[For full disclosure I owned the engineering of one of Microsofts Threat Modeling tools called TAM while I was there. I will talk about tools later but the short story is that many people have seen the MSFT org charts (which are very accurate) and despite lots of feedback to me and my personal belief that TAM was a superior tool, I deprecated it to avoid the continued bun-fight and make it easier for customers to get behind a common message from MSFT. I was also involved in writing and reviewing the Threat Modeling Developer Guidance in 2005.]

Let me be crystal clear up-front: I think looking at a systems software architecture (reviewing the design, user stories & specs, visual models (whiteboard, napkins etc.), talking to the architects and developers etc.) upfront can be one of the highest value (low effort and high reward) security assessment activities that anyone can do. Pound for pound I reckon it’s right up there with anything, period. It is of course a totally different beast of an assessment technique that doesn’t replace static or dynamic analysis or pen testing but in the past I have been involved in assessment projects where we were quickly able to determine that we could shut down a service or lock out users or determine that the system wasn’t doing I/O validation and so was highly likely to have a lot of related issues. The issues identified typically don’t require proof or to be exhaustively pin-pointed for the development team to go back to the drawing board and redesign or re-implement.

So if this type of analysis is such a high value exercise then where does Threat Modeling break down?

-Why Just Threats?

-Models That Aren’t Really Models

-Retrofitting Analysis

-Tools

Why Just Threats?

I openly confess I have a very limited personal interest in what seems like an ongoing and never-ending debate about “what is risk?”. The GRC / compliance market surge of a few years ago just sucked any interest right out of me but it makes common sense (to me at least) that if we are looking to determine the potential security posture of a software design then you have to ground your analysis in more than just threats. Now I am about to enter the slippery slope of taxonomy and definition but if Risk is a function of the Vulnerabilities and the Threats.

NIST SP 800-30: Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Obsessing over Threats is only part of the job. Sadly in my experience it’s also the part that seems to be most open to subjective discussions of “this could happen” or “I don’t think that will ever happen”. It’s certainly helpful to think about the ways people will attack software but one part of the jigsaw. Then there is STRIDE. I don’t know about you but whenever I have sat with a developer and starting reading the acronyms I usefully get to Spoofing or Tampering before the eye-brows start to raise. It’s just not a clear set of definitions in my opinion to anyone but security people and if you have to explain it then I think something is wrong. What’s the difference between spoofing a user account by tampering with the URL? Some folks may say it doesn’t matter because you list the attack.

It would seem that an alternative approach would be to do Security Risk Analysis of Software where you look at potential Vulnerabilities, potential Threats and therefore determine the potential Risk. Based on that potential Risk you can make decisions on what to do or not to do.

Models That Aren’t Really Models

Most threat models I have seen aren’t models at all, at least not as in software models. They are diagrams and or lists. If we had security models that were derived from the code or code that was derived from the model then we would have a way to maintain a different representation of the application. When changes to the code were made, the model could change and the analysis updated. If the model was changed perhaps via modeling activity (trying different things is surely what modeling is all about after-all) then you could create code stubs for the new design or even refactor (although I suspect that is a long way off). This is the way UML works for instance. Yes people use UML as a diagramming language as well and yes UML is best in big water-fall like projects, but SecureUML was a promising modeling language for modeling authorization.

Retrofitting Analysis

I have heard from several big companies where threat modeling is prevalent that internal studies have shown that many models are simply retrofitted to meet a step in their security process. The developers or project leads take what has been built and create an artifact to meet the step required in the process. This of course defeats the purpose but I have had heard this several times which seems to indicate that many developers just don’t see the value in the process.

Tools

Despite several threat modeling tool projects like Threat Modeler and Trike) the MSFT SDL threat modeling tool seems to be the only serious option. That tool is designed to work at MSFT which is a unique beast and no one builds software like MSFT. You can take that as a compliment or a jab, I’ll let you decide as it was intended as both but what works for MSFT is unlikely to work for most companies as few people build OS’s that ship every 3 years. The reality for me is that if threat modeling was such a high value activity for security people or developers, then market forces would have figured out how to monetize it and the big security tools vendors or IDE vendors would have options. It would be an option in IDE’s, built-in like static analysis is to Visual Studio or it would be available as value-added plugins like HP WebInspect, Fortify or IBM AppScan.

