I am a little early for the new year but I have been thinking about 2015. I noticed I made 62 posts in 2015 not counting this post. I thought I would review some posts throughout the year for those that may have missed them.
OWASP Security Logging Project
What is it? Open source SLF4J-compliant security logging API for applications. Use it with log4j or logback in your applications.
Benefits? Extends popular logging systems and adds security-specific functionality like message classification (e.g., secret, confidential, public). Catches sensitive information that developers log by accident, like passwords. Extend it to catch SSNs or other types of personal information, and more.
Future Thoughts? A proposed improvement logs runtime information such as thread state and heap space from a background thread at regular intervals for diagnostic/forensic purposes. Currently under review. We have many more ideas, so check out the project web site.
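To make the two ideas above concrete (classifying each log message and catching secrets a developer logs by accident), here is an added Python example using only the standard logging module. It is not the OWASP Security Logging Project's API or code, just the same technique demonstrated with a logging.Filter; the secret-name list, the SSN pattern and the sample messages are constructed for the example.

```python
import logging
import re

# Constructed, illustrative patterns: a real deployment would tune these.
SENSITIVE_PATTERNS = [
    # key=value or key: value with a common secret name; keep the separator, mask the value
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)\S+"), r"\1\2*****"),
    # US SSN written as 123-45-6789
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "***-**-****"),
]


def mask_sensitive(text: str) -> str:
    """Replace anything matching a sensitive pattern with a fixed mask."""
    for pattern, replacement in SENSITIVE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecurityFilter(logging.Filter):
    """Tag every record with a classification and redact sensitive data.

    Classification is supplied per call via extra={"classification": "..."};
    records without one get the default. Redactions are counted so the
    number of accidental leaks can be monitored as a metric.
    """

    def __init__(self, default_classification: str = "public"):
        super().__init__()
        self.default = default_classification
        self.redacted_count = 0

    def filter(self, record: logging.LogRecord) -> bool:
        if not hasattr(record, "classification"):
            record.classification = self.default
        message = record.getMessage()          # apply %-args before inspecting
        cleaned = mask_sensitive(message)
        if cleaned != message:
            self.redacted_count += 1
            record.msg = cleaned               # store the masked text
            record.args = ()                   # args already consumed
        return True                            # never drop the record, only sanitise it


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "security-demo"):
    """Wire a logger with the security filter and an in-memory handler."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s [%(classification)s] %(message)s"))
    sec_filter = SecurityFilter()
    logger.addFilter(sec_filter)               # applies to every handler on this logger
    logger.addHandler(handler)
    return logger, handler, sec_filter


def demo():
    """Log three constructed messages: one clean, one with a password, one with an SSN."""
    logger, handler, sec_filter = build_logger()
    logger.info("User %s logged in", "alice")
    logger.info("Login attempt with password=hunter2 for %s", "bob")
    logger.warning("Customer SSN 123-45-6789 rejected", extra={"classification": "confidential"})
    return handler.lines, sec_filter.redacted_count


if __name__ == "__main__":
    lines, count = demo()
    print("\n".join(lines))
    print("redactions:", count)
```

The filter sanitises rather than drops records, so the surrounding context (who, when, what failed) survives for incident response while the secret itself never reaches disk; the redaction counter is the kind of signal worth graphing, because a jump in it usually means a new code path started logging something it should not.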
What is it? Ongoing project to build a flying robot.
Benefits? Build a 100+ mph (158+ km/h) multi-rotor flying aircraft from scratch. Fly this high-speed carbon fiber aircraft beyond line of sight using a video system that transmits to VR goggles worn by the remote pilot. Two builds are provided, a hexcopter and a quadcopter. Follow me on my adventures and learn about the systems and principles of fly-by-wire technology and robots. Advanced project.
Future Thoughts? With the basic aircraft complete, I plan to focus on building a microwave ground station in a backpack. The man-packable ground station uses larger batteries, dual receivers, and high-gain antennas to improve video reception.
Links: DIY Drone Bootcamp Learning to Fly, DIY Drone Bootcamp Build Log, Drone Flight Training Continues, Drone Flight Training Continues 3, Drone Flight Training Continues 4, ZMR250 Quad Racing Drone Build Log
What is it? SSL/TLS DAST tool.
Benefits? Open source Java source code and binaries to introspect an SSL/TLS connection and identify weaknesses. Works like a web browser: type in an HTTPS URL, point and click. Enumerate the server's cipher suites to spot weaknesses, display site certificate information, CA trust chains, HTTP/S headers, DNS information, and more. When you're done, save scan reports to ASCII files for offline viewing. Alternatively, run headless from the command line and script your stairway to heaven.
Future Thoughts? I am considering including some support for Certificate Transparency. I also like the idea of including support for flagging certificates that are about to expire.
Links: Public source code and binaries in GitHub, background and screenshots of GUI and command line.
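Two of the checks mentioned above, spotting weak cipher suites in the server's offered list and flagging certificates that are about to expire, are small enough to show end to end. The following is an added Python example, not the tool's own Java code: it runs offline over a constructed scan result shaped like what Python's ssl module reports (OpenSSL suite names and the notAfter string format of getpeercert()). The WEAK_MARKERS list, the 30-day threshold and the sample certificate and suite list are assumptions for the example.

```python
import ssl
from datetime import datetime, timezone

# Substrings in OpenSSL/IANA suite names that mark a broken or export-grade suite.
# Illustrative, not exhaustive. "DES" deliberately also catches 3DES (DES-CBC3) suites.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")


def weak_markers(suite: str) -> list:
    """Return the weakness markers found in a cipher suite name (empty list if none)."""
    upper = suite.upper()
    return [m for m in WEAK_MARKERS if m in upper]


def days_until_expiry(not_after: str, now: datetime = None) -> int:
    """Days left on a certificate; not_after uses the notAfter format of
    ssl.SSLSocket.getpeercert(), e.g. 'Dec 31 23:59:59 2015 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def assess(scan: dict, now: datetime = None, warn_days: int = 30) -> dict:
    """Summarise one scan: which offered suites are weak and whether the leaf
    certificate expires within warn_days."""
    weak = {s: weak_markers(s) for s in scan["cipher_suites"] if weak_markers(s)}
    days = days_until_expiry(scan["cert"]["notAfter"], now)
    return {
        "subject": scan["cert"]["subject"],
        "weak_suites": weak,
        "days_until_expiry": days,
        "expiring_soon": days <= warn_days,
    }


# Constructed sample scan; every value here is made up for the example.
SAMPLE_SCAN = {
    "cert": {
        "subject": ((("commonName", "www.example.test"),),),
        "notAfter": "Dec 31 23:59:59 2015 GMT",
    },
    "cipher_suites": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "RC4-SHA",
        "DES-CBC3-SHA",
        "EXP-RC4-MD5",
        "NULL-SHA",
    ],
}


def demo_report(now: datetime = None) -> dict:
    """Assess the constructed scan as of a fixed (constructed) date, 20 Dec 2015."""
    return assess(SAMPLE_SCAN, now=now or datetime(2015, 12, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    report = demo_report()
    print("Subject:", report["subject"])
    print("Days until expiry:", report["days_until_expiry"],
          "(expiring soon)" if report["expiring_soon"] else "")
    for suite, markers in report["weak_suites"].items():
        print("WEAK", suite, "->", ", ".join(markers))
```

Passing `now` explicitly is what makes the expiry check reproducible in a test or a scheduled report; in a live scan you would feed `assess()` the dictionary from `getpeercert()` and the suite names collected during enumeration, and page on `expiring_soon` well before the certificate actually lapses.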
The Case of Symantec’s Mysterious Digital Certificates, Symantec certificate flap. The story of a certificate authority too big to fail.
Java Security Track Highlights by Yolande Poirier and David Lopez
HTTPS Party at Blogspot, Google includes HTTPS support for the default domain. No support offered for custom domains.
Webdriver Torso, super strange videos.
Pathological Security, if a model for constructing towns and buildings is helpful for software design patterns, then why not apply it to security?
The Future of Software Security? Ever seen a TV advertisement for prescription drugs in the United States? Essentially, 45-second rants on every negative effect known, with no discussion of intended purpose or patient benefits. Are you confused? Americans are too. I tried to imagine how this technique could be applied to security.
Application Security Complaint Department, a special behind-the-scenes look. A friend passed this along since it says “Milton” on the desk. I have no idea where this photo comes from. It’s not mine but funny.
My DEFCON 23 T-Shirt, the front and back of my t-shirt I made for DEFCON 23. CustomInk is so cool.
Hacked Meme, is my frustration at the card industry and retailers around their response to mass customer exploitation. Often retailers offer identity theft protection as a remedy for a period after the incident. The problem with this approach is that it does not address the customers' real concern: prevention. Retailers give no idea of what went wrong or even why customers should trust them again.
Application Security Meme, the point here is that many people make judgement calls on security who should be consulting a professional. A business leader who “thinks” they understand security can destroy a security program before it even begins. If you can’t afford a professional, perhaps you can find some free advice or work a deal to get some ideas for future positive directions. Be a detective, find a pro on OWASP, and message them on LinkedIn. Sure, we all need to eat, but almost all my friends don’t mind answering a free question or two to see someone’s project move in a positive direction. Security professionals are like doctors in the sense that we are cyber health professionals and promote application health for the betterment of society.