May « 2007

Web 2.0 personal financing solutions

May 30, 2007

How can you make sure your data is secure? Are they relable?

Excel or Google Spreadsheets. Perhaps the simplest tool of all. Create your own (I did) or find an excellent one already created: Pear Budget, Of Zen and Computing’s simple spreadsheet, Get Rich Slowly’s spreadsheet.
The appeal of this is that it’s extremely flexible, it’s simple, it’s
fast and easy, it’s free and, if you keep it really simple, you can put
it online with Google Spreadsheets.

Gnu Cash.
Now available for Windows for the first time, Gnu Cash was designed for
Linux and is available for OSX and other operating systems. It’s
totally free (under the GNU GPL), easy to use, even if it isn’t as
pretty as more expensive software. Very popular among the Linux crowd.
Beloved for its double-entry accounting system. This open-source
software can import data from Money and Quicken, and can export to
numerous data formats.

Wesabe. Web
2.0’s answer to money software, Wesabe takes the traditional approach
and turns it on its head with a social aspect. It can import all of
your financial institution data (banks, credit cards, etc.), and allows
you to tag each entry, so you can see how you’re spending your money.
Even more interesting is the social part: based on your tags, you can
see how others spend on similar tags, and see their best tips for that
type of tag. An interesting approach, but I’m not sold yet on this
concept.

Money Trackin.
A very easy-to-use site, this is perfect if you want your money
software to be online and accessible from anywhere, including your
mobile device. Just spent $30 at a restaurant? Enter that from the
restaurant itself. This online software allows you to enter all your
transactions, tag them, view reports, and see your financial situation
at a glance. And it doesn’t require you to enter your personal info to
set up an account.

AceMoney.
The lite version of AceMoney is freeware — and has the same features as
the paid version, except you can’t manage multiple accounts. So this
would be great for someone who just has one main account to track.
Track your spending, set up a budget, track investments, look at
graphs, import data from your bank, be reminded to pay your bill, plan
to pay off your debts, and more. Not the prettiest software, but hey,
it’s free! And it works.

Yodlee.
This is a slick solution. I haven’t tried it yet, but I’m severely
tempted (I just haven’t had time to give it a spin). A totally online
solution, you can track spending, monitor your budget, look at
portfolio charts, track your net worth, and more. Pretty nice.

If you’re willing to pay for your money software, there are a number of great paid alternatives, including but not limited to: You Need a Budget, Mvelopes, and myspendingplan.com

6 Great Free Alternatives to Quicken & MS Money | zen habits

Posted by Kartik Trivedi

Filed in Blogroll

1 Comment »

PCI…WAF or Code Review?

May 30, 2007

Good discussion on the WASC list…Here is the repoduction…

wanted to just express some info about WAFs. It’s been a while since I really deeply analyzed the WAF marketplace (http://www.networkcomputing.com/1404/1404f4.html), but I’m sure the current incarnations still harbor the same underlying principles and caveats.

I
always cringe when someone says “let’s just fix our web problems by
putting a WAF in front.” I’m not against WAFs–they’re a great tool
when used for the right job. But not everyone uses them correctly. It’s
very much akin to the naïve business mantra of the 90’s: “We have a
firewall, so we’re secure!” The mere presence of a firewall doesn’t
instantly make a company secure, nor does a WAF instantly make your web
applications safe. The firewall could allow all 65,535 ports through;
the WAF could allow all URL requests. The presence of a WAF or firewall
is irrelevant without a proper configuration of the WAF/firewall.

First,
a WAF doesn’t fix your security problems. It merely tries to block
access to them. That’s important to really understand: YOU ARE STILL
VULNERABLE. Exploitable, perhaps not…but vulnerable, yes. If you’re
going to play the WAF game, then you need to protect all ingress points
to your web applications with a WAF–even access from your internal
network. Putting a WAF between the internet and your web applications
in your DMZ does you no good when an internal employee gets snickered
into becoming a Jikto drone or the next generation of Slammer-esque
worm gets carried in through a VPN connection. At that point,
[automated] threats can originate from your internal network and
potentially access and exploit the web apps without having to go
through the WAF. So if you’re looking at WAFs, then you really must
trust no-one, and roll out WAFs in every direction. Look at TJX–they
were pwn3d from the inside via wireless. So if WAFs are your only
protection, then everything your webapp relies upon (all backend tiers
and sources) should be sitting behind the WAF too, completely
quarantined from the rest of the world, so the WAFs are the sole
ingress/egress point. Shortcuts around the WAF completely bypass and
negate any mitigation and security value the WAF has to offer.

Second,
WAFs need to be tuned/configured to match your web application. If you
want to really mitigate the security concerns that PCI explicitly is
concerned about (SQL tampering, XSS, etc.), then you’ll have to do it
on a parameter-by-parameter basis for all of your web apps (global
blacklists aside for the moment). Sure, many WAFs have configuration
mechanisms that attempt to make the configuration process easier
(auto-learning, etc.). But I have yet to see a comprehensive and
foolproof implementation that resulted in thorough protection.
Realistically, the only way to truly tune/configure a WAF to perfection
is by a quasi, ad-hoc code review to ensure what the WAF is
blocking/allowing matches what the code expects and accepts. Otherwise,
it’s way too easy to get flustered and start to over-loosen rules when
a big client calls because your WAF is mucking up his web app
transactions. Or, [deity] forbid, you flip your WAF over to a fail open
mode. There is no blacklist in the world that will stop all the bad
while allowing all the good…and in the heat of the moment, it’s very
tempting to allow some bad while trying to allow all the good (after
all, the good data is data from customers/users…and that usually
translates into business value, which means it gets higher priority).

