In the latest Silver Bullet podcast Gary McGraw mentions that he feels web application security is attracting too much attention these days. In some ways I feel this observation is right, but in many ways I feel that it is dead wrong. In his book 'Hackers and Painters' Paul Graham makes a very compelling argument that most software should be available via the web. The idea is that most users don't really care about their platform, and providing software as a service frees users from all sorts of headaches. For instance, users don't have to upgrade their web-based software, they don't have to worry about hardware requirements, and they don't have to hassle with DLLs or anything like that.
It is a professional hazard in security to become stuck in a reactive stance, always running to put out the latest fire. Many security personnel find themselves in this mode and cannot seem to escape it. It is important, from time to time (and especially if it has never happened), to stop and take stock of the organization as a whole. No matter how pressing the issues of the moment seem, it is critical to examine your organization from the top down in order to develop, and maintain, an effective information security program. While this sort of planning can seem like a waste of time when very real threats are battering down the proverbial door of your defenses, a measured approach to your security response is what makes it effective, especially with limited resources. The first step toward this goal is gathering reliable intelligence about your own environment: accurate monitoring systems and well-written incident reports, so that priorities are set from evidence rather than from whichever alert is loudest.
Recently I've spotted an argument against pen testing gaining traction in the computer security industry. Articles such as Problems with Penetration Testing and Tenable Network Security's CSO Marcus Ranum's talk in Risky Business #85 are widening the dialogue about the issue. Having just returned from InfoSec Institute's Ethical Hacking training I feel pretty close to the issue. Much of the InfoSec Institute training is designed to prepare people to enter the pen testing field, so I basically spent a week observing the industry from within.
I've never been prouder to be an American, with our new president, Barack Obama!!!
I'm so happy that 9/11 won't be the most historically significant day of my life, but that 11/04/08 will overshadow that horrible day, and will be the one I tell my children about.
I contributed to the Obama campaign through LGBT Philadelphia, and saw Barack Obama speak in Philly. Standing in a crowd of gay people, cheering for the first African-American president, made me prouder than ever to be an American. The healing sentiment that is spreading amongst my countrymen and women, feeling kindred spirit across all forms of diversity, truly inspires me, and has restored my confidence in American democracy.
P.S.: For all my friends - I'd like to point out that I called this one ;)
I recently had another occasion to make a full disclosure and was chided by some of my colleagues for doing so. Many thought I shouldn't make a vulnerability announcement to a public list. I assume they felt that working with the vendor to fix the issue was a more responsible course of action.
In this particular case the personal information of organizational members was being leaked through a conference registration application. While I understand the desire to work with vendors to fix problems before publishing ("responsible disclosure"), I continue to disagree with the practice in most situations.
The internet security blog Security Aegis has just published an article, distilled out of interviews with some industry professionals, concerning the state of information security and the economy. As one of the interviewees for the piece I am of course biased, but I find it to be an excellent piece. It's interesting to note the commonalities between responses to questions about the field and the future. While these may not necessarily lend authority to the prognostications of the contributors, they certainly provide a valuable touchstone for the sentiment of those involved in the profession. The "conventional wisdom" may not provide an accurate roadmap for the future, but it is a great indicator of how people are feeling now.
I've been using Linux as my primary OS for a while now, but there are still a lot of tasks for which I need Windows. For instance, I have a CanoScan 4200f which doesn't have any Linux support at this time. Often, when you need Windows applications on a Linux box, Wine is sufficient. If, however, you need device support that is only available in Windows, then a virtualization solution is much more appropriate. I've tried out both VMware (Player and Workstation) and VirtualBox in order to meet this need, with varying success from each. I find that VMware tends to have much better networking support and options. For instance, it's easier to run multiple VMware images, each with its own bridged IP (meaning machines other than the host can see them).
There has been a lot of debate over the years about "full disclosure". This is the practice whereby security researchers publish their findings to the world. It's a thorny debate and my opinions have changed over time. I've been on the receiving end of a vulnerability disclosure in the past. In that case I only noticed the disclosure because I follow security announcements.