Sunday, March 31, 2019

SANS Mentor training comes to Novi, Michigan in September 2019

DEV522 Defending Web Applications Security Essentials

This class is intended for anyone tasked with implementing, managing, or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.

*Save 10% on your tuition fees. Enter registration discount code 10mentor19 when you register

Who Should Attend:
  • Application developers
  • Application security analysts or managers
  • Application architects
  • Penetration testers who are interested in learning about defensive strategies
  • Security professionals who are interested in learning about web application security
  • Auditors who need to understand defensive mechanisms in web applications
  • Employees of PCI compliant organizations who need to be trained to comply with PCI requirements
  • Those wanting to earn the GWEB certification from SANS GIAC 
If you aren't familiar with the SANS Mentor course format, rather than six days in a lecture, you attend shorter sessions one evening per week.  We'll go over the hands-on lab exercises and answer your questions from the course material.  In between sessions you have time to study and digest the materials. You still get all the curriculum you would get at a large SANS conference, but without the expense of travel and time away from the office. For more information on the SANS Mentor program, go to

I have not yet settled on a venue for the class, but it will be in the Twelve Oaks area in Novi. More details on this as we get a little closer to the class dates.

For more details, visit the official SANS course page at

Sunday, May 28, 2017

C Programming tip: Pass struct pointer to a function as an argument

I'm taking a class in "operating systems" programming this spring, focused on Linux. So, this post may not be much use if you're working in Windows. In my previous assignment we used pthreads to practice multi-threading concepts. One question that came up for me was how to pass multiple arguments to a function called by pthread_create. The answer I kept finding was to pass a pointer to a struct. I had never done that before, wasn't really sure how it was supposed to work and just worked around it in other ways. But in working through my most recent assignment, I decided this was a technique I really wanted to use for the sake of flexibility, even though I wasn't using pthread_create.

The assignment was basically to write a command shell. I won't go into all the details in this post, but just want to stick to passing a struct pointer. The technique works well for pthread_create also.

Step 1: Create a struct with the multiple variables you want to pass as arguments
 25: struct params {  
 26:   int nums[4];  
 27:   char* chPtr;  
 28:   char** argt;  
 29:   char** argu;  
 30: };  

Step 2: Declare an instance of the struct and set some values for your struct member variables
 65: struct params genericParams;
 66: int o;
 67: for(o = 0; o < 4; o++) {
 68:    genericParams.nums[o] = 0;   //initialized to some known value
 69: }
 70: char startDir[512];
 71: memset(startDir, '\0', sizeof(startDir));   //ensure all indices hold the null terminator character
 72: if (getcwd(startDir, sizeof(startDir)) == NULL) perror("getcwd");   //on failure startDir is still an empty string, not garbage
 73: genericParams.chPtr = startDir;
 74: char* argr[512] = { NULL };   //every slot starts out NULL instead of holding leftover stack contents
 75: char* args[512] = { NULL };
 76: genericParams.argt = argr;
 77: genericParams.argu = args;

What's going on in this block? After declaring an instance of the struct and initializing the int array to all zeros, I set up a char array to hold the path of the current working directory and store that path in it (lines 70 - 72). The memset fills every index with the null terminator so that, whatever we later put into the array, any function that reads it as a string can find where it ends. On success getcwd writes its own terminator, so the memset really matters for the failure case: getcwd then returns NULL and the buffer is left untouched, and without the memset we would be handing other code an uninitialized buffer that could hold anything at all. Checking getcwd's return value is the real safeguard; the memset just guarantees that the failure case leaves an empty string rather than garbage.

Line 73 points the chPtr member at startDir. In this way, we can later read and modify the contents of startDir if we want without having to go through a lot of other steps to copy it properly into a struct member. One caveat: chPtr now points into an array on this function's stack, so the struct, and any copy of that pointer, must not be used after this function returns. With pthread_create in particular, the thread may still be running after the creating function's frame is gone, and reading through the stale pointer is a use of freed stack memory.

Lines 74 and 75 declare arrays of pointers to char. We can use each of these array locations to hold a separate char*. Remember that a char* pointing at a null-terminated buffer is the usual way of representing a string in C.

Lines 76 and 77 point the char** members in our struct at argr and args, giving us a pair of pointers to arrays of char pointers. This provides a lot of flexibility when it comes to manipulating our strings later. Anything that walks these arrays (an execvp-style call, for instance, which expects a NULL sentinel after the last argument) must only read slots you have actually set, so either initialize every slot or terminate the list explicitly.

Step 3: Call your function
 163: retVal = childExec(&genericParams);  

By passing &genericParams in our function call, we're really passing the address of the struct instance. No copy of the struct is made: the callee works on the caller's object, so anything it writes through the pointer is visible to the caller afterwards. That is also why the same technique fits pthread_create, which accepts exactly one void* argument for the thread's start routine; a pointer to a struct lets that one argument carry as many values as you like.

Step 4: Receive the parameters and perform some processing
 433: int childExec(struct params *aStruct) {  
 434:     int o;
 435:     for(o = 0; o < 4; o++) {
 436:         printf("aStruct->nums[%d] = %d\n", o, aStruct->nums[o]);  
 437:     }
     //more code to make use of your other variable members ...
 489: }

Here we receive the address of the struct instance and store it in a pointer, aStruct. Line 436 then just prints the contents of each integer in the nums member array. Since aStruct is a pointer to struct, not itself a struct, we use the -> operator to reference member variables instead of a dot; aStruct->nums[o] is shorthand for (*aStruct).nums[o]. Because it is a pointer, the function can also write results back into the struct for the caller to pick up, which is how a worker thread started with pthread_create hands data back.
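To show the same technique in the pthread_create setting the post mentions, here is a complete program as an added example. It is not code from the assignment above; the struct name worker_params, the functions worker, run_workers and sample_run, and the "/srv/app" and argv sample inputs are all made up for this example. Each thread receives a pointer to its own struct, uses -> to read the inputs, writes a result back through the same pointer, and the creating function keeps the array of structs alive until every thread has been joined.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NWORKERS 4
#define PATHBUF 512

/* Everything one worker needs, bundled so that pthread_create's single
 * void* argument can carry it all. Hypothetical names for this example. */
struct worker_params {
    int id;                 /* in: which worker this is */
    const char *cwd;        /* in: shared, read-only working directory string */
    char *const *argv;      /* in: NULL-terminated argument vector, execvp style */
    long result;            /* out: written by the worker, read by the caller after join */
};

/* Start routine with the signature pthread_create requires: void *(*)(void *).
 * The caller passed &params[i], so convert the void* back to the struct
 * pointer and use -> on it, exactly as childExec does in the post. */
static void *worker(void *arg)
{
    struct worker_params *p = arg;          /* void* converts implicitly in C */
    long total = (long)strlen(p->cwd);

    for (size_t i = 0; p->argv[i] != NULL; i++)   /* stop at the NULL sentinel */
        total += (long)strlen(p->argv[i]);

    p->result = total * (p->id + 1);        /* write the answer back through the pointer */
    return p;                               /* also hand the struct back via pthread_join */
}

/* Run NWORKERS threads, each with its own params struct.
 * params[] lives in this frame until every thread has been joined, which is
 * what makes passing &params[i] safe: the struct must outlive the thread that
 * uses it. A struct declared inside the loop body, or the address of the loop
 * counter, would be gone by the time the thread reads it.
 * Returns 0 on success, -1 if a thread could not be created or joined. */
static int run_workers(const char *cwd, char *const argv[], long results[NWORKERS])
{
    pthread_t tid[NWORKERS];
    struct worker_params params[NWORKERS];
    int created = 0;
    int rc = 0;

    for (int i = 0; i < NWORKERS; i++) {
        params[i] = (struct worker_params){ .id = i, .cwd = cwd, .argv = argv, .result = 0 };
        if (pthread_create(&tid[i], NULL, worker, &params[i]) != 0) {
            rc = -1;
            break;
        }
        created++;
    }

    for (int i = 0; i < created; i++) {      /* join what was started, even on error */
        void *ret = NULL;
        if (pthread_join(tid[i], &ret) != 0 || ret != &params[i])
            rc = -1;
        else
            results[i] = params[i].result;   /* same object the thread wrote into */
    }
    return rc;
}

/* Constructed sample input (not from the post): a fixed cwd string and a
 * two-element argv. "/srv/app" is 8 characters and "ls" "-l" total 4, so the
 * four workers produce 12, 24, 36 and 48. */
static int sample_run(long results[NWORKERS])
{
    char *const argv[] = { "ls", "-l", NULL };
    return run_workers("/srv/app", argv, results);
}

int main(void)
{
    char cwd[PATHBUF];
    long results[NWORKERS];

    /* Check getcwd's return value instead of trusting a pre-cleared buffer. */
    if (getcwd(cwd, sizeof cwd) == NULL) {
        perror("getcwd");
        return 1;
    }
    char *const argv[] = { "echo", "hello", NULL };
    if (run_workers(cwd, argv, results) != 0) {
        fputs("run_workers failed\n", stderr);
        return 1;
    }
    for (int i = 0; i < NWORKERS; i++)
        printf("worker %d: %ld\n", i, results[i]);
    return 0;
}
```

Build with `cc -std=c11 -pthread struct_args.c -o struct_args`. The design point is the lifetime of the pointed-to struct: the thread only ever holds an address, so the array of structs is declared in run_workers, which blocks in pthread_join until every thread is done. Reusing one struct for all threads, or passing &i, would have threads reading values that were overwritten or gone by the time they ran.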

That's all there is to this. I hope someone finds it helpful. At least it will serve as a reminder to me on how the heck I did that thing. I will try to follow-up with tips on some of the other techniques I got to make use of in this project. So, do check back.

Tuesday, April 19, 2016

Application Threat Modeling in Risk Management

I presented this topic at West Michigan ISC2 Chapter meeting back in February and have been meaning to get the slide deck posted ever since. My apologies for taking so long with it. I wanted to clean up the references section and needed to add attribution in some places. Life gets in the way sometimes, but anyway.... I hope someone finds it useful. I continue to mine these ideas and the information sources that I cite within the slides.

The central concept is that software is still one of the most insecure areas in any enterprise. We put up firewalls, intrusion detection and prevention systems, implement lovely policies and tell our various boards of directors that we're doing all that can be reasonably done. But how do we know we're really applying the most cost effective mitigations to the right assets? How can we really express to non-technical stakeholders the true levels of risk they are accepting? As security professionals, we know the true picture of security sometimes looks pretty bleak, but we need to do better at quantifying that reality in business terms.

This presentation points to some tools and methods that help us do this. I believe these ideas can help management make more intelligent decisions about what kinds of business services or interfaces they want to offer, build the culture of risk management and the consensus needed to start raising the bar on security.

Download the presentation from the Downloads page, or directly here to get the notes:
or just the slides from SlideShare

Sunday, April 19, 2015

Reasonable Assurance Does Not Make Me Sleep Better

That was the title of a presentation I gave a few days ago at the Lansing Chapter of the Institute of Internal Auditors.  The idea for the theme came to me because I continue to hear the phrase "reasonable assurance" applied in several ways to audit work.  It just struck me that any audit of information technology security performed to a level of reasonable assurance does not make me feel any better about the actual security of the system.

Our adversaries are not "reasonable" in the lengths to which they will go to abuse the systems that we as IT professionals have worked so hard to build. Business customers and citizens interacting with government just want functionality to be able to get a product, a service or communicate with the organization.  But, because that's where the money is, criminals prefer to see these systems and applications as opportunities to steal money or proprietary information, embarrass the organization or bring them down.

If auditors are just trying to ensure that management has done a reasonably good job at implementing reasonable controls that are reasonably effective, we're sunk.  Of course, it's not the job of Audit to identify every vulnerability.  Audit is considered a third line of defense.  Stakeholders might believe Audit has their backs covered, but that's a different problem.  Audit is responsible to ensure stakeholders understand the true risk so that risk can be accepted, mitigated or transferred.  I believe this effort too often fails and I hope this presentation is useful in providing a perspective that may make it easier to achieve that limited goal.

The presentation can be downloaded from the share here:
If you go to my Downloads page, you'll be able to compare the sha1 checksum.

Slide 1 illustration courtesy of artist George Grie, from

Tuesday, January 27, 2015

Big updates to ISC2 CISSP Exam coming soon

The recently announced changes to the ISC2 CISSP exam are the most significant I've seen in years. They're moving to re-align test coverage to the newest issues in information security and current job practice areas. Some of the previous security domains have been expanded, while others have changed completely or been eliminated.  The new domains are:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)

  • Asset Security (Protecting Security of Assets)

  • Security Engineering (Engineering and Management of Security)

  • Communications and Network Security (Designing and Protecting Network Security)

  • Identity and Access Management (Controlling Access and Managing Identity)

  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

  • Software Development Security (Understanding, Applying, and Enforcing Software Security)

Dr. Eric Cole, author of SANS MGT414, is presenting the new curriculum through the vLive format in early March and other presenters will be field-testing it between now and September 9th when I launch the Mentor sessions in East Lansing, Michigan.

If you saw my earlier post about the Mentor session I'm presenting for the CISSP exam prep, I've updated it to link to the new flyer and registration page.

original post:

Wednesday, January 14, 2015

SANS Mentor Information Security Training in Mid-Michigan

If you are planning information security training for yourself or employees this year, I hope you'll consider the CISSP® exam preparation course I'm presenting in East Lansing, Michigan, beginning Thursday, March 19

UPDATE: SANS Institute is in the process of updating the curriculum for this course to align with the changes being announced by ISC2 for test candidates beginning April 15, 2015. You want the newest course content that will get you through the new test.  Since we need to move the Lansing Mentor session for this test prep course, the best opening to do it looks like September, starting on Wednesday the 9th.  Hopefully, this means a few more people who were considering the course will be able to register.

If you aren't familiar with the SANS Mentor course format, rather than five days in a lecture, you attend shorter presentations one evening per week.  Bring your questions to class and be prepared for discussion with your peers.  In between sessions you have time to study and digest the materials. You still get all the curriculum you would get at a large SANS conference costing thousands of dollars more, but without the need to take time away from the office.

Details are at  Be sure to get the discount and registration codes from the flyer on my downloads page, or directly via:

Tuesday, September 30, 2014

Leadership Attributes

This is just a place for me to note some of the characteristics of leadership that I want to keep in mind:
• Taking responsibility
• Drive to accomplish
• Motivates others
• Committed to objectives
• Decisive
• Confident
• Stable
• Empowering
• Enabling
• Developing others