Alik Levin's : Information Gathering

Calculate Security Breach Cost Yourself

alikl — Fri, 20 Apr 2007 00:35:00 GMT

That is both amazing and amusing (I will leave "why" to myself....) but now CxO does not have to think twice whether security services are too expensive. Check out this Security Breach Cost Calculator.

via http://news.com.com/2061-10789_3-6176074.html?part=rss&tag=2063-10789_3-0&subj=news

For example, if MS corp network gets penetrated, having at hand it has 71,172 employees the resulting cost would be about $10M. And that is just in short run, the losses caused by damaged reputation would be much higher. Fortunately, leading analysts and professionals think we are doing good in that space (touch wood and hooray to SDL!!):

"...we actually consider Microsoft to be leading the software [industry] now in improvements in their security development life cycle and in how they handle vulnerabilities and release patches..
John Pescatore, vice president at Gartner", read full story here

"What the smart banks are doing about this is they’re building security into their development lifecycles, and that’s exactly what Microsoft has done," he [Mark Curphey] said.

Mark Curphey, vice president of professional services at McAfee’s Foundstone division, read full story here. Mark is founder of OWASP.org

Or graphically:

Direct link is here http://www.tech-404.com/calculator.html

Have fun calculating your losses. Or just start proactively implementing Security Engineering.

Need help? - try this Security Developer Center: Security Development Lifecycle for IT

Enjoy

Code Inspection - First Look For What To Look For

alikl — Wed, 21 Mar 2007 00:13:56 GMT

Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

I found it extremely productive to first look for strings in the code. But what strings to look for? And how to look for the strings? Looking into the source files?

My good friend FindStr is of great help here:

So first let's find what to look for:

Ildasm.exe secureapp.dll /text | findstr ldstr

This is what I've got using it:

Wouldn't it trigger you think of authorization data doing roundtrip thus vulnerable to tampering and elevation of privileges?

Wouldn't it trigger you think there is some custom authentication mechanism that potentially could be vulnerable thus enabling identity spoofing?

Wouldn't it trigger you think.....

So once you have these strings you use same FindStr to find actual files to inspect:

findstr /S /M /I /d:c:\projects\yourweb "StringOfInterestGoesHere" *.cs

Cheers