Security Retentive

Laws of Supply and Demand Still Apply in Software Development

2009-06-14T11:57:00.000-07:00

I read Gunnar's post the other day "Still Waiting to Meet a Developer Who Wants to Write Insecure Code" and he echoed something I've also been saying for a long time. In all of the training events I've ever done, times I've worked with developers, I've rarely met a developer who wants to actively write insecure code.

At the same time, there is a lot of bad code out there, and as much as we'd like to just blame managers, users, short timelines, that isn't necessarily the whole story.

Let's take a look at another industry - the home construction business. We see a vast difference in the quality of home construction based sometimes on how much the buyer is willing to pay, but also based on the supply and demand elements of qualified builders, and workers themselves. During regular non-boom times, the construction quality of homes while not excellent, is generally consistently "decent." Regulatory systems in many states (throw out the recent Texas fiascos if you will) are reasonably good at ensuring building code are followed, worker safety isn't compromised, and that the consumer ends up with a decent product.

Compare that to the construction of the last 5-7 years. Especially out here in California where the housing boom was vast, and demand for new housing, and consequently people to build them, far outstripped the supply of workers with experience and skills. The results in terms of quality are quite striking. Looking around at much new construction even when it was brand-new shoed all sorts of shortcuts. Baseboards glued on instead of done with nails. Cheap flooring put down onto uneven subflooring. Carpets coming loose because of shody installation. Paint jobs that don't match-up across a big wall. Showers that crack after 6 months because they we're installed level or with the right bracing. You name it, it happened. Shortcuts were the norm as housing was put up faster than reasoable but unqualified laborers.

How does this happen? The demand for new housing vastly outstripped the supply of those qualified to build them. It was a problem across the whole country, and conseuently we ended up with a lot of poorly bult houses.

Why didn't buyers enforce quality standards? Why didn't their inspectors? Again, a problem of supply and demand. A good home inspector has knowledge in most areas of home construction. They have the same skills you'd expect out of a general contractor. They understand electrical wiring standards, plumbing standards, general carpentry standards, etc. They are also experienced, and know where to sniff out the problems in a house they are inspecting.

So, what happened during the housing boom? We had a shortage of qualified home inspectors. In jurisdictions that don't mandate particular skills, we ended up with lots of unqualified housing inspectors. We probably ended up with a lot of kickbacks and bribery too, though admittedly I haven't seen any direct evidence for that, its just a guess. On the buyer front, we ended up with a bunch of first-time house buyers, who didn't know the kinds of problems to look for in a new home.

So, based on more demand than could be supplied with quality construction, we ended up with substandard product.

Hopefully you see where I'm going with this as it relates to software supply and demand.

In software our demand for software vastly outstrips the supply of qualified workers to build it. Software is worse though because at least in the housing case, in a normall regulated market, we have regulations and inspectors we have to satisfy. When the electrical inspector shows up on your job site, he (or she) is going to ask first for the plans and drawings. If you don't even have those, then you do't pass Go, and you don't collect your $200. You go right back to start, and have to get that fixed before you've even allowed to keep working, whether the work is being done right at all. If you don't have documentation, you're dead in the water. Sure the electrical work might be getting done right. And maybe you had the customer give you feedback on every outlet (agile?) but if you do't have documentation about what you're building, you stop what you're doing, and you on't get to start again until you do.

This isn't to say that I think the way we regulate buildings is the same way we should regulate software or computing. It is merely to point out that when you have a large mismatch between supply and demand, you're probably going to make sacrifices somewhere, and quality is one of those places.

So, maybe I've never met a develoepr who wanted to develop insecure software, but I guess that doesn't always imply that they wanted to, or were acpable of, developing quality software. In fact, given that much software is full of stupid and simple bugs, and that most development processes aren't structured to even make sure those don't slip through (make the subfloor level, make sure 2x4's are spaced right and at 90 degree angles) is it any surprise that we end up with software with lots of quality defects, with lots of security defects?

I remain optimistic that we can solve ths problem through training/education. But it isn't going to happen overnight, and it isn't going to happen until some of our attitudes about building software change from hiring amateur contractors who haven't ever built anything before, to hiring professionals who really know what they are doing.

Headed South

2009-06-14T11:52:00.000-07:00

Starting June 19th I'll be headed to the ICANN meeting in Sydney, and then also off for a little side trip to Auckland, NZ. Its all part of my plans to fix Internet governance, or at the least, stop things from getting worse.

If you're also in Sydney or Auckland and have any good restaurant or tourist recommendations, I'm all ears.

Or, if anyone wants to meet up, that's cool - drop me a line.

Quick Thoughts on Safari-4 Final

2009-06-09T22:55:00.001-07:00

A few quick thoughts on Safari-4 on my Macbook.

