Curphey

Cryptography Section of Practical Software Security Book

Mark Curphey — Wed, 01 Feb 2012 00:17:05 +0000

Writing a CC book in the open is nice, you can ask questions! I started writing the cryptography section of the book today and here is the table of contents so far.

An Introduction & Brief History (I swear I will not start with a caesar cipher or ROT13!)
Symmetric Key Cryptography (Private Key Cryptography)
Asymmetric Key Cryptography (Public Key Cryptography)
Digest Algorithms (Hash Functions)
Digital Signatures, Non-Repudiation & MAC’s
Digital Certificates, SSL & PKI PGP & S/MIME
The Promise of Quantum Cryptography
Key Management
Cryptographic Standards
Why Cryptography Often Fails
A Word About Crypto Snake-Oil

What else does a developer need to understand (or be able to look up ) ?

Software Security Weekly

Mark Curphey — Tue, 31 Jan 2012 21:01:00 +0000

I just pushed out a sign-up form for a very simple weekly software security newsletter. Recently I started signing up to Peter Coopers excellent HTML5, JavaScript and Ruby Weekly newsletters and after reading about the Information Diet thought I would create something similar for Software Security.

The list is managed by MailChimp so you can always un-subscribe and I will only ever be sending one email a week.

It’s very simple. A few static pages with a sign-up form (that points to MailChimp), and an archives page. I used Heroku and wrote a little Rack app to publish the static pages. git push heroku master and it’s all ready to rock and roll! Doesn’t get easier than that. Code is on github as I suspect when I have some more time I will build something more sophisticated.

If you have news you would like included then mail me at news.desk@softwaresecurityweekly.com

Contributing Authors to the Practical Software Security Book

Mark Curphey — Wed, 25 Jan 2012 01:40:52 +0000

If you are a regular reader of this blog you should know I am working on a book for O’Reilly called Practical Software Security. It’s in the early stages and evolving as we start to get into the details. You can sign up to get notifications of progress here.

There are five main sections:

Introduction
Security Concepts
Languages & Frameworks (was called Tools & Technologies)
Building a Software Security Program
Engineering Scenarios

In the Security Concepts section we will introduce developers to things like cryptography, authentication, authorization and then in the Languages & Frameworks sections we will cover the security features available and how to use them properly for the popular development technologies. In the engineering scenarios well get to code level guidance of how to pull it all together to solve real world problems that all developers face like securing a REST API or creating a federated authentication system.

I am delighted that we have been able to recruit a fantastic list of subject matter experts to write and review the Languages & Frameworks section of the book. I will be writing the Security Concepts section (and the Ruby on Rails section) and the following folks will be writing or reviewing:

HTML5 (and friends) – Mark Curphey
Java – Pravir Chandra
.NET – David Rook (Security Ninja + Microsoft MVP for Developer Security)
JavaScript (Client + Node) – Gareth Heyes (The Spanner) with Rey Bango as a core reviewer (JQuery Core Team Member)
Ruby on Rails – Mark Curphey with Heiko Webers (wrote the official Rails security guide) as a core reviewer
PHP – Mike DeLibero with Chris Shiflett (wrote the O’Reilly PHP Security book) as a core reviewer
iOS & Android – Dan Cornell
Identity – Gunnar Peterson

Note: we will be doing C / C++ as there is still so much being produced but haven’t yet locked on that author and we will be figuring out how to deal with things like Spring or Cake (and where to draw the line).

In the Building a Software Security Program section we organize the section into People, Process & Tools. Justin Collins (author of Brakeman Scanner) is going to write the static code analysis section in Tools and Tasos Laskos (author of Arachni) will write about how dynamic web application scanners work. Many other tools will of course be covered! I will be writing extensively about integrating Agile practices and using TDD / BDD techniques and tools. I probably won’t start on this section until March / April. I am hoping we will have the Security Concepts section and the Languages & Frameworks section complete by the end of February so we can open up a site for a much broader set of reviewers (invite only but register to get on the invite request list here) around March.

OK, now to set up the git repo for the contributing authors, create a README.md for them and kick off the discussion about we want to structure things. Gentlemen start your engines!

