If you work in a big enterprise, you will undoubtedly find yourself frustrated with the lack of agility in moments that would seem to demand immediate course corrections.  Although a measured response is often appropriate, what elements in the culture and structure of corporate and government behemoths prevent quick and decisive action when it is clearly needed? (more…)

Ever upgraded SSH on a server, either through a major patch or an operating system upgrade, and then run into the following when connecting to it?


Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /<user home directory>/.ssh/known_hosts to get
rid of this message.
Offending key in /root/.ssh/known_hosts:4
RSA host key for host.example.com has changed and you have requested
strict checking.
Host key verification failed.
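What to do next, as an added example that is not from the original post: the safe response is not to delete the stale entry blindly. Confirm the new fingerprint over a trusted channel first (on the server's own console, `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` prints it; compare it with the fingerprint in the warning), and only then drop the old line. The helpers below pull the file and line number out of the "Offending key" line, show the entry so you can see which host it belongs to, and remove exactly that line while keeping a backup. The sample warning text is constructed from the message above.

```sh
#!/bin/sh
# Added example (not from the original post): handle OpenSSH's changed-host-key
# warning without blindly trusting the new key.

# Constructed sample, reduced to the one line this script needs; a real warning
# also carries the new fingerprint, which must be compared out of band.
SAMPLE_WARNING='Offending key in /root/.ssh/known_hosts:4'

# Print "<file> <line>" from the "Offending [type] key in FILE:N" line of the
# warning text given as $1 (newer OpenSSH prints the key type after "Offending").
# Prints nothing if no such line is present.
offending_entry() {
    printf '%s\n' "$1" |
        sed -n 's/^Offending .*key in \(.*\):\([0-9][0-9]*\)$/\1 \2/p' |
        head -n 1
}

# Show line $2 of known_hosts file $1 so the operator can check that the entry
# being removed really is the host whose key legitimately changed.
show_known_host_line() {
    sed -n "${2}p" "$1"
}

# Delete line $2 from known_hosts file $1, keeping a copy as $1.old.
# Run this only after the new fingerprint has been verified.
remove_known_host_line() {
    file="$1"; line="$2"
    case "$line" in ''|*[!0-9]*) echo "invalid line number: $line" >&2; return 1 ;; esac
    cp -p "$file" "$file.old" || return 1
    sed "${line}d" "$file.old" > "$file"
}

# Typical use once the fingerprint matches what the server console reports
# (ssh prints the warning and exits, so "true" never runs on the remote side):
#   entry=$(offending_entry "$(ssh host.example.com true 2>&1)")
#   set -- $entry
#   show_known_host_line "$1" "$2"
#   remove_known_host_line "$1" "$2"
```

Recent OpenSSH releases can do the removal in one step with `ssh-keygen -R host.example.com`, which also handles hashed known_hosts entries; the fingerprint check beforehand is still the part that matters.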


Running Tomcat on a privileged port used to be as simple as editing the connector in Tomcat’s server.xml.  However, that meant running Tomcat as root, so any exploitable vulnerability in Tomcat or in a deployed application handed the attacker root outright: privilege escalation and full system compromise in one step.  As of Tomcat 6.0.24, the Debian/Ubuntu package changes the way Tomcat starts, including how it binds to privileged ports. (more…)
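One way to get port 80 without root, as an added example that is not code from the original post or from the Debian packaging: let an unprivileged service account bind the port through authbind. This assumes, as the Debian and Ubuntu tomcat6 packages do, that Tomcat runs as a "tomcat6" user and that /etc/default/tomcat6 accepts an AUTHBIND=yes setting which starts Tomcat under authbind; both the user name and the defaults file path are assumptions here. authbind permits a bind() to port N when the calling user may execute <base>/byport/N, so the grant is an empty file owned by the service user with mode 0500 and no bits for anyone else.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: the Debian/Ubuntu
# tomcat6 packaging runs Tomcat as the unprivileged "tomcat6" user and honours
# AUTHBIND=yes in /etc/default/tomcat6. authbind allows a bind() to port N when
# the caller can execute <base>/byport/N, so the grant is an empty file owned by
# the service user with mode 0500 (owner read+execute, nothing for anyone else).

# Grant user $2 the right to bind privileged port $1; $3 is the authbind
# directory and defaults to /etc/authbind.
authbind_allow_port() {
    port="$1"; user="$2"; base="${3:-/etc/authbind}"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
        echo "port $port is not privileged; no grant needed" >&2
        return 1
    fi
    mkdir -p "$base/byport" || return 1
    : > "$base/byport/$port" || return 1
    chown "$user" "$base/byport/$port" || return 1
    chmod 500 "$base/byport/$port"
}

# Succeed only if the grant for port $1 exists, belongs to $2 and is exactly
# mode 0500, so a grant that was accidentally widened is reported as missing.
authbind_port_granted() {
    port="$1"; user="$2"; base="${3:-/etc/authbind}"
    f="$base/byport/$port"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -user "$user" -perm 500 -print 2>/dev/null)" ]
}

# Turn on AUTHBIND in the defaults file ($1, default /etc/default/tomcat6),
# replacing a commented-out or "no" setting if one is present. Written via a
# temporary file so it works with both GNU and BSD sed.
enable_tomcat_authbind() {
    defaults="${1:-/etc/default/tomcat6}"
    if grep -q '^#*AUTHBIND=' "$defaults" 2>/dev/null; then
        sed 's/^#*AUTHBIND=.*/AUTHBIND=yes/' "$defaults" > "$defaults.tmp" &&
            mv "$defaults.tmp" "$defaults"
    else
        echo 'AUTHBIND=yes' >> "$defaults"
    fi
}

# As root on the server, with the connector in server.xml set to port 80:
#   authbind_allow_port 80 tomcat6 && enable_tomcat_authbind && /etc/init.d/tomcat6 restart
```

The grant is per port, so each privileged port in server.xml (80, 443) needs its own byport file; ports 1024 and above need no grant, which is why the helper refuses them.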

Tomcat is a popular, lightweight Java servlet container.  It is often installed along with its administrative applications.  Under Debian and Ubuntu these live in a separate package, tomcat6-admin (in the case of Tomcat 6).  Although the admin application is no longer available in Tomcat 6, both a manager and a host-manager application are provided.  When deploying Tomcat in production, the best risk mitigation is to remove them (or never install them in the first place).  If you choose to keep these services, or need to, then additional controls are required.  Where and how? (more…)

The second release of the Building Security In Maturity Model, or BSIMM (pronounced “bee simm”), was unveiled yesterday.  The BSIMM is an observational study of real-world software security initiatives as implemented by Software Security Groups (SSGs) within 30 organizations from several vertical markets.

Software security is a relatively new practice that has evolved over the last ten years or so.  We now understand how important software security is and how expensive it is to address security after, rather than during, the software development lifecycle.  The last point cannot be overstated.  Security is a property, not a feature that can be added, such as using a particular protocol or bolting on cryptographic capabilities.  While the BSIMM will not tell you how to practice software security, or even which activities to embrace, it will tell you what others are doing.  This can be especially valuable if you operate in the same vertical market as one represented in the study.  Is this just a manifestation of the herd mentality?  That is doubtful, since this study encompasses the leading edge of where practice is today.  The 30 firms in the study range from Adobe to Wells Fargo, with notables such as Google and Microsoft in between, certainly organizations with a great deal of experience in the field, so the BSIMM is not the blind leading the blind.

The BSIMM covers 109 activities grouped into the twelve practices outlined below.  Gary McGraw and Brian Chess described these earlier as a Software Security Framework.

Governance              Intelligence                   SDL Touchpoints          Deployment
Strategy and Metrics    Attack Models                  Architecture Analysis    Penetration Testing
Compliance and Policy   Security Features and Design   Code Review              Software Environment
Training                Standards and Requirements     Security Testing         Configuration Management and Vulnerability Management

Of the 109 activities, fifteen were most commonly observed.  McGraw describes those in a separate article.

The good news is that the BSIMM is free.  You can download it and perform your own internal analysis or hire a consulting firm, like McGraw’s Cigital, to help provide an independent assessment of your internal practices.  With the data in hand, you can determine how you stack up against others and decide where you need to expend extra effort to mature your software security initiative.  The BSIMM provides some nice analysis tools to help with the comparison.  For instance, the averages for the 30 organizations in the study were graphed:

[Figure: BSIMM "earth", the graph of the 30-organization averages]

In short, the BSIMM is a good thing.  It will be interesting to note how the state of the practice changes as a result of this study and if it can cause maturation “down market” from these very large firms.

The Advanced Package Tool, or ‘apt’, on Debian-based systems is the mainstay for installing, upgrading and removing packages.  Behind the various apt tools, the Debian package manager, dpkg, carries out the heavy lifting.  You might wish to install new versions of packages periodically with the sequence:

  1. apt-get update
  2. apt-get upgrade

Recently, this and any other upgrade failed on Debian Lenny with:

E: Sub-process /usr/bin/dpkg returned an error code (100)

A quick look at /usr/bin/dpkg revealed the following:

---------- 1 root root 365324 2010-03-08 15:35 dpkg

No permission bits at all.  The kernel will not execute a file with no execute bit, not even for root, so apt never got as far as running dpkg; the 100 is apt’s own exit code for a child process it could not execute.  A quick ‘chmod 755 /usr/bin/dpkg’ fixed the problem!  I know I did not change the permissions, so it must have been a recent patch.  Hopefully this gets fixed quickly!
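A check worth running after an upgrade, as an added example that is not from the original post: find executables that have lost every execute bit, the state /usr/bin/dpkg was in above, before the next apt run trips over one. The directories in the usage comment are the usual Debian binary locations; `dpkg -S` is the real dpkg query for the package that owns a file.

```sh
#!/bin/sh
# Added example (not from the original post): detect binaries that nobody can
# execute, as /usr/bin/dpkg was above (mode 0000), and put the mode back.

# List regular files below the given directories with no execute bit for the
# owner, the group or others. Octal -perm tests keep this portable across finds.
find_unexecutable_files() {
    find "$@" -type f ! -perm -100 ! -perm -010 ! -perm -001 -print 2>/dev/null
}

# Restore the usual mode for a packaged binary.
restore_exec_mode() {
    chmod 755 "$1"
}

# On a Debian system, scan the binary directories and ask dpkg which package
# owns each hit; if dpkg itself is the casualty, the chmod has to come first.
#   find_unexecutable_files /usr/bin /usr/sbin /bin /sbin | while read -r f; do
#       dpkg -S "$f"
#   done
```

A hit in these directories is either a packaging defect like the one above or something that deserves a closer look, since a binary that has simply been chmod 000 is also a cheap way to disable a tool an intruder would rather you not run.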

Okay, I have to admit I was concerned.  We installed Windows Server 2008 R2, setup our applications, and then proceeded to add the required configuration to have Nagios monitor the host and associated services.  But Nagios claimed the host was down!  Simple pings returned a response.  Now what?


I configure Nagios to use check_tping to monitor hosts rather than the standard ICMP ping.  Why, you ask?  Some network devices do not handle ICMP on their silicon fast path; it is punted to the CPU, so during periods when the CPU is busy ICMP is not a good measure of host or network responsiveness.  In some networks ICMP is also handled under a different QoS profile.  The best gauge of response over a network is something close to what applications use, and that is the Transmission Control Protocol.  How is it leveraged for monitoring?  A SYN packet is sent directly to the host on a port that is closed (it could be an open port; more on that later).  A host operating system will typically answer with a TCP reset (RST/ACK, to be exact), a simple two-packet exchange with no extra overhead, the network equivalent of “take pictures, leave [very few] footprints!”  If there is an intervening firewall, the chosen port will have to be opened so the SYN packets reach the destination host. (more…)