Wow is this thing ridiculously fast. I'm usually a Firefox user and I'm not bogged down with a bunch of extensions/add-ons. Safari-4 feels about 2-3 times faster for 2 major apps - Gmail, and Google Reader.
I still don't like the EV-Certificate support. I wish I had access to Apple's user testing of the EV-certificate user interface to see about the security usability factors. I don't find it nearly as obvious or useful as the interfaces in IE7, IE8, or Firefox-3. I don't know Chrome that well though, so who knows whether I like it better than than.
The user interface seems a lot cleaner than the beta releases. Additionally, the hidden close x-marks on tabs that don't reveal until you highlight a tab is a nice feature.
First impressions of the web-inspector is a lot like the little bit of Chrome I've played with - pretty sure this is a webkit feature. Very positively impressed so far.

So, other than a relatively dismal security track record, I may stick with Safari-4 for a few "trusted" sites just to get some better impressions.

A Little Shameless Self Promotion

2009-06-03T15:00:00.000-07:00

I was recently interview by Gary McGraw for his Reality Check podcast. Check it out here -

http://www.cigital.com/realitycheck/

Don't blame the judges

2009-06-02T22:00:00.000-07:00

Two California court decisions came down last week that have people making all sorts of crazy claims about our legal system.

The first was the decision by the California Supreme Court affirming Proposition-8, the amendment/revision to the California Constitution.

The second was a decision by a California court ruling that the service offered by LifeLock is illegal under California law. An article on that decision is here.

In the Wired article about the LifeLock decision, we have the following passage:

But Chris Hoofnagle, director of information privacy programs for the Berkeley Center for Law and Technology, says the ruling is a disappointment.

“The idea that we could some day see a market where we pay $10 a month to a company to opt us out of junk mail, to monitor our credit, to do all sorts of privacy-enhancing steps that we don’t have time to take … for that market to emerge, LifeLock’s business model and similar ones have to be legal,” Hoofnagle says.

I find this comment puzzling. All the judge did was interpret the law, he didn't make it. Nowhere does Mr. Hofnagle say the judges ruling was wrong on the facts, but he criticizes it anyway.

There was also rather a lot of this same type of commentary about the California Supreme Court's decision ruling that Proposition-8 is legal and will stand. Much of the complaining was along the lines of "but how can they take away our rights like that?" It isn't that I'm not fundamentally sympathetic to this position, but like it or not, the California constitution is a complete mess, the direct democracy system we have is a complete mess, and it all needs reworking.

This all points me to a couple of conclusions.

If you're not winning under the current rules of the game, change the rules. This can be through getting a law passed, or even through amending the constitution.
The California direct democracy experiment has gone horrible wrong, and its time to write a new constitution that eliminates this nonsense.
Richard Friedlander had it right in this perspective piece on KQED.

And lastly, all of this complaining about judges reminds me of a famous Richard J. Daley quote, which I'll tweak here for my own purpose:

The Judges aren't here to cause disorder, they're here to preserve disorder.

Information Overload Syndrome

2009-05-29T10:55:00.000-07:00

A nice little video from Xerox about a new neurological disorder :)

http://www.xerox.com/information-overload/enus.html

Important Ruling on 5th Amendment Case Involving Handling Over Encryption keys to Government

2009-02-24T13:39:00.000-08:00

Since I know I won't do it the justice it deserves, please check out this post on the Volokh Conspiracy blog.

Quick summary - the user doesn't have to hand over the keys, but most provide decrypted contents of a hard-drive.

What's Old is New Again

2009-02-19T13:43:00.001-08:00

What do you call a 14+ year old vulnerability? Sloppy, ridiculous? Not sure....

FreeBSD was just hit by essentially the same bug that was present in a large number of Unix variants back in 1995.

The original vulnerability is here:

CERT^® Advisory CA-1995-14 Telnetd Environment Vulnerability

The vulnerability allows a remote user to specify Unix environment variables to the the target system. If they override an environment variable such as LD_LIBRARY_PATH or LD_PRELOAD then they can override the behavior of programs that telnetd calls, such as /bin/login.

Looks like the FreeBSD guys just had a recurrence of almost exactly the same vuln.... Interesting to say the least.

FreeBSD-SA-09:05.telnetd

I thought I was the greatest hacker

2009-02-13T15:06:00.000-08:00

But according to Fox News, I'm definitely not.

Alas, not enough misspent youth....

Job Openings

2009-02-13T11:17:00.001-08:00

We're hiring some internal application and project security consultants and a security manager. I'll update this post with a link when I get one I can put up as a URL (silly brassring) but if you go to:

https://www.paypal.com/html/paypal_jobs.html

you can search PayPal jobs with a keyword of "information security" to find the job descriptions.

Update: Here are some easily clickable links:

Manager, Information Security - Phoenix
Principal Information Security Engineer - Phoenix
Principal Information Security Engineer - San Jose

Quick personal Plug - I'm Speaking at SD West

2009-01-29T10:51:00.000-08:00

A quick personal plug that I'm speaking at SD West on Friday March 13th. I'm co-presenting with Brad Hill and Scott Stender of iSec Partners.

