing security day in and day out makes it far easier to know what is happening in this field. Not only that we have so many folks who are doing original research, so in some cases we get to see the newer stuff even before it becomes public.

ME — What are the most important things that you want to focus on in coming years?

AM — Building and taking null to every state in India. Build my company to doing high quality security research and offering testing services for various levels. Personally I would like to try adventure sports.

ME — What, in your opinion, will be most in-demand things from a security standpoint?

AM — Automation of security testing, deployments(devsecops), user data privacy and figuring out ways on how to trust 3rd party software and services.

ME — What, in your opinion, should the industry focus on?

AM — Industry as a whole needs to focus on building quality solutions. Also while profits are important industry should understand that in the knowledge economy a well trained work force is not only an asset but the returns from such a work force can be exponential.

ME — Where do you see the security industry heading to?

AM — More automation, instrumentation of solutions, deployments. Also more and more systems will be in the cloud.

ME — How can one become an expert in your field (not security in general, but the work that you are doing currently)?

AM — Practice, collaborate, publish, solicit feedback. Wash rinse repeat.

ME — Do you think bug bounties help?

AM — Bounties do help. At the very least bounties offer a short term incentive for more people to spend their quality time in finding bugs. And humans tend to love competition. The indirect benefits of bounties are that when more and more people starting bug hunting seriously they also get serious about collaboration, sharing of knowledge and it always helps when a group of people are focused towards a common objective.

ME — What is your vulnerability disclosure policy (ignore if not applicable)?

AM — I don’t disclose bugs.

ME — In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

AM — Internet usage will not decline. But yes it is possible that companies will spring up trying to get customers based on nationality etc. Governments tend to work towards exclusivity and sometimes inefficiencies get hidden due to the nature of how they operate. This will make sure that some parts of the world will be working with substandard software which if taken positively can mean better competition or a clear competitive disadvantage.

ME — What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

AM — Nothing at the moment. I am just trying to build the null security community, which sometimes is more hectic than even paid work that I do.

ME — What do you advice the newcomers who want to hop on to the information security bandwagon?

AM — There are enough and more avenues to learn, enough documentation, learning resources. What is required is that they take up a topic and get some indepth practice in that. For most things that you need to practice all you need is a virtual machine, some software and good documentation. Get started with that and they can quickly build capability in this field.

I usually tell newcomers to learn the following to get started.

1. Linux and Windows

2. TCP/IP basics

3. HTTP

4. HTML/ JavaScript

5. BASH, Python, Ruby, Java

Who am I

Well, aint it the most profound question!

I haven’t yet found an answer to this, however, i usually describe this body as-

I am an information security professional. I have some scary certifications that make people think highly of me till i open my mouth. Well….

This blog of medium is my renewed attempt (you seriously didn’t think that this is my first attempt at jabbing on the keyboard, did you?) to write about information security the way i want.

Look below for a more nuanced (and probably not-so-real) me:-

This body is much more than this

Please feel free to have a look around for the blog posts that i have written so far. A list of the articles that i have written elsewhere is also available here.

Interview of Ajin Abraham

Infosec has always fascinated me. After i wake up from my occasional slumber, i always look around to see if i can identify someone to admire (maybe it is the hero-worshipper in me). Off late, i have focussed on identifying people whom i like in infosec. I, then, pester them till they agree to give me an interview. I then post them questions over email, and they, well, respond over email. That’s how it works.

Today’s interview is with @ajinabraham.



I like Ajin Abraham because he hasn’t wasted much of his time in identifying his field of choice. Maybe that is the reason his body of work is so impressive (and he is young, so he has time on his side as well). So, without further ado, let’s talk to Ajin.

1. What is your online handle / real name (depending on your preferences)?

My online handles are ajinabraham or xboz in the dark past :).

2. What do you do for a living (company name not required, role / nature of work is preferred)

I am freelance security engineer, I do security engineering that includes developing security tools, security algorithms, pentesting mobile and web apps, code reviews etc. Apart form these I do applied security research and publish the outcomes at multiple security conferences. Also, I run an e-learning platform called OpSecX for security education and once in a while I do hands on live security trainings at security conferences.

