Archive for the Application Security Category

We’re Doing It Wrong

Posted in Application Security, Events, Security Awareness on May 12, 2010 by Matthew Flick

As an industry, we have failed. Miserably. Web application security professionals–yes, including myself–have implemented a broken methodology and graduated from failing to properly identify the problem to failing to present an effective solution. The net sec methodology of: 1. Scan for Vulnerabilities, and then 2. Apply Security Patch, simply does not work for the custom web application environment. This statement may seem obvious, but it’s exactly what the industry has tried to do.

Our first failure was in identifying the problem. Early warning professionals considered web application vulnerabilities similar to those of other applications, and that they could be identified with vulnerability scanning tools and then remediated with a patch (albeit a custom patch). They were at least partially correct in theory; the problem was in the practice. This failure led to the development of web application vulnerability scanning products as the basis of the web application security industry.

We finally realized that the root cause of the problem was related to application development. More specifically, the security of an application is in the hands of its developers. And what was our solution to this problem? Inject security people into the development process. We trained developers how to break their applications. We tested pre-alpha code that will be significantly changed another dozen times. And some people did threat modeling, which I still have not found to produce useful results.

Security comes down to control. For application security, this means who is in control of the functionality and data available within the application. This is why it is necessary that current and future application developers and computer security professionals learn the foundation of how to build secure applications from the start. To promote this effort, we are offering a discounted AppTrust Developer Training course at Virginia Tech this summer to ensure that the next generation doesn’t fall into the trap of doing it wrong and starts off doing it right.

To learn more visit the event site.


XAB Presentation @ USF Whitehatters Club

Posted in Application Security, Events on January 27, 2010 by Tony Flick

Matt and I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!

Introducing AppTrust

Posted in Application Security on November 12, 2009 by Matthew Flick

FYRM Associates is proud to announce our new AppTrust offering that enables organizations to produce secure applications in a timely and cost-cutting manner. The typical, flawed approach to application security is based on the network security model of “when we find a vulnerability, we patch it.” This forces your organization into a never-ending game of catch-up with attackers that is nothing more than a costly and time-consuming strategic failure.

The AppTrust Assessment, Training, and Certification solutions break this mold with a strategy that enables your organization to implement applications that are secure as soon as they enter production.

You can read more about FYRM Associates’ new AppTrust offering at our Web site,, or contact FYRM Associates at or (877) 752-7170 for more information.

XAB – Cross Site Scripting Anonymous Browser updated and seeking help

Posted in Application Security on November 10, 2009 by Matthew Flick

A new release of XAB, the framework that allows one to browse the web via XSS has been updated. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at sourceforge:

We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.

XAB Presentation @ OWASP DC Chapter Meeting on 9/2

Posted in Application Security, Conferences, Events, OWASP with tags , , on August 25, 2009 by Matthew Flick

I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found here. See you there!

OWASP AppSec DC 2009 Sponsor

Posted in Application Security, Conferences on August 20, 2009 by Matthew Flick

OWASP just launched the official AppSec DC 2009 site @ We’ll be out in force and will most definitely have some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!

LAN Party anyone? Let’s volunteer to hack Government websites…

Posted in Application Security, Government, Penetration Testing on June 21, 2009 by Matthew Flick

Would I volunteer my time? Sure, why not. Is it really a good or realistic idea to have our Military and Government solicit an army of volunteers to test their web sites? Probably not. Jeremiah Grossman, CTO and founder of WhiteHat Security, this past week voiced his opinion on a topic that isn’t entirely new, but hasn’t been brought up by an industry pundit for a while. He estimates “fewer than ten percent of United Stats .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities” and suggests getting vulnerability researchers to volunteer to test those web sites.  I honestly didn’t see his blog entry until late Thursday and up til now sort of waited to see all the comments to his thoughts. It seems feedback is back and forth with the more detailed responses are on the “not so good” idea side of the fence. Jack Mannino had a good response, which Jeremiah is planning to respond to.

Here are my thoughts: Have you ever worked directly for/with the government? Not a rhetorical question or being a smart a$$, but seriously. It’s a given that the US Federal government doesn’t spend enough money or resources on cybersecurity [see previous blogs]. I cannot imagine how difficult it would be to attempt to coordinate these “volunteer tests” with the Federal Agency, the government security teams that protect the site, the network and system folks responsible for the site, and then all the contractors involved in monitoring and supporting the site… that’s just a fraction of the folks on the government site. We’ve done contract work with the Federal Government and doing a simple scan of a small environment from a single source address took a tremendous amount of coordination and planning. It would be insanity to try to coordinate dozens of volunteers. And that is just one of a couple pre-planning obstacles I can see.

What about from a slightly tangent ethics view; is it volunteers or freebies? The Federal Government from what I’ve experienced has pushed procurement and purchasing folks through different types of ethics training to prevent inappropriate kickbacks to individuals and organizations. Could a big corporate entity like “Big Yellow” for example be allowed to volunteer a team of young staffers to “pen-test”? Wouldn’t it then be ironic if that same company down the line got a chance to bid on projects or even technologies to be implemented? You got to expect someone out there to try to take advantage of it.

The one point that Jack made mention that I’m not going to rehash too much but agree with is regarding incident response. Could you imagine being the contractor or GS-10 sitting in the SOC during “volunteer pen-test day”? If the government doesn’t have the tools to assess their own web sites, I wonder if they would have the technologies or resources in place to review the logs generated to figure out what is considered “normal” vs. “bad” traffic.

I’m not entirely sure if Jeremiah really thinks it’s a good idea or is throwing it out there for media fodder (I see SC Magazine already picked it up). It does bring up some interesting early debate but the more I think about it, it just doesn’t seem reasonable.

However one thought I did come up with and please pardon me if there is already an organization like this, is taking a page from the National Guard. It would still require some money, background checks, a tremendous amount of coordination and volunteering. How about a “Cybersecurity National Guard” unit, where people can volunteer X hours a month and have one of the core responsibilities testing government and military web sites. I’m deeply familiar with the military and intelligence community programs and teams that do this, but this “volunteer” group could be staffed with vulnerability researchers who have extra time or want to do something more valuable for ISC^2 CPEs ;)