April 26, 2005
There's a bunch of new stuff on the Serenity web site, including links to the trailer. Wow, am I excited. I'm more excited about this movie than Episode III and Hitchhikers, maybe combined. Kiara and I rented Firefly a short while back, and damn was that fine TV! The movie looks like it's going to be fantastic.
April 22, 2005
Minnesota governor Tim Pawlenty has ordered an audit of all state web sites (registration required, see BugMeNot.com). This is in response to the audit findings I wrote about last night.
Wow. A bold and necessary step, but probably an unfunded mandate. This will make the governor look good, but I am worried that the audit won't have nearly the resources it needs to be done properly — and that it will result in knee-jerk overspending such as hiring consultants for quick fixes. We don't need quick fixes, we need software development processes that incorporate security planning and assessment. On the bright side, I'm willing to bet that where there are security problems, addressing a few issues (quick fixes) will have a big impact on existing apps, so a deep audit won't be necessary. Low-hanging fruit and all that.
There are at least a couple of things preventing more secure development: apathy and lack of funding. I say apathy because security is something to which people pay lip service but do not even attempt to understand. Because of that, it's easy to point to a lack of resources as the reason security isn't addressed properly. Developer training is sadly lacking (this is true throughout the industry, and we do a terrible job of integrating security into the computer science curriculum), and security is not addressed throughout the development lifecycle — which ends up being more expensive.
I'll write a lot more about this later. Were I not putting the finishing touches on handouts for next week's presentation, I'd write more now.
April 21, 2005
A couple of feeds I've recently discovered:
Cool. We need more of that.
April 21, 2005
Minnesota Driver and Vehicle Services took down their web site for online license tab renewal in response to a Legislative Auditor's report sharply criticizing the lack of security in the site. The report is less than kind.
Good. This should be a wake-up call.
The report centers around the fact that DVS did not address the findings and recommendations of a 2001 audit. There was no security program in place, and documentation and processes to support secure software development and deployment were inadequate. The system was found to be vulnerable at several levels: not just the application code, but network and database access as well. I credit DVS for shutting down the site and can commiserate with their lack of resources to address the problem. State government budgets are being cut right and left, and like it or not, intangibles like security are often the first victims. Taking the site down might just make it seem a bit more real.
For me personally, the timing of the audit report could not be better. On Tuesday I'm delivering a presentation about web application security to college and university IT staff from throughout the state. My focus is on integrating security throughout the software development life cycle. I'll be touching on topics such as developer training, security requirements, misuse cases, threat modeling, code review, penetration testing, maintenance and monitoring. It will be nice to have this audit report to bolster my message. And it's clear that upper management is standing up and taking notice.
A final note. Chris Buse, an auditor who worked on this review, stopped by our offices a couple of months ago and poked his head in on a web team meeting. "Say," he asked, "are you familiar with the OWASP Top Ten?" Coincidentally, we had just been talking about it, so to my enormous gratification everyone around the table nodded their heads with an air of "oh yeah, that's old hat." It isn't, but we're getting there. The projects we're working on now, apps that will be rolled out this summer, are in good shape. I am more confident than ever before about the state of security in our current web development. It's a good feeling.