Edits : 1/25 – Added HTML5 (and friends), 1/25 – Added Gunnar Peterson to Identity

OWASP Keynote Speech

Mark Curphey — Sat, 21 Jan 2012 22:41:50 +0000

I just found this online

Video streaming by Ustream

Kudos for guard-brakeman

Mark Curphey — Wed, 18 Jan 2012 19:08:28 +0000

Kudos to Niel Matatall for writing guard-brakeman. Neil has taken an open source static analysis tool, brakeman scanner and integrated it with the guard framework, a Ruby DSL for creating file-change events. Guard is typically used to automatically run the test suite as soon as a developer modifies any source code files and provides visual notifications on pass or fail conditions. What Neil has done is simple but I think very powerful which is why I think he deserves public kudos. When a developer adds guard-brakeman to his guard configuration any time he/she makes a change to his application the security tests will automatically run. TDD developers don’t commit code until all tests pass and so he has effectively provided an easy way to push security back up the chain for developers following TDD. It’s that one stage further back than running static analysis before a commit. The only place further back up the chain left to explore is intelli-sense type security advice in the editor.

We need more people doing more things like this in my opinion. Simple, elegant and effective. Kudos to Neil!

Git Cheat Sheet

Mark Curphey — Wed, 18 Jan 2012 00:51:29 +0000

I have started making some developer cheat sheets for my own personal use using EverNote. There is so much to remember and I am often reminded that the goal is to develop good software and not to remember thousands of commands (as big and superior as doing that makes some people feel). I need cheat sheets! I am working on my own cheat-sheets for git, zsh, rvm, aws and heroku as well as some language ones. A few folks asked me to share them so here goes starting with my git cheat sheet . Given they are primarily for myself they won’t contain all commands you may want to use so feel free to copy and modify (this is all copied from others in the first place). For instance in this git cheat sheet there is no rebasing and very little about resetting your local repository when things go horribly wrong. I am sure I will update it in due course. You can subscribe to the shared Evernote file if you are an EverNote user here. I will try and keep this page updated but that EverNote will be my source of truth!

If you do find mistakes, have smarter ways of doing things or can’t figure out why something is missing do let me know. I would love to make it better for me and anyone who is using it.

Useful Resources

http://gitref.org/

http://help.github.com/git-cheat-sheets/

http://progit.org/book/

(see shell customization cheat sheet for adding a good git prompt in the shell)

Global Settings

git config [--global]

User Details

user.name $name i.e git config –global user.name Mark Curphey

user.email $email i.e git config –global user.email mark@curphey.com

Github

github.user $user

github.token $token

or just edit the ~/.gitconfig file !

Creating Repositories

Create Local Repository from an Existing Local Project

cd ~/project_dir

git init

git add .

Clone Remote Repository

git clone git://github.com/user/repo.git

git clone https://github.com/user/repo.git

Clone a Local Repository

git clone ~/existing/repo ~/new/repo

git clone you@host.org:dir/project.git

Local Repositories

List Changes in Working Directory

git status

Add Files to Repository

git add [filename1] [filename2]

git add .

Delete Files in Repository

git rm [filename1] [filename2]

List Changes to Tracked Files

git diff

Commit Changes

git commit -am “commit message”

(-a is all files that are tracked, NOT all files, so you still need to add filename or add .)

(-m is with a commit message)

Return to Last Committed State

git reset –hard HEAD

Remote Repositories (Github)

List Remote Repositories Aliased

git remote

Add Remote Repository

git remote add [alias] [location] i.e. git remote add origin git://github.com/curphey/repo.git

Remove Remote Repository

git remote rm [alias] i.e. git remote rm origin

Pull from Remote Repository and Merge into Current Branch

git pull [alias] [location] i.e. git pull origin master

(once you have pulled once the alias and remote branch are no longer needed)

git fetch from Remote Repository is same as pull but without auto-merging

Push Local Changes to Remote

git push [alias] [branch]

If the server rejects your push, always try a git pull and then retry as 99 times out of 100 you didn’t have the latest remote!