Our talk title is "Managing a Software Development Security Program: Tactical Advice for the First 100 Days"

There has been plenty of discussion in forums such as WASC, OWASP, and the SC-L list about how to better evangelize secure development to the broad development community. Having a dedicated security track at a developer conference is a good step in that direction.

Is Vulnerability Fix Time Really the Best Software Security Metric?

2008-12-15T16:09:00.000-08:00

Johnathan Nightingale has a new post up over at the Mozilla Security Blog. His post is in response to a report by Bit9 about vulnerabilities in software and a comparison between packages and their published vulnerabilities.

Jonathan makes the claim (Apologies for quoting so much here):

To suggest that this openness is a weakness because it means that we have “reported vulnerabilities” is to miss the reality: that software has bugs. A product’s responsiveness to those bugs and its ability to contain them quickly and effectively is a much more meaningful metric than counting them.
The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced. That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? When people have asked that question, Firefox and Mozilla have consistently come out ahead.
Bug counting is unfortunately common because it’s easy, but it should not be a substitute for real security measurement.

I unfortunately have to take issue with Jonathan's definition. The vulnerability exposure isn't the only measure of software security, especially if the vulnerability exposure window ois only measured from the time a defect is disclosed, not the time it existed in the wild. Other important metrics are:

How many defects and of what severity are in the shipped product
What type of defects are they and why did they show up (and weren't found in testing
Defects discovered in the wild over time (is the software getting better or worse)

Software does get attacked with 0day exploits, witness last weeks IE exploits. For people exploited due to this vulnerability knowing Microsoft patched it quickly will be poor consolation for the damage they have suffered.

I don't doubt that Mozilla takes security seriously but a statement that "Software has bugs" isn't really responsive to the idea that over time software ought to have fewer of them.

DNSSEC and Root Zone Signing

2008-11-24T11:15:00.001-08:00

I posted a "Position on DNSSEC and Root Zone Signing" commentary over on the Security Practice Blog.

Frustration with PGP-9.6 and networking

2008-10-20T17:44:00.000-07:00

So, I recently upgraded from PGp-8.1 to PGp-9.6 and I thought I'd share a bit of the frustration.

I was running what I believe to be a fairly standard configuration.

Corporate desktop image
Outlook 2003
Symantec AV
PGP-8.1

I decided to upgrade my Outlook to 2007. Turns out that PGP-8.1 isn't compatible with Outlook 2003, so I needed upgrade.

Install PGP-9.6
reboot twice per instructions
Find that my networking completely doesn't work.

Turns out that in order to get PGP-9.6 working with things like Symantec's AV that hook the network stack you need to back out PGP's POP/IMAP network stack hooking.

regsvr32 /u PGPfsshl.dll
Run a Registry merge on c:\WINDOWS\system32\PGPlspRollback.reg
Reboot

Then of course, if you should happen to upgrade PGP to 9.9 because the update is out, you get to repeat all of those last few steps again.

This process of course is made a lot easier if you happen to have another machine with network connectivity, otherwise you're kind of SOL.

Just my bit of unfun for the afternoon.

It is of course working now and reasonably well. Kind of sucks that the install isn't a lot easier.

New blog, and thoughts on Firefox 3 self-signed cert behavior

2008-08-12T15:21:00.001-07:00

We launched a new blog to share some thoughts about the security practices at my employer.

The blog is here: http://www.thesecuritypractice.com/.

The basic introduction and purpose can be found here: http://www.thesecuritypractice.com/the_security_practice/who-are-we.html

And, a post about Firefox-3.0's handling of self-signed certificates can be found here.

This was in reaction to a piece published on Risks a bit ago - "Firefox 3's Step Backwards For Self-Signed Certificates".

Economist.com - Confessions of a Risk Manager

2008-08-11T08:42:00.000-07:00

I was reading the Economist this week and came across an excellent article titled "Confessions of a Risk Manager".

In the article a risk manager for a major financial institution talks about managing risks and how the risk department was viewed as an obstacle by the rest of the business. I'll just quote a section here so you can see that governance roles, especially those involving trade-offs of risk vs. return are difficult not just in security.

In their eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told.
At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.
Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.

Every time I read about decision making like this I refer back to an some excellent presentations I've come across by Reidar Bratvold. He has done some excellent presentations on decision making in the face of risks/uncertainty.

[Offtopic] Beginning Hacker

2008-08-10T19:43:00.000-07:00

My daughter and I were playing a little online Dora computer game today. As we got to one of the screens where you're supposed the click the letters Dora tells you to, Elise decided it would be more fun to experiment with the game to see what happens when you click the wrong letters instead. She liked the reaction from the game as it repeatedly tried to tell her the "right" thing to do and she deliberately ignored it.