Summary

It’s easy to throw stones and without a better proposal this is hardly my most constructive post, but given the high value I see in Security Risk Analysis of Software I think it’s time to think again about how to analyze software designs and I think Threat Modeling is Overrated.

gem list pg will return if the pg gem is installed

You may still get the following error

(Please install the pg adapter: `gem install activerecord-pg-adapter` (no such file to load — active_record/connection_adapters/pg_adapter))

This is because the gem is called pg but the adapter is called postgresql. Doh ! Just make sure your database.yml looks something like this :

Firstly Seconauts will not be like OWASP. It will not be an alternative to OWASP and won’t be suitable for everyone. At a high level of course it will be a predominately online community for software developers engaged in security so perhaps on the face similar but I would argue that OWASP is predominately security people involved in software and Seconauts will be software people involved in security. While fundamentally that may seem like semantics at this point I think it is important and if I get the setup right then that will happen on it’s own.

Having a strong vision to get behind with a clear focus that the project can use as it’s North Star is vital: a community roadmap if you will. Many successful online software projects like Apache and Rails have also worked well because of their strong leadership, a focused core team and a simple but effective set of practices to control quality, remove roadblocks to productivity,improve team health and improve the velocity of deliverables. Sounds like Agile right? It’s not a case of rules, in fact lots of rules seem to have a very negative effect on communities but its about a set of guiding principles and a mindset. Anyone can of course use software projects like Rails and Apache and they actively encourage wide participation by allowing anyone to submit a patch but few people have commit access to their code repositories. Anyone can write documentation and submit it to the projects but only when approved by a core team does it become that projects adopted work. It’s about having a simple way to work that allows people with different capabilities and motivations to engage without having a lowest common denominator model to accommodate everyone. Evolving a strong core team is key and so we are going to try something a little bit different, actually we are going to model those successful projects but try and automate it a little.

Projects will be open to anyone to consume for free and the Practical Software Security book will be the first published and will likely host a discussion system that anyone can join but documentation and code will be done by a core team.

That core team will be grown via an invite system and a rating system. We have built the basic site using Rails and Devise and already have an invite mechanism in place through Devise. I need to design and build the rating system as an extension to Devise but am thinking like this. After seeding the core team (current book authors + others), those core folks will have a limited set of invites to hand out. Each time someone hands out an invite their profile will be tagged to the person they invited (tainted) and so it’s in the best interests that people only invite A players to the game. If Joe invites Fred to the community and Fred turns out to be a rock star then it reflects on Joes profile but if Fred turns out to not contribute or contribute negatively then it will adversely affect Freds profile. Growth will of course be slower this way but I think controlled growth will avoid some of the things I have seen at OWASP and we should be able to adjust the way the system works as we learn. Activity will earn community points and community points may turn into more invites but mainly will reflect community kudos. It’s about rewarding the doers! I think we can create a wide set of events that will trigger points. For instance if you post to a discussion that activity is more valuable than lurking and so may earn you a set of points.Reading all discussion threads is valuable as well and so may earn you points, just not as many. Committing code may earn a certain amount of points, checking in via FourSquare to an event or meeting may earn another amount and writing a Gist or a blog another set. I think we can even allow discussion threads to be rated by everyone else in the discussion to further emphasize quality. Mark may rate Freds reply as a 5 star reply that earns Fred 10 points instead of just the normal 5 for a post. If Fred gets 5 stars from all the people on the thread then “voila” and so the system rewards quality. Gamification is such an buzz-word but I do want to try and create a community system where the good people are rewarded for good work and recognized by the community with community kudos and to get that right will take time.

