Who assesses your security configuration management practices?

In follow-up to “Security Misconfiguration is the #5 risk in 2017.”

Are assessments an internal process? Do you rely on auditors (often an adversarial experience for staff)? Do you rely on pentests and vulnerability scans (often limited in scope)? Or do you wait for the post-mortem after an event occurs?

If these options seem lacking, perhaps it’s time to consider adding a 3rd party assessment to your security program.  A few of the benefits include:

  • reduced burden on the Security Operations team.
  • fresh perspectives and insights.
  • assistance preparing for audits.
  • determination of whether the scope of pentests and vulnerability scans is appropriate and adequate.
  • evaluation of security configuration management practices.  If needed, coaching (or assistance) in establishing configuration management.
  • an SOW that’s right for you and the current needs of your organization, not driven by the agenda of an auditor or a product vendor.

Even if your organization is not bound by regulations requiring specific security measures or audits, you may want to be proactive about your organization’s security health for more fundamental reasons.

Good security practices have numerous benefits:

  • fewer work errors and better quality control.
  • fewer occasions of unplanned down time.
  • better confidence in ability to handle exceptions quickly and efficiently.
  • better understanding of business relationships, dependencies, and trust decisions.
  • better understanding of roles and responsibilities.
  • better cost controls of the products and services purchased by your organization.

As you can see, good security practices can achieve much more than audit compliance.

Is your security program achieving its potential?

Security Misconfiguration is the #5 risk in 2017.

The latest “OWASP Top 10” lists “Security Misconfiguration” as the #5 security risk in 2017. Does your organization review its security configurations? Do you validate and test them? Does your organization practice configuration management?

Being agile, it’s not that complicated.

Some of the conversations I’ve been drawn into about Agile have been nothing short of mind-numbingly overcomplicated.  The Manifesto for Agile Software Development and the Twelve Principles of Agile Software are actually quite straightforward.
The manifesto only contains 62 words (354 characters).  The principles are described with 180 words (1,081 characters).
Yet, Amazon.com currently offers 4,521 books on “agile”.
If you really feel the need to read (or promote) a book about being agile… read “Corps Business: The 30 Management Principles of the U.S. Marines”.


According to the “Scrum Alliance: Certified Agile Leadership Program”, an Agile Leader:

  – Operates effectively amid uncertainty, complexity, and rapid change
  – Is knowledgeable about Agile values, approaches, and practices
  – Surfaces more creative solutions through increased self-awareness, a growth mindset, and engaging others
  – Aligns and empowers teams toward delivering more customer value
  – Personally integrates feedback and experiments, and adapts their ways
  – Takes a collaborative continuous-improvement approach to organizational effectiveness
  – Catalyzes change in others and facilitates organizational change

Um… yeah… just give me a couple of Marine Privates and stand back.  I’ll take someone who’s earned their Eagle, Globe, and Anchor over a certificate of attendance, any day.

Still seeking a robust Bento replacement.

Still seeking a robust Bento replacement.  It’s been five years since the last update (Mar 16, 2011) and about two and a half years since it was discontinued (Sept 30, 2013).  And yet, two things still surprise me.  (1) There still isn’t a feature complete replacement product, and (2) I’m still using Bento.  It still works.

The short list of leading Bento replacements: 1Password, HanDBase, or TapForms.

* as of 2016-01-25, FileMaker would still be a >$350 buy in, require dev work, incur heavy “ease of use” penalties, and still leave me exposed to the poor Apple-FileMaker long term risks.

2016-01-25: tried/purchased 1Password and was left frustrated by missing features.

The 2nd worst of all is: any “schema” changes are only “per record”… i.e., adding a field only adds it to the record currently being edited… it doesn’t change the underlying table structure… because… they don’t have an underlying table structure… they don’t have a record/table/db schema… each record is just a bag of bits.

The #1 worst problem is: after customizing the fields for a record, and trying to export the record, the result is nearly gibberish.  It would be very labor intensive to create my preferred “schema” in 1Password and then subsequently export/migrate to even a basic spreadsheet.

2016-01-25: evaluated TapForms and elected not to purchase those apps.

The Mac app is $34.99, 13.4MB.

The iPad app is $8.99, 29.9MB.

The iPhone app is $8.99, 32MB.

From the support forum, the developer has been responding to “wifi-sync” requests, with “it’s four or five months away”… but he’s been saying that for a year.  Until he gets that option figured out, TF is a non-starter.

2015-03-01, really need to find a replacement before the Bento apps quit working altogether.

Must-have features: wifi sync, iPad forms.

1Password is iOS universal, HB and TF are not.

The HanDBase folks are leaving basic features, like form design, out of the Mac app.

** 2015-10-10, HDB pulled out of the Mac App Store over some little bitchy thing earlier this year.

1Password has too many integration points with too many things; it’s a high risk product in the long term.

** 2015-10-10, 1P began requiring iOS 9 less than a week after Apple released the new OS. No backwards compatibility at all!

TapForms may become the de facto choice at some point… but I’ll wait a bit longer (Bento is still working today).

** 2015-10-10, TF is only syncing thru iCloud or DropBox (not an option for secure content).

2015-10-10, still looks like a DIY custom app is my best option…

Delete individual items from OS X 10.11 El Capitan “Messages 9.0” app.

To delete individual items from the OS X 10.11 El Capitan “Messages 9.0” app.   *This is for deleting specific messages within a conversation thread.  If the same Messages/iMessage account is active on multiple MacBooks, this will likely only delete the items on the specific MacBook where you do this (i.e., it doesn’t auto-delete the items from all connected devices).

  1. press and hold the command key
  2. click each of the individual messages to delete from a conversation.
  3. use the delete key.

It’s easy once you know the option is there, but it’s not obvious.


To delete individual items from a Messages conversation in iOS 9

  1. press and hold a finger on one of the items to be deleted.
  2. look for the ” Copy | More… ” popup to appear.
  3. tap “More…”, now the selected message will get a checkmark and an option to delete.
    • if there are multiple items in the conversation, each will now have a circle which can be checked (tapped) to select for deletion.
  4. tap the circles to select any additional messages to be deleted.
  5. tap “Delete All” at the top left of the screen.

*This doesn’t delete message items from other devices.  Nor does it remove/retract sent items from recipients.

quirky things you can learn from having a blog

Yes, this is self indulgent, but I’m doing it anyway.  Why? Because this is kind of interesting to me… and maybe I’ll take a similar look in another few years and see if any of it changes.


Well, not sure these really count as things I’ve learned from having a blog.  More like some things I can wonder about, some things I can guess at, and some things that are obvious.

  1. it appears a lot of people are still using OS X Mountain Lion.  And that a lot of people are still having problems with its DNS cache.
    • suggestion:  try a system update folks.  at least get the security updates, there are recent ones available from 2015.
  2. folks from the Bahamas, Jamaica, and the Cayman Islands don’t spend a lot of time reading obscure blogs.
    • I’m going to assume they’ve found better things to do.
    • If I were there, I would have joined them rather than write this.  🙂
  3. folks from Russia are not real big on Apple products.
    • not really a surprise, given Moscow’s approach to most foreign corporations.
  4. my blog consistently gets two to three times the traffic from Germany (population 80 million) than from India (population 1.2 billion).  In fact…
    • German traffic has been one of my top five country sources since starting this blog.
    • and, German traffic has been higher than almost all other “non english speaking” country sources combined.  I know Germany has very high english literacy, but the stats are still interesting.
  5. some posts about managing Apple IDs have actually seen traffic double over the same time the rest of my traffic has dropped off.
    • although aging, those posts are accounting for a very significant portion of my traffic, and the stats keep increasing.
    • in addition to views/visits, I’m getting a lot of search hits and click throughs on those posts.
    • feels like a lot of people are getting frustrated with Apple’s haphazard way of managing IDs across Apple services, stores, devices, and applications.
    • wonder how much traction I’d get if I did an updated series including descriptions/guides to how all of the wacky two-factor-authentication variations currently work.  Actually, I don’t think I could… unless I enlist some additional people.  Some (er, many) of the Apple ID Authentication scenarios vary based on hardware and iOS version, and cannot be recreated in the Xcode simulator.
  6. Big surprise ( /sarcasm ), Google really dominates search.
  7. Web Crawlers generate so much comment spam that I thought they would account for a lot of views/visits… but not so much… actually a minuscule amount of traffic.
  8. Apparently VMware and Excel spreadsheets are both quite popular.  Fortunately, VMware related traffic edged out the Excel related traffic.  LOL.
    • Unfortunately, Excel edged out serious security topics.
  9. Wow, if I’d enabled Apple App Store bounty links (kinda like Amazon referral links), I could have reaped, hmm… carry the three… I could have reaped about $0.03 in referral bounties this summer.  LOL.
  10. Cross posting (WordPress Sharing) to Twitter yields dramatically more blog views than Facebook, LinkedIn, or Google+.
    • Twitter yielded more than the other three combined.
    • That one surprised me a bit; but then I’ve never really gotten into the twitter client usage.  I usually bail out and go back to information sources which use sentences and paragraphs. ( /snark )
  11. Overall, most of my posts are literally just notes on how I performed some specific technical task.  Occasionally I take notes (which don’t contain any customer proprietary information) and post them in case I might need to refer back to that sequence again six or eighteen months later.
    • those HowTo / InstallConfig notes account for more than 95% of my views and visits.
    • I’ll pretend everyone found those notes really helpful.
  12. A couple of my posts with the best traffic were closer to being long form articles.  Despite being very heavy in dry technical topics, the traffic and comments were quite positive.
  13. Fortunately, on my blog at least, a mention of laser beams beat out a mention of YouTube.  There is hope for humanity after all.  LOL.

Well, that was an interesting review.  I’ve accumulated hundreds of notes on various design, development, testing, installation, configuration, and maintenance issues.  It appears that it would be worthwhile to sort thru and find a few dozen relevant items for posting.  Queue things to do on the eleventh snow day.

T-Mobile Binge On free video streaming? How about free system, security, and app updates?

Free video?  I’ll be impressed when a carrier enables free system, security, and application updates for all devices connecting to their network.


Ok.  I get why people are going to think the T-Mobile “free” Binge On video streaming is great.

But, do you know what would be really good for users?

Free OS and App updates over mobile data plans.  Yes.  Really.

Show me a carrier with a data plan that doesn’t burn your quota against downloads and updates from the app stores out there.  A good beginning would include the mobile app stores from Google, Apple, Motorola, Samsung, Microsoft, Blackberry.  When fully deployed, this should extend to any and all devices connected to a mobile hotspot.

The top carriers already have the kind of infrastructure needed to build this.  It would be easy compared to T-Mobile’s streaming video solution.  By combining “CDN” infrastructure with “QoS/MPLS” traffic management features, carriers could allow app stores to deliver device updates in the background at a lower priority than other data streams. Carriers and app store operators would both be able to shift most of the update traffic to non-peak network times, thereby avoiding the need for additional network capacity (at least in most areas outside of LA and NY).

The carriers stand to gain enormously from the increasing number of connected devices entering the market.  And if the “Internet of Things” (IoT) is to really get off the ground with even a mediocre chance of remaining secure and reliable, then carrier provisions for free OS and security updates should be considered a core requirement.

As for our typical cell phone and tablet usages… here’s a common situation, and an alternative.

scenario one (the status quo):

CUSTOMER:  my phone doesn’t work right, it’s acting weird.

CARRIER REP:  have you updated it?

CUSTOMER:  uhm, how?

CARRIER REP:  uhm, ?  (mutters a lot of gibberish)

scenario two (carrier’s mobile data allows free updates): 

CUSTOMER:  my phone doesn’t work right, it’s acting weird.

CARRIER REP:  have you updated it?

CUSTOMER:  uhm, how?

CARRIER REP:  Uhm, turn it on, and let it connect to the network, and click ok when it offers to update your software.


Given that many people and organizations have strong concerns about the security and reliability of the networks they allow their devices to connect with… the carrier who implements a strong solution for system updates, security updates, and app updates is going to have a substantial advantage over those who continue to pretend they have no customer-facing responsibilities for this issue.

Apple App Store problems – expired app certificates are causing installed purchases to break.

As described by AppleInsider today (2015 November 12), the Apple App Store is creating problems for users due to expired app certificates.

I unknowingly encountered this yesterday (2015 November 11).  While opening Bento, I was prompted to authenticate with the App Store with a message that “this app was purchased on a different computer.”

Today, I’ve received the “this app is broken or damaged” message when trying to open BBEdit, Coda, and Sketchbook Pro.

Although the error messages were different, each of these apps has one thing in common.  They are older apps which are no longer available for purchase on the App Store.  Yes, I can “re-download” them from my purchase history… but this does increase my concern about how Apple treats past purchases of apps which are no longer sold or updated by their developers.

An additional annoyance… I’m currently traveling, so re-downloading these apps requires tethering the macbook to a wireless hotspot or phone and consuming a data service which is currently costing $10/GB.

This is not the first time Apple users have experienced problems due to app certificate expirations.  Until Apple solves this problem, this issue should raise concerns for anyone needing long term reliability from their software purchases.  What happens to users and businesses when the next batch of affected apps include password keepers, electronic healthcare apps, or the app which unlocks your home security system?

Hydrologic Sensor Engineering

Many improvements in remote sensing are available, but not quite ready for the Internet of Things (IoT). Data availability and data privacy aren’t big obstacles. But, for data integrity, we still need solutions for issuing and managing digital signing keys for remote sensors.
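To make the integrity point concrete, here is an added example (not code from this post or from any sensor product) of the minimum a data collector needs: each sensor is issued an Ed25519 keypair at provisioning, the collector keeps a registry of sensor id → public key, and every reading is verified against the key issued to the id it claims. The reading format, the sensor ids (`gauge-01`, `gauge-99`) and the sample values are constructed for the example; the point it shows is that without the registry (the key-issuance and management piece the post says is still missing), a valid signature alone proves nothing about which sensor produced the data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Reading is one sample reported by a remote hydrologic sensor (constructed format, not a real protocol).
type Reading struct {
	SensorID  string  `json:"sensor_id"`
	Timestamp int64   `json:"ts"`
	LevelCM   float64 `json:"level_cm"`
}

// SignedReading pairs a reading with the sensor's Ed25519 signature over its canonical encoding.
type SignedReading struct {
	Reading   Reading
	Signature []byte
}

// Registry records which public key was issued to which sensor at provisioning time.
// This is the key-management piece: the collector trusts only keys it issued.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownSensor = errors.New("no key has been issued for this sensor id")
	ErrBadSignature  = errors.New("signature does not match the reading")
)

// canonical encodes a reading deterministically so signer and verifier sign/verify identical bytes.
// json.Marshal of a fixed struct is deterministic in Go; a deployed protocol would pin an explicit encoding.
func canonical(r Reading) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	return b
}

// Provision generates a keypair for a sensor, returns the private half for the device,
// and records the public half in the registry.
func Provision(reg Registry, sensorID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[sensorID] = pub
	return priv, nil
}

// Sign is what the sensor does before transmitting a reading.
func Sign(priv ed25519.PrivateKey, r Reading) SignedReading {
	return SignedReading{Reading: r, Signature: ed25519.Sign(priv, canonical(r))}
}

// Verify is what the collector does on receipt: look up the key issued to the claimed
// sensor id, then check the signature. An unknown id is rejected before any crypto runs.
func (reg Registry) Verify(sr SignedReading) error {
	pub, ok := reg[sr.Reading.SensorID]
	if !ok {
		return ErrUnknownSensor
	}
	if !ed25519.Verify(pub, canonical(sr.Reading), sr.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo exercises the three cases a collector must distinguish and returns each verification result:
// a genuine reading, a reading altered in transit, and a reading from a sensor that was never provisioned.
func Demo() (genuine, tampered, unknown error) {
	reg := Registry{}
	priv, err := Provision(reg, "gauge-01")
	if err != nil {
		return err, err, err
	}
	sample := Reading{SensorID: "gauge-01", Timestamp: 1447286400, LevelCM: 312.5} // constructed sample
	sr := Sign(priv, sample)
	genuine = reg.Verify(sr)

	// Alter the reported water level after signing; the signature no longer covers the new value.
	altered := sr
	altered.Reading.LevelCM = 12.5
	tampered = reg.Verify(altered)

	// A device holding a perfectly valid key that was never issued through the registry.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := Sign(roguePriv, Reading{SensorID: "gauge-99", Timestamp: 1447286400, LevelCM: 5})
	unknown = reg.Verify(rogue)
	return genuine, tampered, unknown
}

func main() {
	g, t, u := Demo()
	fmt.Println("genuine reading:", g)
	fmt.Println("altered reading:", t)
	fmt.Println("unknown sensor:", u)
}
```

Everything hard about deploying this is outside the block: getting the private key onto the device and keeping it there, rotating it, and revoking it when a gauge is stolen or decommissioned. That lifecycle, rather than the signature math, is what the registry stands in for.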

Situations where JIRA doesn’t meet the needs of a project (JRA-846).

When evaluating tools like JIRA, HP ALM, or IBM Rational, it’s important to evaluate project needs vs product capabilities.  Obviously the costs of getting started with JIRA are much lower than some alternatives.  But sometimes, being penny-wise can result in being pound-foolish.

For a simple “MVC” type application with a limited set of components, it’s likely JIRA’s features will be adequate. Or project needs can be met with some minor customizations and/or plugins.

However, when managing ongoing development of systems which contain many levels of hierarchical components, the JIRA limitations may present significant obstacles.  For many years, there have been open feature requests regarding support for hierarchies.  As of March 4, 2014, JIRA’s response is that it will be another 12 months before they “fit this into their roadmap”.

Jira JRA-846 Support for subcomponents

For large distributed systems, with complex dependencies, this presents a significant challenge.

While setting up a new JIRA/Atlassian environment for a solution comprised of 8 major applications, I’ve found that it is not possible to create a hierarchy of subcomponents.  Nor is it possible to establish versioning for those subcomponents.  Instead, the JIRA data model and workflows are designed for all components of a project to exist as a flat list.  And for all components to be on the same version / release cycle.

For our solution, many of the major applications start with a commercial product, incorporate multiple modules, integrate an SDK, integrate 3rd Party plugins, and finish with custom coding of multiple subcomponents.  The design pattern is to establish interface boundaries, decouple the components, and enable components to be updated independently (some people call this SOA).

Now I’m getting a clearer picture of when it is time to consider alternatives such as HP ALM or IBM Rational.  In the past, I’ve encountered several very successful JIRA implementations.  And I’ve encountered a number of failures.

Comparing my current experience of setting up a new “systems development” project in JIRA with those past experiences, now I understand the tipping point was a matter of component complexity.  JIRA’s architecture needs to be changed such that components can be containers for other objects, and can be versioned independently.  There are elegant/simple ways to introduce a data model which supports this, but it will likely require them to refactor most (if not all) of their application stack.  Given their success with smaller projects, it’s easy to understand their business decision to defer these feature requests.

JIRA continues to recommend workarounds, and several 3rd party plugins attempt to address the gap.  Unfortunately, each of these workarounds is dependent upon the product’s internal data model and workflows.  JIRA themselves have discontinued development of features which support one of their suggested workarounds.  And some 3rd party plugins have stopped development, most likely due to difficulties staying in sync with internal JIRA dependencies.

It can take six months to two years to get an HP ALM or IBM Rational solution running smoothly, and there are ongoing costs of operational support and training new developers.  However, there are use cases which justify those higher costs of doing business.

It’s unfortunate my current project will have to make do with creative workarounds.  But it has provided me an opportunity to better understand how these tools compare, and where the boundaries are for considering one versus the other.