Software and web application security

December 30, 2006

Running a security consulting business

Filed under: general — chrisweber @ 2:20 pm

Casaba Security has been in business now for five years. We’ve applied a formula aimed at quality rather than quantity, and loyalty and availability to our clients. Operationally, we grow slow and steady, and we just focus on what we know, which is doing good work.

I don’t have much advice for anyone who wants to own a software security consulting firm. I see a lot of people doing it, and some success stories. The basic recipe for a growth-focused success is:

  • find some funding
  • hire top talent
  • blog, publish, speak, do anything to get in the public spotlight
  • hire juniors, train them
  • build the consulting practice by getting more work
  • refine methodologies, build some cool tools and release or sell them
  • keep the momentum and if your executive team is good they’ll be making deals

While I don’t subscribe to some of those ingredients, I can see their value. You can see some of the same people out there applying this formula again and again, flipping companies, repeat.

I’m on a different path though, one which has kept me learning and developing over the years, and staying focused on what really matters – great work for our clients.


December 26, 2006

CSIDL – Shell constants, enumerations, and flags

Filed under: penetration testing, reverse engineering, software security — chrisweber @ 2:08 pm

I worked on an application which had a couple of requirements:

  1. Allow users access to their local drive content within a defined scope (e.g. either the entire drive, or the My Documents folder only)
  2. Prevent users from accessing files outside of the defined scope. So they shouldn’t be able to access network drives, USB keys, etc.

To achieve this, the shell constants were used, as defined in the Windows SDK.

This worked well, and after we looked at the code we actually ran a battery of tests to confirm. For example, we tried the following types of canonicalizations:

  • \\host\share\file
  • \\?\folder\file
  • \\\share\file
  • \\.\folder\file

We kept going, and tried breaking out of the local scope as well:

  • ..\..\..\..\boot.ini
  • ../../../../boot.ini
  • ..%2fboot.ini

And all that sort of stuff. Using the CSIDL constants proved successful, and we could see this through debugging. Everything we entered was merely relative to the constant value; there was no way to change it.
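As an added example (not the application's code from the post), here is a portable stand-in for the scope check described above: the base folder is a constructed placeholder for the path SHGetFolderPath would return for CSIDL_PERSONAL, the function name resolve_in_scope is an assumption, and ntpath applies Windows path rules so the check runs on any host. It rejects every canonicalization and traversal form listed above and accepts paths that stay under the folder.

```python
import ntpath
from urllib.parse import unquote

# Constructed stand-in for the folder SHGetFolderPath(CSIDL_PERSONAL) returns
# at runtime; the real application never lets the user supply this value.
SCOPE_ROOT = r"C:\Users\alice\Documents"


def resolve_in_scope(user_path: str, scope_root: str = SCOPE_ROOT):
    """Return the canonical path for user_path if it stays inside scope_root,
    otherwise None. ntpath is used so Windows semantics apply on any host."""
    decoded = unquote(user_path)            # ..%2fboot.ini -> ../boot.ini
    drive, _ = ntpath.splitdrive(decoded)
    if drive:                               # C:, \\host\share, \\?\, \\.\
        return None
    root = ntpath.normpath(scope_root)
    # join() lets an absolute or rooted second argument replace the root;
    # normpath() collapses .. segments and maps / to \. Whatever comes out
    # must still sit under the root, which the prefix test below enforces.
    resolved = ntpath.normpath(ntpath.join(root, decoded))
    # Windows paths are case-insensitive; append the separator so that a
    # sibling such as C:\Users\alice\Documents2 is not treated as in scope.
    r, s = resolved.lower(), root.lower()
    if r == s or r.startswith(s + ntpath.sep):
        return resolved
    return None


if __name__ == "__main__":
    # The forms tried in the post, all expected to be rejected.
    for probe in (r"\\host\share\file", r"\\?\folder\file", r"\\\share\file",
                  r"\\.\folder\file", r"..\..\..\..\boot.ini",
                  "../../../../boot.ini", "..%2fboot.ini"):
        print(f"{probe!r:28} -> {resolve_in_scope(probe)}")
    print(resolve_in_scope(r"reports\q4.txt"))
```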
