<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss version="2.0"><channel><description>Musings on I.T., Music, Photography and a few other things by Saâd Kadhi﻿﻿
﻿﻿﻿﻿</description><title>The Blog self()</title><generator>Tumblr (3.0; @myblogself)</generator><link>http://blog.upbeat.fr/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/theblogself" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="theblogself" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://tumblr.superfeedr.com/" /><item><title>Secure development: why security awareness is a failure</title><description>&lt;p&gt;I have finished reading a &lt;a href="http://www.darkreading.com/shared/printableArticle.jhtml?articleID=225700320"&gt;nice article&lt;/a&gt; from &lt;em&gt;Dark Reading&lt;/em&gt; about secure development or, said otherwise, taking security into account when developing software.&lt;/p&gt;

&lt;p&gt;Two major problems are brought forward:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;your average developer doesn’t have the right mindset for understanding security, which doesn’t play well with his &lt;em&gt;artistic&lt;/em&gt; skills.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;security awareness and training programs are a failure. Besides the budget constraints, developers would never choose security over meeting their deadlines.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I can see the logic behind the (partial?) failure of security awareness and training programs. Think about &lt;em&gt;Time to Market&lt;/em&gt;, competitiveness, frequent evolution of technologies and needs and you’ll get the idea. In this context, adding a security brick to an already unsteady building which is way behind the defined deadlines is unrealistic. According to Caleb Sima, CEO of Armorize, a secure development software vendor:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“If I’m a developer, as soon as I’ve been assigned a project, I’m already behind. If there’s a faster way to do something, they’re going to take it, because for them speed is more important than security.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;So what options do we have?&lt;/p&gt;

&lt;p&gt;According to Fortify, another secure development software vendor, many development companies add a security specialist to their development team. This person is in charge of bridging the gap between the security and development teams, but also helps identify and correct vulnerabilities.&lt;/p&gt;

&lt;p&gt;This approach has, however, some serious limitations: the security specialist might not identify all vulnerabilities given the diversity of projects and programming languages. More importantly, she might become a bottleneck in the team, as everyone is waiting for her feedback before moving forward and/or rushing to her with urgent requests given the deadlines.&lt;/p&gt;

&lt;p&gt;To solve this problem, some organizations opt for secure development frameworks such as &lt;a href="http://bsimm2.com/"&gt;BSIMM&lt;/a&gt; but these are pretty heavy to implement and they require a formalized development process.&lt;/p&gt;

&lt;p&gt;According to many of the interviewed experts, one solution consists of using vulnerability identification tools that nicely integrate with the IDEs and automatically identify vulnerabilities as code is written. While the experts here are heavily biased given that they work for companies that provide such tools, I think the point is valid nonetheless.&lt;/p&gt;

&lt;p&gt;Given the time and budget constraints that most (if not all) software development projects have to take into account, such tools might really help a lot, as they act like your off-the-shelf debugger or code quality checker and integrate nicely into the existing toolchain, especially if their output is not some security mumbo jumbo.&lt;/p&gt;

&lt;p&gt;This approach is indeed limited to code validation/checking. Some important phases of the development process such as use cases or design are not covered but if you think that you can easily take security into account during those stages, be my guest.&lt;/p&gt;

&lt;p&gt;This is a step in the right direction and a pragmatic one that takes into account developer needs and constraints instead of the other way around.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/705521169</link><guid>http://blog.upbeat.fr/post/705521169</guid><pubDate>Wed, 16 Jun 2010 22:30:27 +0200</pubDate><category>security</category><category>security tool</category><category>Secure Development</category><category>Development Lifecycle</category><category>Framework</category></item><item><title>Please, View it Large on Black.

Mamiya C330, 80mm lens, f/22,...</title><description>&lt;img src="http://25.media.tumblr.com/tumblr_l1ds0n6RjP1qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;strong&gt;Please&lt;/strong&gt;, &lt;a href="http://decluttr.com/4548061336" rel="nofollow"&gt;View it Large on Black&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Mamiya C330, 80mm lens, f/22, 1/500, Kodak Tri-X 400, no light metering (guess work).&lt;/p&gt;

&lt;p&gt;Exposure number: 3.&lt;/p&gt;

&lt;p&gt;Changes to the original: none.&lt;/p&gt;

&lt;p&gt;I wanted an old-looking picture here that doesn’t look like it’s been taken in 2010. The Mini Cooper is an old model, and in such an environment with old buildings I decided to give it a shot. Also, the café on the left is called “Le Progrès”, which means “Progress” in French.&lt;/p&gt;

&lt;p&gt;If I had followed the Sunny f/16 rule strictly speaking (well, “strictly” might not apply to such a rule), I would have exposed for the shades and selected f/8 or f/11 instead of f/22. I am happy with the results, as the picture is underexposed the way I wanted it.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/545414324</link><guid>http://blog.upbeat.fr/post/545414324</guid><pubDate>Sat, 24 Apr 2010 14:29:11 +0200</pubDate><category>photography</category><category>mamiya c330</category><category>mamiya</category><category>Black and White</category><category>france</category><category>Paris</category><category>kodak</category><category>Film</category><category>Kodak Tri-X 400</category></item><item><title>Most-Industrial Intruders In a Post-Industrial Scene

Please,...</title><description>&lt;img src="http://28.media.tumblr.com/tumblr_l0yz88euk01qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;strong&gt;Most-Industrial Intruders In a Post-Industrial Scene&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Please&lt;/em&gt;, &lt;a href="http://decluttr.com/4522921788"&gt;View it on black&lt;/a&gt;.
Mamiya C330, 80mm lens, f/11, 1/125, Kodak Ektar 100, no light metering (Sunny f/16).&lt;/p&gt;