3. Can you describe your journey in application security so far?

During school days, I was always curious on how games, software and os works. A teacher at school understood my fascination with computers and she taught me VB.NET. Unlike many others, I never started in C/C++ but instead in VB.NET and Microsoft Frontpage. I feel good about that now. At that age, everyone found C very boring and primitive. .NET and Frontpage offered great GUI experience and you could build a real application than printing fibonacci series.
It was applied programming that allowed me to create things that I imagine with ease. I could have never done anything better with C at that time and understand the beauty of application development if it was not for .NET. Eventually my curious mind took me to the internals of the applications where I started with reversing to understand the inner workings. The more I understand how applications work, the more I was able to use them in ways they are not intended to work. Later with the help of Google and StackOverflow, I learnt a great deal of things in Security and Engineering. I wrote security tools and published my research in the 2nd year of my Bachelors. Over years I found that there is a career that is in align with my passion and later got hired as an Application Security Engineer during the final year of B.Tech.

4. What were the challenges in your journey & how did you overcome them?

Today there are active community and security folks to guide someone in the security field. It was not like that when I started. The only help I had was Google and later StackOverflow. It was difficult for me to understand the concepts as I directly jumped into something before grabbing the fundamentals. Over time and experience I learned that I have to make my basics strong and clear. Thats when I started to learn everything from the fundamentals. It helped me a lot to understand things in depth.

5. What are the most important things that you want to focus on in coming years?

* Travel and explore the world and cultures.

* I am a petrol head, I love any thing that revs. More Drives and Rides.

* Keep my security knowledge updated. This is a rapidly changing field.

* Write more open source security tools, maintain the existing ones

* Do more application security research.

* Share what I have learned through trainings.

6. What, in your opinion, will be most in-demand things from an application security standpoint?

Skilled personnel. We have everything in large quantity but the quality is not that great. Even though I am not a fan of AI, it seems like Machine Learning and AI promises a lot of advancements in this field. But we need skilled persons to implement this at the first place. In India, Application Security is always viewed from a Job perspective and most people doesn’t give importance to Applied Research and the Academics side of it.

7. What, in your opinion, should the industry focus on?

Hire people based on skills over years of experience and certifications. Also make opportunities to build up quality resource over quantity. Promote application security research and develop that culture right from college or school.

8. Where do you see the application security industry heading to?

Application Security is fairly new compared to other branches of Security domain. I don’t know what we will have in the coming future but as more and more things move to cloud, we need solutions to defend them. Eventually we will have huge data sets which will definitely help the machine learning solutions to perform better with higher accuracy. I am also excited as you are, lets wait and watch.

9. How can one become an expert in your field (not security in general, but the work that you are doing currently)?

Rule 1: Passion or Interest is what keep you forward. (Don’t start if you don’t have it)
Rule 2: Give it Time and Patience
Rule 3: Always start with the fundamentals
Rule 4. Always learn, unlearn and relearn

10. Do you think bug bounties help?

I don’t personally like bug bounties as for me I found it a waste of time.

But it has couple of sides.

The good thing is it helps companies to save a lot on their budget for security, spend less but get applications tested by a large crowd.

For the participants it’s a good way to make money.

In the security industry, there is a new bread who claim themselves as bug hunters/ security researchers/ experts by finding few low hanging vulnerabilities in web applications. Some of them don’t even know how applications work. They don’t even know how the vulnerability occurs, how to fix it or how to report it professionally. Some of the bug bounty reports are hilarious (http://bugbounty.fail/).

I really admire and appreciate those 1% bug hunters who do real nice job, the guys who know their stuff. But others are pure disgrace to the industry. I am sorry to say it, but that’s the truth. This is what google says about their bug bounty program “Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security,”.

11. What is your vulnerability disclosure policy (ignore if not applicable)?

I use to do aggressive full disclosures in the past but currently follows a 30 days disclosure policy with few exceptions.

12. In the wake of PRISM, and other monitoring activities that are taking place, do you think Internet usage will decline? Reasons?

I don’t think the usage will decline. The interesting fact is, most Indians don’t really care about Personally Identifiable Information (PII). I haven’t seen that culture of defending privacy in India much.

13. What, apart from your regular work, are you doing in the field of information security (any open source work, tool, etc.)?

I do a lot of open source work, you can find it here: https://github.com/ajinabraham
Also I occasionally blogs about my research outcomes here:
https://ajinabraham.com/

14. What do you advice the newcomers who want to hop on to the information security bandwagon?

Start form the basics and fundamentals, learn how things work.