Seconauts will also be different in that it will focus on a small number of software and documentation projects and not be a clearing house. If I look at OWASP today many projects are either abandoned or of such low quality that it taints the good ones. Just navigating through the trees to find the wood is almost impossible and some key projects like the OWASP Guide have frankly very questionable advice. I have always through that it is more effective to focus your limited resources into fewer projects and ensure they are high quality and well maintained. I think OWASP has tried to be everything to everyone. We will pick off a few things and do those few things really well!

So when will it launch? When it’s ready of course! Mike DeLibero has been working hard on building out a Rails based discussion site that integrates web based discussion and email discussions. User management and invites are via Devise and we have the user auth working using GitHub, Google and FaceBook via OmniAuth. I will be doing some CSS work this weekend and we will start using this in a few weeks for the current authors and reviewers of the book content. Mike will build book publishing system next taking the raw markdown and creating HTML, PDF and eReader formats. When the book is done (ETA summer) then we will launch as that being the first project.

Thanks for your patience but I think it will be worthwhile. Blue skies!

I have had an unconventional career to date by many peoples standards. After being thrown out of school in my late teens and a few years of questionable (I mean really questionable) ‘mis-spent youth’, I went to University in my mid-twenties. After a first degree in Engineering and a Masters Degree in Information Security (where I specialized in cryptography) I was 28 before I started a serious career (I am 43 now). For the first few years I spent most of my time working on very technical computer security or crypto projects as both a consultant and for a bank before moving to run a small security consulting team in the US. For the last decade I have unintenionally found myself in roles running consulting and software engineering teams / businesses from small to large, local to global and seemingly everything in between. It was never an intentional plan to be a “manager” but it seemed like I had a natural skill to lead teams of technical people and have had success at doing it.

When I was younger I used to think that people management and business management was the only aspirational goal worth striving for. The head honchos had power and kudos. It was Yoda meets Richard Branson. The glamorous and ritzy side of work-life. The harsh reality (for me at least) has been that people management and business management is mundane and boring. Over the last decade I graduated to spending more and more time hacking spreadsheets than code, more time in meaningless meetings, dealing with lawyers, HR and filling in forms than feeling like a productive creative human making a dent in the world.

Good people management is tough and sadly rare. It’s not about giving orders or instructions but about providing a nurturing environment in which people can be their best. It’s about mentoring, caring (a shoulder to cry on and a set of ears to bounce ideas off), facilitating, removing roadblocks. It’s like parenting. It’s about taking care of people. Few people really like to take care of people at work. Most managers like to direct people with tasks and instructions. MSFT was a very toxic place to work for me in the last year and I know many others who feel the same. The brain drain from MSFT in recent times has been as meteoric as its fall from grace and relevance in the technology world.

Business management is also tough. Companies generally optimize for profit and not happiness. Investments in the long term can easily be passed over with little short term affect but the debt comes back with a negative culture that spirals, affecting company performance. Balancing tangible profits against intangible costs (great computers and cool offices) is granted tough but its not always about money. Simple things like saying thank-you, being open and honest, treating people with dignity and respect, sending flowers or gifting a Kindle book doesn’t cost much but has lasting effects. Having employees spend their lives in meetings when they could be spending time being creative kills both productivity and kills morale. MSFT had amazing healthcare and paid me very well but at the same time had me in a 70′s styled office with beige walls and grey carpet and fed us with what can only be described as ‘school dinners’.

Early last year I told my wife I was depressed with the prospects of continuing my career trend and that I needed to make a bold change. I need to change my role and the type of company I worked for. Sadly I needed to wait for my green card to come in before I could act (it finally arrived in December).

When I look back at my work life I have been the happiest when I have been creating things. I have been passionate about software for over a decade. The intellectual challenge and the nature of the medium means that you are only limited by your imagination making it the perfect tool for an aspirational mind. I am fascinated by the building blocks of development frameworks like Rails and now Node.js, I love the emergence of identity technologies like OAUth and am fascinated by the emerging API economy. I think we are at the very start of the equivalent of a mega-scale industrial revolution and have just seen the tip of the ice-berg of the change that is possible. It’s a really exciting time to be living. I believe in the ideals of open source software and despite a break for the last few years from software security I realized that it really is in my DNA. I love Agile and software development process.

