I've been working hard to get more security related work back into my schedule.

And so..... I'm starting a new "season" of the Digital Blackbelt webcast series.

If we get enough interest I'll do some give-a-ways and such !

SIGN UP NOW !!!! Here are the first 3 dates !

11/3/2008; 11:00 AM (PST)
Convincing Management: The Business Case for Adding Security to the Development Life Cycle
[ Click HERE to Register ]

11/10/2008; 11:00 AM (PST)
Security Development Lifecycle: Building an Intentionally Secure Development Process
[ Click HERE to Register ]

11/24/2008; 11:00 AM (PST)
Threat Modeling for Software Developers
[ Click HERE to Register ]

This book is OFF THE HOOK !

Wanna REALLY dissect a running application ?

IDA Pro is THE tool of choice for disassembly and the crackers choice because of it's raw power.

Whether you need to solve a tough runtime defect or examine your application security from teh inside out IDA Pro is a great tool and this book is THE guide for coming up to speed.

From the book description ....

I haven't tried it yet, but what a great idea !!

http://pcdecrapifier.com/

Application Development Trends reports on Google Chrome Security Issues

Read the complete story here - http://adtmag.com/article.aspx?id=23205

The Deep Fried Bytes guys caught  up with me at DevLink and we had a talk about developer security needs, mistakes, activities, etc !

Listen Here http://deepfriedbytes.com/

ZDNEt Reports .....

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed, US-CERT said in a note on its current activity site.

From the advisory:

• Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

[ Read the article on ZDNet ]

More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.

The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.

[ Read the full article HERE at ZDNet ]

Data Structures and Algorithms: Annotated Reference with Examples

This book written by Granville Barnett and Luca Del Tongo is part of an effort to provide all developers with a core understanding of algorithms that operate on various common, and uncommon data structures.

Data Structures and Algorithms: Annotated Reference with Examples is completely free!

[ CILICK HERE ]

#8 | Changing Membership Settings in the Default Membership Schema

#9 | Configuring SQL To Work with Membership Schemas

#10 | Understanding ASP.NET Memberships

[ Get them here ]

Lots, even MOST PHP applications are Open Souce but what if you want to distribute your application but don't want to distribute your PHP Source Code ?

Check out Nu-Coder from NuSphere.

Nu-Coder converts the source code of PHP Script into compiled PHP bytecodes for both accelerated runtime performance and maximum security.

http://www.nusphere.com/products/nucoder.htm

Dolores Labs posted recently "Amazon’s S3 Web Service, our #1 cause of failure" [ Click HERE to READ ]

Amazon.com is a great company and a early innovator in the Web Services Community. (God knows I send them ALOT of money.)

So this is not an indictment of Amazon as a technology provider. In fact, it is because a Amazon is a great company with a solid infrastructure that this is significant.

As Geeks, we tend to get all jazzed about the latest buzz - and cloud computing is certainly one of them. But, I think it's important to remember, while services in the cloud can be very cost effective. You can't control the cloud.

When you build it and own it you always have options when you're not getting the service level you need. In the cloud, you're held hostage by 3rd party service levels.... ad as we all know, stuff happens.

When you're using a cloud hosted service, remember to build support for graceful degradation your application. You application need not fail completely because you can't fetch images, ads, etc.

Not only is this good design practice, but it mitigates a DOS security threat. If I wanna bring your web application down and you haven't built resilience into your site, all I need to to is successfully attack any one service your application depends on and your application is down !!

Dies UAC give you a rash ?

It does me !!!

It's not that it isn't a good idea - it is. But I really wish I could train it or over ride it.

Maybe in a future Windows version - in the mean time, I'm trying Tweak UAC which provides a "Quiet Mode" for UAC.

[ Click HERE to get Tweak UAC ]

Note: UAC is a Security feature. Strictly speaking "Quiet Mode"  reduces your system's security.

Please checkout the first videos in my new Web Developer's Security Video Series.

http://www.asp.net/learn/security-videos/

I'm hoping to do 100 Videos this year !

PLEASE SEND YOUR REQUESTS !!!