Branching and Merging

List Available Branches

git branch

Create a Branch

git branch [branch name] i.e git branch [experimental]

Switch to Work in a Branch

git checkout [branch name] i.e git checkout experimental

Create and Immediately Switch to New Branch (i.e both of last two steps)

git checkout -b [branch name]

Merge Branch

git merge [branch to merge] i.e. git merge experimental will merge experimental back into working branch

Track Original Repository of an Open Source Project on Github

Fork repository, create an upstream remote, fetch and merge (or pull) changes into your fork.

git remote add upstream https://github.com/rails/rails.git

git fetch upstream

git merge upstream/master

Show Log of Activity

git log

Tag a Commit i.e. v.0_beta1

git tag [note]

Solid Application Security Frame ?

Mark Curphey — Tue, 17 Jan 2012 04:11:35 +0000

The Practical Software Security book will have five main sections *subject to change and a work in progress of course*. To recap the book is being aimed at pure developers (not security people) and aiming to be a single book developers and development teams need for their security knowledge. Those five main sections are:

Introduction
Security Concepts
Tools & Technologies
Building a Software Security Program
Engineering Scenarios

I want to syncronize the book so that the generic security advice in the security concepts section is then made specific in the tools & technologies section and then further builds with code level samples in the engineering scenarios section. For example in the “Security Concepts” section there is a sub-section on cryptography in which we describe the key concepts and types of cryptography, how those types of cryptography works and when certain types of cryptography can and should be used. In the “Tools & Technologies” and technologies section we will cover a security overview of major development frameworks such as Java, JavaScript and PHP in which I want help the developers know how to implement those cryptographic concepts described earlier in their scoped framework and describe important cryptographic libraries and what they support.

I would love to hear peoples opinions about the “security frame” I plan to use (see below). The frame will be used to tie together the sections of the book. I have been using this (or a variant of it) for many years and it has always worked for me. J.D.Meier used a similar one in Building Secure ASP.NET Applications (I was a reviewer of this back in 2006).

Cryptography
Authentication
User Management
Authorization
Configuration Management
Audit and Logging
Data Validation
Data Security (in transport & storage)
Session Management
Error Handling

Does it work for you?

Is it missing any sections?

Would you add any sections?

At the end of the day it is just a taxonomy and over the years doing things like OASIS WAS and similar projects, I have concluded that more important than the taxonomy is using any taxonomy consistently. No taxonomy will ever work for everyone, I just want to make sure this works for the majority. Please throw darts at this. Ask me where I would put x or y or z. If I don’t have a good answer I have a problem!

Cheers!

Mark

The Learn to Code Movement and Software Security

Mark Curphey — Sun, 15 Jan 2012 23:59:45 +0000

I think this is a really exciting time to be living. The pace of technology advances are so fast that things I could only imagine as a child (or dismissed even a few years ago as pure science-fiction) are actually coming true. We take so much amazing technology for granted and don’t appreciate it. I now use Siri to send texts and check the traffic while in my car, my iPad is used by the children to talk to their grand-mother in the UK using video conference (Skype) as if it’s “normal”, my wife sometimes tracks me using “where are my friends” on our iPhone’s to have a hot cup of tea ready for me when I walk in the door from a tough day at work and I often scan my food using the Daily Burn to determine the calories and nutrients. I could go on and on and on.

The commonality with much of the software I have grown to love is that it is more often than not first created by people who wanted to solve a specific problem and this is the main reason I am so excited to see the Learn to Code movement take off. CodeYear.com has seen over half a million people set a New Year resolution to learn to code including New York’s Major, Michael Bloomberg. The scheme sends prospective developers a weekly set of tasks via email that have started with basic JavaScript lessons.

If you try to view the world as “a glass half-full” then you will, like me, be excited to think about the great software that will be created by a broad range of people that will be able to put their ideas into prototypes and production services in the future. The amount of ideas for unique software trapped in the brains of 500,000 people is a significant number to bet that some will become staples that many of us will use and rely on tomorrow. Realistically of course only a proportion of those that sign up will continue on the course (like any new years resolution) and a much smaller proportion will actually ship anything. Of that proportion an even smaller number will ship something that might be considered a killer app but with a starting funnel of 500,000 its hard to imagine their won’t be some real success stories.

Over the last few weeks I have seen several tweets from “security people” questioning the type of developers that this movement will produce. They were of course inferring that an army of new and inexperienced developers will result in a sea of insecure code. It maybe a valid concern but the security industry is notoriously “glass half-empty” or pessimistic. I keep circling back to two points.