In short I want to build software, be involved in building software, create great things (new ideas, businesses, ways to do things) and I want to be involved in some ways with software security.

I have tried over the last few years to graduate from a part-time hobbyist developer to a serious developer but the reality is that when you are a relatively senior manager and have teams relying on you, then you always have a prioritized backlog and personal development early makes the sprint. I am no slacker, I typically crank out long work hours (although hours is hardly a measurement of results) but juggling a management career and juggling learning to become serious coder is no easy task and one I couldn’t manage. I tried courses, tutoring with friends (thanks Mike) and other less conventional options (fixing bugs in popular open source projects under a pseudonym) but “if you don’t use it you loose it” and the transition was simply taking too long. I decided on a two step plan.

The first step is to return to security consulting for a few years and the second step down the road will be a software start-up. I took step one on Monday returning to Foundstone.

Step 1 – Over the years I have spent a lot of time leading projects and teams creating software security programs and so there is a lot of value I can bring to a consulting company and it’s customers. When combined with the experience of OWASP and the book I am writing “Practical Software Security” for O’Reilly it seems like a no brainer. It will get me away from managing people and managing businesses and closer to creating software and software security. While it hard to plan the future I have set a rough plan for myself that will hopeful see my work-life something like this. In the early days I expect to spend most of my time involved in creating software security programs for companies and as time moves on I expect to expect more and more time writing and re-factoring code, creating tools and generally operating as a security developer.

During this period (my Step 1), I have decided to invest in becoming a serious Ruby on Rails and JavaScript developer. My personal goals are to be considered among the top few security people in the world in those technologies (within 18 months) but that’s not important. While I make this transition I will able to do a lot more writing, public speaking, contribute to and start more open source development projects (I have several ideas), launch the Seconauts community I have been planning for a while and finish my book.

Deciding which consulting firm to join was actually easy. We sold Foundstone to McAfee in 2004 and it’s since been acquired by Intel. There are a bunch of people still there I consider friends, a bunch of people I respect and I know the culture. Company culture is so important to me and Foundstone is so NOT Microsoft! There is a lack of beauacracy, fun, innovation and aspiration to do great things. Nowhere is perfect but I know it will be a great place to hang my hat for a few years and make a dent on the world and I am excited to be back; only this time as an individual consultant and not the VP in charge!

Step two is a way off at this point but it’s surprising how quickly time passes when you are having fun.

Everyone deserves happiness and life is too short to not pursue happiness at work.

I got back from vacation to yet another hard drive issue on my MacBook Pro that required a re-install. Don’t ask…..I think I have what is called an ‘Apple Lemon’ hybrid. New motherboard, new uni-body (although that was my fault for being drunk and in charge of a laptop), replacement drive and the list goes on. I really need to learn to backup but with everything in the ‘cloud’ these days it’s only the apps and not the data that goes South, so I figured that with a quick install script “life should be good” right? I cloned an install script from the ThoughtBot guys, removed some things I consider cruft, fixed it up to install Ruby 1.9.2 (I messed with 1.9.3 and clang options but gave up) and setup my shell preferences to Zsh……and BANG, a nice template dev environment on any MacBook in 15 mins or less. I just ran a fresh install on my new MacBook Air!

Code is here – https://github.com/curphey/laptop

Note 1 : You must install GCC for Lion first (I install XCode as well but several of the the scripts /configure will spew errors without GCC) https://github.com/downloads/kennethreitz/osx-gcc-installer/GCC-10.7-v2.pkg

Note 2 : You need root to change the shell defaults so there will be a prompt. I’ll try and automate this away somehow….

Warning : It works for me, may not for you so use with caution!