Makes me pretty proud - don't do what the software expects you to do, break the rules instead and see what happens.

Courtesy of my friends at iSec Partners, here she is dressed in her hacker garb.

Offtopic: 0xe0030005

2008-05-29T22:09:00.000-07:00

Question: What is the sound of a disk drive crashing?
Answer: Not much.

Question: What does it do?
Answer: It spits out "disk0s2: 0xe0030005 (UNDEFINED) and then it just locks up and won't boot.

Question: When/Why does it do this?
Answer: If its a Macbook whose hard drive just went bad.

Delightfully Apple's Disk Utility still shows the drive as good, as does the S.M.A.R.T. monitoring.

Alas - off to the store for a replacement drive.

Ok, I can't let this post go by without making some sort of web security note....

The above "dialog" would have been much better if your browser supported the draft HTML5 spec. Then I'd have been able to use the

Notes from IEEE Web 2.0 Security and Privacy Workshop (W2SP2008)

2008-05-27T22:45:00.000-07:00

Thursday 5/22 I was at the IEEE Web 2.0 Security and Privacy Workshop. I figured I'd learn a few things, and also make sure that no new exploits were announced against my employer, and/or make sure we weren't the only examples people gave of problems.

I was pretty successful on goal #1, not 100% successful on goal #2.

This post is mostly brain dump of notes about the talks followed by a few things of architectural interest that I think were discussed enough at the workshop. A quick preview - the first half of the conference was spent talking about general security holes in Web-1.0 that we still haven't solved technically/architecturally/culturally. With that in mind its hard to see how we're going to have much success with Web-2.0 security.

I'll start by saying though that I was ever so slightly disappointed with the makeup of the attendees. Conferences and workshops held by the IEEE and ACM do generally tend towards the seriously geeky and academic side of things. You're much more likely to find papers that are suitable for journals with plenty of academic references, peer review, CS technical terms, formulas, etc. At the same time though workshops do tend towards the less academic and more practical side. It was disappointing therefore that, though the workshop focused a lot of time on things like secure mashups, social networks, and Web-2.0 security models, to the best of my knowledge very few of the players in this space were present. I didn't meet anyone from any of the really interesting mashup companies and none of the social networks were there (minus google, who was well represented). Perhaps in the future people attending and organizing workshops like these can actually get the folks at the relevant companies interested, specifically invite them, etc.

Now, onto the papers/presentations themselves:

Quick Note: In attending the conference each author presented slides and talked about their paper. I only read a few of the papers so far, so don't take the commentary below too seriously, since I'm sure I missed some things that were covered more fully in the papers than the presentations.

Session 1: Authentication and Authorization

Daniel Sandler and Dan S. Wallach. <input type="password"> must die!
Daniel presented some good idea on how to move password authentication into the browser chrome to improve our defenses against javascript malware such as javascript keyloggers, etc.

While the work Daniel did was quite cool in that it doesn't require any protocol modifications, to be truly useful in implementing authentication inside browser chrome you probably need involvement from the site itself to hint, tweak, etc. Once you start doing that though, you start looking at doing stuff like cardspaces to actually get to a better architectural solution.

Ben Adida. Web Authentication by Email Address

Ben focused on usability concerns in OpenID and the idea that email addresses (or things that look like email addresses) are much better identifiers than URLs. He sketched out how to modify OpenID to use email addresses or lookalikes for authentication rather than URLs. Some of his proposals hinge on using DNS lookups for a domain to find the authentication server much like we use MX records for email. While potentially risky, DNSSEC could theoretically be used to mitigate some of the problems.

I must say I haven't kept up with OpenID as much as I'd like to, and so I'm 99% sure lots of the nuance of Ben's proposal was lost on me.

Session 2: Browser Security Models and Isolation

Collin Jackson and Adam Barth. Beware of Finer-Grained Origins

Collin Jackson presented some work he and Adam have done on how the browser security model, namely the same-origin policy, isn't nearly granular enough to handle most web applications and sites that host them.

For example:

http://cs.stanford.edu/~abarth
http://cs.stanford.edu/~cjackson

both have the same origin from the browsers point of view, but don't necessarily have the same security policy per use intent. Because the web browser can't really distinguish between them, we don't have a clean way of separating the security policies here.

Collin went on to show a multitude of problems in the same origin policy between sites, and problems in the upgrade/downgrade of security indicators in a browser. I won't rehash all of his results but suffice it to say we desperately need things like ForceHTTPS embeded in browsers in the near future to prevent some of these problems.

Kapil Singh and Wenke Lee. On the Design of a Web Browser: Lessons learned from Operating Systems

Kapil presented some research his team has been doing on modeling web browsers more like operating systems. You might have seen some related work recently as part of the OP Browser project. The idea is that the internal implementation of most browsers is pretty dicey from a security perspective. There is no clean separation between policy and mechanism. All code operates at the same privilege level. Plugins cannot be constrained in what they can do, etc.