Tuning
a WAF is simple if your application is, well, simple. But if your
application is simple, then odds are the cost of a code review of the
application will be cheap too, compared to the TCO of a WAF (which
includes evaluating, procurement, configuration, testing, deployment,
and on-going maintenance). So code reviews and WAFs are a bit parallel
in overall effort in the low to medium-high range. Only with truly
high-end, large apps with massive codebases, that have more depth than
breadth, do WAFs start to win out in effort/cost. That’s because the
attack surface that needs to be protected by the WAF is notably smaller
and more manageable than the entire surface of the application
(including all back-end tiers, etc.) WAFs also make sense when you have
to protect closed-source third-party apps that the third-party can’t
(or won’t) fix.

On the flip side, a code review actually finds
the problems, and can ultimately lead to a FIX. That means you’re not
mitigating risk–you’re remediating it, and that’s a drastic
difference. Plus, code reviews can often just focus on the ingress and
egress points of the application; as long as those are properly secured
and all data is validated at those points, you’re generally good to go.
Code reviews usually also help quantify the general risk of an
application, if you don’t have any actual idea. They can also help you
better understand your applications attack surface, allow you to do
threat modeling, and in general, identify the problems/risks you’re
subject to. So unless you have an internal code review team that
already gave you this info (and if you do, then why are you wanting a
WAF instead of using them?), odds are it’s good to have a code review
at least the first time around to know just how bad things really are.
If they’re not so bad, then maybe fixing the code is no problem…and
then you’re done. If if the situation is grim and there’s no hope to
have all the discovered problems fixed, then you know you have to go
with a WAF in the meantime.

Plus, with a code review, the
reviewers can identify (recurrent) problems the developers have made,
which in turn can help educate the developers to not continue to make
the same problems. With a WAF, the developers don’t get that feedback
and will likely just carry on and keep making the same security
mistakes, leading to a growing problem. So, to answer your question, a
code review will ultimately lead to the most real improvement in
security.

All that aside, these types of questions scare
me…particularly because I hear them a lot. Obviously the spirit of PCI
is to make things more secure by reducing risk. When people are more
focused on the cheapest and easiest route to get a compliance checkbox
ticked off on a quarterly report (or wondering if they have to actually
fix the risks that are identified), odds are that organization is not
managing their risk appropriately–they might not even understand what
the potential risks are (and thus are open to a world of hurt). Plus,
just because the organization did manage to comply to the letter of the
PCI spec (rather than the spirit of the spec), I doubt the PCI council
will pardon an incident involving an obvious vulnerability even though
the organization claimed to comply.

Would TJX be off the hook
if they had a WAF, or because they had a code review but didn’t fix
anything? Highly unlikely. Complying to PCI is about preventing
incidents from happening in the first place; if you opt to live with
known risk and an incident occurs because of it, odds are the fact that
you complied to PCI previously will become irrelevant, and you’ll still
have to answer to someone. It’s up to you whether that’s a situation
your organization is willing to face.

cat /dev/random | grep security : Best for PCI: webapp firewall or code review?

Posted by Kartik Trivedi

Filed in Blogroll

3 things we will do different from our Parents

May 29, 2007

Interesting….I have always known these things, never been able to put them together..

College is Really Important – College is marginally important unless you’re going to to be a doctor or a lawyer. College was really important when it was the difference between working in the factory of GM or working in the office park. These days experience is really important. Everyone goes to college (your mom goes to college), the people that excel now get kick-ass work experience.

You Want a Steady Job – The days of working 50 years at IBM and getting a golden watch at retirement are long since dead. It worked for your dad, great. It doesn’t work anymore. These days “steady” means “static” and static means dying. You don’t want a steady job, you want a job that can push you to learn as fast as you can digest information and reward you for as much as you can deliver. As it happens, big companies don’t offer that opportunity, startup companies do.

You Need to Save for Retirement – Back when people retired at 65 and died at 75 you could save for your retirement and maybe be OK. With the advances in medicine by the time you hit 65 you’ll probably live to be 90 or 100. If you think saving alone is going to give you a 30-year salary you’re out of your mind. You can’t think about how you’re going to save enough money in your retirement, you better be thinking about how you’re going to make money in your retirement. Or just never retire, which is my preference!

Also, here are some of the new laws for the new generation

- You won’t own a car for more than 5 years; a car is now a recycled commodity

- You’ll never be in your house long enough to pay it off

- Retirement doesn’t mean much – you work in an office, not a factory or on the farm

- Blue Collar workers wear ties and work in cubicles now

- You’re going to make substantially more than your parents, not a little more

- Doctors and Lawyers are second rate income-producing jobs next to marketers and technologists

- The shelf life of your skill set is probably less than 15 years vs. an entire career for your parents

Entrepreneur’s Blog, startup business blog

Posted by Kartik Trivedi

Filed in Blogroll

KT

Categories

Archives

Business