Category Archives: Misc

Mt. Gox Meltdown

Why the Bitcoin Intrinsic Value Complaint is Irrelevant

In the aftermath of the Mt. Gox meltdown and subsequent bankruptcy filing, I have been reading a lot of commentary on Bitcoin. Even Paul Krugman has weighed in (against Bitcoin). Much of the criticism of Bitcoin centers around the idea that it has no ‘Intrinsic Value.’ While I have no particular opinion on whether Bitcoin is over- or undervalued or whether it has long-term viability, the Intrinsic Value criticisms are unfounded and based on a misunderstanding of Intrinsic Value, value and currency mechanisms.

A quick review of economic and financial principles will reveal that Bitcoin could have Intrinsic Value and be sustainable despite the fact that it is not backed by gold or a government’s power to tax.


What is Intrinsic Value?

Intrinsic Value is a concept in finance that attempts to value an asset (usually a financial asset like a stock or bond) based on a mathematical analysis of the (usually cash) value derived from that asset over time. Usually, discounted cash flows are used. So, for example, if a company is expected to pay dividends of $1 per year forever and an investor applies a discount rate of 10% to those dividends, the stock will be worth $10 per share ($1/.1).

This approach can be applied to assets that do not throw off streams of cash. For example, if I own a right to have dinner for two at a restaurant once a year and I value that at $100 with a discount rate of 10%, that right is worth $1,000 ($100/.1).

It should be pointed out that many assets with Intrinsic Value are not entirely backed by another asset (like gold) and the vast majority are not backed by a government’s right to use force to collect taxes.

As we will see in a bit, using the standard definition of Intrinsic Value, Bitcoin may very well have Intrinsic Value even though it is not backed by something with established value (e.g. gold) or a government’s right of taxation. All that is necessary to use Intrinsic Value analysis is for the asset in question to have tangible benefits that accrue to the owner over time.

Are All Values Intrinsic?

Most items with monetary value do not have Intrinsic Value. In other words, they do not throw off cash flow or other measurable benefits over time. For an item to have monetary value it needs to have two things and two things only: scarcity and demand. That’s it. Economics is about understanding human behavior, not judgement. If a lot of people want a baseball card and are willing to pay $80,000 for it, it’s worth $80,000. Period, end of story. If people are willing to pay $1,000 for an ounce of gold, that is what it is worth.

It should be pointed out that gold is not valued by Intrinsic Value analysis. It’s good old (scarce) supply and demand, econ 101, day 1. Gold certainly has a more established value based on a long history of it being a store of value but that’s it.

Why Are Currencies Useful?

Switching gears a bit, let’s talk about currencies. There are two potential uses of currencies. They can be used 1) as a store of value and 2) as a medium of exchange. The store of value is obviously needed for it to be a useful medium of exchange over the short term because if you have $3,000 in your checking account that you need to pay the rent, you need to know that it will be worth roughly that when the rent comes due next week.

Having said that, currency values change daily in relation to each other and over longer periods within their own country. If the Federal Reserve doubles the money supply, it will cause inflation and my rent will go up, as the US dollar will be worth less to my landlord (it will buy less).

The point of all of this is that just because Bitcoin’s value has been and will continue to be volatile, that does not mean that it has no use as a medium of exchange.

Taking another step, there are many factors that impact the utility of a currency as a medium of exchange. Let’s look at three of them.

  • Acceptance. Clearly if no one will accept a currency as payment, it is useless as a medium of exchange. The more entities that accept it, the more useful and valuable it is.

  • Transaction Costs. The less that it costs the buyer and seller to transact in a currency, the more useful it is. This is a major consideration and US dollar transaction costs can be significant. Credit card companies charge 2.5% or more to process a transaction.

  • Anonymity. For certain sectors of society, anonymity is highly valuable. Some people simply do not want their transactions traceable. Some of this demand may come from mere paranoia and certainly a significant portion of it relates to criminal activity.

Is Bitcoin Potentially Useful?

The answer, quite clearly, based on 1, 2 and 3 above is yes. While Bitcoin does not have the broad acceptance of the US Dollar at present, broad acceptance is not a requirement for it to have value. All that is required is for a meaningful subset of users to see value in using the currency for them to use it. Clearly transaction costs are lower and Bitcoin’s anonymity is very attractive.

Could Bitcoin Have Intrinsic Value?

The answer, according to finance theory, is a clear yes. Let’s recall that Intrinsic Value has nothing to do with something being backed by gold or the power of taxation. Again, all that is necessary to use Intrinsic Value analysis is for the asset in question to have tangible benefits that accrue to the owner over time.

Just looking at the transaction costs, we can measure the value of Bitcoin as the sum of the net present value of money saved over time by using it as compared to currencies with higher associated transaction costs. To create a simplistic example, let’s say that I keep $3,000 worth of Bitcoins to use for a certain number of transactions per year. Think of it like a checking account. Let’s say that I do $15,000 worth of transactions a year and save 2%, on average, on each transaction for a total of $300 per year. Assuming a discount rate of 10%, the Bitcoins are worth $3,000 to me ($300/.1). It is actually quite possible to save 2% per year or more, and $15,000 of annual transactions on a $3,000 account is very doable as well.

The fact that the Bitcoins are not backed by gold or the power to tax is no more relevant to me than the fact that I have my retirement savings invested in General Electric stock (which is neither backed by gold nor the power to tax). The Bitcoins have $3,000 worth of value (Intrinsic Value) because they deliver $300 per year of tangible benefits to me as an owner. If I had a magic wand or totem that saved me $300 per year on transaction costs, that would be worth $3,000 to me as well using the same analysis.

The benefits for criminal activity are even greater as money launderers charge substantially more than 2% (at least according to my favorite television shows). And the IMF estimates that 2-5% of global economic activity involves money laundering ($1.4 – $3.5 trillion per year). Bitcoin is not a complete solution for criminals as it does not yield a stable asset post-transaction but criminals may be willing to take some Bitcoin volatility risk for a portion of their portfolios in order to save on transaction costs.

Now I may have some value risk or piracy risk on my Bitcoins but that is something that I may be willing to take to save money on transaction costs and/or to achieve anonymity.


I’ve never used Bitcoin and have no plans to do so. Having said that, as a business owner, I am well aware that transaction costs are material and a new transaction mechanism (that may or may not include a new currency) could have value and gain adoption. Bitcoin, or other digital currency like it, could certainly be that mechanism. Whether it will succeed or not, I have no idea. But focusing on a misunderstanding of both Intrinsic Value and why currencies are useful will certainly not shed any light on the subject.

application authentication

If at first you don’t succeed, you’re hosed: The criticality of authentication in web scanning

We appreciate Kevin Beaver’s recent blog post about NTOSpider’s unique ability to authenticate on some of the trickiest applications and stay properly logged-in throughout the scan.

At NTO we take pride in helping our customers by solving the automation problems that limit most scanners. While we strongly believe that there are things in applications that must be tested by human hands with human logic, the more that we can automate the better. Web applications continue to proliferate and become more complex. Even with comprehensive and advanced automation, there is too much for even the most sophisticated application security teams to do. I believe the vendor community’s responsibility is to continue to innovate against even the toughest application security scanning challenges.


First of all, many thanks to Kevin for sharing his feedback on NTOSpider! It gives me a great opportunity to discuss the topic of automated logins. In a blog post earlier this year, “Web Application Security Scanning: The Art of Automation,” I enumerated several challenges in automated web application scanning, which included authentication, but here is a summary of some of the challenges when dealing with authentication:

  • Reliable automated detection of the login form. There are many possible formats, and they must be distinguished from other forms.

  • Automating the determination of a successful login vs. a failed login (with its different flavors of failure). This is one of the more challenging tasks and gives web application security scanning vendors all sorts of headaches.

  • Deal with login forms that include onsubmit events that do crazy stuff such as client-side encryption of the password to “protect” it over the wire, or calculate some predetermined key based on some other token.

  • Handling Single-Sign On (SSO) solutions which require going to another domain/host for the login process.

    • Only send credentials to the intended SSO site.

    • Properly handle the cookies from each domain, including those added by JavaScript routines.

    • Must not attack the SSO site, but only use it for the login process.

  • Providing flexible backup solutions for instances where automation fails.
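As an added illustration of three of the challenges above (login form detection, success vs. failure determination, and keeping credentials and attacks in the right scope with SSO), here is example code written for this post; it is not NTOSpider code, and the heuristics, field names and sample pages are constructed assumptions.

```python
"""Added example (not NTOSpider code): login-handling heuristics for a scanner."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # valueless attrs -> ""
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower() or "get",
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": a.get("type", "text").lower() or "text",
                 "name": a.get("name", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_forms(html):
    """Return forms that look like a login: exactly one password field plus at
    least one text/email field. Forms with two or more password fields are
    registration or change-password forms and are deliberately excluded."""
    collector = _FormCollector()
    collector.feed(html)
    logins = []
    for form in collector.forms:
        passwords = [i for i in form["inputs"] if i["type"] == "password"]
        usernames = [i for i in form["inputs"] if i["type"] in ("text", "email")]
        if len(passwords) == 1 and usernames:
            logins.append(form)
    return logins


FAILURE_MARKERS = ("invalid password", "login failed", "incorrect", "try again")
SUCCESS_MARKERS = ("logout", "sign out", "log out")


def classify_login(before, after):
    """Decide whether submitting credentials succeeded.

    `before` is the page carrying the login form, `after` the response to the
    submission; each is a dict with url, html and cookies (cookie names held).
    No single signal is reliable across applications (some answer HTTP 200 with
    an error, some redirect on failure), so several are scored and combined."""
    score = 0
    if find_login_forms(before["html"]) and not find_login_forms(after["html"]):
        score += 2      # the login form is gone from the page we landed on
    if after["url"] != before["url"]:
        score += 1      # we were sent somewhere other than the login URL
    if set(after["cookies"]) - set(before["cookies"]):
        score += 1      # a new (session) cookie was issued
    text = after["html"].lower()
    if any(m in text for m in FAILURE_MARKERS):
        score -= 3      # an explicit error message outweighs the weak signals
    if any(m in text for m in SUCCESS_MARKERS):
        score += 2      # a logout control is shown only to logged-in users
    return "success" if score >= 3 else "failure"


def credential_policy(url, target_host, sso_hosts):
    """Return (may_send_credentials, may_attack) for a URL reached during login.
    Credentials go only to the target and the configured SSO hosts; attack
    traffic goes only to the target, never to the SSO site."""
    host = (urlsplit(url).hostname or "").lower()
    return (host == target_host or host in sso_hosts), host == target_host


# Constructed sample pages (assumptions, not taken from any real application).
LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="t0k3n"><input type="submit" value="Go">
</form>
<form action="/search"><input type="text" name="q"></form>
<form action="/register" method="post">
  <input type="email" name="email"><input type="password" name="pw1">
  <input type="password" name="pw2">
</form>
"""
HOME_PAGE = '<h1>Welcome</h1><a href="/logout">Logout</a>'
FAILED_PAGE = LOGIN_PAGE + "<p>Invalid password</p>"

if __name__ == "__main__":
    before = {"url": "https://app.example/login", "html": LOGIN_PAGE, "cookies": ["csrf"]}
    ok = {"url": "https://app.example/home", "html": HOME_PAGE, "cookies": ["csrf", "session"]}
    bad = {"url": "https://app.example/login", "html": FAILED_PAGE, "cookies": ["csrf"]}
    print([f["action"] for f in find_login_forms(LOGIN_PAGE)])
    print(classify_login(before, ok), classify_login(before, bad))
    print(credential_policy("https://sso.example/auth", "app.example", {"sso.example"}))
```

A page that simply re-displays the login form with no message (HTTP 200, same URL, no new cookie) scores 0 and is reported as a failure, which is the silent-failure flavor that trips up naive "did we get a 200?" checks.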

By creating technologies for these various problems, we make it possible for most scans to run successfully when given just a URL and credentials. For example, one of our customers has hundreds of complex applications, so it simply is not possible to manually test each one. With one of their very large applications, they struggled to reach the desired level of automation with their previous solution. Configuring a scan was very difficult and typically required weeks of trial and error to get the right configuration. Once the scanner was finally configured, the scan ran for more than a week and often crashed before it was complete. In many instances, the login training had to be redone for each new scan. When the scan was performed by NTOSpider, it was able to automate the login and run to completion in a few days with almost no training.

One of the things that makes NTO different is our support. We understand that you are dealing with custom applications. You’ll often hear me say that every application is an edge case. These edge cases often require customized solutions. When needed, we work directly with you to enhance NTOSpider to handle custom applications. The same customer I mentioned above had another application with a form of two-factor authentication which asked the user to answer a revolving question, such as the color of your first car. Since the question would be randomly selected from five revolving possibilities, they needed a custom login macro. At the time, our existing login macro did not support such a situation. In response, our support and development team took on the challenge, and within a week we had extended our login macro solution to be able to figure out the question being asked and answer accordingly!

Another example of NT OBJECTives, innovating the art of automation!

Information Security Podcast

An Information Security Place Podcast – 8-20-13

The podcasting returns! This is the first new episode of InfoSec Place, and in a few days my web security podcast will return here on Man Vs Webapp (formerly Mightyseek).

Show Notes:

InfoSec News Update

Discussion Topic

  • The Threat of Social Engineering – Jigsaw FTW
  • Link 1
  • Link 2

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

  • Intro – Stay Alive – Rivethead
  • Segment 1 – – RivetHead
  • Segment 2 – – RivetHead
  • Outro – Zero Gravity – RivetHead

Hacking Fantasy – Hackers Only Fantasy Football League

This November I will be presenting at AppSec USA, Revenge of the Geeks: Hacking Fantasy Football Sports Sites. While I enjoy hacking fantasy football apps, I also enjoy playing the game. So this year, I am starting a hackers only fantasy football league. Come join us to have fun and maybe make a little money!

League details:


Social Fun:

  • It’s all for the fun! Have a blast playing against fellow security pros and enjoying the banter and rivalry that fantasy football brings out in everyone who plays it.
  • Mid-season gathering to be held during AppSecUSA in New York. (Details to follow)
  • Post-season gathering to be held during RSA 2014 in San Francisco. (Details to follow)

If you’re interested in managing a team, fire a tweet at @dan_kuykendall to let me know.


Vulnerability Management Solution from Denim Group and NT OBJECTives


Software development teams are under increasing pressure to deliver applications faster. Agile development processes support these efforts, but application security tools typically do not. They produce either reams of data or a summary report, leaving your security analysts to identify high-risk vulnerabilities and translate those into actionable tasks for developers. All of this delays time to market and lengthens the software development process – time that you don’t have. We want to help change that.

Yesterday, we announced a partnership with our friends over at Denim Group, where we will provide enterprises with a comprehensive dynamic vulnerability management solution for web and mobile apps. Denim Group’s ThreadFix application vulnerability management platform can now import the results from our application scanner – NTOSpider – enabling you to compare and analyze the results of other testing efforts, and have a more complete picture of your application security testing program.

NTOSpider enables security teams to get more testing done in an automated, repeatable fashion while delivering the most accurate results. This reduces the time security analysts need to dedicate to these efforts. The integration with ThreadFix further frees up security analysts by importing dynamic testing results, along with static analysis and manual testing results, into ThreadFix’s centralized console. Duplicate findings are removed and vulnerabilities are prioritized.


But wait, ThreadFix doesn’t stop there! While it won’t patch holes in your clothing, the ThreadFix platform will export the prioritized security vulnerability list into your defect tracker, translating vulnerabilities into software defects and adding the security tasks into your developer’s regular workflow. The result: Your clothes may still have holes, but your applications won’t! At least, you’ll have time to take your clothes to someone who can fix them or go buy new ones!

New NTODefend Rules Improve Effectiveness of WAFs and IPSs

We all know that identifying the root cause of a vulnerability and remediating the problem in the code is preferable to patching the application. But fixing source code takes time – time you don’t have. Every minute you leave your application vulnerable increases your chances of being attacked. The new strengthened rule generator in NTODefend buys your team time to fix the problem while effectively blocking the vulnerability through your web application firewalls (WAF) or intrusion prevention systems (IPS).

NTODefend enables security teams to automatically generate custom rules for WAFs and IPSs that protect web application vulnerabilities discovered in NTOSpider scans. Most security teams agree that custom rules are critical because they enable you to more effectively block discovered vulnerabilities. NTOSpider with NTODefend is one of the few automated solutions that does more than turn on default packaged WAF and IPS rules. NTODefend’s generated rules are at least 39% more effective than the WAF/IPS default rules, according to Application Security Consultant Larry Suto.

The improved rules in NTODefend block over 95% of application vulnerabilities in tests with Sourcefire’s Next Gen Intrusion Prevention System (IPS) or ModSecurity’s Web Application Firewall (WAF). These rules will save your security team time, improve the effectiveness of your WAF or IPS, and better protect your web applications. All you have to do is take the results of the NTOSpider scan and import them into NTODefend to generate custom rules that target the application’s vulnerabilities.

Instead of spending the days or weeks it takes to build a custom rule for a WAF or IPS, or building a source code patch, developers can use the time to identify the root cause of the problem and fix it in the code – providing better security all around!

For more information, read the press release.

3 Big Trends in Application Security

With application security it seems there is never a dull moment. Different facets of web security continue to evolve, from the hackers and the hacks to the techniques we use to combat them. Here are some of the trends we see emerging and maturing as best practices. Let us know if you are implementing these and how it’s going!


  1. Continuous Scanning – There’s a lot of buzz around the concept of continuous scanning, but in the world of application security, continuous scanning is sort of a misnomer because you don’t really want all of your applications scanned all the time and it would be an unreasonable use of hardware and bandwidth. In reality, continuous application scanning means constantly monitoring applications for changes and automatically launching a scan when the application has changed. Talk to your vendor about their ability to conduct this “continuous scanning” or site monitoring with automatic re-scans.

  2. Continuous Integration (CI) – Many organizations are pushing development to use Continuous Integration solutions (such as Hudson or Jenkins or home-grown solutions) to streamline QA efforts and to reduce time to market. Security teams are wise to find ways to plug their scanning activity into the CI to ensure that every build is security tested before it goes into production. This requires a scanner that works well in “point and shoot” mode and offers open APIs for running scans. Ask your vendor how their scanner would fit into your CI environment.

  3. Web browser automation integration – Most enterprise testing teams already use test automation tools and scripts such as Selenium to create repeatable tests that can be executed in conjunction with nightly application builds. It only makes sense to integrate security tests into this as well so that security tests can run automatically every time the application changes. This is a great way to catch application security vulnerabilities early and often.
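To make the "monitor for changes, scan only when the application changed" idea in trend 1 concrete, here is an added example written for this post (not code from any vendor product). It fingerprints the attack surface of a crawled site (form actions, input names and types, link paths and parameter names, script paths) rather than raw page bytes, so volatile values such as CSRF tokens or timestamps do not trigger needless re-scans; the sample pages are constructed.

```python
"""Added example: surface-based change detection that triggers a re-scan."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _SurfaceParser(HTMLParser):
    """Extract the parts of a page that define its attack surface."""

    def __init__(self):
        super().__init__()
        self.items = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a.get("action", "")
            self.items.add(f"form:{self._form}:{a.get('method', 'get').lower() or 'get'}")
        elif tag in ("input", "select", "textarea"):
            # Name and type are surface; the value (CSRF token, timestamp) is not.
            kind = a.get("type", "text").lower() or "text"
            self.items.add(f"input:{self._form}:{a.get('name', '')}:{kind}")
        elif tag == "a" and "href" in a:
            u = urlsplit(a["href"])
            names = ",".join(sorted(parse_qs(u.query, keep_blank_values=True)))
            self.items.add(f"link:{u.path}?{names}")      # parameter names, not values
        elif tag == "script" and "src" in a:
            self.items.add(f"script:{urlsplit(a['src']).path}")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def surface_fingerprint(pages):
    """pages maps a path to its HTML. Returns (sha256 hex digest, set of items)."""
    items = set()
    for path, html in pages.items():
        parser = _SurfaceParser()
        parser.feed(html)
        items.update(f"{path}|{item}" for item in parser.items)
    digest = hashlib.sha256("\n".join(sorted(items)).encode()).hexdigest()
    return digest, items


class ScanTrigger:
    """Holds the last accepted fingerprint and decides whether to launch a scan."""

    def __init__(self):
        self.digest = None
        self.items = set()

    def check(self, pages):
        digest, items = surface_fingerprint(pages)
        if self.digest is None:
            self.digest, self.items = digest, items
            return {"scan": True, "reason": "initial baseline", "added": set(), "removed": set()}
        if digest == self.digest:
            return {"scan": False, "reason": "unchanged", "added": set(), "removed": set()}
        added, removed = items - self.items, self.items - items
        self.digest, self.items = digest, items
        return {"scan": True, "reason": "surface changed", "added": added, "removed": removed}


# Constructed crawl snapshots (assumptions, not from a real site).
V1 = {
    "/": '<a href="/items?id=1&amp;ts=100">Items</a><script src="/static/app.js?v=1"></script>',
    "/login": ('<form action="/login" method="post"><input name="user">'
               '<input type="password" name="pass">'
               '<input type="hidden" name="csrf" value="aaaa"></form>'),
}
# The same application a minute later: only volatile values differ.
V1_LATER = {
    "/": '<a href="/items?id=7&amp;ts=161">Items</a><script src="/static/app.js?v=1"></script>',
    "/login": V1["/login"].replace("aaaa", "bbbb"),
}
# A deploy that adds a one-time-code field to the login form: a real change.
V2 = dict(V1_LATER, **{"/login": V1_LATER["/login"].replace("</form>", '<input name="otp"></form>')})

if __name__ == "__main__":
    trigger = ScanTrigger()
    for snapshot in (V1, V1_LATER, V2):
        result = trigger.check(snapshot)
        print(result["scan"], result["reason"], sorted(result["added"]))
```

In a CI hook the `check` call would run after each deploy or crawl, and only a `scan: True` result would kick off the scanner.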

For more information on the key trends and best practices in application security, check out the new Application Security Buyers Guide and this blog, 5 Ways to Squeeze More Juice out of Your Application Security Program.

5 Ways to Squeeze More Juice Out of Your Application Security Scanning Program

Application security scanning comes in all shapes and sizes, from desktop and enterprise software to SaaS and professional services. Regardless of which deployment model you choose, there are some ways to squeeze more value out of your application security testing efforts. One of the main premises is that today organizations are dealing with many applications. Security teams almost never have the capacity to adequately test their applications for security vulnerabilities at regular intervals. That’s where sophisticated automation techniques can be helpful.

By leveraging these automation techniques, you can:

  • reduce scan times
  • find more vulnerabilities
  • scan more frequently
  • aid remediation efforts
  • and better protect your applications.

Whether you use multiple software solutions, outsource to a SaaS provider or use auditors to test your site, leveraging the following techniques will help you squeeze more juice out of your application security scanning program.

  1. Quick Start – The best pen testers love to do things by hand and like to use new toys to aid their manual testing. The reality is that you need those smart pen testers to cover the work that can’t be done by automation. A good web application scanner’s real value is in its automated capabilities that reduce the need for manual testing. The best scanner is one that will work well in a “point and shoot” mode. In many cases, that is all that will be possible for understaffed security teams. Make sure the scanner you choose will work well against your applications with a simple “point and shoot” test.

  2. Authentication and Session Management (Developer’s Funzone, Security’s Nightmare) – Developers seem to revel in creating innovative, complex and difficult-to-automate schemes for authentication and session management. Scanners need to have advanced capabilities to authenticate automatically as well as backup plans (macros and advanced settings) to tweak in case there is a clever edge case. Make sure your scanner can automate the login process and maintain a session on your applications. It is also important to make sure the scanner has a macro recorder that supports user events to better handle complex authentication scenarios.

  3. Customer Support and Customization – The reality of application scanning today is that your applications are highly customized and it is extremely difficult for scanners to address 100% of these cases. Each custom application uses unique technical approaches that can trip scanners up and cause them to crash. Find a vendor that is willing and able to tweak the scanner to enable it to complete comprehensive scans on your applications. Also, make sure you understand how this process will work once you are a customer. Lastly, find out if there will be add-on charges to customize the scanner to work for you with new versions of the vendor’s software and your applications.

  4. Interactive and Usable Reporting – As you know all too well, some vulnerability reports are very, very long PDF files that are difficult to work with. A good scanner will provide you with results that can be used by auditors and developers alike. The report should make it easy to navigate through the results and reproduce the attacks with a few clicks. It should be easy to see what the issues are, with the ability to see summaries, drill into details and look at the information in different ways. Developers with limited security training often have a difficult time replicating vulnerabilities. This can slow down or stop remediation and certainly will put a strain on the resources of the security team. When choosing a scanner, make sure the reports are interactive, easy to use and useful for review and remediation. To watch a video that shows NTOSpider’s interactive reports, click here.

  5. WAF/IPS Linking with Custom Rules and Quick Retest – Due to the volume of applications and vulnerabilities, many organizations are relying on WAFs and IPS devices to help protect them against vulnerabilities that haven’t yet been patched. WAFs and IPS devices come with default rules. These rules will not give your custom application all the protection you need because they are generic and less effective than custom rules. You will likely require a custom rule that combines knowledge of the WAF/IPS device and of the application. Be sure you understand how rules are created and applied. Look for an automatic rule generation solution that goes beyond turning on a default rule from a WAF/IPS to create truly custom rules.

Let us know if you are using these techniques and how they are working. For more information about how we implement these, visit this NTOSpider page.

3 Tips for Finding the Best Website Security Scanner

While it takes some work to find the best website security scanner for your organization, if you follow these three simple guidelines, you’ll be off to a good start.

Although accurate automated application security testing has been common practice for many organizations for over 10 years, it remains a very difficult and complex process. There are automation techniques that make a scan as automated as possible, reduce scan times, increase the accuracy of results and save you time and money on manual testing.

If you are involved in website security scanning in any way, you know all too well that it’s difficult to create an effective test environment. When you are evaluating alternative solutions, we always recommend the following:

  • Allow enough time. It is difficult to test for accuracy under a compressed timeframe. It takes time to get comfortable with different configuration techniques and compare results. It takes a lot of time to check and re-check reports for accuracy. To read more about how to ensure the most accurate results, check out our blog, “7 Features of Accurate Application Security Software, SaaS and Services.”
  • Use a real application, not a public test app. Use one of your real applications that you know has vulnerabilities. Scanning vendors are very familiar with the few test applications that exist and most make sure their scanners find the vulnerabilities in those test applications.
  • Find a vendor you trust. Unfortunately, you will be, in certain instances, forced to rely on the word of the scanning vendor because the way a scanner crawls an application and executes attacks can be a black box. For this reason, you’ll find the best website security scanner for your needs if you spend some time on the phone or in person with vendors to learn about what works and what doesn’t. Usually, this just means finding a technical enough person to spend some time with you to explain how it actually works, where it performs well and which types of applications might give it trouble.

When you follow these three simple guidelines, you improve your chances of getting the most automated, accurate and easy-to-manage application security testing solution for any combination of software, SaaS and services deployment models. To read our top 15 tips for evaluating application security scanners, download this white paper, “Web Application Security Solutions Buyers Guide.”

7 Ways to Improve the Accuracy of your Application Security Tests

For more than 10 years, many organizations have been leveraging application security software to identify and remediate vulnerabilities in their web applications. While it’s difficult to figure out the best web security software for your organization, there are seven key techniques that not only increase the accuracy of testing in most applications, but also enable teams to leverage expert resources to test necessary areas by hand.

IT security experts who conduct application security testing or are trying to figure out the best application security solution should consider these techniques important and aim to use a solution that leverages as many of them as possible.

Application Security Scanning Requirements:

  1. Coverage of Modern Web Technologies – Coverage is the first step of accuracy. Application security software can’t test what it can’t find or doesn’t understand. Most scanners were built to scan HTML and they do so very effectively. Unfortunately, very few applications are built solely in HTML. Today’s applications have gone way beyond brochure-ware to mobile APIs and web services that make use of new application technologies. These applications are powered by JavaScript and AJAX on the client side and often have interfaces built in JSON, REST and SOAP, with CSRF protection thrown in for good measure. The best web security software solutions are capable of interpreting and attacking these modern technologies; find an internal or vendor-neutral test application with vulnerabilities in these technologies to confirm coverage.

  2. Future-Proof – Application security software should have the ability to easily understand and adapt to new technologies as they become popular. The reality is that we will continue to see an increase in application complexity and the emergence of new technologies. Most scanners can understand and attack the classic web app of the past, but a modern scanner needs to be architected so that new technologies can be bolted on like drill bits on a drill. Ask your vendor how their architecture provides the flexibility to handle new technologies.

  3. Sophisticated Attack Techniques – All web security software must find a balance between comprehensiveness and performance. In order to improve performance, some web security software solutions randomly limit the set of attacks to send based on proprietary choices. Other scanners intelligently profile the application to determine which attacks are useful and dynamically adjust attacks for each input. This latter approach increases not only the efficiency of the scan, but also its ability to find valid vulnerabilities. Be sure you understand how your application security software selects its attacks and how configurable the attacks are to fit your needs.

  4. Recursive False Positive Checking – False positives are the bane of automated scanning and a time suck for security teams. Web applications often behave in mysterious ways and smart scanners must check and recheck findings to avoid false positives. Your vendor should be willing to stand by the findings and constantly improve based on your feedback.

  5. Relevant Data Input – During an automated scan there are usually two phases: crawl and attack. During the crawl phase, it is imperative that the scanner provide valid data for each input field as expected by the application. For example, when the form is asking for a shipping address, some scanners enter random values into each input instead of the expected values. Certain fields, such as the ZIP code, would be invalid and the application would reject the request because of the invalid ZIP code. In this case, the scan is actually halted, resulting in a less comprehensive scan and the potential for missed vulnerabilities. Ask application security software vendors what kind of data they use in their attack phase to determine if they are using both expected and unexpected datasets and if they are attacking one input at a time.

  6. Check Every Parameter on Every Page – The point of automation is to handle the repetitive tasks against every input, but this can lead to slower scan times. To save time, some web application security solutions only check the first several parameters on each page. Each parameter could use different filters, so the scanner could be arbitrarily missing vulnerabilities. This time savings is not worth it! Make sure the solution you choose checks every parameter on every page. Read more about parameter checking in this blog, “Watch Your SaaS: Partial parameter checking: The case of unfinished homework.”

  7. Custom Mobile Applications, the New Frontier – Custom mobile applications are the new frontier for security teams. They provide native mobile interfaces, but then communicate with web services or APIs (JSON, REST/XML, AMF, etc.) that have the same range of potential vulnerabilities (SQLi, authentication and session management weaknesses) that web applications do. The best web security software is capable of testing these back-end interfaces or APIs because that’s where the real weaknesses are likely to be found. To learn more about the vulnerabilities in mobile applications, check out this Man vs Web App blog, “Mobile Application Security: Lock the Back Door!”

For more information about what to look for in an application security scanner, check out our “Web Application Security Solutions Buyers Guide.”