As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.

Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.

• Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
• No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofar Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive (if it's not explicitly allowed, then it's not allowed) web application security model. They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
• Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that really leverage web technologies, kind of. Most took advantage of weaknesses in the web application, as opposed to actually security flaws. And to see some of the real simple stuff (like having press releases accessible before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that company's should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.

And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.

Good Morning:
When was the last time you used a pay phone? For me it was a LONG time ago. I'm not sure why I thought about that, but sometimes entire industries just go away and we hardly notice. Pay phones were a very big business for the phone companies many years ago. I remember having my trusty phone card always by my side and finding those germ-ridden phone boxes wherever I could to check in.

Yes, this was before cell phones became ubiquitous and Blackberry's made 24 hour connectivity not only possible, but connected. This is why I always tell everyone to question everything. I'm sure the phone executives didn't figure their cash cow pay phone business would just go away. Even early in the cell phone revolution. I still used my calling card in hotels because the cell phone was too expensive to use all the time. Now, not so much.

So what can kill your business? What will you do if your main cash cow just goes away? If you work for a big business, these questions may not be that relevant (since I doubt a company like GE is going away, even if a portion of their businesses), but if you work for a small business - it certainly is relevant. I see this every day. Companies that were great businesses are rendered obsolete. And the businesspeople either adapt or they die.

Darwin would be proud. He was right. Have a great day.

Incite #7: The SDLC is your friend

As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find its sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).

Read the original Days of Incite post on this topic.

6-month grade: C

I curse the PCI 6.6 clarification. Ugh. It was that one little clause of either WAF or code reviews/SDLC to be compliant with 6.6 that torpedoed this Incite. Fact is, I've written a lot about the fact that most organizations will opt for the path of least resistance, and that usually means a box - as opposed to a process change. And a WAF is a box, and an SDLC is a process change. Guess which one wins, when deemed reasonably equal in the eyes of the assessor?

Now has their been a lot of innovation in the WAF space? Not really. But who cares. It's the path of least resistance for many trying to outrun the specter of PCI - so it's not only have WAFs found their sea legs, but you are seeing integration with web app scanning and other parts of the eco-system. By the way, if being wrong about an Incite means things are moving forward - then I'm cool with it.

But what about secure development practices? What about SDLC and code reviews and the like? Yep, they are still important and I think that implementing these concepts now will pay dividends for years down the road. And I also know it's hard and that many dev teams will be resistant to changing the way they do things. All I can say is to keep fighting the good fight and focus. 

One approach is to build up a grass roots effort by focusing on those apps that directly handle critical data. You aren't going to totally and fundamentally change things overnight. Nor should you. Some apps don't need to be overhauled, since they are either not exposed or they don't handle sensitive data. But for those that do, keep banging away. Yes you get a headache, and probably a callas on your forehead. 

If it was easy, everyone would be doing it.

Photo credit: "Path of Least Resistance" by kisses are a better fate than wisdom