I haven't seen any analysis yet comparing what MS did with IE7 on Vista in protected mode as compared to OP or Kapil's work. It is pretty clear that MS didn't fully segment IE7, but I wonder how close they got to ideal on the sandboxing side of things.

That said, I think our biggest problem in browser security isn't the implementation and internal segmentation. Our biggest problem is that we don't have any idea what security policies we really want to implement. Sure, having a flexible architecture under the hood makes it easier to implement flexible and finer-grained policies, but unless we have some idea what those are, perhaps we're putting the cart before the horse in terms of robust internal implementation.

Mike Ter Louw, Prithvi Bisht and V.N. Venkatakrishnan. Analysis of Hypertext Markup Isolation Techniques for XSS Prevention

My favorite presentation of the day was this one by Mike Ter Louw. Mike talked all about the multiple ideas circulating out there related to content restrictions. He showed the different failure modes for several of the proposals, showed how some of them can be rescued, and pointed towards areas that need more research.

The idea of content restrictions and server-indicated security policy that clients interpret and enforce is a really hot idea right now, and I'm hoping to catch up with Mike in the not too distant future.

Mike - if you see this, drop me a note :)

Session 3: Social Computing Privacy Issues

Adrienne Felt and David Evans. Privacy Protection for Social Networking Platform

Adrienne presented some work she's done on weaknesses in the security model of social networks and paltforms such as Facebook. She analyzed a bunch of Facebook applications to understand whether they really ought to be granted all of the rights over user data that they are. She proposed some mechanisms for limiting what types of applications get access to what data by enhancing the FBML tags to allow an application to get more data without API access. She also showed how you can solve some data sharing rules with just FBML and a few permissions extensions without resorting to full API access.

What Adrienne didn't come out and say is that in some contexts things like vetting are actually important. Most people in the social networking space and Web-2.0 space don't want to look at things like vetting, legal relationships, etc. as a model for achieving security. While a preventative model looks great on paper, solving some of the data safety/privacy concerns can really only be handled through contracts, vetting, etc. No amount of hoping developers will do the right thing and develop least-privilege applications will solve this problem.

Monica Chew, Dirk Balfanz, and Ben Laurie. (Under)mining Privacy in Social Networks

Monica presented some research on how we can inadvertently leak data from social networks by a multitude of means. While it was an interesting talk on how you can aggregate data from multiple locations to pin down more details than you ought to, since I'm not a heavy user of social networks I found myself less than interested in the general problem. If you're going to post large amounts of personal data online in multiple online sources, you're going to have people aggregating them together. There is only so much we can do to protect ourselves against that sort of aggregation.

Session 4: Mashups and Privacy

D. K. Smetters. Building Secure Mashups

D.K.'s talk was quite short on technical details and yet was one of the better talks of the day. Whereas I had a few complaints about Kapil's talk earlier in the day being a solution looking for a problem, D.K.'s talk was about the problem itself - namely - how do we actually define the security policy we're trying to achieve in the mashup space, what sorts of general rules ought to govern application behavior, security properties, etc.

This was the first talk of the day to really talk about user expectations for security, what we should generally understand to be user intent, and how to actually try and implement that in a mashup application.

Tyler Close. Web-key: Mashing with Permission

Tyler's talk may have been the most entertaining of the day, if only because of his obvious frustration with what the web has become. Tyler's main claim was that we ought to be using capability URLs to handle our authentication and authorization concerns. URLs that encode both authentication and authorization data bring us back to the original intent of the web, where the link is everything.

It was nice to see someone railing against a bit of what the web has become, but it almost felt like an original internet user lamenting the end of the end-to-end internet. A decent architectural argument, and yet one that isn't likely to yield a lot of converts. I don't think I understood a few of Tyler's points about how to prevent these URLs from leaking out and/or how to revoke access should they happen to. There are a multitude of user acceptance, behavior, and expectation questions to be answered. It was a nice twist though on how to perhaps make access-controlled content more in keeping with the spirit of the web.

Mihai Christodorescu. Private Use of Untrusted Web Servers via Opportunistic Encryption

Mihai's presentation was about how to take advantage of networked services/web-applications while proividing them with only opaque data references created with cryptography. His main example was about how to use Google's Calendar product without ever sending them your real data, and sending them only client-side encrypted data instead.

While it seems like a nice idea, and while parts of his solution were technically elegant, I think again it was a solution looking for a problem. If you're so concerned about a networked service having your data that you're willing to reverse engineer the service to make it store your individual data elements encrypted, then perhaps a networked service isn't the one for you. TYhe architectural challenges in achieving what he was able to with Google's calendar are nearly impossible with a more complicated service. And, in order to make it work you have to give up many of the feature's you'd really like from a service - full text searching, etc.

