Paid Advertising
web application security lab

Archive for the 'Books' Category

ModSecurity Handbook

Friday, June 18th, 2010

I finally broke down and bought a new bean bag chair. I had one of the older Sumo lounge models and I loved it, but the newer sway couple model is much more conducive to sitting down and doing work or reading a book. So, with an uber-comfy chair as a prerequisite, that is promptly the first thing I did. I’ve been meaning to find the time to sit down and read the ModSecurity Handbook by Ivan Ristic - the primary developer on the project. And is there any surprise? It’s really good.

Ivan has written an O’Reilly book in the past, so his approach to writing is very methodological. For instance, I’m always the skeptic about tools that add latency, and that’s one of the very first things he addresses - alleviating a lot of those questions in my mind, having not played with it much in a few years. He goes through a lot of the attack scenarios, the configuration, tactics and on and on. It’s very thorough. Of course it leaves you with a big question mark at the end - so what’s the future of mod_security really going to be? Hopefully just as bright in the future.

One of the things I particularly liked was that Ivan went through and explained how mod_security was never designed to be a panacea and it was intentionally designed to be a more straight-forward tool, solving things that he knew it could solve, without wasting time developing a tool to be everything to everyone. I like that it wasn’t trying to be something it’s not. It’s really refreshing to hear an author tell you why things were built the way they are, and even more refreshing when you agree with those decisions. It gives you a lot of insights into the development process. Anyway, it was a good book read while sitting on a comfy chair (I recommend both). Sometimes the simplest things in life are worth writing about. If you use mod_security or are looking for a good free solution you should check out Ivan’s book.

Book Review: The Pragmatic CSO

Wednesday, January 2nd, 2008

When I saw Mike Rothman’s name on the San Diego ISSA meeting speaker list, I tried to be the first person in the room. Yes, there were more technical talks I could have attended, but why would I want to? If you have never seen or talked to Mike, he is gruff, funny, and knowledgeable about security. I consider Mike to be a friend, so it wasn’t a surprise that he would send me an autographed copy of his self published book (which you will not find on Amazon or B&N). Trust me, that didn’t influence my opinion one way or another, but the inscription was definitely nice. What did influence my opinion of the book was that the content between it’s covers. Once I start reading it, I actually put down the other half dozen books I got until I finished every last word. Me? Finishing a book? I know, as crazy as it sounds, I managed to finish this one last night on a flight home.

Where to start? I think the thing I like about this book is that it’s attempting to be relevant, not just to today’s problems, but all future problems. It’s trying to drop the techno-babble that we all tend to get stuck on, and start talking about how to run a business - a security business no less. He takes a tongue in cheek approach to his lesson, which is that of the CSO as an addict. CSOs have a tendency to live on the edge. Closer to that of a life of a fire fighter than that of an executive. He tries to break the bad habits by discouraging the old school attitude that the security community tends to have - forgetting the modern day reality of monetary gain as a key motivator for malicious hacking.

At first I thought I’d like the book, with quotes like, “I’ve got two dogs at home. I don’t need any more friends.” Then I thought I’d hate the book when the main character, “Mike” said that his tests came back almost completely clean (because they almost never are, unless you really don’t know what you’re doing). But then, almost at the end of the book he pulled it out for me. He really ripped into why vulnerability assessments are critical to understanding your security and then the main character, “Mike” explained that he too had a laundry list of vulnerabilities. Whew! Mike Rothman gets it. One of the best quotes in the book for me was “Good Security = Compliance (but not vice versa)”. Oh, he so got me there. I fell in love with this book.

Not only did he manage to cover a very complex topic, which is that of a troubled CSO in a changing world, but he also managed to make it clear that certain types of testing were critical to business success (including application testing). He also had an interesting take on using actual exploits, and social engineering during the penetration test. He said a number of times that the people who feel that you shouldn’t use those or that it is unethical to do to your staff are wrong. No, I’m not oversimplifying his words. He says they are “wrong”. Bad guys do not follow a code of ethics and neither should anyone who wants to test their security as if they were a bad guy. Bad guys do whatever it takes to break in (understanding, of course, that your data may or may not be valuable enough to risk their freedom for).

