Wednesday, August 20, 2008

Preparing for presentations

How many times, after giving a presentation, have you wished that it had gone better? A presentation not only gives you the opportunity to present information but also gives you a chance to impress the people who matter. Major business discussions, promotions, interviews, etc. all depend on how well you present. So presentations have the power to make or break your chances of success.

Creating and delivering a powerful presentation is not as difficult as we all think. Most presentations go badly simply because the presenter does not prepare well. So if you want applause for your presentation, follow these simple rules -

  • Research the subject: Make sure that you have enough knowledge about the subject on which you will focus. Spend time researching and making notes, if required. Keep these notes handy as they will help you answer queries that might crop up during the presentation.
  • Understand the audience profile: A thorough knowledge of the audience profile helps you decide the visuals, format, layout etc for the presentation. It also helps you in anticipating the kind of questions and queries that may come up during the presentation and preparing for them in advance.
  • Create the presentation material: Keep the audience profile in mind when creating the presentation material. Make notes of the important supporting points you would like to refer to while presenting. Keep the text on screen to a minimum and use bullet points to list the things you want to discuss. Make sure that the screen is not cluttered with unnecessary information. Use pictures and media elements where you can, as they keep the audience hooked on the presentation. Last, but not least, arrange the presentation material (slide decks, visual aids, etc.) in a logical order and ensure that there is a proper flow when you transition from one point to another, one slide to another and so on.
  • Rehearse the presentation: Rehearse a couple of times before making the actual presentation. You can ask your friends and family to take part in mock presentations and give input and feedback. You can also try rehearsing in front of a mirror to gain confidence. Practice everything you can, from your opening line to your closing line.
  • Prepare the presentation room: Reach the presentation room before anyone else does. Arrange things the way you want. Test the presentation material and ensure that everything you need for the presentation - projector, computer, screen, etc. - is working fine. Knowledge and confidence are a powerful combination. Preparing properly for a presentation adds confidence to your knowledge and paves the way to a powerful presentation.

10 Ways to impress your boss

  • Prioritize work intelligently. Learn how your boss measures work. Work hardest on the tasks that matter most to him/her. If your boss is a numbers person, then count your results; if he/she is client oriented, then talk in those terms. Prioritizing work also helps you say no to less important tasks, especially when you have too much to do. You will be appreciated for concentrating on your boss's requirements.

  • Involve your boss in your work. You could have done a brilliant job, but if your boss is unaware of it, it is as if it never happened. So it is essential to blow your own trumpet. Keep your boss in the loop every time you win a client, save money, finish a project or do anything else that might be of interest to him/her.

  • Be aware. Know what is going on in the market; read and stay informed of the latest developments in your area of work. Be prompt in asking intelligent questions at meetings and come up with bright ideas. Become an asset to the team.

  • Speak your boss's language. Correspond with your superior in the medium he/she prefers - e-mail, SMS or phone. Communicating accordingly will ensure that your information is received and noted.

  • Be pro-active. Take on new responsibilities beyond the ones already assigned to you. Make sure to manage all your tasks efficiently. Spot the gaps in a process and fix them before your boss points them out. By the time he/she does, your work will already speak for your worth to the company.

  • Carry the label of dependability. Fulfill your duties in any given situation. Be the one your boss can count on in a time of crisis. Build your network so that tasks requiring input from other departments get done quickly.

  • Spread positivity. Stay happy. Do not get entangled in office politics. Be patient with people and assist them in their work. Be a source of positivity and inspiration to others.

  • Be punctual. Coming late to the office is unacceptable. Always be available for work. You are sure to score some brownie points for being there when needed.

  • Use your time effectively. Do not waste your time chatting or gossiping in the office. Instead, be productive. However, this does not mean you cannot take breaks. Limit your breaks to 2 or 3 a day, and do not let any of them run longer than 10 minutes.

  • Be a problem solver. Tackle routine problems by yourself. Bail your co-workers out of tricky situations. Go to your superiors only with the bigger problems, and only after attempting to solve them yourself. Build a name for resolving issues on your own.

Believe in yourself and work hard. Let your work speak for you, and there is no way anyone will be able to ignore you. If you manage to impress your boss, you have found the missing key to his/her good books.

5 ways to achieve success

1. Have a vision: It is important to have a dream or a vision. This should be both for yourself and for your organization. Always dream big and aim high.


2. Set measurable milestones: before starting a new project, be sure of the end result. Define measurable milestones. Keep enough time between two projects. Don't lose customer focus - always keep in mind what your output will be and how it will make a difference to your customers (co-workers/departments).


3. Take responsibility: be a leader and inspire the people around you. Try to build team spirit and constantly encourage your team-mates. Communicate and share successes, plans, visions and problems with your team members. Always give your team the macro picture. It's important that the members know the big picture and where they fit in.


4. Play on your strengths: be passionate about and committed to your dreams and goals. Be determined to make a difference in whatever you do and don't be afraid of making mistakes. Believe in yourself and play on your strengths. Have a style — do things differently — create an identity for yourself.


5. Keep a check: always keep a check on what you are doing. Assess your progress and measure it against the objectives and goals you set. Seek feedback and make the necessary corrections. Learn from your own as well as others' successes and failures.

No one ever gets a complete world (Kabhi kisi ko mukammal)

No one ever gets a complete world.....
Somewhere the earth is missing, somewhere the sky.....
It is not that there is no love in your world.................
It is just that it is never found where one hopes for it.........

Wednesday, August 6, 2008

Free Web application security testing tools you need to get to know

I've always touted the fact that you need good tools to get good security testing results. By and large, I've found that commercial products tend to provide better results than their freeware and open source counterparts. This seems to matter most when testing Web applications.

That said, I know budget constraints and time-to-test are often a factor. This is where a handful of free and open source Web application security test tools prove to be useful. The following are tools that should be in your toolkit -- or at least on your radar -- especially if you're not able to justify forking out the money required by commercial alternatives. It may be a little more time-consuming and painful, but in the end you're still going to get good results.

I almost always get my Web application assessments started with a Web site mirroring tool. This type of tool pulls down everything the site serves, which lets you quickly root out sensitive files (backups, configuration files, old scripts and the like) that shouldn't be publicly accessible. I've found the HTTrack Website Copier, shown in Figure 1, to be fast and reliable.

Figure 1: HTTrack Website Copier mirroring tool

A complementary tool that digs into the Google cache for sensitive information that is publicly accessible on your site -- or at least was at some point in time -- is Foundstone's SiteDigger. If you prefer UNIX tools, the BackTrack Live CD (see more below) has a good collection of Google-related tools: Goog Mail Enum, Google-Search, Googrape and Gooscan. All of these are very useful for getting the most out of Google hacking.

As you get rolling into your testing and want to dig deeper into your Web servers and applications, httprint is useful for determining Web server version information, since it fingerprints the server's behavior rather than trusting the Server banner, which administrators can change. Likewise for the Netcraft "What's that site running?" site. If you want to root out more, Wikto (shown in Figure 2) and Nikto are good tools for uncovering server-level weaknesses that would be difficult to track down otherwise.

Figure 2: SensePost's Wikto Web vulnerability scanner
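To make the fingerprinting point concrete, here is an added example in the spirit of httprint. It is not code from the original post or from the httprint project: it scores a raw HTTP response against a small, constructed table of header orderings (the real signature database is larger and uses more behaviors than header order). The response below is also constructed; its banner claims Apache while its header ordering matches the IIS signature, which is exactly the discrepancy a banner-only check would miss.

```python
# Added example: fingerprint a Web server from the order in which it emits
# response headers, in the spirit of httprint.  The Server banner is trivial
# to change; header ordering is a side effect of the implementation.
# SIGNATURES and the sample response are constructed for illustration and are
# NOT taken from httprint's real signature database.
from typing import List, Tuple

# Constructed signatures: server name -> header names in the order emitted.
SIGNATURES = {
    "Apache/2.2": ["date", "server", "last-modified", "etag", "accept-ranges",
                   "content-length", "content-type"],
    "IIS/6.0": ["content-length", "content-type", "last-modified",
                "accept-ranges", "etag", "server", "date"],
    "nginx/0.7": ["server", "date", "content-type", "content-length",
                  "last-modified", "connection", "accept-ranges"],
}


def parse_headers(raw_response: bytes) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs in the order the server sent them."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().decode("ascii", "replace").lower(),
                          value.strip().decode("ascii", "replace")))
    return pairs


def lcs_len(a: List[str], b: List[str]) -> int:
    """Longest common subsequence: an order-aware similarity of two header lists."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def fingerprint(raw_response: bytes) -> Tuple[str, float, str]:
    """Best-matching signature, its score in [0, 1], and the Server banner claimed."""
    headers = parse_headers(raw_response)
    observed = [name for name, _ in headers]
    banner = next((value for name, value in headers if name == "server"), "")
    best, best_score = "unknown", 0.0
    for server, sig in SIGNATURES.items():
        score = lcs_len(observed, sig) / max(len(observed), len(sig))
        if score > best_score:
            best, best_score = server, score
    return best, best_score, banner


# Constructed response: the banner says "Apache", the ordering says IIS.
SPOOFED = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Length: 1433\r\n"
           b"Content-Type: text/html\r\n"
           b"Last-Modified: Mon, 18 Aug 2008 09:12:00 GMT\r\n"
           b"Accept-Ranges: bytes\r\n"
           b"ETag: \"0e4f-1b2c\"\r\n"
           b"Server: Apache\r\n"
           b"Date: Wed, 20 Aug 2008 10:00:00 GMT\r\n"
           b"\r\n"
           b"<html>...</html>")

if __name__ == "__main__":
    server, score, banner = fingerprint(SPOOFED)
    print(f"banner={banner!r} best_match={server} score={score:.2f}")
```

When the banner and the best-scoring signature disagree, as they do here, treat the banner as untrusted and keep probing; a real tool adds behavioral tests (malformed requests, unsupported methods) on top of ordering.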

Web application authentication hacking may or may not be on your to-do list, but if it is, the best free tool I've found is Brutus as shown in Figure 3.

Figure 3: Brutus Web application password cracker

Brutus performs dictionary password cracking, as many other tools do. However, it's the only free tool I'm aware of that also performs brute force password cracking, i.e. exhaustively trying every combination over a character set rather than only the words in a list. This can be very handy, as I've found that dictionary cracking is often limited in use: a password that isn't in the list, or a simple mangling of one, is never tried.
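The difference between the two modes, as an added example that is not part of the original post and does not use Brutus itself: the "login" function is a constructed stand-in for the Web form or HTTP Basic endpoint the tool would be hammering, with a constructed account and a constructed salt, and the wordlist is likewise made up. Nothing here touches a network.

```python
# Added example: dictionary cracking versus exhaustive brute force against a
# constructed login.  The account, salt and wordlist are made up for this demo.
import hashlib
import itertools
import string
from typing import Iterable, Optional, Tuple

SALT = b"constructed-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


# Constructed target account.  "h4x" is short but not in the wordlist below,
# and no simple mangling rule produces it either.
ACCOUNTS = {"admin": _digest("h4x")}


def login(user: str, password: str) -> bool:
    """Stand-in for the HTTP login the cracker would be sending requests to."""
    stored = ACCOUNTS.get(user)
    return stored is not None and stored == _digest(password)


def dictionary_attack(user: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each word plus a few common mangling rules; None if nothing hits."""
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1", word + "123"):
            if login(user, candidate):
                return candidate
    return None


def brute_force(user: str, charset: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every string over `charset` up to `max_len`, shortest first.
    Returns (password or None, number of login attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if login(user, candidate):
                return candidate, attempts
    return None, attempts


WORDLIST = ["password", "admin", "letmein", "welcome", "pass", "qwerty"]  # constructed

if __name__ == "__main__":
    print("dictionary:", dictionary_attack("admin", WORDLIST))
    found, n = brute_force("admin", string.ascii_lowercase + string.digits, 4)
    print(f"brute force: {found!r} after {n} attempts")
```

The attempt count is the practical caveat: the search space grows as charset_size ** length, so brute force only pays off against short passwords, weak lockout policies, or a fast offline target, which is why a dictionary run with mangling rules is still the first thing to try.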

Once you get into the manual assessment phase of your testing, the tried and true Paros Proxy comes in handy for intercepting HTTP traffic en route and editing it before it reaches the server. There's also THCSSLCheck, which determines the ciphers a Web server supports, as well as Absinthe, which is a GUI-based automated SQL injector. Another one I really like is the Web Developer extension for the Firefox browser, shown in Figure 4.

Figure 4: The Firefox Web Developer extension

The Web Developer extension contains tools that you'll likely need to use every time you're testing a Web application, including the following:

  • Cookie manipulation
  • Form manipulation
  • Java and JavaScript parsing
  • Source code viewing
  • Code validator
  • Hidden field viewer

These Firefox extension tools provide a great way to poke and prod an application all within one interface. The common thread with the proxy is that cookies, form fields and hidden fields are all client-side data: anything the application trusts from them without re-checking on the server is a finding waiting to happen.
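Here is the kind of edit the proxy or the extension lets you make, as an added example that is not from the original post and does not use Paros or Firefox code: it parses a constructed checkout request, rewrites a hidden price field and a role cookie the way an intercepting proxy would (fixing up Content-Length so the server still parses the body), and then shows a server-side handler that trusts the field next to one that does not. The shop, field names and catalog are hypothetical.

```python
# Added example: tamper with a captured HTTP request the way an intercepting
# proxy does, then show why the server must not trust the result.
# The request, application and catalog below are constructed for this demo.
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

Headers = List[Tuple[str, str]]   # ordered, case preserved for re-serialization


def parse_request(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw request into request line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in lines[1:] if ":" in line]
    return lines[0], headers, body


def get_header(headers: Headers, name: str, default: Optional[str] = None) -> Optional[str]:
    return next((v for k, v in headers if k.lower() == name.lower()), default)


def set_header(headers: Headers, name: str, value: str) -> None:
    for i, (k, _) in enumerate(headers):
        if k.lower() == name.lower():
            headers[i] = (k, value)
            return
    headers.append((name, value))


def tamper(raw: bytes, form: Dict[str, str], cookies: Dict[str, str]) -> bytes:
    """Override form fields and cookies in a captured request; keep it well-formed."""
    request_line, headers, body = parse_request(raw)
    fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    fields.update(form)
    new_body = urlencode(fields).encode("latin-1")
    set_header(headers, "Content-Length", str(len(new_body)))   # must track the new body

    jar: Dict[str, str] = {}
    for part in (get_header(headers, "Cookie", "") or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    jar.update(cookies)
    set_header(headers, "Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + new_body


# Server side (constructed): a catalog the application actually controls.
CATALOG = {"42": "1999.00"}


def trusting_total(fields: Dict[str, str]) -> float:
    """Vulnerable: the price comes from a hidden field the client chose."""
    return float(fields["price"]) * int(fields["qty"])


def hardened_total(fields: Dict[str, str]) -> float:
    """Fixed: only the item id is taken from the client; the price is looked up."""
    return float(CATALOG[fields["item"]]) * int(fields["qty"])


# Constructed capture of a legitimate checkout request.
ORIGINAL = (b"POST /checkout HTTP/1.1\r\n"
            b"Host: shop.example\r\n"
            b"Cookie: session=abc123; role=user\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 27\r\n"
            b"\r\n"
            b"item=42&qty=1&price=1999.00")

if __name__ == "__main__":
    forged = tamper(ORIGINAL, {"price": "0.01"}, {"role": "admin"})
    print(forged.decode("latin-1"))
    _, _, body = parse_request(forged)
    fields = dict(parse_qsl(body.decode("latin-1")))
    print("trusting server charges:", trusting_total(fields))
    print("hardened server charges:", hardened_total(fields))
```

The Content-Length fix-up is the detail people forget when hand-editing in a proxy: a stale length makes the server truncate or reject the body, and the test then looks like "not vulnerable" when it was really "request never parsed".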

Finally, many of the Web application security testing tools that I've outlined here are available via the latest version of BackTrack as shown in Figure 5.

Figure 5: BackTrack Live CD's numerous Web application tools

The thing I love about BackTrack is that you can tap into the power of a large portion of the Linux/UNIX-based tools without the hassle of getting Linux or UNIX installed and configured yourself. Of all the tools in your toolbox, the BackTrack suite should be top priority.

Regardless of whether or not you have to pay for a security testing tool, the overall goal is to have the right tool for the job. These tools do just that. They're specific enough to find the vulnerabilities at the right time without having to spend a dime. Check them out -- you won't regret it.

What are different scenarios for security testing Web-based applications?

There are two types of security testing that can be performed on Web applications: static analysis and dynamic analysis. In addition, there are two ways of performing security tests: automated and manual.

Dynamic analysis involves performing tests on a running instance of an application and is also known as black box testing. The security test involves sending requests to the application and observing the responses for any indication that a security vulnerability may be present. Dynamic analysis can be an effective way to test applications, but it is important to understand some limitations. First of all, because the testing is based on analyzing request and response patterns, the results obtained are really only an inference about the internal state of the application -- the tester typically has no knowledge of the actual application source code or of what the internal state of the application is. In addition, because the tester is only looking at the observable behavior of the application and cannot know the entire attack surface, there is a chance that areas of the application and components of its functionality will be excluded from the test. Also, some responses might not obviously indicate that a security vulnerability is present: an application that swallows a database error and returns a generic error page gives an error-based probe nothing to match on. These factors lead to the potential for false negatives -- situations where a security vulnerability goes unnoticed and unreported.
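The request-and-observe loop and its false-negative problem, as an added example that is not part of the original answer: the target is a constructed, deliberately vulnerable application backed by an in-memory SQLite database (so the injection is real, not simulated), and the three probes are the kind a scanner sends. The error-based SQL injection probe misses the flaw because the application returns a generic error page; a boolean-based probe, which only compares responses to a true and a false condition, still finds it.

```python
# Added example: black-box probing of a constructed, deliberately vulnerable app.
# Everything here is in-process; there is no network and no real target.
import html
import sqlite3
from typing import Dict, Tuple

Response = Tuple[int, str]

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items(id INTEGER, name TEXT)")
_db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def app(path: str, params: Dict[str, str]) -> Response:
    """Constructed target.  /search reflects unescaped (XSS), /safe-search escapes,
    /item builds SQL by string formatting (SQLi) but hides the database error."""
    if path == "/search":
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if path == "/safe-search":
        return 200, f"<h1>Results for {html.escape(params.get('q', ''))}</h1>"
    if path == "/item":
        try:
            rows = _db.execute(
                f"SELECT name FROM items WHERE id = {params.get('id', '')}").fetchall()
        except sqlite3.Error:
            return 500, "Something went wrong"        # generic page: no error signature
        return (200, f"<p>{rows[0][0]}</p>") if rows else (404, "Not found")
    return 404, "Not found"


XSS_PAYLOAD = "<script>alert(1)</script>"
SQL_ERROR_SIGNS = ("syntax error", "unrecognized token", "sqlite3", "mysql", "ora-")


def probe_xss(path: str, param: str) -> bool:
    """Reflected XSS heuristic: the payload comes back verbatim."""
    _, body = app(path, {param: XSS_PAYLOAD})
    return XSS_PAYLOAD in body


def probe_sqli_error(path: str, param: str, base: str) -> bool:
    """Error-based heuristic: a stray quote provokes a recognizable DB error."""
    _, body = app(path, {param: base + "'"})
    return any(sign in body.lower() for sign in SQL_ERROR_SIGNS)


def probe_sqli_boolean(path: str, param: str, base: str) -> bool:
    """Boolean-based heuristic: a true condition leaves the page unchanged,
    a false one changes it.  Needs no error message at all."""
    baseline = app(path, {param: base})
    when_true = app(path, {param: base + " AND 1=1"})
    when_false = app(path, {param: base + " AND 1=2"})
    return when_true == baseline and when_false != baseline


def run_scan() -> Dict[str, bool]:
    """What the scanner reports for each probe; True means 'flagged'."""
    return {
        "xss:/search": probe_xss("/search", "q"),
        "xss:/safe-search": probe_xss("/safe-search", "q"),
        "sqli-error:/item": probe_sqli_error("/item", "id", "1"),     # false negative
        "sqli-boolean:/item": probe_sqli_boolean("/item", "id", "1"),  # caught
    }


if __name__ == "__main__":
    for check, flagged in run_scan().items():
        print(f"{check:22s} {'VULNERABLE' if flagged else 'clean'}")
```

The lesson is in the two /item rows: the same flaw is reported or missed depending purely on which observation the probe relies on, and neither probe knows anything about the code that is actually running.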

Dynamic analysis can be performed either in an automated manner or manually. Web application scanning tools like those from Watchfire and SPI Dynamics are good examples of automated dynamic analysis tools. Automated tools are good at finding many common vulnerabilities such as SQL injection and cross-site scripting (XSS). They will often also look for well-known security or configuration problems with the Web and application servers and operating systems of the applications they are testing. Reports from these tools often also flag things such as critical patches that have not been applied. Even so, this leads to the identification of only technical flaws in the application. Automated tools are limited in that they have no understanding of the business logic of the applications they are testing. Logical flaws, which can be just as common and potentially even more damaging, will be overlooked. This is an important point for organizations implementing application security initiatives to take to heart -- even if the scanner says you are clean, you still need to look deeper in order to do a credible job of assessing the security of an application.

Manual testing of Web applications is typically performed using a Web browser and a Web proxy tool like Paros or OWASP's WebScarab. The commercial scanning tools also typically come with proxies so that analysts using their scanners can augment the scanner results with manual tests. Proxies allow the security analyst to create and send arbitrary requests to the application and inspect the results for evidence of security issues. As mentioned above, these manual tests -- looking for data leakage, failures to authorize activities and so on -- are required for a credible application security assessment.
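A logical flaw of the kind the two paragraphs above describe, as an added example that is not from the original answer: a constructed order-lookup handler that authenticates the caller but never checks that the order belongs to them. An injection-style probe of the id parameter sees only 404s and reports nothing; the manual test, which needs two accounts and an understanding of who should see what, finds it immediately. The accounts, sessions and orders are all made up, and the fixed handler beside it shows the missing check.

```python
# Added example: a horizontal authorization flaw (any logged-in user can read
# any order) that an injection scanner does not flag, and the manual test that does.
# Users, sessions and orders are constructed for this demo.
from typing import Callable, Dict, List, Optional, Tuple

USERS = {"alice": "sess-alice-7f3a", "bob": "sess-bob-91c2"}   # user -> session token
SESSIONS = {token: user for user, token in USERS.items()}
ORDERS = {
    1001: {"owner": "alice", "total": "249.00", "ship_to": "1 Alice Way"},
    1002: {"owner": "bob", "total": "19.99", "ship_to": "2 Bob St"},
}

Handler = Callable[[str, object], Tuple[int, Optional[dict]]]


def get_order_vulnerable(session: str, order_id: object) -> Tuple[int, Optional[dict]]:
    """Checks authentication, not authorization: the order's owner is never consulted."""
    if session not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)           # a non-integer id simply misses
    return (200, order) if order else (404, None)


def get_order_fixed(session: str, order_id: object) -> Tuple[int, Optional[dict]]:
    """Same lookup, plus the ownership check.  404 rather than 403 so the response
    does not confirm that someone else's order id exists."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def scanner_style_probe(handler: Handler, session: str) -> List[str]:
    """What an injection-oriented scanner does with the id parameter.
    Returns the payloads that produced a 200; here, none."""
    hits = []
    for payload in ("1001'", "1001 OR 1=1", "<script>alert(1)</script>"):
        status, _ = handler(session, payload)
        if status == 200:
            hits.append(payload)
    return hits


def horizontal_authz_test(handler: Handler, victim: str, attacker: str, order_id: int) -> bool:
    """Manual-style test: something the victim can read must not be readable by
    the attacker.  True means an authorization failure was found."""
    victim_status, _ = handler(victim, order_id)
    attacker_status, _ = handler(attacker, order_id)
    return victim_status == 200 and attacker_status == 200


def run_tests() -> Dict[str, bool]:
    return {
        "scanner_flags_vulnerable": bool(scanner_style_probe(get_order_vulnerable, USERS["bob"])),
        "manual_finds_vulnerable": horizontal_authz_test(get_order_vulnerable, USERS["alice"], USERS["bob"], 1001),
        "manual_finds_fixed": horizontal_authz_test(get_order_fixed, USERS["alice"], USERS["bob"], 1001),
    }


if __name__ == "__main__":
    for name, outcome in run_tests().items():
        print(f"{name:26s} {outcome}")
```

The test needs something no pattern-matching tool has: two identities and the rule that orders are private to their owner. That rule lives in the requirements, not in any request or response, which is why this class of flaw survives a clean scan.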

Where dynamic analysis is performed against a running installation of an application, static analysis involves reviewing application assets like source code, configuration files and so on while they are static -- or at rest. This is also known as source code analysis or white box testing. Static analysis opens up opportunities for a more thorough analysis because the analyst has access to the "ground truth" of the source code. Analysts do not have to observe the behavior of an application and make inferences about the internal state of the system; instead they have access to the actual instructions the software will follow when put into production. This can help to reduce false positives as well as false negatives. One drawback of static analysis is that it can fail to identify security issues that are bound up in the specific configuration of the deployed system -- for example, static analysis will not be able to identify issues that arise because administrators failed to install Web server or operating system patches.

Just as with dynamic or black box testing, static analysis can be performed both by automated tools and by manual review. Because non-trivial applications can have tens or hundreds of thousands -- or even millions -- of lines of source code, manual reviews are typically only conducted against the subset of the application source code that is considered security critical. Automated static analysis tools such as those from Fortify Software and Ounce Labs have the advantage that they can be run against large code bases, and the analysis is performed consistently and tirelessly across the entire code base. Automated static analysis tools can only execute a set of rules that look for general quality and security flaws -- typically by tracing data from an untrusted source (a request parameter, for instance) to a dangerous sink (a query string handed to the database) -- and they have no understanding of the context of the application or the business rules the application should be enforcing. For this reason automated static analysis tools have the same blindness to logical flaws in applications that their dynamic analysis counterparts do. They are great at finding flaws like SQL injection, cross-site scripting and buffer overflows, but fall short in other critical areas.
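What such a rule looks like in miniature, as an added example that is not the original answer's and is not code from Fortify or Ounce Labs: a source-to-sink taint rule for SQL injection over Python source, built on the standard `ast` module. It marks variables assigned from a small, assumed set of untrusted sources, propagates that mark through assignments within a function, and flags any `execute`-style call whose query text references tainted data. The sample source it scans is constructed; note that the parameterized query is correctly left alone, that a dynamic but untrusted-free query is left alone, and that the discount function, where a business rule would live, is invisible to the rule by construction.

```python
# Added example: a miniature intra-procedural taint rule for SQL injection over
# Python source, in the style of an automated static analysis check.
# SOURCES and SINKS are assumptions for this demo; the scanned SAMPLE is constructed.
import ast
from typing import List, Set, Tuple

SOURCES = {"request", "input", "argv", "environ"}     # attacker-controlled data
SINKS = {"execute", "executemany", "executescript"}   # methods that run SQL


def _refs(node: ast.AST) -> Set[str]:
    """Every simple name and attribute name mentioned inside an expression."""
    out: Set[str] = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            out.add(n.id)
        elif isinstance(n, ast.Attribute):
            out.add(n.attr)
    return out


def _is_tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """An expression is tainted if it mentions a source or an already-tainted variable."""
    return bool(_refs(node) & (tainted | SOURCES))


class SqlInjectionRule(ast.NodeVisitor):
    """Flags sink calls whose first argument (the query text) is tainted."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []
        self.tainted: Set[str] = set()

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()            # taint is tracked per function only
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if _is_tainted(node.value, self.tainted):
            for target in node.targets:
                self.tainted |= {n.id for n in ast.walk(target) if isinstance(n, ast.Name)}
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS and node.args:
            query = node.args[0]
            if _is_tainted(query, self.tainted):
                self.findings.append((node.lineno, ast.unparse(query)))
        self.generic_visit(node)


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line number, query expression) for each suspected injection."""
    rule = SqlInjectionRule()
    rule.visit(ast.parse(source))
    return rule.findings


# Constructed code under review (line 1 is the first def).
SAMPLE = '''\
def lookup_user(request, cur):
    uid = request.args["id"]
    query = "SELECT * FROM users WHERE id = " + uid
    cur.execute(query)

def lookup_user_safe(request, cur):
    uid = request.args["id"]
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))

def list_table(cur):
    table = "audit_log"
    cur.execute(f"SELECT * FROM {table}")

def apply_discount(cur, order):
    cur.execute("UPDATE orders SET total = ? WHERE id = ?", (order.total * 0.1, order.id))

def end_session(request, cur):
    cur.execute("DELETE FROM sessions WHERE token = '%s'" % request.cookies["sid"])
'''

if __name__ == "__main__":
    for lineno, expr in scan(SAMPLE):
        print(f"line {lineno}: tainted query passed to a SQL sink: {expr}")
```

Two things to take from it. First, the rule needs neither a running system nor a guessed payload; it reads the instruction that will execute. Second, `apply_discount` is clean by every rule of this shape, even if the business rule says a discount may never be applied twice or may not exceed some limit; that is the blindness to logic flaws the paragraph describes, and only a reviewer who knows the requirements will see it.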

Actual assessments of the security of Web applications often combine one or more of the techniques enumerated above, and selecting what sort of assessment to perform should be based on several factors, such as the resources available to perform the assessment and access to either the source code or a running system that can be used for testing. Running automated scans of either source code or running applications can be a relatively low cost way to get some insight into the security state of the system, but they suffer from the critical inability to find logical application flaws outlined above. In many organizations it may be difficult to get access to the actual source code of systems because it is considered highly proprietary. In cases such as these, only dynamic analysis can be performed. Conversely, in other organizations it may be unacceptable for various reasons to run tests against live systems, and no suitable pre-deployment instance of the application may be available. In cases such as this, static analysis is the only option. Manual review -- of both live applications and source code -- can become expensive for large applications and so must be properly targeted. It is critical for organizations to understand the goals of their security assessment and the level of security assurance they need, and to select an application testing strategy appropriate to their goals and available resources.