I'm guessing there are a few places where's Mihai's ideas are feasible, but its hard for me to see the value prop in building what he proposed.

Some Final Thoughts:

We haven't come close to solving the security problems in a Web-1.0 world
We don't know what the security policies really ought to look like for the web, consequently we don't know what the architecture and implementation look like either.
Browsers are lacking fundamental architecture and policy around security.
Web-2.0 only makes things worse

Apart from all of the unsolved security challenges, the biggest point that struck me from the workshop was the general belief (or I assume belief, I didn't challenge people on it) that mashups are here to stay, and that we're just going to have to back into a security model for them.

I remain unconvinced that a client-side application mashup between datasets is the only way to build new and innovative applications, and that if there were any liability concerns or even contracts that held some of these companies/services even semi-accountable, perhaps we'd have a very different architecture than we're seeing as part of the mashup space.

We're spending time and money working on specs like XDR, HTML5-access-control, and we still haven't solved some of the fundamental security problems of the web. I didn't see anything at this workshop to dissuade me from that perception either.

Its like the old saying goes - "If it ain't fixed - don't break it more". Well, ok, that isn't an old saying, but maybe a few of the people working on mashups and social networks could actually operate with that as their motto we'd make some progress on all of this.

A Small Rant About Conference/Journal Papers and Timestamps

2008-05-12T20:18:00.000-07:00

Why is it that most/all papers published in Journals and/or as part of conferences never have a date/timetamp attached?

Its rather a bit frustrating to read a paper you've been sent, or had a link for, only to have no idea when/where it was published...

Just Friday I was pointed at an article by Dan Geer - http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=436

Awesome article, but you won't see any real date information on it. January/February Edition on the ACM Queue. Which year? Hmm, can't tell can you, at least not from that page. Hell, the date at the top is the date you loaded the page, not the date of the article. More than a little frustrating.

Ok, rant mode off. The next post will probably be about the article above.

More on Application Security Metrics

2008-05-08T20:05:00.000-07:00

Eric Bidstrup of Microsoft has a blog entry up titled "How Secure is Secure?" In it he makes a number of points related, essentially, to measuring the security of software and what the appropriate metrics might be.

I'd been asking the Microsoft guys for a while whether they had any decent metrics to break down the difference between:

Architectural/Design Defects
Implementation Defects

I hadn't gotten good answers up to this point because measuring those internally during the development process is a constantly moving target. If your testing methodology is always changing, then its hard to say whether you're seeing more or fewer defects of a given type than before, especially as a percentage. That is, if you weren't catching a certain class of issue with the previous version of a static analysis tool but now you are, its hard to correlate the results to previous versions of the software.

Eric says:

Microsoft has been releasing security bulletins since 1999. Based on some informal analysis that members of our organization have done, we believe well over 50% of *all* security bulletins have resulted from implementation vulnerabilities and by some estimates as high as 70-80%. (Some cases are questionable and we debate if they are truly “implementation issues” vs. “design issues” – hence this metric isn’t precise, but still useful). I have also heard similar ratios described in casual discussions with other software developers.

In general I think you're likely to find this trend across the board. Part of the reason though is that in general implementation defects are easier to find and exploit. Exploiting input validation failures that result in buffer overflows is a lot easier than complicated business logic attacks, multi-step attacks against distributed systems, etc.

We haven't answered whether there are more Architectural/Design defects or Implementation defects, but from an exploitability standpoint, its fairly clear that implementation defects are probably the first issues we want to fix.

At the same time, we do need to balance that against the damage that can be done by an architectural flaw, and just how difficult they can be to fix, especially in deployed software. Take as an example Lanman authentication. Even if implemented without defects, the security design isn't nearly good enough to resist exploit. Completely removing Lanman authentication from Windows and getting everyone switched over to it has taken an extremely long time in most businesses because of legacy deployment, etc. So, as much as implementation defects are the ones generally exploited and that need patching, architectural defects can in some cases cause a lot more damage and be harder to address/remediate once discovered/exploited.

Another defect to throw into this category would be something like WEP. Standard WEP implementations aren't defect ridden. They don't suffer from buffer overflows, race conditions, etc. They suffer from fundamental design defects that can't be corrected without a fundamental rewrite. The number of attacks resulting from WEP probably isn't known. Even throwing out high profile cases such as TJ Maxx and Home Depot, I'm guessing the damage done is substantial.

So far then things aren't looking good for using implementation defects as a measuring stick of how secure a piece of software is. Especially for widely deployed products that have a long lifetime and complicated architecture.

Though I suppose I can come up counter-examples as well. SQL-Slammer after all was a worm that exploited a buffer overflow in MS-SQL Server via a function that was open by default to the world. It was one of the biggest worms ever (if not the biggest, I stopped paying attention years ago) and it exploited an implementation defect, though one that was exploitable because it was part of the unauthenticated attack surface of the application - a design defect.

