Security Change and Configuration Management

I was thinking last night of all the organizations that I’ve reviewed and the procedures at each one for managing the security aspects of their infrastructure. It has ranged from “Hey Timmy, will you go open up the firewall for FTP” to “Submit a change request for the modification of the firewall ruleset and it will get reviewed by the IT review committee at the end of the week for approval”. While the former is easier and quicker, I’d rather have the latter if I were a large organization. Firewalls and networks are obviously huge in large organizations, and ad-hoc changes can easily lead to a hole that might put the company at a level of risk that it might not be willing to accept. Documentation and approval of security changes in a large organization are paramount to the maintenance of its security posture, particularly when it’s not just “the IT guy” making the changes, but several members of an IT organization. Ultimately, those companies that put the time and effort into change and configuration management are much more aware of their security posture on an ongoing basis. Those companies that do not have such a process in place are driving an ‘85 Buick Skylark in a NASCAR race. They can keep going…but it’ll catch up to them pretty fast in the end. ...

March 21, 2007 · 2 min

YASIT

aka Yet Another SQL Injection Tool… It seems like SQL Injection tools have been crawling out of the woodwork the past few months and there’s yet another new one that I came across just the other day called PRIAMOS. I haven’t played with it yet, but it seems to be focused largely on usability. Some of the other ones that have come across my radar recently are:

SQLBrute (Python)
SQLiX (Perl - OWASP Project!)
sqlmap (Python) - I really like the feel of this one, but haven't had a chance to dig into it too much
Sqlninja (Perl) - Coolest name, in my opinion...

These are all also up on my del.icio.us page as well. And of course, there's my personal tool, Blink (Perl), but I unfortunately never unleashed that on the world.

March 21, 2007 · 1 min

What a web app scanner WON'T catch!

There was mention recently on SecuriTeam about the lack of effectiveness of web application scanners. While they are effective for identifying the low-hanging fruit, I agree that as applications have advanced, web application scanners have not kept up.

“Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is Proxies and Firefox browser plugins.” --Dmitry

Although I have not stopped using them completely (they'll pick up the easily identifiable XSS and SQL injection), their effectiveness is definitely limited. So without further ado, let me drop a list I came up with in the past five minutes: What a web application scanner won’t find! ...

March 20, 2007 · 2 min

Culinary Genius

On a side note, mostly thanks to Whole Foods, I proclaim myself a culinary genius. OK, perhaps I’m exaggerating but this dinner was so good!

March 11, 2007 · 1 min

To My Family

To my family. To my family. To those close and near. Thank you. I consider myself to be one of the luckiest people in the world…and it is because of you.

March 10, 2007 · 1 min

SELECT 'Damon' FROM 'PacWest' WHERE 'Mountain' = 'Whistler'

As noted, I met up recently with a bunch of people that were heading up to Whistler for a little ski/snowboard trip. Being that they were passing right through Seattle on their way up, there was no way I could pass up an open couch for some great snowboarding. I’d been to Whistler in the summer for some downhill Mountain Biking, but had yet to see it in all its powdery winter glory. ...

February 27, 2007 · 3 min

Gothamist Flickr Whore

I once got a pic featured on Chicagoist and it seems I have done the same again with Seattlest. A picture I took of the octopus when JLeyrer was in town and we visited the aquarium recently got used on the Seattlest site. As Mike indicated - the legend continues. :)

February 22, 2007 · 1 min

Insane

Holy heck.
I am alive.
Whistler was INSANE.
I just got in from driving back.
And I have to be at the office in an hour.
p.s. Whistler was INSANE!
EOF

February 21, 2007 · 1 min

Effen!

Seattle finally got Effen in their liquor stores! YES! No more importing from Chicago. ;o)

February 9, 2007 · 1 min

I'm on TV!

I was on TV last night, after the Super Bowl, on the local KIRO-TV here in Seattle. We did a little bit about Wireless security and it managed to come out pretty decent. You can find the associated story and video over on KIRO’s site - Protect Yourself Against Wi-Fi Hackers. Interestingly enough, I’ve done this a few times before between April and November of 2002…nearly five years ago now! Regardless, the risks are the same for the most part, as are the recommendations. ...

February 6, 2007 · 1 min