Cerrudo’s talk prompts Microsoft to admit serious flaw on Windows

Hack in the Box???It’s Sunday evening and I have spent the last hour going through the slides of Cesar Cerrudo’s talk at HiTBSecConf 2008 that took place this week in Dubai. I know it’s sad, but the title of this blog is “passionate about information security”, isn’t it?

Let me give you a bit of background before going further. It’s been almost a month since Cesar Cerrudo, security researcher and CEO of Argeniss publicly warned that the latest Microsoft operating system, Windows Server 2008, might not be as secure as it seems. On an advisory released on March 24, he stated:

“The problem discovered by Argeniss results from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services (NETWORK SERVICE and LOCAL SERVICE) to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.”

[Read more...]

Integrating ISO 17799 into your Software Development Lifecycle

[IN]Secure Magazine - Issue 11I open the new section Papers & Presentations of this blog posting my latest article published on INSECURE Magazine: “Integrating ISO 17799 into your Software Development Lifecycle”.

In this paper, published on the 11th issue of INSECURE Magazine (May 2007), I explain how information security controls can be integrated in the Software Development Lifecycle (SDLC) using ISO/IEC 17799 (now ISO/IEC 27002). The article includes a summary table linking specific clauses in the standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to system disposal at the end of its life.

[Read more...]