Always try to learn things by self. Ask only when you are really stuck. There is a great difference in learning and understanding by self and some one explaining it to you.
Use Google and StackOverflow.
Explore for there is no limits.

{ctrl+z} My Interview :: Here’s what I should have said

So, after a long time, i finally broke my jinx of not updating my blog! I hope to keep updating it more often now.

Life is a collection of memories. If you don’t have memories, you don’t have a life (which means you are dead. That is why Shiva — the lord of death — is also called “smarahara”. “smara” incidentally, is sanskrit word which has two meanings. One, it refers to kaamdeva — the god of love. It also means memories. Amazing language, isn’t it? But i digress). My information security career has also gifted me with many memories, one of which is this interview. I didn’t like one of my responses during the interview and i kept going back to it, for some reason.

I finally got the reason (or so i think). This LinkedIn post is an introspective attempt to articulate that reason. Please find a reproduction of the same below: –

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Being a thick skinned guy that I am, I usually don’t like to admit mistakes. Scratch that, I NEVER like to admit mistakes. However, there are instances when one, during introspective phases (I know, it is a big word, yipee-ka-yay — MS Word 2013), identifies his/her mistakes and what he could have done instead of how-could-I-do-it and wish-he-forgets-it type of things.

So, during one of those ‘aha’ moments, I realized a mistake that I happened to commit during one of my interviews.

The Question

Around the end of an interview, one of the interviewer asked me this question

“If you had unlimited budget, what would you have done to improve your organization’s security posture?”

Now, on the face of it, this is a pretty open ended question that allows you to articulate some of the key controls / strategies that you think would add value to an organization’s security posture. This question also allows an interviewer to probe the mind of the person who is being interviewed to gauge his priorities. AND, this is also the sort of question, the response of which, will open you up to scrutiny.

My Answer

When I faced the interviewer, I was on the way from a normal ISMS professional to a higher plane (by establishing a SOC or Security Operations Center). I was then struggling with handling incidents with limited resource and skill (more on skills and competencies in a later post), so my response was a reflection of my struggles:-

“Given unlimited budget, I would like to invest in a tool / technology / process which ensures that infected machines are isolated as soon as they are identified. Also, I would like to be able to analyze them faster”.

How wrong I was!

An organization’s security posture is dependent on the following 3 Ps:-

People, Process, Technology

People — The most important thing in the triad. If people

(a) don’t have an understanding of the information that they have and its value and

(b) don’t want to secure it (due to different reasons, and surprisingly, deliberate espionage doesn’t feature till the end of the list), you will not be secure no matter how many processes and technical measures you have.

Think of all the passwords that have been shared, all the intellectual properties lost due to people and you will get the drift of what I am trying to write here. Awareness sessions on information security DO’s and DON’Ts, communicating all and any process changes to all relevant people, assessments (both online and behavioral) to gauge how people treat information security when no one is watching are some of the things that an organization can do to ensure that people act their part to keep information secure while handling. All information security branding related activities would also come here. The branding activities could include posters, quizzes that includes giveaways, etc.

Process — I can never tire of saying this “The way you handle information will dictate how secure you can make it”. Please refer to this post to know more about my thoughts on this.

Technology — All technical gadgets worth their salt (e.g., DLP, SIEM, IDS / IPS, Firewall, etc.).

So, while technology is important, information security is inherently a people and business problem. It is perfectly possible to implement a cost-effective ISMS that is aligned to the business and it is equally easy to botch it by blindly implementing “best practices”.

What I should have said

“Given unlimited budget, I would invest in security awareness at all levels, coupled with good detection tools, a superb DLP tool, and a capable incident response team”.

Now that would be a better answer, don’t you think?

Client Data Security — Why and How

I have finally decided to break the jinx of not keeping my blog updated. I shall update it once a week. Here’s the post for this week.

In today’s fast changing business world, regulations related to security are pervasive, so much so that with every new project (whether in the same or a different geographical region as that of the client), comes a whole set of laws to carry out (to the letter) as far as client data is concerned. If there is anything that the law misses, it is covered in the contract.

The next question is — why do client put these clauses (related to their data privacy) in their contracts?
They put it there because if the information leaks/gets modified, the client is liable to suffer monetary & intangible losses (lawsuits, fines from government, damaged image, lost clients, etc.).

Hence, in order to make sure that we understand and commit to the security and privacy of client information, they put the relevant clauses in the contract.

