Alik Levin's Clarity, Technology, and Solving Problems

March, 2007

  • Scriptomania - Scripting Tools and Utilities



    Scriptomatic 2.0

    Do-It-Yourself Script Center Kit

    WMI Code Creator

    ADSI Scriptomatic

    Log Parser 2.2

    Portable Script Center

    HTA Helpomatic

    Scriptomatic 1.0

  • Security Language That Every One Understands


    Although Michael Howard has some reservations about comparing software to the physical world, I will take a chance on that one.

    As I see it, language is designed to serve as a communication channel between parties: English for two English speakers, C# for a developer and a machine, body language for everyone else :)

    Now, how many times have you walked into a restaurant, asked for today's specials, and heard in response something that does not even sound like food? Or talked to a lawyer who throws at you words only advocates understand (or pretend to)?

    I constantly see the same story with security folks talking XSS, CSRF, injection, and other beasts.

    I have found it pretty useful to present security matters differently to different audiences. Here is the breakdown:

    1. C-level executives care about the shape of the business; they could not care less about your XSS if you cannot show how it impacts the business.
    2. Security folks are paranoid: everything is crackable and hackable (now you know exactly who I am, the paranoid one). Show them the exploitability of the XSS; if you or they cannot, drop it, or at least give it low priority.
    3. Project managers care about being on time, on budget, and on spec. If security is not in the spec, the war is already lost... But if you show them that the effort to fix is minor, there is some hope, though not too much...

    The RACI chart found here, Fast Track – How to Implement the Guidance, can be a talking point too.

    There are more audiences, but I'll stop here to keep the post brief and readable, applying the 4th tip from 5 Tips for Blogging.



  • Security Deployment Inspection Using Office


    I am a big fan of small time savers that make me more productive.

    JD has a whole category for the Effectiveness tag; those gems are worth checking out.

    So I am always looking for ways to reuse my practices across disciplines.

    I am trying to combine my security engineering practice with MS Office productivity tools.

    This time I will show how I use Excel for deployment inspection.

    NOTE: This is not the ultimate holistic approach to deployment inspection, rather a productivity trick. For me at least :)

    Imagine I have a strong desire to inspect the deployment on some IIS server where the Pet Shop web app is deployed. One thing I'd check is whether only sane files are deployed. I will use my friend, the DIR command:

    /A:-D means no directories, please

    /S means subfolders too, please

    /B means bare output, no headers or summaries, please

    Thank you.


     Here is how the result looks. Notice the source files deployed to production: not a best practice, but we just spotted it. Good job!



    I've recently reviewed an application with 650 DLLs... Notepad is handy, but not in this case. So let me open the txt file in Excel 2007 (other versions are fine for this task too) and define a formula in column B like =RIGHT(A1, 3), which gives me the extensions. "fig" would stand for .config files, I presume. Keep in mind that RIGHT(A1, 3) returns the last three characters of the path, not the extension, so .config shows up as "fig" and .aspx as "spx"; sorting column B still groups the files well enough to eyeball. Now you have the power of Excel for spotting sane and insane files.
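    The same inspection as a small Python script, added here as an example that is not part of the original post. It consumes the file produced by `dir /A:-D /S /B > files.txt`, takes the real extension of each path (so Web.config is counted as .config rather than "fig", which is what =RIGHT(A1, 3) gives you for any extension longer than three characters), and flags the categories of files that should not be on a production IIS box: source and project files, debug symbols, and backup/editor leftovers. The sample listing and the extension lists are constructed assumptions, not taken from the Pet Shop deployment in the post; tune them to your own application.

```python
"""Triage a `dir /A:-D /S /B` listing of a deployed web app for files that
should not be in production (example code, not from the original post)."""
import sys
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the shape `dir /A:-D /S /B > files.txt` writes
# (assumption: a Pet Shop deployment under C:\inetpub\wwwroot; made up here).
SAMPLE_LISTING = r"""
C:\inetpub\wwwroot\PetShop\Default.aspx
C:\inetpub\wwwroot\PetShop\Default.aspx.cs
C:\inetpub\wwwroot\PetShop\Web.config
C:\inetpub\wwwroot\PetShop\Web.config.orig
C:\inetpub\wwwroot\PetShop\PetShop.csproj
C:\inetpub\wwwroot\PetShop\bin\PetShop.dll
C:\inetpub\wwwroot\PetShop\bin\PetShop.pdb
C:\inetpub\wwwroot\PetShop\App_Data\Orders.bak
C:\inetpub\wwwroot\PetShop\Images\logo.gif
"""

# Extension classes that have no business on a production IIS server.
# Assumption: a starting point, not a complete list; extend for your own stack.
SUSPICIOUS = {
    "source":        {".cs", ".vb", ".csproj", ".vbproj", ".sln", ".resx"},
    "debug-symbols": {".pdb"},
    "leftover":      {".bak", ".orig", ".old", ".tmp", ".swp"},
}


def extension_of(path: str) -> str:
    """Real, lower-cased extension: '.config' for Web.config, '.cs' for Default.aspx.cs."""
    return PureWindowsPath(path.strip()).suffix.lower()


def excel_right3(path: str) -> str:
    """What =RIGHT(A1, 3) gives you: the last three characters, not the extension."""
    return path.strip()[-3:]


def classify(path: str) -> str:
    """Return 'source', 'debug-symbols', 'leftover', or 'ok' for one path."""
    ext = extension_of(path)
    for verdict, exts in SUSPICIOUS.items():
        if ext in exts:
            return verdict
    return "ok"


def triage(listing: str):
    """Count files per real extension and group the suspicious ones by verdict."""
    counts = Counter()
    findings = defaultdict(list)
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        counts[extension_of(path)] += 1
        verdict = classify(path)
        if verdict != "ok":
            findings[verdict].append(path)
    return counts, dict(findings)


def report(listing: str) -> str:
    """Human-readable summary: extension histogram plus the files to remove."""
    counts, findings = triage(listing)
    lines = ["Files per extension:"]
    lines += [f"  {ext or '(none)':<10} {n}" for ext, n in counts.most_common()]
    lines.append("Should not be in production:")
    for verdict, paths in sorted(findings.items()):
        lines += [f"  [{verdict}] {p}" for p in paths]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python inspect_deployment.py files.txt   (no argument: run on the sample)
    if len(sys.argv) > 1:
        # dir writes in the console code page, so be lenient about decoding.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            listing = fh.read()
    else:
        listing = SAMPLE_LISTING
    print(report(listing))
```

    Run it against the saved listing and review the "Should not be in production" section together with the extension histogram; anything in the histogram you cannot explain (an extension you did not expect to ship) deserves the same look the flagged files get.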



    More on which files should be deployed to production is here: Bin and Special Directories

