Wednesday, November 13, 2013

Mozilla Firefox Lightbeam

Lightbeam is a new add-on for Firefox. It shines a light (pun intended) on which third-party companies you interact with when visiting web sites. Lightbeam works by recording all tracking cookies saved on your computer through the Firefox browser to see which advertisers or other third parties are connected to which cookies. Amazingly, it can differentiate between “behavioral” tracking cookies (those which record specific actions on a site) and other tracking cookies. The data can be viewed visually and in text format.

I visited one of the large brick-and-mortar companies that also has a decent e-commerce web site. Below is what I found out. I tried to organize the cookie data the best I could. Some of the companies are familiar to all of us, like DoubleClick. But a lot of these companies I had no clue about until I looked them up.

I would recommend that you turn on Lightbeam for a day and use Firefox exclusively. At the end of the day you will be amazed by how many companies are tracking you. Of course, don’t be too surprised: the top companies in the tracking space bring in over 39 billion in revenue. This is big business. Don’t get me wrong, I depend on these companies to profit by seeing what I do online. I don’t want to pay to use Google, Yahoo, or Bing to search the web. I like having services like Hotmail and Gmail for free. I want to have Amazon recommend books to me based on prior buys and searches.

I also want to have a say in who is tracking me, what I do, how the information can be used and by whom. The issue now is how big and powerful these businesses have gotten without anyone really realizing it. Now add to that powerful behavioral software and we are facing a monster. Like Pogo said, “we have met the enemy and he is us”. Privacy and the need for it are still valid in our connected world. How much of our privacy we keep is going to be decided by how much we are willing to get involved and learn what and who are behind the curtain. I would say right now we are facing an uphill battle.



Tag Management:
* http://www.brighttag.com
* http://www.google.com/tagmanager/

Brand Management/Protection:
* https://www.markmonitor.com

Ad content providers:
* Tribalfusion.com: Tribal Fusion is a global online advertising provider.
* Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no commitments.
* Tapad.com: with Tapad’s proprietary technologies, advertisers can now employ consistent ads across multiple platforms: home computers, tablets, smartphones, and now even smart televisions.

Tracking Management (technologies used to track you, what you do and what you click on, as you go from site to site surfing the Web):
* 2mdn.net is a domain used by DoubleClick.
* Atwola.net is a domain used by AOL Advertising.
* Mathtag.com is a domain used by MediaMath.
* W55c.net is a domain used by Lotame.
* Googlesyndication.com is a domain used by Google AdSense.
* Fastclick.net is a domain used by ValueClick Media.
* Specificlick.net is a domain used by SpecificClick.
* ATDMT is a tracking cookie served by Microsoft subsidiary Atlas Solutions.
* Doubleclick.net is a Google company.

SEO Services:
* GoogleLeadServices (not connected with Google Inc.) provides SEO services.

Big Data/Market analytics:
* monetate.com: e-commerce, connecting customers to sales.
* http://www.bluekai.com: big data marketing platform.
* Adnxs.com is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising.
* Turn.com: market analytics.

Consumer profiling/preference/psychology software:
* http://www.liveclicker.com/web/ Liveclicker is there to provide all the tools necessary to create one-of-a-kind interactive shopping experiences.
* 247-inc.com: inventory check based on the buying preferences of web site visitors.
* Tumri, an interactive ad platform. With their new technology, ads dynamically change based on geography, demographics, psychographics, media type, sites, etc.
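As an added example (not part of the original post or of Lightbeam), a small Python script that checks a Firefox cookie store against the tracker domains listed above and groups cookies by the owner and category the post gives, matching subdomains such as ad.doubleclick.net up to their listed parent. The moz_cookies table and its id/host/name columns are Firefox's own; the sample rows are constructed here.

```python
import sqlite3
from collections import defaultdict

# Tracker domains taken from the post's list above, mapped to (owner, category).
TRACKERS = {
    "2mdn.net": ("DoubleClick", "Tracking"),
    "atwola.net": ("AOL Advertising", "Tracking"),
    "mathtag.com": ("MediaMath", "Tracking"),
    "w55c.net": ("Lotame", "Tracking"),
    "googlesyndication.com": ("Google AdSense", "Tracking"),
    "doubleclick.net": ("Google", "Tracking"),
    "adnxs.com": ("AppNexus", "Analytics"),
    "tribalfusion.com": ("Tribal Fusion", "Ad content"),
    "tapad.com": ("Tapad", "Ad content"),
}

def owner_of(host):
    """Map a cookie host (subdomain or leading-dot form) to a listed tracker by
    walking up its suffixes, so 'ad.doubleclick.net' matches 'doubleclick.net'."""
    labels = host.lstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in TRACKERS:
            return suffix, TRACKERS[suffix]
    return None

def summarize(con):
    """Group the cookies in Firefox's moz_cookies table by tracker.
    For a live profile, copy cookies.sqlite first: Firefox keeps it locked."""
    report = defaultdict(list)
    for host, name in con.execute("SELECT host, name FROM moz_cookies ORDER BY id"):
        hit = owner_of(host)
        if hit:
            domain, (owner, category) = hit
            report[(category, owner, domain)].append(name)
    return dict(report)

def build_sample_db():
    """Constructed in-memory stand-in for cookies.sqlite (only the columns used)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT)")
    con.executemany("INSERT INTO moz_cookies (host, name) VALUES (?, ?)", [
        ("www.examplestore.test", "sessionid"),  # first-party cookie, not a tracker
        ("ad.doubleclick.net", "id"),
        (".doubleclick.net", "test_cookie"),
        ("ib.adnxs.com", "uuid2"),
        (".mathtag.com", "uuid"),
        ("s.2mdn.net", "c"),
    ])
    return con
```

To run it against real data, pass summarize() a sqlite3.connect() on a copy of your profile's cookies.sqlite instead of build_sample_db().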


http://www.mozilla.org/en-US/lightbeam/ 

http://www.ted.com/talks/gary_kovacs_tracking_the_trackers.html




Saturday, November 2, 2013

Secure SDLC Processes

I was reading about the differences between weakly and strongly typed computer languages and I came across the following sentence in Wikipedia: “Programming languages are often colloquially referred to as strongly typed or weakly typed. In general, these terms do not have a precise definition”. This got me thinking about a recent conversation I had about the Software Development Life Cycle (SDLC) and mentoring.

The terms SDLC and mentoring are used often in conversations, but like strongly typed or weakly typed languages, neither term has a precise definition; worse, the definitions differ vastly between organizations, both commercial and academic.

Often it is the senior person who is given the responsibility to mentor the junior person. To begin this conversation, let’s settle on a broad definition of mentoring: a relationship in which a more experienced person helps to guide a less experienced one. However, true mentoring is more than just answering occasional questions or providing ad hoc help. It is about an ongoing relationship of learning, dialogue, and challenge.

How do we mentor secure coding/development to an organization? Who do we need to mentor? Upper management, so that they add development time and cost to make sure the delivered product is secure for the organization and its users, both internal and external. With upper management we certainly need to use formal and informal transmission of knowledge and social capital. But we are hardly in a true mentoring relationship.

Peers: peers have their eyes set on the goal of getting their projects into production. Most project incentives are based on development cost, meeting timelines, getting through QA and getting user acceptance, not on being secure. Add all those pressures together, and trying to throw secure coding into the mix, aside from a few points about SQL injection, usually falls to the floor while more pressing issues, like shipping the product, take center stage.

Let’s move off mentoring for a moment and move to SDLC. With SDLC, we have XP, Agile, JAD, RAD, to mention a few. But now with the Secure Software Development Life Cycle we can add OWASP’s OpenSAMM, Microsoft’s SDL, Cigital’s BSIMM, just to name a few. To make matters worse, every organization I have ever been associated with takes various pieces of each SDLC and uses the methods they like best, and even within those methods they do not fully use the entire method as it was defined. To further muddy the waters, most development organizations add their own brand of project management to their SDLC processes.

So how do we have a meaningful conversation on these? Maybe we don’t. Do we have each party give out a fully disclosed document on their definitions? Are our definitions related only to each other’s past experience, or a combination of experience and professional research and training? Or, at best, do we muddle through hoping each person understands the other?

I know I really don’t have an answer, but the conversations are always fun. Maybe that is part of the answer: instead of looking for the right answers, let’s talk about what strategies have worked for us, what in the past did not work, and where we want to go.

What strategies do you use in your organization? Do mentoring, SDLC and security come together, or is each item separate? Can you write down what your organization’s definition of the SDLC is? The steps it follows and where it differs from the published guidelines for that SDLC? If not, is your organization using a homegrown ad hoc SDLC that is documented, and does your organization follow that document to the letter, or a partial implementation? Remember, seat of the pants is not really the way to go. No matter what S-SDLC you use, a plan is better than no plan at all.

Tim Rains of Microsoft just released a blog post on developers using a secure SDLC. Microsoft’s survey showed that “security wasn’t considered a ‘top priority’ when building software by 42% of developers worldwide.” His blog post goes on to say, “While security development processes have been shown to reduce the number and severity of vulnerabilities found in software, almost half of all developers (44%) don’t use a secure application program/process today.”




http://blogs.technet.com/b/security/archive/2013/07/12/trust-in-computing-survey-part-2-less-than-half-of-developers-use-a-security-development-process.aspx


I am speaking at AppSecUSA 2013, Nov 18, 2013. http://appsecusa.org/2013/