Saturday, September 7, 2013

#04: ... of nonces and mushrooms

We have been doing updates with regard to our web applications at work this week.  Deploying a more randomized token for our Tomcat applications.

A nonce is a random or pseudo-random token that is generated by the server when doing authentication to reduce the chance of replay attacks, like Cross Site Request Forgery and Session Fixation.  It's important that our clients, who are not technologically savvy, be as protected as possible from replay attacks.

Also, as the discoverer of the issue on our application servers, I failed to understand that just because they have a dog in the fight does not mean they should be brought to the fight.  There are just some people that hinder the incident response and they will do what they think is the 'proper' way to do it.

This has given me the idea that a proper incident response plan is more necessary than ever before...  Every person knows their place in the process, and there is a proper level of escalation, and certain conditions must be met to reach a new escalation point.  I failed in that respect, and wished that I had not invited everyone to the incident.  After this, I will definitely do a lessons learned with management and draft a better incident response plan.  Some people in the org just need to be mushrooms.  Keep them in the dark...  They are happier that way.

All in all, an odd couple of weeks.  My plan next week is to school our testers and developers on using web security frameworks that will enhance our web applications.  Because we want to have a more secure environment before they deploy.  We'll also be giving them a vuln scanner they can use to check against for possible future patching.  And also showing them Burp Suite so they can test against various inputs to check for XSS and other OWASP issues, like SQLI...

It's hard to believe how far this organization has come from a couple of years ago...
