Jardine Software

by

Reducing Phishing Risks with Office 2016

Social engineering, in this case phishing, is a huge concern for all organizations. The enterprise spends a lot of time and money implementing technical controls such as firewalls, IDS, and IPS, to combat security concerns. Yet phishing and other social engineering tactics are like water. They have the ability to work through any fracture or unsealed section of the controls.

Office documents with macros are a popular technique for attackers to use to infect an employee’s computer. You know the scenario:

  • Employee receives email with word document attached
  • Email is interesting or enticing enough for the employee to open the attachment
  • Employee enables macros to view the document
  • The macro installs malware on the system

Most recently we have been seeing a lot of ransomware being distributed which will encrypt files and only provide a decryption key when you pay some pre-determined fee. Of course, you can typically recover from backups, if you have them. Now is a good time to make sure the backups are working properly, just in case.

Microsoft has added a new feature to Office 2016 to help prevent employees from running the macros in certain scenarios. The simple idea is that if the document comes from the Internet, via email from outside the company domain, or public shares, Word will disable or make it much more difficult to enable the Macros. This is configurable via GPO.

For the full story on how this works, check out Microsoft’s blog post about the feature https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/.

It is great to see features like this added to products. While this does not close every attack vector out there, it helps reduce the risk of a very popular one. Every little bit counts and this is a step in the right direction. If you are using Office 2016, it is a good idea to look into this feature.

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Webcast: Introduction to Penetration Testing for Application Teams

In most organizations it is the security team that initiates and manages the penetration tests. The application teams are called upon to ensure that an environment is available, credentials are created, and to remedy any findings in the report. Many application teams don’t even get the full report, rather just a listing of the findings. This listing often doesn’t include the needed details.

In this presentation, James Jardine focuses on educating application teams on what a penetration test is and how to extract the most value from it. Application teams learn how to participate in the engagement and better understand the report.

You can watch the recorded session at any time at: https://youtu.be/I1PukF8Glh0

https://youtu.be/I1PukF8Glh0

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Getting More Value from a Penetration Test

Penetration testing is one of the most common ways for companies to measure their current state of security. Even companies or applications that do not require a penetration test for regulatory reasons rely on them to measure their success or failure. The intent is to hire someone to hack your network or application like “the bad guys” would, and then receive a report indicating weaknesses in the system.

There are multiple ways to measure the value one receives from a penetration test.

  • The results, or at least a summary of the assessment, can be provided to clients, vendors, or other 3rd party entities. This is typically done to attest that the company is meeting industry standards when it comes to security. Of course, this view is only from an attack perspective, and doesn’t identify actual security operations within the organization. It is a primal indicator to determine if you are susceptible to security weaknesses that could lead to a breach. This type of testing is often required by these outside entities.
  • The results are used internally to help measure the security stance of the organization or application. It is a chance to get verification whether or not the controls put in place are actually effective. It allows the testing of auditing and monitoring controls in real time. It creates a way to determine if patches are applied to the right resources. It helps validate what we should already know. It also helps identify possible items that are not known.
  • The results are actionable. The findings can be handed to a developer or administrator to be remediated. This creates the ability to reduce the known risk.

Organizations put a lot of focus on remediating the exact penetration test results. Unfortunately, this leads to a false sense of security. To understand why, you must understand how penetration test reports are consumed. The most important thing to keep in mind is that a penetration test is typically not focused on finding every vulnerability. It isn’t even focused on finding all instances of a specific vulnerability. The focus is identifying weaknesses and risks that are available and determining how much access those items may lead to.

Listen to the podcast of this topic

There are two pieces to a penetration test finding.

  • The finding – This is the high level identification of a classification of vulnerability. Cross Site Scripting or SQL injection are common examples of a finding.
  • The instance – This is an example of the finding. There can be multiple instances per finding in the report. Cross Site Scripting on the search results page is an example of an instance of the Cross Site Scripting finding.

Due to the nature of a penetration test, remediating the instances provided falls short from a security perspective. Organizations spend so much effort focusing on the wrong information. Rather than focus on the finding, the focus is typically on each instance of a finding. Let’s look at an example.

A penetration test identifies cross-site scripting in the final report. That finding has 2 instances drawn out. The first instance is on the profile page and the second instance is on the documents page.

When the report is provided it is common to see the organization focus on the instances. In the example above, a developer would be assigned to resolve those two instances of cross-site scripting and the finding would be considered closed. By remediating those two items are you sure the issue is really closed? Remember, the goal of the penetration test is not to identify every instance, but to identify the different risks.

Rather than focusing on the instances, it is important to start focusing on the actual finding. Using the same example from above, the organization should create a task to identify why they have cross-site scripting issues within the application and then how they want to proceed to remediate them.

