Manual vs. Automated Testing
I’ve always been a firm believer in incorporating manual testing as part of any security assessment; after all, a human is the best judge of the contents of application output, and best able to truly understand how an application is supposed to function. But after attending Darren Challey’s (GE) presentation at the 2009 OWASP […]
HITRUST Part 4 Looking Forward
In this conclusion of the HITRUST blog series, I would like to discuss some definite opportunities and challenges that HITRUST is likely to face. Putting together a single prescriptive framework for the healthcare industry is truly an ambitious effort. However, cross-referencing this framework with different regulatory requirements and then proposing a mechanism by which companies […]
What’s Happening in the Application Security Arena?
Application security attacks are increasing. According to Gartner, 75% of the attacks are coming through web applications and not through the network. This means greater emphasis needs to be placed on application security. However, this does not appear to be happening. Application security vulnerabilities are increasing. For the first half of 2009, Cenzic identified about […]
HITRUST Part 3 Certification Explained
As a continuation of the HITRUST blog series, in this post I would like to explore the concept of certification, and what it means. So, by now I hope you’ve followed my advice and have been browsing the framework up and down. Perhaps you generated a few reports that show you just how easy it […]
Vulnerability Alert: FCKeditor Arbitrary File Upload
The worst kind of vulnerability in your environment is the one you don’t know exists. The “FCKeditor Arbitrary File Upload” issue seems to be just such a vulnerability. The purpose of this blog entry is to increase awareness of this issue and provide companies with sources for remediation options. The “FCKeditor Arbitrary File Upload” vulnerability […]
HITRUST Part 2: Taking a First Look at the CSF
As a continuation of the HITRUST blog series, in this post I would like to take a closer look at the Common Security Framework (CSF), and what it’s all about. The CSF is designed based on the ISO/IEC 27001:2005 and ISO/IEC 27002:2005 standards. Additionally, the framework currently includes: the NIST 800 series of standards; ISO/IEC 27799:2008 […]
What is HITRUST? – Part 1
HITRUST is rapidly gaining popularity in the healthcare and security consulting fields, and NetSPI is investing significant resources in developing services that will assist clients in taking advantage of the new Common Security Framework (CSF), as well as in achieving all the benefits of optimizing information security programs against an industry-developed and accepted framework. As […]
IP Traceback: Has Its Time Arrived?
In simple terms, IP traceback allows for the reliable identification of the source of IP traffic, despite techniques such as IP spoofing. While there are numerous methods for achieving this goal, they all have one thing in common: not one of these methods has actually been implemented in commercial networking equipment. Maybe its time has […]
How Good Are Your Application Security Assessments?
Let’s talk about application vulnerability assessments, penetration testing, and code reviews. How effective they are depends on a number of factors: the education and experience of the testers, the tools used, the restrictions put on the testers, or even the environment in which the testing is done. This post focuses on the education and experience […]