I went to DefCon 2012 this year for the first time ever and I must say that it was a great experience. I met too many people to count, and learned a good deal about some security topics. I also learned some information about password hashes, which is fantastic because it’s timely information given all of the news recently about hashes being leaked.
I’ll post more about that as the material becomes available online. If you live in San Diego and want to meet to discuss security topics, drop me a line, I’d love to meet up. My twitter handle is niemesrw.
I have been listening to Exotic Liability for the past few months – the guys on there are a fantastic resource for those of you who are interested in computer security. Their expertise in penetration testing is unparalleled, and they have some interesting guests on as well. Plus, unlike some podcasts, they’re not trying to sell you anything.
Anyway, my re-entry to the security field has left me wondering how I can give back to the community. I have a lot of expertise in corporate IT, networking, and systems, and I believe this gives me a good window from which to view security in a big-picture sense. The bottom line for most of us is that we’re all strapped for resources, so the ‘next big thing’ is sure to cause us only more headaches, since there won’t be anyone to manage it. That got me thinking about some recent projects I have at work: we’ve already got some web services, and we will be adding more as time goes on, some of which will have access not just to the products we’re offering customers but to some of our enterprise applications. This got me thinking about how best to secure these applications. The old approach of simply putting a server in the DMZ no longer cuts it. We have all of these technology solutions to choose from now as well: web-application firewalls, reverse proxies, etc. Nothing, however, compares to actually implementing a real security program that your developers follow.
The guys over at OWASP are a tremendous resource on how to implement secure web applications. They tell us that one of the most important things we can do is to perform a risk analysis: What data will the application have access to? What are the risks if it is compromised? Only then can you associate controls to help mitigate the risk, and some of these controls are very basic and non-technological. You need some sort of secure development program and a security testing program. Technical measures like WAFs can be defeated, but securely written applications are much more difficult to defeat.
Anyway, I ramble, and it’s been a long week already. I hope this is just the first in a series of posts! But we all know how that goes in the blogger world.