
Weekends are usually a good time to catch up on the dreaded "D" word of IT professionals everywhere: Documentation.  Security is a process, and as such requires good documentation to drive those processes.  All organizations have (or should have) documentation to support their efforts and guide their work, typically in the form of a Site Security Plan, Change Control processes, Roles and Responsibilities, and so on.  These processes are in place to support constantly changing systems.  Updating the documentation is often a painful task that gets set aside in favor of less mundane and more intriguing work, so it is relegated to the weekend.


The landscape of technology, requirements, threats, and vulnerabilities changes every day, so the processes we use to manage these need to adapt as well.  One key to managing the documents is establishing an annual review process for the document library.  These reviews can be spread across the calendar year to distribute the work; larger documents can be broken into sections and assigned to team members for draft input and review over a period of time.  The review process should, where possible, include a review by a peer or colleague from outside the team, to provide objective feedback and analysis.


Any process works best when it is known, documented, and implemented, and Security processes require the same care and feeding as the systems they serve.  

tony d0t carothers --gmail


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

After the OpenSSL Heartbleed vulnerability [1] sent vendors of many products scrambling to issue patches to prevent data leakage, the Linux Foundation formed a new initiative [2] with several major technology companies to support critical open source projects such as OpenSSL, providing funding and helping to ensure greater reliability.

"The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests."[2]

Do you think this kind of initiative will improve open source projects?

[1] https://isc.sans.edu/diary.html?storyid=17917
[2] http://www.linuxfoundation.org/news-media/announcements/2014/04/amazon-web-services-cisco-dell-facebook-fujitsu-google-ibm-intel


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
