Sunday, March 28, 2010

Cloud computing: a secure thing?

Financial services are very interested in cloud computing.
But one of their main worries, as Phil Wainewright says in his blog, is the risk of data being exposed to third parties in a multi-tenant environment.
Secure authentication by SSO or PKI is one way to avoid this.
But what happens when you have a man-in-the-browser-attack?
An MitB is a trojan that infects a web browser and is capable of modifying pages, modifying transaction content or inserting additional transactions, invisible to both the user and the host application. Mechanisms such as SSL/PKI and/or two/three-factor authentication are useless against it, because it works at the transaction level, not the authentication level!
Solution? Simple: think outside the browser, by using another channel to verify the transaction: an automated telephone call.
So now you have a “three-factor” defense against criminal activities exploiting your SaaS application.
All three 'factors' have to be tested individually and also as an end-to-end-process/chain to minimize possible defects and risks.

Just a (simplified) scene in which a security tester can find himself while testing a SaaS application for an online bank, for example.
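To make the out-of-band idea concrete, here is a small simulation I added for this post (it is not code from the blog or from any bank). The bank, customer and browser classes are hypothetical, and the account numbers are constructed sample values. The point it shows is the one that matters for a tester: the telephone call must read back what the server actually received, and the confirmation code spoken on that call is bound to that exact pending transaction. A browser trojan can rewrite the form, but it cannot hear the call, so a rewritten transaction never gets confirmed.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transfer:
    beneficiary: str      # account number (constructed sample values below)
    amount_cents: int
    reference: str

    def summary(self) -> str:
        # The text the automated call reads back to the customer.
        return (f"{self.amount_cents / 100:.2f} EUR to {self.beneficiary}, "
                f"reference '{self.reference}'")


class Bank:
    """Hypothetical server side. A transfer is executed only after the customer
    types in the one-time code that was spoken over the telephone channel."""

    def __init__(self, call_channel: Callable[[str, str], None]) -> None:
        self._call = call_channel                      # second channel, not the browser
        self._pending: dict[str, tuple[Transfer, str]] = {}
        self.executed: list[Transfer] = []

    def submit(self, tx: Transfer) -> str:
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"       # one-time code for this transfer only
        self._pending[tx_id] = (tx, code)
        # Read back what the SERVER received, never what the browser displays:
        # that is the detail a browser-resident trojan cannot rewrite.
        self._call(tx.summary(), code)
        return tx_id

    def confirm(self, tx_id: str, code: Optional[str]) -> bool:
        entry = self._pending.pop(tx_id, None)        # single use: a retry needs a fresh call
        if entry is None or code is None:
            return False
        tx, expected = entry
        if not secrets.compare_digest(code, expected):
            return False
        self.executed.append(tx)
        return True


class Customer:
    """The human on the phone, who knows what they intended to send."""

    def __init__(self, intended: Transfer) -> None:
        self.intended = intended
        self.code: Optional[str] = None

    def answer_phone(self, spoken_summary: str, code: str) -> None:
        # Compare what the bank received with what was intended; keep the code only on a match.
        if spoken_summary == self.intended.summary():
            self.code = code


class Browser:
    """The customer's browser. With tamper=True it plays the role of a
    man-in-the-browser trojan that silently changes the transaction content."""

    def __init__(self, bank: Bank, tamper: bool) -> None:
        self.bank = bank
        self.tamper = tamper

    def send(self, customer: Customer, tx: Transfer) -> bool:
        if self.tamper:
            # Constructed replacement account; the customer never sees this change on screen.
            tx = Transfer("XX99MULE0000000001", tx.amount_cents, tx.reference)
        tx_id = self.bank.submit(tx)
        # The customer types the spoken code into the browser, or nothing if the call did not match.
        return self.bank.confirm(tx_id, customer.code)


def run_scenario(browser_infected: bool) -> tuple[bool, list[Transfer]]:
    """Return (confirmed?, transfers the bank executed) for a clean or an infected browser."""
    intended = Transfer("NL00BANK0123456789", 25_000, "Invoice 4711")   # constructed sample
    customer = Customer(intended)
    bank = Bank(call_channel=customer.answer_phone)
    browser = Browser(bank, tamper=browser_infected)
    ok = browser.send(customer, intended)
    return ok, bank.executed


if __name__ == "__main__":
    print("clean browser   :", run_scenario(browser_infected=False))
    print("infected browser:", run_scenario(browser_infected=True))
```

Each of the three "factors" can be tested on its own with this skeleton (the login in front of it, the phone read-back, the code check), and `run_scenario` is the end-to-end chain the post asks for: with a clean browser the transfer is executed, with an infected one the customer hears a beneficiary they did not choose, withholds the code, and nothing is executed.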

Sunday, March 21, 2010

European e-identities

Writing a blog about your favorite test objects has its advantages.
Roger Dean, Executive Director of EEMA, read my blog about testing OpenID and invited me to the EEMA congress on eID interoperability near Brussels, Belgium.
There was only one catch: I had to give a presentation to the attendees about the risks of OpenID.
I said to Mr. Dean: 'No worries Roger, I will come to Belgium and give you the presentation'.
And so I was in Belgium for two days, listening to experts on e-identity, learning a lot from them, and even giving a presentation myself about my favorite subject: testing e-identities.
The European Union wants to become more united, not only physically, but also digitally.
This is a challenge: country-centric computer systems have to be interoperable with each other in a secure way. That's not easy, considering the differing European languages, legislations, etc.
Perhaps, OpenID will play a big role in securing the digital connections in the European Union. As long as you minimize the risks involved!
EEMA, thank you for this opportunity!