All this really proves is that determining which of these types of defects to measure, prioritize, and fix is a tricky business and as always, you mileage may vary.

As Eric clearly points out the threat landscape isn't static either. So, what you think is a priority today might change tomorrow. And, its different for different types of software. The appropriate methodology for assessing and prioritizing defects for a desktop application is substantially different than that for a centrally hosted web application. Differences related to exploitability, time-to-fix, etc.

More on that in a post to follow.

Metrics and Audience

2008-04-19T09:52:00.000-07:00

There has been some chatter recently about a post Pete Lindstrom made about Microsoft's SDL and their publicly disclosed metrics. I chimed in on Pete's blog as well as on the Microsoft SDL blog, here is a little more.

The fundamental confusion here is about the audience for the vulnerability numbers, and metrics in general.

There are several audiences here:

Microsoft's customers, competitors, and the public at large.
Security folks, especially software security folks that want to improve the quality of their software.
People who want more metrics about all things generally, the costs of security, etc.

Microsoft's vulnerabilities in shipped software metric is really only targeted to audience #1. Like it or not, what customers care about, as Michael Howard rightly points out, is how likely they are to get attacked/hacked, and how many patches they have to deploy. Microsoft for its part also cares about #1 for the reasons above, and the fact that releasing patches is extraordinarily expensive.

Security folks, especially those working on their own software security initiatives find the vulnerabilities metric mostly useless. It gives us no insight into *how* Microsoft has achieved the reduction in vulnerabilities. What we'd all love to know is how much each element of the SDL contributes to reducing vulnerabilities. A percentage break out on how effective each element is, Training, Threat Modeling, Testing, at reducing vulnerability counts, especially as broken out by design/architecture defects and implementation defects.

At the same time, I'm willing to acknowledge that developing these metrics is a full time job for multiple people. And, tracking the metrics over time is difficult, since its hard to normalize the defects between products and across time. New attacks are always surfacing, so how do you track the impact of new attack types across time. How do you track the impact of better code scanning/static-analysis tools over time. As the tool improves you'll find more defects when you run it, but that will skew your metrics somewhat.

The fundamentally unanswered question though is how do we actually measure the security of software. From a general customer standpoint what you care about is how likely you are to get attacked and compromised for one piece of software vs. another, what that software is going to cost to buy and run, etc.

For the security community what we're looking for is a metric that more closely tracks the "real" security properties of a piece of software. How hard it is for the expert to attack, how it does in real world deployments, etc.

Unfortunately no one metric is going to capture this. As I've previously mentioned the QoP workshop is a great place to go if you're looking for answers to the "how do we measure software security" question. But if what you want to know is how much is it generally going to cost me to run/implement a piece of software, looking at things like number of required patches and their frequency/severity, then perhaps Microsoft's vulnerability metric is for you.

My Favorite RSA Sessions

2008-04-12T21:58:00.001-07:00

I spent the whole week up at the RSA conference including the Monday before attending a few pre-conference activities. If you didn't get to go but know someone who did, I thought I'd recommend a few of the sessions I found most informative. I attended more sessions than the ones below but the talks below seemed to resonate the most for me.

DEV-201 Implementing a Secure SDLC: From Principle to Practice

This session was a fantastic overview of the SDL practices that EMC has been implementing for the last 2 years. A pretty good overview of what it takes to rollout the SDL against a bunch of products.

DEV-301 Effective Integration of Fuzzing into Development Life Cycle

A really good overview of what fuzzing is, how to think about the different types of fuzzing, and what types of applications it works best on.

AUTH-403 Knowledge-Based Authentication (KBA) in Action at Bank of New York Mellon

An excellent overview of what BNY-Mellon went through in implementing KBA for part of their authentication process. They deployed Verid to help customers sign up to the site. If you're not familiar with KBA, think about how the credit reporting agencies authenticate you for getting your credit report. They ask you a bunch of questions about your bills, payments, etc. that they figure only you will know. A KBA system such as Verid can do the same but pulls data from a lot more sources so it can ask things about former addresses, phone numbers, employers, etc. BNY-Mellon has put together a pretty good program, they are collecting great metrics about the success of the program, and the presenters were also excellent. Probably the best session I saw all around, even though it was one of the least technical.

GOV-401 Will Your Web Research Land You in Jail?

Sara Peters, the editor of the 2007 CSI report on web vulnerability research and the law gave an overview presentation of the report. On the one hand I was a little disappointed because this material was actually relatively dated because RSA makes people submit their papers/presentations so early. On the other hand it was nice to revisit this topic since it was this report that prompted the vulnerability disclosure policy I helped author last year.

Measuring the Wrong Things?

2008-03-24T21:04:00.000-07:00

I'm not sure why I'm always finding interesting articles in NPR about medicine that seem to resonate so much in relation to software security. Nonetheless that seems to be how things go, so here comes another one.