The first is that “security < performance < functionality”. Many security people will argue to death that this isn’t valid but I am yet to agree with any arguments. “It is hard to convince a man of something if his salary depends on him not understanding it.” – Upton Sinclair. If you don’t have a functional product then you will by definition not attract users. 100% of nothing is nothing and so even if we see thousands of apps with swiss cheese style security holes, if they don’t attract users it won’t matter in the big picture.

The second point follows is closely related. Those products that will gain users will almost definitely be written by those talented people that had a dormant gift for software. These people will also seek out and incorporate security and performance into their software. I don’t think anyone should stereo-type these new developers. I will bet serious money that some of tomorrows rock-star developers are office workers, farmers or grocery store shelf-stackers today. I learnt that lesson when we moved to France for a year in 2006. The Brit’s are notoriously poor at foreign languages and it is certainly true that many British people living in France can utter little more than “der baget” or “der beer”. However some people from electricians to young kids pick up French at such a pace that they become fluent in no time. The electrician re-wiring our house was such an example and we put my 6 year old (at the time) straight into the local school where he became so fluent in 3 months that the local farmer didn’t know he was British! Bear in mind in the South West of France they have a strong regional accent (Touloussian) so that is no minor feat.

I think the security industry should embrace the Learn To Code movement as a great opportunity to provide software security training to a new breed of developers.

I am on the look out for a good developer to create a set of code based online training like codecademy.com that we can release for free on the seconauts community when we launch. If you are a good Rails developer and interested then do let me know!

Sad Facts About the American Diet (and an additional blog theme)

Mark Curphey — Sat, 31 Dec 2011 05:02:51 +0000

At this time of year many people look towards diet experts and the diet industry to shed a few pounds. My wife is no exception. The trend in the UK among her friends (we live in the US but are British) seems to be the Dukan Diet. You can go online and answer a few questions and magically it will tell you your “ideal weight”.

For fun we submitted the same results to the UK (http://www.dukandiet.co.uk/) and US ( http://www.dukandiet.com/) versions of the site and to our surprise found that the US site gave an ideal weight that was 7lbs more than the UK site (130 lb for the US vs 123 lb for the UK). She is already at the US ideal weight! We submitted a support ticket suggesting they might have a bug and got back the mail below.

“Due to the American diet, we have adjusted our True Weight a little bit as it may be harder to stabilize and maintain a lower True Weight. People who eat in France or the UK can take advantage of fresher and healthier ingredients (no hormones, no pesticides, etc.) as opposed to their American peers.”

While we have Whole Foods, and farmers markets (we get a organic vegetable box delivered weekly) it is indeed MUCH harder to eat well in the US. It’s all about quantity and not quality, there is sadly little general awareness of where your food comes from, people accept highly processed food as “normal” and even seemingly healthy choices like many Whole Foods own brands are stuffed with evaporate cane juice. Organic cane juice is still refined sugar!

Come on Americans, it really is time for a real food revolution. I am tired of seeing all the over-weight people on the streets, all the junk food in restaurants and stores and the lack of awareness about where your food comes from.

I plan to now post regularly on healthy eating.

Practical Software Security – Scenarios

Mark Curphey — Sun, 18 Dec 2011 22:06:49 +0000

A major part of the Practical Software Security book will be a collection of discrete guidance topics covering design and implementation of end-to-end scenarios that most modern development teams will face. Over time we expect to expand on the scenarios in the book and probably maintain an online repository (including technology specific versions).

I just started building an initial list of scenarios and would love input on important scenarios you think we should cover. My initial list is below.

- Managing Sensitive Data
- Practical Cryptographic Key Management
- Federated Authentication (OAuth & FaceBook Connect)
- Designing User Management Systems (passwords, password resets & profile management)
- Authorization Models
- Avoiding Input Validation Vulnerabilities
- Connecting Web Services Across the Internet
- Safely Storing Data on a Client (Browser + Mobile)
- Preventing Bots and Making Sure Your Users are Humans
- Signing Code and Distributing Applications
- Setting up a Cloud Deployment Environment

Cheers!

Mark