Archive for the ‘Penetration Testing’ Category

Finding the Right Rewards for Security Contests

Friday, April 17th, 2009

At a recent Dagstuhl seminar on web application security, I spoke with Jasvir Nagra (one of the people at Google working on Caja) about the best way to run a public security contest. The goal of the contest would be to encourage people to find as many bugs as possible, with additional rewards for more severe security vulnerabilities. As a starting point, we discussed the ongoing Google Native Client (NaCl) security contest. For this contest, the top five bug-finders over a ten-week period receive recognition and cash prizes of $8192, $4096, $2048, $1024, and $1024. While this model has a few strong points, it is also problematic in the way that it incentivizes security research. This article discusses how to design a security contest more effectively.


Penetration Testing Follies

Tuesday, June 26th, 2007

I thought it would be appropriate to write my first article about penetration testing (background available here) because my first job in the computer security field was in an office that did penetration testing.

There are a number of serious problems associated with penetration testing that can lead to a lower-quality security evaluation that costs you more money. In fact, the chances are that you do not need penetration testing at all. Take a close look at these penetration testing follies before considering an expensive security evaluation for your network.

Penetration Testing Background

Tuesday, June 26th, 2007

This post provides some background if you are unfamiliar with penetration testing.

Penetration testing is when a group of security professionals (or sometimes an individual) is commissioned to hack into a computer system or network of computer systems to test security.