parsonsisconsulting

Parsons Software Security Consulting Blog

The secret to the CSSLP the beginning of the journey

leave a comment »

I am studying to become a CSSLP.  I have had my CISSP for a number of years and have been a programmer and ethical hacker for ten years.  I have my master’s degree in information security and management science and a bachelor’s degree in information science and human computer interaction.  I work for a very large security company.   I am taking the exam too and wanted to share my knowledge of studying for it with the blogsphere.    

The CSSLP examination tests the breadth and depth of a candidate’s knowledge by focusing on the seven domains which comprise the CSSLP, taxonomy of information security topics:

  • Secure Software Concepts – security implications in software development and for software supply chain integrity
  • Secure Software Requirements – capturing security requirements in the requirements gathering phase
  • Secure Software Design – translating security requirements into application design elements Secure Software Implementation/Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
  • Secure Software Testing – integrated QA testing for security functionality and resiliency to attack
  • Software Acceptance – security implication in the software acceptance phase
  • Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software

CSSLP stakeholders include:

  •    Auditors
  •    Top Management
  •    Business Unit Heads
  •    IT Manager
  •    Security Specialists
  •    Application Owners
  •    Developers & Coders
  •     Project Managers Team Leads
  •    Technical Archietects
  •    Quality Assurance Managers
  •    Business Analysts
  •    Industry Group Delivery Heads
  •    Client Side PM

https://www.isc2.org

Thanks Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com

Apple hacked!! Ethical hackers personal information hacked at Apple

leave a comment »

My fiancé was trying to download a movie today from iTunes when the security certificate was marked as invalid.  My first thought was did Apple get hacked?   She was trying to download the Jackie Robinson movie, 42.   I didn’t think anything of it and went back to my normal Sunday evening routine.   I was outside playing with our dogs in the yard when my iPhone alerted me of a new message.  

The message I received was the following.  
Image

I then did a little research and found out that Apple was indeed hacked and they were doing major over runs for maintenance.   Part of the problem is that first and foremost I am a an application security engineer and apple developer second.  I have been programming for 15 years and doing application security for 11 of those years.  I have been an apple developer for two years learning cocoa daily to one day strike it rich on an apple development idea. 

I was then thinking.   Apple has all of my sensitive information.   They have my social security number, my credit card, my name and address and my bank account number to deposit my application sales at least 60 percent of it to my bank account while apple profits 40 percent.  

I was thinking that man;  I am an ethical hacker and I got hacked.   It was not a good feeling.  It was a similar feeling when I found out my veteran’s information was hacked and they enrolled me in credit monitoring.  

I felt like a victim.   My career goal in life is to make more applications more secure.   I actually interviewed a few times with the apple development team and they told me I was not smart enough.   I do know this; if I was working with Apple, I would have been smart enough to encrypt all sensitive information.   I would have ensured that the confidentiality, integrity and availability of the application was met.  

I am not sure how this attacked happened but I am guessing from a web application vulnerability.   I believe if Apple hired a competent 3rd party unbiased application security engineer this would not have happened.   Attackers use the same tools and techniques that application security professionals do.   A thorough penetration test and a secure application review could have prevented this.  I pray for other consumers sake and companies that more companies take application security more seriously and reach out to non profit organizations like the open web application security project by training developers and hiring ethical third party security engineers to do software reviews to ensure the confidentiality, integrity and availability of data in systems and putting the proper security controls in place to prevent this from happening in the future.  

 

 

I hope that the most successful company getting hacked is a wake up call.   We need to train developers to program applications more securely and value the competent ethical third party application security engineers that review these applications.  

 

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

 

 

http://allthingsd.com/20130721/apple-developer-center-was-hacked-site-remains-down-while-company-overhauls-security/

http://www.businessinsider.com/apple-developers-site-hacked-2013-7

OWASP top 10 2013 Introduction

leave a comment »

OWASP top 10 2013

https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

   * A1-Injection

   * A2-Broken Authentication and Session Management

   * A3-Cross-Site Scripting (XSS)

   * A4-Insecure Direct Object References

   * A5-Security Misconfiguration

   * A6-Sensitive Data Exposure

   * A7-Missing Function Level Access Control

   * A8-Cross-Site Request Forgery (CSRF)

   * A9-Using Components with Known Vulnerabilities

   * A10-Unvalidated Redirects and Forwards

We are going to look at the new OWASP top 10 for 2013 starting with injection to unvalidated redirects and forwards.   We will go through each vulnerability and look at the attack vector, risks, how to exploit and how to remediate to protect an application from attackers. 

Thanks,

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Written by mparsons1980

June 27, 2013 at 12:26 pm

Cross Site Scripting and how to remediate

leave a comment »

When input isn’t properly validated and encoded Cross Site Scripting or XSS is possible.   This is when an attacker is able to execute a dynamic script.   To prove that a page is vulnerable to XSS I usually just do an alert pop up stating “XSS found by Matt”.   A black hat hacker can use this vulnerability to steal the user’s credentials or mounting phishing attacks or man in the middle attacks.   To remediate this vulnerability all input needs a white list validation scheme accepting only known good input and encode all output to prevent the script from running.  

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Image

Written by mparsons1980

June 25, 2013 at 2:27 pm

Iphone programming getting started

leave a comment »

My new passion besides software security is Iphone and cocoa development.  I will guide you through a simple Hello World application.  

 

 

iphonev4

iphonev3

iphonev2

iphonev1

Written by mparsons1980

June 25, 2013 at 1:37 pm

Why it is important to set the secure attribute on session cookies?

leave a comment »

When I do application security assessments I often see the secure attribute not set on session cookies over HTTPS.  It is fine to have non sensitive session cookies like language setting not set to secure but something as sensitive as the session cookie need to be set to secure so an attacker does not steal the session or the victim’s cookies and log on as the victim.   

Image

 

Image

Written by mparsons1980

June 25, 2013 at 11:57 am

Parsons Software Security Consulting has new website and is offering new services

leave a comment »

My company Parsons Software Security Consulting, LLC has a new look feel and logo. We also have a new website and are offering a new suite of services. The new logo can be found here.

As far as the new web site it can be found here. http://www.parsonsisconsulting.com.

For new services we are going to offer secure website development and social media advertising. Stay tuned for Parsons Stark Marketing.

Written by mparsons1980

March 28, 2011 at 6:21 am

Posted in Uncategorized