After publishing the SANS Top 25 Application security issues list, a small group of people in New York state have provided a set of contract language and requirements which organizations can use to ensure software development contracts have appropriate requirements for ensuring security. Although the vendor communities might not be thrilled by the prospect of having to train and maintain the security skills of their development staff, I would agree that this type of control goes a long way to ensuring issues get resolved at the source.
While there are a lot of new posts regarding the new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried and true methods of coercion. I want to just walk through a simple example and reflect on how effective these methods continue to be. Many people turn toward online classified sites to buy and sell items online. This example starts with kijiji.ca which even I've used on occasion to find used electronics and other items. Doing a search on the site for a " Samsung Galaxy Note 2 " returns a posting from today with someone selling one for an unreasonably priced unit. $125 for a $500 phone?, but what if it's for real? No harm in just asking some simple questions. Email sent with some obvious questions regarding the condition and location. About an hour passes before I get a response from what appears to be a legit seller. Notice no answer to the questions I asked, but a friendly pointer at where th