NPR ran a story the other day titled "Doctors' 'Treat the Numbers' Approach Challenged". The main idea in the story is that doctors have been treating patients and using the results of certain tests as the metrics by which they judge health. They treat a patient with drugs, therapies, etc. to get to the diagnostic numbers they want, but now we're finding out that perhaps the numbers are not necessarily representing what we'd like them to.

The example from the article was:

Doctors call it "treating the numbers" — trying to get a patient's test results to a certain target, which they assume will treat — or prevent — disease. But earlier this year, a study on a widely used cholesterol drug challenged that assumption.
Vytorin, a combination of two cholesterol-lowering agents, certainly lowers cholesterol. But patients taking it didn't have any less plaque in a major artery than those taking a less-potent drug.

I'm assuming that less plaque generally does translate to fewer adverse events, but the article doesn't cover this. Helpfully, in medicine we generally have a pretty clear definition of an adverse event, and we're not dealing with intelligent active threats. Active threats (virus, bacteria, fungus, parasite), but not intelligent... We don't try to design cholesterol treatments to fend off a malicious food company that has designed a new more dangerous form of cholesterol that our drug can't fight :)

Knowing what to measure in security is hard though. We've covered a little of this before here.

If you're looking for more formal treatments of security metrics - check out the Quality of Protection (QoP) workshop held as part of the ACM CCS Conference.

"The goal of the QoP Workshop is to help security research progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or measures in Empirical Software Engineering."

Over the next few posts I'll take a few of the papers from the workshop and discuss a bit of their results. If you're interested in the TOC for the workshop, you can find it here.

Banning function calls, assurance, and retrofitting

2008-03-18T19:48:00.000-07:00

I've been working on some C/C++ secure coding standards lately, and trying to mesh those up with the results from the static analyzer I'm using. As it turns out there is a fine line to be drawn between what you consider best practices, what a static analyzer can find, how much context the static analyzer has, and how much manual review you really want to put up with.

Let me give a specific example.

Coverity's Prevent analyzer has a number of built-in "unsafe" functions defined. The list includes the standard cast such as scanf, strcpy, strcat, etc. On top of that though they add some things that didn't make Microsoft's list; for example, rand().

I don't technically have a problem with including rand() in the list of things to be extremely careful about, but whereas it is nearly impossible to guarantee that someone has used strcpy() right, rand() actually has some pretty legitimate uses.

Consider the case where we want to do a randomized delay in processing something, or where we wish to randomly assign work to different people when it comes in, or randomly pull an item off a work queue for a customer service agent. None of these cases requires a cryptographically sound random number generator. For the most part, using rand() is a perfectly reasonable choice in this sort of situation.

When you decide that you want to ban certain function calls, or call them out in findings in a static analyzer, you're treading a fine line with your developers and the people you're going to ask to go and clean up the old code you have around. You can choose to go several routes.

File defects against the old code for any use of a banned function, without investigating the specific use
File defects against old code only after verifying that in the context you have a potential vulnerability
Get a dedicated team together to just go and clean up old code

Each of these approaches has its plusses and minuses.

If you choose to file defects against your developers for code that is years old and wasn't necessarily written by them without verifying the vulnerabilities, you run the risk of them not taking the secure coding rules seriously. Many of the items they find are going to be false positives from a currently-exploitable perspective, and they are going to be cranky with you.

If you choose to go through the validate each and every defect and the types of defect are pervasive, you're going to spend almost as much verifying the defect as fixing it. Especially if you're going through and simply replacing strcpy() with strlcpy() for example. For both this and the case above though, developers are going to be going through the code, and with the proper training/awareness, they might actually learn more about some of the old code, or at least start to have a better sense of some real security issues in the code.

If you choose to get a dedicated team together to fix the old code, you're likely to save money in the short run. A dedicated team is going to get used to fixing the coding defects of this type, and you're going to make a lot shorter job of it. The downside being that the regular developers aren't getting some of the code review experience you'd really like.

To top things off, if you go route #2, wherein you only fix things that are currently exploitable, you run the risk of the code being used in a different way elsewhere and causing problems down the road.

Back to my rand() example. In every case where I've found rand() used it hasn't been in a security critical context. Do I want to leave these instances of rand() in my code as examples that others might follow, next time in a security sensitive context? Or, do I want to take a relatively dogmatic approach to this and all other banned/"unsafe" functions and eliminate them entirely from my codebase?

I'm leaning towards some sort of middle ground. If I can find the time for a dedicated team to go through the code to clean up old issues, then I'm likely to remove all instances of things that could be unsafe, just so we don't leave things around that could be copied into an truly unsafe context.

Its a tricky balancing act to determine how dogmatic you want to be about fixing up the use of certain "unsafe" functions. Getting it wrong either way can have long term consequences for your secure development program. As always, the right answer depends on a lot of factors.