Top 3 NoVA Infosec Blog Posts of the Week

July 27, 2009
By grecs

Richard Bejtlich and @rybolov return to the top three this week with posts that sum up the recent SANS event and the need for more security folks. @geminisecurity makes the top three with their practical post “DVWA – Damn Vulnerable Web App.”

But before we get on to the posts, a small tangent for this week’s tweet of the week (#totw).

  • grecs: LOL. RT @mckeay Ah the buddy system: I don’t have to run fast, I just have to run faster than my buddy. totw

For those of you who don’t understand the reference, this tweet is making a play on the classic security philosophy of the buddy system. The philosophy basically goes like this: If a cheetah goes to eat two gazelles, there’s a good chance that one gazelle will survive—if he’s faster than his buddy, that is. The cheetah will catch the slower of the two gazelles while the other gazelle is free to run away to live another day. We apply that to security by saying “always be faster than your buddy,” which means that your security doesn’t always have to be 100 percent; it just needs to be more secure than others’.

Now, on to the posts!

#3 – Vulnerability Apps Make Us Curse: Not really, but we were a little surprised when we came across the “DVWA – Damn Vulnerable Web App” post by @geminisecurity. Despite what the name implies, DVWA is actually a help, not a menace. It is a PHP/MySQL web application that is built to be attacked, and @geminisecurity says that it is “intended to be run on a local (closed) network as a learning tool for exploits and vulnerabilities.” They go on to say that “[a]s it sits now, it pretty much contains a lot of the basics – brute force, command execution, file inclusion, SQL injection, and XSS.” While DVWA got pretty positive reviews overall, @geminisecurity did warn experienced users that they might not find DVWA as useful as someone who’s just starting out. You can read the full review here.

#2 – Bejtlich Strikes Again: After offering an awesome breakdown of what a white hat could do with a million dollars in his post “White Hat Budgeting” last week, this week Bejtlich gave an interesting summary of the “SANS WhatWorks Summit in Forensics and Incident Response” in his post “SANS Forensics and Incident Response 2009 Summit Round-Up.” While he gives a brief overview of the event, what makes the post really interesting is the Q&A style that he uses. Saying that “I was given a few questions which I promised to answer on this blog,” Bejtlich gives thoughtful answers to questions that deal with everything from cyber command to the 2014 Verizon Data Breach Report. If you’re interested in hearing more of Bejtlich’s answers, you can read them here.

#1 – More Security, Stat: According to the “Surprise Report: Not Enough Security Staff” post by @rybolov, there aren’t enough security professionals to go around. There’s no getting around the fact that security is a quickly growing field and that we need more people to fill the growing job force. But the problem is that many jobs in the security field require years of expertise that recent grads may or may not have. Throw public versus private sector business into the mix and you have a recipe for disaster. @rybolov explains it much better than we can, though, so be sure to check out his post to get the whole scoop.

Well, that’s all the NoVA Infosec Blog goodness for this week; if you want to find more great posts by local bloggers during the week, be sure to follow us @grecs.

o o o o o

Know a blog that should be considered for our “Top 3 NoVA Infosec Blog Posts of the Week” feature? If so, send us a tweet with a link to the blog and the request for us to check it out.
