Friday, July 21, 2006

Searching for Source Code Security Vulnerabilities

While Google was quick enough to censor the colourful Malware Search logo -- colourful branding -- here's another recently started initiative, Bugle, a Google-based source code bug finder:

"Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though), hopefully people will start sending more queries. Source code review is not a straightforward operation, using the list you will get pinpoints and not definite results."

It could easily help you spot source code containing common bugs without having to rely on a scientific model to predict vulnerabilities. You should also consider the powerful source code search engine Koders, which is currently indexing 225,816,744 lines of code and lets you segment your queries by programming language.
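The same idea run locally, as an added example that is not Bugle's own query list (Bugle's queries are Google searches): a handful of hypothetical regex "queries", each tagged with a language the way Koders lets you filter by language, applied to constructed source snippets. The hits are pinpoints for a human reviewer, not confirmed bugs.

```python
import re
from collections import namedtuple

Query = namedtuple("Query", "lang pattern why")
Hit = namedtuple("Hit", "path line lang text why")

# Hypothetical query list (not Bugle's); each entry is a regex plus the reason a reviewer should look.
QUERIES = [
    Query("c",   r"\b(strcpy|strcat|sprintf|gets)\s*\(", "unbounded copy into a fixed buffer"),
    Query("c",   r"\bsystem\s*\(\s*[A-Za-z_]\w*\s*\)", "shell command taken from a variable"),
    Query("php", r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST)", "file inclusion from request data"),
    Query("php", r"\b(mysql_query|mysqli_query)\s*\(.*\$_(GET|POST|REQUEST)", "SQL built directly from request data"),
    Query("php", r"\beval\s*\(\s*\$", "eval on a variable"),
]

# Segment by language from the file extension, as a code search engine would.
EXT_TO_LANG = {".c": "c", ".h": "c", ".php": "php"}

def lang_of(path):
    for ext, lang in EXT_TO_LANG.items():
        if path.endswith(ext):
            return lang
    return None

def search(files, langs=None):
    """Run every query whose language matches each file; return a list of Hits (pinpoints only)."""
    hits = []
    for path, source in files.items():
        lang = lang_of(path)
        if lang is None or (langs and lang not in langs):
            continue
        for n, text in enumerate(source.splitlines(), 1):
            for q in QUERIES:
                if q.lang == lang and re.search(q.pattern, text):
                    hits.append(Hit(path, n, lang, text.strip(), q.why))
    return hits

# Constructed sample sources standing in for files found through a code search engine.
SAMPLES = {
    "upload.c": "#include <string.h>\nvoid f(char *in){ char buf[64]; strcpy(buf, in); }\n",
    "index.php": "<?php\ninclude($_GET['page']);\n$r = mysqli_query($db, \"SELECT * FROM t WHERE id=\" . $_GET['id']);\n",
    "README.txt": "strcpy is mentioned here but this is prose, not code.\n",
}

if __name__ == "__main__":
    for h in search(SAMPLES):
        print(f"{h.path}:{h.line} [{h.lang}] {h.why}: {h.text}")
```

Every hit still needs a reviewer to confirm that the flagged data actually reaches the call unchecked, which is exactly the "pinpoints, not definite results" caveat above.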

Related resources:
SecureProgramming.com - latest update January 2005, useful links though
An overview of common programming security vulnerabilities and possible solutions
Insecure Programming by example
Top 7 PHP Security Blunders

Detailed Penetration Testing Framework

This framework is simply amazing, as it takes you through the entire process of penetration testing step by step, with references along the way to the tools necessary to conduct a test -- wish experience were a commodity as well. Best practices are prone to evolve the way experience does, so consider adding some of your own know-how, and go through Fyodor's Top 100 Network Security Tools list in case you're looking for improved efficiency. It's not about the quantity and diversity of tools, but about the quality of the approach; still, the framework is a nice one to begin with.

Photo courtesy of IBM, featuring ethical hacker Nick Simicich. You may also find Secure DVD, a collection of the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) handy.

Anti-Virus Signature Updates - They Could Wait

It's a common myth that all AV vendors exchange the malware they come across among themselves, whereas that's obviously not always the case. Even if they don't, you'd still achieve a higher state of security by ensuring your PC or network is protected from the majority of known malware threats. The trouble is that the average end user, whose Internet connection speed is approaching that of an average ISP (metaphorically speaking), doesn't seem to bother, because of the following concerns:

- it could wait
- it takes decades to update
- it would influence their superman's productivity
- where's the update button by the way?

From the press release of a commissioned survey :

"Harris Interactive® fielded the online survey among a nationwide sample of 2,079 U.S. adult computer users 18 years of age or older. The survey reveals that: Despite 55 percent being very confident or confident in the protection offered by the antivirus program on their computer, 42 percent have been affected by malware. A surprising 65 percent have postponed updating their virus protection. Of these adults, their top reasons for not updating are:

It was too disruptive to what they were doing on the computer - 38%
They thought it was something that could wait - 32%
They thought it would take too long - 27%
They weren’t sure how to update the antivirus program - 14%"

These very same end users are among the key factors in the successful assembly of botnets these days. If you secure the entire population, you'll end up with a secure sample as well, but the novice user's lack of incentives is ruining the whole effect -- and driving the DDoS protection tools market segment, of course. I also wonder how Gartner managed to estimate Panda Software's revenues and market share, given that, compared to the rest of the publicly traded companies, it's free from the burden of having stakeholders breathing down its neck.

Failures in Detection courtesy of VirusTotal.

When Financial and Information Security Risks are Supposed to Intersect

An interesting security event at Morgan Stanley's NYC headquarters related to insider abuse, notable mostly because the client list and the fees charged weren't even copied to removable media, but forwarded to the consultant's private email account:

"A former consultant to Morgan Stanley has been arrested and charged with stealing an electronic list of hedge funds and the rates the investment bank charges them. The hedge funds are clients in the company's prime brokerage business. According to court documents, Chilowitz is accused of sending a copy of the firm's administrative client list and its client rate list for the prime brokerage business in February from Morgan Stanley's offices in New York to his personal e-mail account at his home in Virginia."

I once said that nothing's impossible, the impossible just takes a little while, but given who Morgan Stanley is when it comes to risk management and assessment, let's not say risk engineering -- psst, paying $15m in order not to pay $1.5B is such a sound investment -- they should never have allowed this type of information to leave over the Web.

Meanwhile, the WSJ is reporting that Employers Are Increasingly Firing Staffers for E-mail Violations:

"The news comes from the 2006 Workplace E-Mail, Instant Messaging and Blog survey from the American Management Association and the ePolicy Institute, according to the Journal. The survey found that more than a quarter of the employers queried had fired an employee for violating company e-mail policy, up 9 percent from the 17 percent of employers who let employees go for similar violations in 2001, the Journal reports. On top of this finding, the survey also said that 2 percent of respondents had fired workers for instant-message correspondences that weren’t appropriate, and another 2 percent of employers said they’d fired a staffer for posting distasteful content on a Web log—or blog—be it their professional or personal page, according to the Journal."

Security policies are not a panacea for security; they are the basics, so consider developing one and monitoring its effectiveness. My advice: think twice before feeling like a smart ass for exploiting your interns next time, and yes, fingerprint your most valuable IP assets as well.