Open your Terminal and run “bash < <(curl -s https://raw.github.com/curphey/laptop/master/mac)”

• SSH public key (for authenticating with services like Github and Heroku)
• WGet
• Homebrew (for managing operating system libraries)
• Git (so Homebrew gets me the latest version)
• Zsh (change default shell and installs oh-my-zsh)
• Postgres
• RVM
• Ruby 1.9.2

I will probably add a few tweaks to add a Node installation, setup my favorite oh-my-zsh theme and a few tweaks but in the meantime I hope you find this useful.

Tweaks, requests and pull requests welcome!

• An Introduction & Brief History (I swear I will not start with a caesar cipher or ROT13!)
• Symmetric Key Cryptography (Private Key Cryptography)
• Asymmetric Key Cryptography (Public Key Cryptography)
• Digest Algorithms (Hash Functions)
• Digital Signatures, Non-Repudiation & MAC’s
• Digital Certificates, SSL & PKI PGP & S/MIME
• The Promise of Quantum Cryptography
• Key Management
• Cryptographic Standards
• Why Cryptography Often Fails
• A Word About Crypto Snake-Oil

What else does a developer need to understand (or be able to look up ) ?

The list is managed by MailChimp so you can always un-subscribe and I will only ever be sending one email a week.

It’s very simple. A few static pages with a sign-up form (that points to MailChimp), and an archives page. I used Heroku and wrote a little Rack app to publish the static pages.  git push heroku master and it’s all ready to rock and roll! Doesn’t get easier than that. Code is on github as I suspect when I have some more time I will build something more sophisticated.

If you have news you would like included then mail me at news.desk@softwaresecurityweekly.com

There are five main sections:

• Introduction
• Security Concepts
• Languages & Frameworks (was called Tools & Technologies)
• Building a Software Security Program
• Engineering Scenarios

In the Security Concepts section we will introduce developers to things like cryptography, authentication, authorization and then in the Languages & Frameworks sections we will cover the security features available and how to use them properly for the popular development technologies. In the engineering scenarios well get to code level guidance of how to pull it all together to solve real world problems that all developers face like securing a REST API or creating a federated authentication system.

I am delighted that we have been able to recruit a fantastic list of subject matter experts to write and review the Languages & Frameworks section of the book. I will be writing the Security Concepts section (and the Ruby on Rails section) and the following folks will be writing or reviewing:

• HTML5 (and friends) – Mark Curphey
• Java – Pravir Chandra
• .NET – David Rook (Security Ninja + Microsoft MVP for Developer Security)
• JavaScript (Client + Node) – Gareth Heyes (The Spanner) with Rey Bango as a core reviewer (JQuery Core Team Member)
• Ruby on Rails – Mark Curphey with Heiko Webers (wrote the official Rails security guide) as a core reviewer
• PHP – Mike DeLibero with Chris Shiflett (wrote the O’Reilly PHP Security book) as a core reviewer
• iOS & Android – Dan Cornell
• Identity – Gunnar Peterson

Note: we will be doing C / C++ as there is still so much being produced but haven’t yet locked on that author and we will be figuring out how to deal with things like Spring or Cake (and where to draw the line).

In the Building a Software Security Program section we organize the section into People, Process & Tools. Justin Collins (author of Brakeman Scanner) is going to write the static code analysis section in Tools and Tasos Laskos (author of Arachni) will write about how dynamic web application scanners work. Many other tools will of course be covered! I will be writing extensively about integrating Agile practices and using TDD / BDD techniques and tools. I probably won’t start on this section until March / April. I am hoping we will have the Security Concepts section and the Languages & Frameworks section complete by the end of February so we can open up a site for a much broader set of reviewers (invite only but register to get on the invite request list here) around March.

OK, now to set up the git repo for the contributing authors, create a README.md for them and kick off the discussion about we want to structure things. Gentlemen start your engines!

Edits : 1/25 – Added HTML5 (and friends), 1/25 – Added Gunnar Peterson to Identity

Video streaming by Ustream

We need more people doing more things like this in my opinion. Simple, elegant and effective. Kudos to Neil!