Similarly, I loved his comments about not following best practices and not using the same thing as everyone else is. He’s hinting at some of the things I’ve discussed before regarding bio-diversity in networking and applications. It’s an interesting topic to see in a book like this, but I’m glad to see it in there.

Throughout the book Mike puts in statements like, “use common sense”, which I often think are missing from books like this. He’s absolutely right, of course. I think that thread echos throughout his book. It’s not a technical book, it’s a book on changing your thinking to get you ahead of the assailant, in the good graces of your executive staff and into auditory compliance. I’ve run into countless people in the industry who desperately need to read this book so that they too can get a clue. It’s not rocket science. It’s the art of running security like a business. Five stars, Mike!

The Web Application Hacker’s Handbook

Wednesday, September 12th, 2007

Well it’s getting closer! My friend, PortSwigger (also known as Dafydd Stuttard - author of Burp Suite) is getting ever closer to completion of his new book The Web Application Hacker’s Handbook. He’s co-authoring it with Marcus Pinto. I’ve known about the book for a while now, and am really looking forward to reading it.

He’s also released a table of contents for the book so people can get a head’s up. It looks like a pretty thorough writeup on how to do manual and semi-manual security assessments. It’s going to look nice on my bookshelf - once I get my bookshelf looking nice that is.

Book review: Professional Pen Testing for Web Applications

Tuesday, June 19th, 2007

I don’t generally do book reviews (maybe I’ll start if I have to do this much traveling in the future - since it will give me lots of time to read). In this case, the book was really on topic, if a tad out of date. Andres Andreu wrote a book in the 2005-2006 timeframe called “Professional Pen Testing for Web Applications” (I think he could have sold another 10k copies if he had spelled out “Penetration” instead of “Pen” but that’s neither here nor there). The book is actually a really good and quick read as there are lots of pictures and examples to drive the text along.

Normally I find it tedious to get through penetration testing style books, because the authors generally only talk about one or two tools (generally nmap and insert one or two other tools here) and stick with them for the entire book. Andres does a really nice job of talking about dozens of different tools and how they are useful from a web application security perspective. One section that I found a tad cheezy though was the ethics of what you can and can’t do during an audit. I don’t know why, but I’ve always found that stuff to be obvious. For instance while it does say extortion is not okay (I hope that’s also obvious to everyone reading this), it fails to mention bribery, rubber hose cryptanalysis, intimidation, kidnapping, murder, or a host of other things that actually do work and three letter agencies worldwide have employed. So don’t go looking at that chart as saying “Andres didn’t say I couldn’t.” The chart made me and id laugh. If anyone wants to sign up for that kind of audit, just let us know. We’ve got the blowtorch and the pliers standing by. The ethics section of the book was short, and it got better quickly thereafter.

Anyway, sure, some parts of the book are out of date, as you’d expect with a book written 1-2 years ago, but a lot of the book is timeless. The general tactics put in place, how the different threat modeling works, and how you document what you find is all good information. I’ve had my own way of doing things for years, but it’s always nice to hear someone else’s perspective. The best part of the book for me, was that since it was slightly out of date, I got to hear a lot more about technologies we tend to forget about since they aren’t used that much any longer. There weren’t many blogs detailing this stuff back then to read, so this is a bit of a blast from the past. Granted, he doesn’t talk at all about a lot of the more modern stuff since it didn’t exist yet, but I found it a really interesting refresher course in the way things used to be, and the way we should probably continue to think about legacy systems.

The cons are that he doesn’t discuss manual assessment using things like telnet hardly at all, focusing more on the existing tools, at least half a chapter when you add it all up is talking about buffer overlows without going into enough detail to actually show a working example in the wild, he talks quite a bit about SSL security (which really isn’t much of a problem most of the time), and it makes a big leap that you already know how to develop programs, run programs and have access to *Nix environments. That’s true in my case, and on the cover it even says “Programmer to Programmer.” Still it’s definitely not meant for a beginner with only access to Windows and no idea what Cygwin is. Overall, it was probably a four out of five star type book when it came out, but because it’s a little out of date it’s probably more like three stars now. Still, it makes a nice addition to the bookshelf, and it got my brain thinking.