Bottom line — client data is sacred, and any security issue related to it can come back to haunt us (legally and otherwise). Hence, it makes business sense to protect our client data.

This poses some challenges.

The challenge is — No one, in their right minds, would want to put client data at risk. However, by virtue of our work & our focus towards it, security sometimes takes a back seat. This is reflected in our activities (we can also call them habits, as they keep happening from time to time). Some of them are (the list below is indicative):-

1. Noting some crucial information on a piecec of paper and keeping it at a public place;
2. Sharing password so that any client information that you have is now easily accessible to others;
3. Not keeping your anti-virus software updated;
4. Clicking on a link in mail without checking it first;
5. Discussing/sharing sensitive client information with people who do not need it to do their work;

Human beings are creatures of habit. Habits are very important in security. If i have a habit of sharing my password, there is a high chance that people near me (with good or bad intentions) can get access to it; further, if i have a habit of not locking my machine while going away, it is possible for someone to look at a crucial information (of client or personal) & make use of it.

Below are some habits that are found to be helpful in increasing the security quotient of a project, and should be used by all to ensure that we do not compromise the security of client information:-

1. Secure your passwords
 While it is not always practically possible to remember a password that resembles Garnier Fructis (Long and Strong), one should understand that once you put a sensitive information like password somewhere other than your brain, you should protect it, lest it get into someone else’s hands.

2. Do not share your passwords
 Once a password is shared, it is no more yours. If you have to share it (due to project requirements), make sure that you do not re-use that password for any other purposes and that you change it as soon as possible.

3. Keep your anti-virus software updated
 While anti-virus software usually are put on auto-update by default, it pays to be vigilant and update it manually if the update gets failed (e.g., due to bad network conditions).

4. Be careful while clicking a link
 Most of the bad code (virus/trojan/worm, etc.) require your effort (unknowingly, of course) to get onto your machine. We do so by clicking on some link without checking it first, thereby getting a bad code on our machine.
Always check a link (by putting your mouse over it, not clicking) before clicking it. If the link is pointing to a direction (e.g., an IP address or some mis-spelt address), do not click it.

5. Do not share client information with anyone who does not need it
 Now this is tricky! How to find out if the person who is asking it needs it? A rule of thumb is — if the person does not belong to your project and is not authorized by your respective manager / superior, he/she should not have that information.

6. Lock your machine while leaving it unattended
 Leaving your machine un-attended is a dangerous habit as almost all the access rights/privileges are attached to our machine identities. As one moves up the corporate ladder (and sometimes depending on the project requirements), one gets access to information that is confidential in nature. This habit of leaving the system/desktop/laptop unattended & unlocked may prove disastrous (Think someone-stealing-a-file-that-your-VP-sent-for-your-eyes-only)!

OpenSAMM — Part 01

This is part of a series of presentations that i am going to create for explaining an open secure SDLC maturity model, called SAMM aka OpenSAMM. Click here to view the presentation.

Disclaimer — This is NOT an original work. I have taken help from the official presentation and some other articles/presentations available on internet. I regret that because i forgot to keep track of the sources, i cannot credit them properly in the presentation. However, if i get any information about the source, i will update this presentation with the credits. Would request people to get back to me if they have information on the sources.

Although it is generally believed that security should be in-built and not a patch after development, very few companies give it a try for one or more of the reasons:-

  1. There is little explicit demand (after all, my customers are not saying they want security, why should i bother? If i put some investment and cannot get it back, it’ll be bad for business, won’t it?);
  2. As a corollary to the above point, clients probably worry that if they demand security, maybe they have to pay for it (in terms of additional efforts and hence cost);

However, with SEC demanding that companies disclose “potential” security breaches (and this usually means that apart from companies to take notice of this fact, us compliance professionals can take little sadistic respite in the fact that we would be in little more demand 😉 ), i think companies better start demanding security in their applications (at-least those that come under purview of SEC).

OpenSAMM (or SAMM) is a maturity model that helps gauge the maturity of secure SDLC implementation in an organization. It also provides a benchmark against which similar efforts from different organizations can be judged. In retrospect, isn’t this how ISO propagated (capitalism, anyone?). Business wise, i think it makes perfect sense to demand security from a service provider, and then benchmark it against those of other vendors, makes ROI sense.

I gave this presentation at an OWASP Chapter Meet. Hope to finish the entire series in a couple of months. Watch this space for more!