Infosec: Safer internet depends on private sector
Neelie Kroes, vice president of the European Commission, said business must play its part in the development of a more secure online world.
By Caroline Donnelly, 24 Apr 2012 at 17:38. The development of a safer, more secure internet will require greater ...
David Willetts: UK firms need to 'fess up to security boobs
Speaking at the Info Sec conference this morning, Willetts, whose remit includes cyber security, urged companies to be very honest in reporting their cyber security problems and system breaches. He said: I want large companies to be very frank about ...
InfoSec: The UK Drops FUD Bombs On BYOD
At least, that's the impression I was left with after an InfoSec 2012 briefing with BT and a number of its customers, including the Ministry of Defence and Norfolk County Council. Research from BT showed globally, 60 percent of businesses allow ...
by Michael S. Mimoso
You’d have to be a serious security curmudgeon to try to pick holes in the Microsoft SDL. The company’s security development lifecycle grew out of the Trustworthy Computing initiative, which turned 10 years old this year, and in many organizations, it sets the standard for secure development practices. At a minimum, it put secure development into the consciousness of many organizations and inspired a lot of companies to adopt bits and pieces, if not all, of the SDL.
No program is perfect, however.
Two security program managers working in the Microsoft Security Response Center (MSRC) shared a story during the SOURCE Boston Conference last week that’s worth repeating. Not too long ago, a security researcher reported a fairly serious vulnerability to Microsoft via its security reporting email address. It turns out, however, that Microsoft’s spam filter kicked in and the report sat in limbo for months in a spam folder (sometimes it’s the simplest details that get ya.)
The researcher waited a responsible, er, respectable period of time, and eventually went public with details on the vulnerability, thinking Microsoft had ignored the researcher’s efforts. Once the details went full disclosure, Microsoft had to rush an out-of-band fix for the vulnerability; the two program managers refused to reveal the flaw last week.
“Don’t trust spam filtering,” said Jeremy Tinder, one of the managers. “This one was a crisis. Now we read them all (up to 500 a day). We have dedicated individuals to this triage stage of our security response.”
Tinder and his colleague David Seidman explained the MSRC’s role in the SDL at Microsoft and how vulnerabilities are handled once reported—and suggested these are minimal steps that organizations building their own software could follow. It’s a well-reported process that involves several stages:
· Triage – Microsoft determines whether a reported vulnerability is a security issue or, for example, a coding or configuration error.
· Reproduce the issue – Microsoft tries to reproduce the security bug with the information provided by the researcher who reported it.
· Analyze the root cause – Once the MSRC is able to reproduce the issue, it determines how much user interaction is required to trigger it, and whether the affected configuration is one widely used by customers.
· Planning – Schedule a fix and move forward after determining the scope of what needs to be fixed and any variants that could also trigger the vulnerability.
· Variant testing/investigation – A critical stage where all possible variants are tested before a fix is released; the last thing the MSRC wants to do is release a fix and then have to re-release it.
· Implementation – The MSRC starts developing fixes immediately and tests in parallel, including whether other fixes cause regressions.
· Verification – Functional and regression testing ensures the patch fixes all attack vectors, doesn’t revert previous patches and doesn’t break applications.
· Release – More than a click of a button, Tinder and Seidman said; it involves having the infrastructure in place to push patches automatically, or to give enterprises the ability to choose when and how to apply them.
Ultimately, the MSRC shoots for 60 to 90 days to turn around a patch, depending on testing and any issues that could arise and cause a regression forcing the MSRC to start over.
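The two practical lessons above, the inbound report channel that must never be silently filtered and the stage-by-stage turnaround target, as an added Python example that is not Microsoft's code or the article's. It sweeps every mailbox folder for anything addressed to the security alias (so a spam verdict cannot hide a report), tracks each report through the stages listed, and flags reports that sit unacknowledged or beyond the release target. The alias, the SLA values, the "as of" time and the sample messages are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Assumed values for this example (not Microsoft's real alias or targets).
SECURITY_ALIAS = "secure@example.com"
ACK_SLA = timedelta(days=2)            # acknowledge a reporter within two days
RELEASE_TARGET = timedelta(days=90)    # upper end of the 60-90 day window in the article

# The MSRC stages as described in the article, in order.
STAGES = ("triage", "reproduce", "root-cause", "planning", "variant-testing",
          "implementation", "verification", "release")


@dataclass
class Report:
    msg_id: str
    sender: str
    received: datetime
    found_in: str                      # mailbox folder the message was sitting in
    stage: str = "triage"
    history: list = field(default_factory=list)   # (stage, left_at) pairs

    def advance(self, when: datetime) -> str:
        """Move to the next stage; returns the new stage name."""
        i = STAGES.index(self.stage)
        if i == len(STAGES) - 1:
            raise ValueError(f"{self.msg_id} is already released")
        self.history.append((self.stage, when))
        self.stage = STAGES[i + 1]
        return self.stage


def addressed_to_alias(msg) -> bool:
    """True if the security alias is among the To/Cc recipients."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return SECURITY_ALIAS in (addr.lower() for _, addr in getaddresses(headers))


def sweep(folders: dict) -> list:
    """folders maps a folder name ("inbox", "spam", ...) to raw RFC 822 messages.
    Every message addressed to the alias becomes a Report, whichever folder it
    landed in, so a spam verdict can never hide a vulnerability report."""
    reports = []
    for folder, raws in folders.items():
        for raw in raws:
            msg = message_from_string(raw)
            if addressed_to_alias(msg):
                reports.append(Report(msg["Message-ID"], msg["From"],
                                      parsedate_to_datetime(msg["Date"]), folder))
    return reports


def misrouted(reports: list) -> list:
    """Reports that never reached the inbox (filtered, quarantined, ...)."""
    return [r for r in reports if r.found_in != "inbox"]


def overdue_ack(reports: list, now: datetime) -> list:
    """Reports still untriaged past the acknowledgement SLA."""
    return [r for r in reports if r.stage == "triage" and now - r.received > ACK_SLA]


def past_release_target(reports: list, now: datetime) -> list:
    """Reports not yet released beyond the turnaround target."""
    return [r for r in reports if r.stage != "release" and now - r.received > RELEASE_TARGET]


# Constructed sample mailbox: one fresh report in the inbox, one report that the
# spam filter quarantined months ago, and one marketing message that must be ignored.
SAMPLE_FOLDERS = {
    "inbox": [
        "From: researcher@example.org\nTo: secure@example.com\n"
        "Date: Thu, 19 Apr 2012 08:00:00 +0000\nMessage-ID: <r-1@example.org>\n"
        "Subject: heap overflow in parser\n\nDetails attached.\n",
    ],
    "spam": [
        "From: anon@example.net\nTo: Security Team <secure@example.com>\n"
        "Date: Mon, 02 Jan 2012 09:00:00 +0000\nMessage-ID: <r-2@example.net>\n"
        "Subject: vulnerability report, please acknowledge\n\nWrite-up attached.\n",
        "From: promo@example.biz\nTo: sales@example.com\n"
        "Date: Mon, 16 Apr 2012 12:00:00 +0000\nMessage-ID: <ad-1@example.biz>\n"
        "Subject: FREE white paper\n\nClick here.\n",
    ],
}
AS_OF = datetime(2012, 4, 20, 0, 0, tzinfo=timezone.utc)   # constructed "now"

if __name__ == "__main__":
    found = sweep(SAMPLE_FOLDERS)
    for r in misrouted(found):
        print(f"escalate: {r.msg_id} sat in '{r.found_in}' since {r.received:%Y-%m-%d}")
    for r in overdue_ack(found, AS_OF):
        print(f"unacknowledged past SLA: {r.msg_id}")
    for r in past_release_target(found, AS_OF):
        print(f"beyond {RELEASE_TARGET.days}-day target: {r.msg_id}")
```

The design point is that the sweep keys on the recipient alias rather than on the spam verdict: a message to the security alias is promoted into the tracker from whatever folder it sits in, and the SLA checks run over the tracker, so a quarantined report surfaces as both "misrouted" and "unacknowledged" instead of ageing silently.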
And oh yeah, check those spam folders.
UK biz pays heavy price for skimping on security - PwC
By John Leyden, Infosec 2012. Hacking attacks against Blighty's top firms hit a record high according to figures for 2011. On average, each large organisation suffered 54 significant digital assaults in that 12-month period, ...
Security breaches costing UK firms billions
Bit9 wants to bin 'broken' antivirus, install whitelisting tech
By John Leyden, Infosec 2012. Bit9 is using the Infosec show as a launchpad for its move into Europe as part of its wider ambitions to displace traditional antivirus technologies from corporate desktops and data centres.
Brit upstart flogs cloudy SaaS to clipboard-waving bods
By John Leyden, Infosec 2012. UK-based startup SureCloud is flogging a cloud-based auditing and compliance platform at mid-market businesses with high info-security standards. SureCloud's Unified Compliance Platform pulls ...
SSH Communications Security Unveils SSH User Key Management Solution at ...
RealWire (press release)
London, UK – April 24th, 2012: SSH Communications Security, known the world over as the inventors of the SSH protocol, unveiled today at Infosec 2012, London the first new extension of its SSH Information Integrity Platform, SSH User Key Management.
Penetration Testing Book For Hackers & Security Professionals Published Just ...
PR Web (press release)
HackerStorm.com has published a new ebook aimed at ethical hackers and security professionals to enable them to create better test plans, test scopes and to grill testing consultants at InfoSec Europe about their services. 'Firewall Hacking Secrets For ...
GlobalSign Demonstrates iOS Device Authentication Solution for the Enterprise
PR Web (press release)
The increased risks that come with mobile devices accessing corporate networks will be a hot topic here at InfoSec in London this week, and we believe GlobalSign's iOS Identity Certificates are a perfect fit for the “bring your own device” era.
Posted by InfoSec News on Apr 23: Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>
Posted by InfoSec News on Apr 23: http://www.guardian.co.uk/media/2012/apr/23/colin-myler-news-of-the-world-scrutiny
Posted by InfoSec News on Apr 23: http://espn.go.com/espn/otl/story/_/id/7846290/new-orleans-saints-mickey-loomis-eavesdrop-opposing-coaches-home-games
Posted by InfoSec News on Apr 23: http://www.informationweek.com/news/security/attacks/232900691
Posted by InfoSec News on Apr 23: http://www.darkreading.com/compliance/167901112/security/news/232900802/do-s-and-don-ts-of-compliance-policy-development.html
GlobalSCAPE(R) Showcases Latest Solutions at Infosecurity Europe
MarketWatch (press release)
"Infosec Europe is a wonderful opportunity for GlobalSCAPE to reach out to the IT community and demonstrate the security and efficiencies our solutions can bring to organisations of any size," says Melinde Henderson, GlobalSCAPE's director of channel ...