# Thursday, October 22, 2009

HP’s CEO Mark Hurd was speaking at the Gartner Symposium in Orlando and had some interesting perspectives on Cloud Computing and Security. Overall I think he was on target: Cloud Computing has a lot of potential and a lot of current uses, but you have to be concerned with Security.

http://news.cnet.com/8301-30685_3-10378781-264.html

Thursday, October 22, 2009 12:47:09 PM (Eastern Daylight Time, UTC-04:00)
# Thursday, October 15, 2009

http://news.cnet.com/8301-13846_3-10372446-62.html

Interesting read on how IT spending will be shifting to the cloud over the next few years. It’s going to be interesting to see how security evolves with the new complexities that come about due to the cloud and hybrid cloud – classic applications.

…..I still love being in the IT Industry, just when you get bored someone comes along and changes pretty much everything, except the fact that people just keep making the same old security mistakes in ever new and changing ways ;)

Thursday, October 15, 2009 2:33:39 PM (Eastern Daylight Time, UTC-04:00)
# Friday, October 09, 2009

http://www.usatoday.com/money/industries/technology/2009-10-08-cyberthieves-network-hackers_N.htm

An interesting read in USA Today talking about the risk of internal users. I’m glad someone is talking about this in the media FINALLY! I have lost count of the number of people who say “it’s an intranet application, we don’t have to worry about it right?” WRONG!!!!!, you need to worry.

Friday, October 09, 2009 2:30:59 PM (Eastern Daylight Time, UTC-04:00)
# Saturday, August 01, 2009
Windows 7
Saturday, August 01, 2009 1:19:52 PM (Eastern Daylight Time, UTC-04:00)
# Friday, June 05, 2009
Dark Reading: 6 Worst Cloud Security Mistakes
Friday, June 05, 2009 11:42:02 AM (Eastern Daylight Time, UTC-04:00)
# Wednesday, April 22, 2009

The Cloud Security Alliance has issued its v1 Guidance for Cloud Computing. I had the pleasure of working on the Application Security section of the document with Scott Matsumoto from Cigital. When you have a chance, check it out. http://www.cloudsecurityalliance.org/

Wednesday, April 22, 2009 11:45:50 AM (Eastern Daylight Time, UTC-04:00)
# Tuesday, July 22, 2008

Dark Reading has an interesting article on issues in Open Source software. It looks like Fortify did a bunch of testing of some Open Source software and all was not happy in the land of free stuff.

Don't get me wrong, I like Open Source Software, but it's not immune to security issues, and I hope no one thought it was. I know that in theory it's better since it's open for public scrutiny, but that's only if the community actually cares about security. I am personally a big fan of BSD (not sure why Linus is so touchy about that one http://article.gmane.org/gmane.linux.kernel/706950 ) but other packages have not stood the security test of time.

It's a good read, check it out.

Report: Vulnerabilities Abound in Open-Source Environments - Desktop Security News Analysis - Dark Reading

Tuesday, July 22, 2008 11:11:41 AM (Eastern Daylight Time, UTC-04:00)
# Monday, July 07, 2008

Most people I know have a short list of places they want to see in their life. One of the places on my list has always been Israel. I would venture to say that no place on earth has so much heritage and history. It is rare to find a place where you can stand where so many of the events that have shaped humanity have happened.

Having said that, it was my great pleasure to speak at the Software Universe, Israel event yesterday. I don't have a final count yet but I think there were around 750+ people in the auditorium. What was exciting is that the vast majority of the people in attendance for my talk on Application Security were not "security" people. Most were business owners, IT people, QA people and others. I think this adds another data point to the belief that Application Security is a software / IT / Business issue, not just a traditional "security" issue.

Many in the Application Security industry have been saying for years that application security needs to be addressed as part of the SDLC and the risks are business risks, not just technical risks so the business needs to be aware of them and take responsibility for ensuring they are properly addressed.  Based on the crowd and the response at this event in Israel I think we are heading in the right direction.  We still have a LONG way to go but at least we are on the right road.

Monday, July 07, 2008 11:14:44 AM (Eastern Daylight Time, UTC-04:00)

Microsoft has announced a few interesting tools that developers of ASP pages can use to find vulnerabilities. One was the Scrawlr tool released by HP a few weeks back and the second is a tool that will look for SQL Injection in ASP pages. Below is the link if you would like to check it out.

The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Monday, July 07, 2008 11:14:05 AM (Eastern Daylight Time, UTC-04:00)

Ever want to check out a list of the world's most interesting data breaches? Well, my good friend David N. sent me this link and I think it's worth noting. It lists some of the more interesting data breaches that have been released to the public with details.

A special thanks goes out to the Privacy Rights Clearinghouse (http://www.privacyrights.org/index.htm) for putting all the information together.

Check it out here

Monday, July 07, 2008 11:12:55 AM (Eastern Daylight Time, UTC-04:00)