Friday, June 25, 2010

All Your Metrics Are Belong To Us

Just a quick note to help out the greater InfoSec community - Securosis via Rich Mogull is doing a big survey - and I know you guys love surveys - which you may win an iPad for if you participate.  I mean, seriously, who doesn't want a free iPad?

When you go to fill it out, use the Registration Code: Whabbit so I can track who fills it out from my readers.

Thanks, you guys - I know we all whine about how security never has enough metrics - well now is your chance to fix that.  Let's GET CLICKING!



Monday, June 21, 2010

LIGATT, Goatse Security, and Common Freakin' Sense...

Well - it's been an eventful few weeks - and as most of you have noticed I haven't been writing as much.  There is a reason for this: I am spending a good deal of time blogging for the primary blog of my employer (link at the bottom) where I am adding significantly more value to the community than my rants here have of late.

That being said - let's make no mistake - I'm still going to blog here and express opinions and clue you guys in on stuff that I think you should read.  Here we go.

  1. LIGATT - Congratulations, Gregory Evans, you've now officially become a household word in the security community... although I'm sure it's not the way you intended.  Today on Twitter a new definition of a "ligatt" was born ...and it's a verb meaning "to make up something so far-fetched that when examined, it unravels. For example, 'I drove my car to the moon today' ".  That little nugget comes from @dicipulus on Twitter folks - brilliant.  I know many of you have had a good time bashing these people - but I swear I'm still waiting for someone to pop up and yell "April Fools!"...
  2. Goatse - You, dear iPad email enumeration-script-builder, get the SuperPwn award.  You've not only shown a pretty clever little hack (ok, this really isn't a hack but whatever) - and at the same time made millions of people go Google goatse ... you win, twice.  Enjoy the prison sex.
  3. Common Sense - Currently apparently stuck on the tarmac awaiting extradition back to the land of reality.  What the hell is the world coming to when we can't even get the concept of vulnerability research disclosure down to a reasonable amount of circus?  This is sickening.  I refuse to perpetuate the stupidity others have already pointed out but what I'm going to instead point out is this - how much control over your private time does your employer have?  What can you do on your private time that your company/employer cannot fault you for?  I guess that all depends on the paperwork you signed when you joined right?  Where does the line of employer-employee relationship end and someone's private life begin?  This goes way beyond the fact that the media "journalists" in technology are obviously bored and need something to stir up controversy so they pick this Google vs. Microsoft sore to poke at ...really?  I think there's more to it than that ... my private life is my private life - and whether I choose to publicly blast a company's stupidity or not on the Internet should be of no concern to my employer as long as I make it clear the opinions are mine only and I do it on my own time.  Right?
Anyway ... it's just sad what passes for news lately, and how pathetic things have gotten.  I guess I'm thankful that I have an employer who can still tell the difference between my private time and private life and my job.  Anyway ... love to hear your comments as always via Twitter, here, or over email.

Don't forget, the Following the White Rabbit blog has a new platform, and can be reached here [ ]... please check and update your RSS readers and let me know if something's broken!

...and yes, the opinions and thoughts expressed here ARE my very own, on my own time.  That is all.

Thursday, June 10, 2010

Ready for some Security Justice?

So just a quick blurb that my appearance on the SecurityJustice Podcast is now LIVE.  Had a great time, talked about some real issues (once we got through the opening ...unruliness, haha) ... I hope you enjoy!

Post your comments here, or on their page.

Tuesday, June 8, 2010

Thinking Through Software Testing Cycles

Testing software is an interesting discipline.

Software testing generally involves 3 facets - functionality, performance, and security - if you're doing it right.  The true problem for any tester or manager is when these three components don't all make it into every testing cycle.  This is akin to having to choose which of your 3 children will get the braces and which simply get a toothbrush and a slap on the back.

Since starting to look at web application testing more in-depth just over 2 years ago I've learned a great deal about testing cycles.  While this may seem like a simple concept, there are nuances which can make your head spin!

In my mind, it all breaks down to 3 simple questions:
  1. When to test
  2. What to test
  3. How much of it to test
I will address all 3 of these in the next few blog posts, but I wanted to throw this post out there to get you thinking, and perhaps contributing some of your thoughts to this series.  I will expand my usually narrow-focused scope from security testing into the general realm of testing... and challenge you to come up with some of the answers to the questions people have posed to me, and I to others who are smarter than me on this topic.  I will also challenge you to come up with better answers than the ones I have... I don't think I'm breaking any new ground in the testing world - but in security... that may be a different story.

To get you started, think about the real-world scenarios that you encounter every day.  Applications (and not just those written for the train-wrecks we call web browsers) are released on a regular basis at your place of employment - I guarantee it.  If you don't know about it, you have an even bigger problem than the one I am addressing, and you should talk to someone about that process problem.

Think about how many applications your company delivers.  Think about whether you're doing Agile or traditional Waterfall development methodology.  Think about how long your release cycles are, how many people are involved and what powers you have to stop a poorly written application from going live.

Now - I want you to scroll back up and look at those 3 points I've highlighted for you.  How do you decide each of those 3 pieces?  Who makes the decisions?

So while your brain is going, write them down and either post them here (anonymously, or otherwise) or email them directly to me.  I want to get some real-life input from some of you, to get your feedback and figure out how you solve some of these problems, so that others can learn from your experiences and mine.

Thanks for reading ...I look forward to your feedback!