SecuRisk Solutions today announced the release of their new podcast series entitled SharkTalk™ wherein cutting edge information security topics and issues are discussed with renowned authors, speakers, technologists, executives, contributors and pragmatists in the information security arena.
You can subscribe to these podcasts via iTunes or RSS.
For more information, please visit - Shark Talk with Mano Paul
Many major news carriers found it important to carry the news today that “Obama orders a 60-day cybersecurity review”. Some stated that “Cybersecurity is now one of the major national security problems facing the United States”, while in reality, it is actually a major INTERNATIONAL security problem facing the ENTIRE GLOBE (not just the United States). Other references were made to the need for the White House to
All of these are absolutely important and critical issues that cannot be ignored, but one major issue missing in these is the PEOPLE component of cybersecurity. As my whitepapers have repeatedly alluded to, People are the FIRST line of DEFENSE; technical security controls are rendered futile by people who are not aware of how to protect their own computing ecosystem.
I was privileged to be in the audience of the Commission on Cybersecurity for the 44th Presidency on the day (December 29) their report was released for public viewing, where the panelists - Rep. Jim Langevin (D. R.I), Rep. Michael McCaul (R. TX), Lt. General Harry D. Raduege Jr. (USAF, retd.), Deloitte & Touche, and Marcus Sachs, Verizon Communications - participated.
Highlights from the panel I captured are given below.
“It is Imperative as a nation that cybersecurity is taken into account seriously for the liveability of the nation. If not we have failed as a nation.”
From the press release it seems that President Obama is taking cybersecurity into account seriously. Only time will tell of the liveability of this nation and the world. It’s about time that cybersecurity was in the forefront.
Honestly, I don’t even know where to start. Succinctly, I must admit that the experiences in Algarve, Portugal and at the OWASP EU were varied, interesting, and a mixture of highs and hangovers from just a few hours of sleep each night (as some were working and preparing for talks and others were partying and some doing both :-)) to say the least.
Training at OWASP
It was a privilege to be one of the 80+ invitees to attend the OWASP EU Summit and deliver two training courses. One of them was Web Application Security for Executives and Managers and the other was The Art and Science of Threat Modeling.
Texas Representation
Arriving in Lisbon, I met Matt Tesauro, leader of the OWASP Live CD project and Nishi Kumar, graphics contributor for the OWASP LiveCD project.
The Pride of Texas - Mano “The Bull Rider” Paul
Need I say more - you be the judge of this …
On the bull for one minute and 20 seconds; 8 seconds is a joke … Enjoy the video by clicking on Media Showcase once the page loads.
Let’s just say that this was one of the highlights until …
Note: Voice of Tom Brennan, Marcin Wielgoszewski, Kuai Hinojosa and David Campbell (champion swimmer) in the back screaming - “hands in the air”, “I am getting this on video” and “ha ha ha ha ha …”
Payback will be sweet.
Sessions and Friends
Sessions I attended were in the following tracks - Education, Certification, SAMM, and OWASP Live CD - all of which had discussions (some heated) and were very productive in charting out the objectives, goals, scope and course for the coming years. Friendships were established that would last a lifetime.
All in all …
All in all - what can I say? Honestly, I don’t even know where to end. Succinctly put, I must admit that the experiences in Algarve, Portugal and at the OWASP EU were varied, interesting, and a mixture of highs and hangovers - a cornucopia of experiences - to say the least.
My keynote address on “Application Security Trends and Challenges” and the training session on “Advanced Threat Modeling” went well and a few friends have posted some comments about their experience.
Check it out.
http://armorize-cht.blogspot.com/2008/09/owasp-appsec_22.html
http://projectbee.org/blog/archive/owasp-appsec-conf-delhi-day-2-and-more/
http://projectbee.org/blog/archive/owasp-appsec-conf-delhi-day-1/
Representing (ISC)2, the global leader in security education and training as their Software Assurance Advisor, I will be delivering the keynote address on Application Security Trends and Challenges in OWASP India 2008.
If you plan to attend or you will be there, come by and say hello.
Dates - August 20th, 2008 @ 9:00 -10:00 a.m.
Venue - India Habitat Center, New Delhi
More Information, click here
What do you think Shakespeare had to say about Software Security? What does a naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bare Necessities of security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more …
The Road Less Travelled by renowned poet Robert Frost ends with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side.
At the Austin Open Web Application Security Project (OWASP) session on April 29th, 2008, I presented the following presentation that you can download by clicking on the link below.
Security Management (Managing Elephants)?
Sleep Swimming (Vigilant Software)
In the current day and age, the chief drivers for software development projects are meeting business requirements and deadlines. Security is generally an afterthought for software development projects. Incorporating security from inception is more cost effective. This session will address the various security controls and activities associated with each phase of the software development lifecycle (SDLC). The controls and activities include, but are not limited to, modeling use/abuse cases, threat modeling, security code review, security testing, etc.
I presented at the Texas Regional Infrastructure Security Conference (TRISC) on SD3LC - Secure By Design, Development and Deployment. You can download the presentation by clicking on the link below.

Integral - As part of the SDLC
SD3LC - Secure by Design, Development and Deployment
TRISC was held in San Antonio, Texas from April 21-23, 2008. The keynote session by Mary Ann Davidson (Oracle CSO) and Dan Korem’s workshop session on the Art of Profiling (from Rage of the Random Actor) were excellent. Getting to meet Woody (Elwood G. Norris), master inventor and technologist with 47 U.S. Patents and 100 others pending, was an honor. Another highlight of the event was meeting DefCon’s ‘Deviant’ Ollam, who gave a training on Lockpicking (Physical Security) through The Open Organisation Of Lockpickers (TOOOL), and learning how to pick a padlock using an aluminium can.
Robert Hansen’s (RSnake) talk on “Why I don’t use Web App Scanners, all the time” was a great talk and Doug Landoll’s case study on “Why Technology has Failed to Solve Security Problems” was rife with real world examples and extremely relatable. There were other great sessions by DenimGroup and Whitehat Security, and all of the sessions I could attend were informative and useful. In addition to the conference, it was Fiesta week honoring the memory of the heroes of the Alamo and the Battle of San Jacinto, and so the city was extremely festive and my family and I had a fantastic time in the city, especially the River Walk.
Excerpt from the official press release ( Jan 29, 2008 )
(ISC)²® (“ISC-squared”), the non-profit global leader in educating and certifying information security professionals throughout their careers, today announced the launch of a new online self-assessment tool known as studISCope (pronounced “study scope”). The tool aims to enable security staffs and individuals to assess their knowledge of the (ISC)² CBK®, a taxonomy of information security topics that serves as the foundation for all (ISC)² certifications.
“studISCope is beneficial to both certification candidates and employers,” said Eddie Zeitler, CISSP, executive director of (ISC)². “It helps candidates focus their study efforts more precisely and enhances their comfort level prior to sitting for the official certification exam.”
For more information, read the entire press release at https://www.isc2.org/PressReleaseDetails.aspx?id=1316
For more information about studISCope and current promotions go to https://www.isc2.org/studISCope
The CSI 2007 conference held in Arlington, VA from Nov 3-9 2007 was a blast. In addition to the conference sessions being very educational, it was a great networking event affording one the opportunity to network with the brightest minds in the industry apropos security. You can access the conference posting here.
I presented on Application Risk Modeling as an integral part of the SDLC (System or Software Development Life Cycle), introducing the Tic-Tive™ Risk Spectrum.
A preview of the presentation contents is given below.

Figure 1. The SecuRisk™ Methodology of Application Risk Modeling
Figure 2. The Tic-Tive™ Risk Spectrum. Where does your organization/company fall in this spectrum?
You can download the entire presentation by clicking on the link below.
Application Risk Modeling; An Integral Part of the SDLC - By Mano Paul
Session Abstract -
The methodology introduced in this session is designed to provide proactive risk analysis and modeling techniques for applications. It addresses obstacles experienced by security professionals due to lack of automation and objective risk modeling fundamentals. Attendees will understand how application risk management results in reducing overall risk within an enterprise and transferring risk to the appropriate business segment.
The Burton Group Catalyst Europe conference held in Barcelona from Oct 22-25, 2007 was a blast. The conference sessions were informative and very educational as always. You will need to have a Burton Group login to access the conference postings. In addition to the conference, the city of Barcelona is so beautiful that my family and I thoroughly enjoyed every minute there.
I presented on Stopping SQL Injection and Crossing over Cross-Site Scripting demonstrating the attacks and discussing the control measures. You can download the presentation by clicking on the link below.

Defenses against SQL Injection and Cross-site Scripting (XSS)
Session Abstract -
Two of the most prevalent application attacks in this day and age are SQL Injection and Cross-Site Scripting (XSS). Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer no protection against such attacks. The risk of sensitive information theft, alteration and insertion of data, along with other effects such as URL redirection, website defacement and authentication theft, is high and will be demonstrated. This session will demonstrate the effects of SQL Injection and XSS attacks and provide insight into the control measures to successfully mitigate the risk of such attacks. It will also provide insight into the different process control measures that are necessary across the systems development life cycle to harden the code from within, so that such susceptibilities are addressed. Session takeaways include a complete understanding of the anatomy of SQL Injection and XSS attacks, their effects when exploited, and the mitigation control measures to stop SQL Injection and cross over XSS.
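As an added illustration of the two code-level control measures the abstract refers to (this is not material from the session or the original post), the snippet below puts a string-concatenated query beside its parameterized form and shows output encoding for HTML. It uses a constructed in-memory SQLite table; the table, user names and function names are assumptions for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the example: two users, one with markup
    # in the display name so the XSS half of the example has something to show.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob <b>the builder</b>")])
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable form: the caller's input is spliced into the SQL text, so
    # input containing quotes can change the structure of the query.
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Hardened form: the driver binds the value separately from the SQL text,
    # so whatever the caller sends is treated as data, never as SQL syntax.
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(display_name):
    # Hardened output: encode for the HTML body context before emitting the
    # value, so stored markup is displayed literally rather than interpreted.
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # A classic tautology input: the concatenated query returns every row,
    # the parameterized query simply finds no user with that literal name.
    tautology = "x' OR '1'='1"
    print(lookup_concatenated(conn, tautology))
    print(lookup_parameterized(conn, tautology))
    print(render_greeting(lookup_parameterized(conn, "bob")[0]))
```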