How do we "test" our security policy?

Disclaimer: at my place of work we are aware that, as none of us are security experts, we can't avoid hiring security consultants to get a true picture of our security status and the remedial actions for any vulnerabilities. This question is asked in the spirit of trying to be a little less dumb and a bit more aware of the issues.

In my place of work, a small business with a sum total of 7 employees, we need to work on reviewing our application for security flaws and vulnerabilities. We have identified 2 main requirements in a security tester:

  1. They are competent, thorough and know their stuff.
  2. They are able to leave us with a clear idea of the work we need to do to make our security better.

This process will be iterative: we have a scan, do the remedial work and repeat. It will be a regular occurrence going forward.

The problem we have is: how do we know 1? And, if we're reasonably sure of 1, how on earth do we proceed to 2?

Our first idea was to do some light security scanning on our code ourselves and see if we can identify any definite issues. Then, if the security consultants we choose identify those issues and a few more, we're on our way to 1 and 2. The problem is that I've been trawling the interweb for days looking at OWASP, Metasploit, w3af, Burp, Wikto, sectools (and Stack Overflow, natch)...

As far as I can tell, security software seems to come in 2 flavours: complex open source security stuff for security experts, and expensive complex proprietary security stuff for security experts.

I am not a security expert, just an intermediate level business systems programmer looking for guidance. Is there no approachable scanner-type software or similar that could give me an overview of the state of the codebase? Am I going to have to take a part-time degree in order to understand this stuff at a brass tacks level? Or am I missing something?

I read that you're first interested in hiring and knowing they're good. Well, you've got a few options; the easiest is to talk to people in the know. I've worked with a few companies, and can tell you Neohapsis and Matasano are good (though it'll cost you).

The second option you have is to research the company. Who have they worked with? Can they give references? What do the references have to say? What vulns has the company published to the world? What was the community response (were they shouted down, was the vuln considered minor, or game changing, like the SSL MITM vuln)? Have any of the company's employees talked at a conference? Was it a respected conference? How was the talk considered by attendees?

Second, you're interested in understanding the vulnerabilities reported to you. The testing company should (a) give you a document describing what they did and did not do, the vulnerabilities found, how to reproduce the vulnerabilities, and how they know each vulnerability is valid, (b) meet with you (possibly by teleconference) to review the vulnerabilities and explain how the vulns work, and (c) have in the written contract a retest once you've fixed the vulns, to validate they are fixed.

You can also get training for your developers (or hire someone who has a reputation in the field) so you can understand what's what. Safelight is one company. SANS offers training, too. You can use training tools like OWASP's WebGoat, which walks through common web app vulns. Or you can do some reading: the NIST SP 800 series is freely downloadable and a fantastic intro to computer security concepts, and the Hacking Exposed series does a good job of teaching how the basic stuff works. After that, Microsoft Press offers a great set of books on security and security development lifecycle activities. SAFECode offers good, short recommendations.

Hope this helps!