This involves:

  • Identifying and understanding the flaw (May indicate needed training)
  • Understanding how the application is developed
  • Identifying how it should be coded securely
  • Going through the application identifying these items to resolve it application wide

By actually analyzing the flaw itself, a much larger impact can be made to the application. Working just the instances identified in the report is like trying to plug randomly identified holes in a sinking ship. Sure, it resolves that one issue, but what is happening with those holes you don’t see letting water in.

If a quick inspection of a ship identified a crack or issue in one location, wouldn’t you want to inspect the rest of the ship making sure that issue isn’t somewhere else?

Penetration tests provide different values, but it is time that the true potential is realized. Don’t stop at just trying to remediate the instances in the penetration test, start looking to enhance your overall security by analyzing the findings.

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Introducing the Security Learning Opportunity (SLO)

We are happy to announce the release of the Security Learning Opportunity (SLO) template. SLO is a free template that helps application teams continue their security education through the use of security related items identified within the business applications.

Benefits

  • Relevant to the business – Identifying issues that relate directly to the business, or a business application helps the team understand the impact of the issue. Typical training uses purposely vulnerable applications or examples from other companies for reference.
  • Continuous education – Training needs to be re-enforced throughout the year. SLO provides an opportunity to participate in small learning sessions over time in addition to what resources may get through a 2-4 day class held annually.
  • Effective use of time – SLO is designed to be a short task, allowing the application team to focus more time on building great applications.

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

SLO helps organizations share the information that typically gets handled by one or two developers. Often times, when a vulnerability is discovered, it is handed to one developer to fix. Unfortunately, the other developers are never made aware, leading to a continuation of creating the same issues going forward. The SLO hopes to help solve that issue. The developer, or other team member, can fill out the template and then easily share the results with the rest of the team. This is great if the remediation should be done consistently within the applications.

For example, you find CSRF and decide on a specific way to mitigate it. You will want all of the developers to understand how this mitigation works and how to implement it going forward. If only one developer looks at the issue, resolves it, and moves on, it leaves all the other developers in the dark. It also helps testers and other team members understand the significance of the issue and ways to identify it.

SLO is designed to require only a short amount of time and is composed of 2 phases.

Phase 1: Identification and Analysis (Est. 30 minutes)

During the first phase, a team member will identify a security issue that makes sense to share with others. Don’t get caught up trying to create a SLO for every security issue identified. The trick is to identify things that can be shared on a mass scale and provide value to the other team members. Once an issue is identified, some analysis is performed to determine the following items:

  • Description of the issue
  • Risk the issue presents
  • How to identify/test for it
  • Remediation

It is estimated that it should take around 30 minutes to complete the identification and analysis phase of the project.

Phase 2: Sharing the Information

The real value of the SLO is realized when the information captured is shared with the team. There are multiple opportunities to share the information.

  • With the group during dev meeting or stand up
  • Share via email or internal collaboration site
  • Include as part of yearly or other security training classes

Sharing the information can be anywhere from 5-30 minutes, depending on the issue identified.

Download It Now

You can get SLO from https://www.developsec.com/wp-content/uploads/2016/02/SLO.docx

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

by

Welcome to Jardine Software

Welcome to our home!

I get asked a lot why a company that focuses on application security is named Jardine Software. It feels more like a development house than a security oriented company.

I started Jardine Software back in 2002, when I was in fact focused 100% on software development. Over the years I became interested and focused on application security. I was in the weeds creating applications and could see the struggles that were there in regards to secure application development.

After spending time focusing just on security consulting I realized that there had to be a better way to help organizations adopt application security programs. Using both the development and security backgrounds provides an advantage over other firms that don’t have the experience.

I have spent a decade building the Jardine Software name and believe it makes collaboration easier with development teams. Having a similar background in development helps relate to the teams and remove any contention.

A few years ago I also started DevelopSec (https://www.developsec.com) which provides resources and a podcast aimed at the application teams. It is a way to provide security information to the people that need it the most: the ones that actually write the code, design the apps, and do quality testing.

I encourage you to look around on the site and ask questions. We are here to help you better understand your organizations application security posture and make it better. We are not your typical security consulting company. Contact as now to find out how we can help you out.

James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on twitter.

Company Profile

Jardine Software Inc. was founded in 2002. Originally focused on software development, we now focus on helping development teams and … Read More...

Resources

Podcasts
DevelopSec
Down the Security Rabbithole (#DTSR)

Blogs
DevelopSec
Jardine Software

Engage With Us

Contact Us

Jardine Software Inc.
Email: james@jardinesoftware.com



Privacy Policy