Tuesday, March 17, 2009

Banned hyperlinks could cost you $11,000 a day

Sigh and more sigh.

Seems our government isn't willing to let sleeping dogs lie, but rather, would beat the pitbull over the head with a big stick as it were.

Choice quote (from the article):

Wright was quick to pick up on the contradiction. "I don't get it either, but that doesn't stop ACMA from declaring whatever they like, or links to whatever they like as inappropriate. Today it's abortion sites. Tomorrow it's drug sites? Propaganda sites? Wikipedia?"

Indeed. :( Even during the filtering debate, it was never clearly stated whether the publishing of the blacklist, or of items from said blacklist, was against the law (I believe they neatly sidestepped that issue). To say nothing of the fact that blacklisting an anti-abortion website seems to fall well into the realm of the absurd.

BTW, the filtering discussion still goes on. While the debate may be shut down in Parliament, there is an interesting article here which explores the options for the Rudd government to bypass Parliament and implement some form of filtering anyway.

- J.

Wednesday, March 11, 2009

OWASP Presentation

The presentation has been sent to the OWASP chapter managers. Here is a temporary link until that gets sorted out.

- J.

Thursday, March 5, 2009

Vendor Contracts

I gave a presentation at the Melbourne OWASP chapter recently, and as part of it I shared some lessons learned on vendor contracts. More specifically, these apply when dealing with vendors that are responsible for application development or for delivery of a solution or product:

1. If you get engaged early enough on a project and get to review any vendor contracts that come your way, there are two big clauses you need to include:

  1. adherence to your company's information security policy (and to any other applicable policies, standards and statutes).
  2. a "right to audit" clause, so that you are entitled to perform the appropriate penetration testing or security audit of what is delivered. It is worth spelling out who does the testing, at what points in the project it happens, and that the vendor is obliged to remediate the findings; a bare right to look is of limited value if nothing has to change as a result.

Without these, you have no assurance that any security will be built into your solution beyond what the vendor considers to be "secure".

2. Don't start a project without a firm contract in place. By contract I mean a legally binding agreement above and beyond a statement of work. Statements of Work are fine for short-term engagements, particularly if they are followed by a consultancy agreement or similar document, but they are insufficient for large-scale projects, not least because the clauses above have nowhere to live.

- J.