&lt;p&gt;Exposure number: 2.&lt;/p&gt;

&lt;p&gt;Changes to the original: B/W treatment, picture straightening.&lt;/p&gt;

&lt;p&gt;I fell in love with this old house at first sight, but then my vision was disturbed by the shiny Porsche and the Renault Scenic on the left. They just didn’t fit in the scene. I was about to push the shutter button when my eye caught sight of the bike coming from afar. Remember that the Mamiya’s viewfinder is horizontal and you look at it from above, without your eyes being “stuck” in it like in your typical SLR/DSLR; that’s how I could see the bike coming. So I waited for it to be between the two cars and there you go!&lt;/p&gt;

&lt;p&gt;While the Kodak Ektar 100 is color neg and I liked the way this picture looked with colors on, I think that B/W is better for this kind of scene.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/525698938</link><guid>http://blog.upbeat.fr/post/525698938</guid><pubDate>Fri, 16 Apr 2010 14:40:56 +0200</pubDate><category>photography</category><category>mamiya</category><category>mamiya c330</category><category>film</category><category>kodak</category><category>EKTAR 100</category><category>Sables d'Olonne</category><category>France</category></item><item><title>Please, view it on black!

The following picture was taken in...</title><description>&lt;img src="http://30.media.tumblr.com/tumblr_l0vladw2JP1qb8380o1_400.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;strong&gt;Please&lt;/strong&gt;, &lt;a href="http://decluttr.com/4520550529" rel="nofollow"&gt;view it on black&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;The following picture was taken in Chateau d’Olonne, Vendée, France with a Panasonic Lumix DMC-LX3 compact camera.&lt;/p&gt;

&lt;p&gt;On the day it was taken, there was some pretty heavy wind and the ocean was agitated.&lt;/p&gt;

&lt;p&gt;This place is called Puits d’enfer (Hell Pit). It is pretty intriguing as the foam from the ocean’s water looks like milk.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/521141408</link><guid>http://blog.upbeat.fr/post/521141408</guid><pubDate>Wed, 14 Apr 2010 18:47:00 +0200</pubDate><category>photography</category><category>panasonic</category><category>Lumix</category><category>LX3</category><category>Black and White</category><category>Digital</category><category>Chateau d'Olonne</category><category>France</category><category>Vendée</category><category>Puits d'enfer</category></item><item><title>Mamiya C330, 80mm lens, f/11, 1/125, Kodak Ektar 100, no light...</title><description>&lt;img src="http://27.media.tumblr.com/tumblr_l0tsp7UhvC1qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Mamiya C330, 80mm lens, f/11, 1/125, Kodak Ektar 100, no light metering (guess work).&lt;/p&gt;

&lt;p&gt;Exposure number: 6.&lt;/p&gt;

&lt;p&gt;Changes to the original: none.&lt;/p&gt;

&lt;p&gt;I spotted this church entrance while strolling with my relatives in downtown Sables d’Olonne. Mostly aged persons went in and came out through this door. What drew my attention is of course the obvious association between the very old-looking stones of this particular church’s walls (the Atlantic Ocean is probably 400 meters at most from this place) and the aged persons. So I decided to just stand there and wait. My back was against a closed shop’s window, hence the rather tight framing, and I was expecting someone like the woman featured in the picture. A few persons came out but, though aged, they looked in pretty good shape. Then this woman came out and I closed the shutter, and only then did I realize that I had an Ektar 100 film loaded and not some nifty XP2 400 ;-).&lt;/p&gt;

&lt;p&gt;While the picture doesn’t look particularly straight, that’s because the steps are a bit of a slope…&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/518674205</link><guid>http://blog.upbeat.fr/post/518674205</guid><pubDate>Tue, 13 Apr 2010 19:31:55 +0200</pubDate><category>photography</category><category>mamiya c330</category><category>mamiya</category><category>film</category><category>kodak</category><category>ektar 100</category><category>medium format</category></item><item><title>Mamiya C330, 80mm lens, f/4, 1/500, Ilford XP2 400, no...</title><description>&lt;img src="http://30.media.tumblr.com/tumblr_l0p80wpmbz1qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Mamiya C330, 80mm lens, f/4, 1/500, Ilford XP2 400, no light metering (Sunny f/16).&lt;/p&gt;

&lt;p&gt;Exposure number: 2.&lt;/p&gt;

&lt;p&gt;Changes to the original: none.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/512452470</link><guid>http://blog.upbeat.fr/post/512452470</guid><pubDate>Sun, 11 Apr 2010 08:14:56 +0200</pubDate><category>rue taylor</category><category>Paris</category><category>France</category><category>photography</category><category>mamiya</category><category>mamiya c330</category><category>film</category><category>ilford xp2</category></item><item><title>Villa du Lavoir.

Mamiya C330, 80mm lens, f/2.8, 1/500, Ilford...</title><description>&lt;img src="http://24.media.tumblr.com/tumblr_l0k7niiYEc1qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Villa du Lavoir.&lt;/p&gt;

&lt;p&gt;Mamiya C330, 80mm lens, f/2.8, 1/500, Ilford XP2 400, no light metering (guess work).&lt;/p&gt;

&lt;p&gt;Exposure number: 3.&lt;/p&gt;

&lt;p&gt;Changes to the original: exposure adjusted by -0.75 to show some details at the far end and the walls surrounding the woman.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/505669961</link><guid>http://blog.upbeat.fr/post/505669961</guid><pubDate>Thu, 08 Apr 2010 15:18:53 +0200</pubDate><category>Villa du Lavoir</category><category>Paris</category><category>France</category><category>photography</category><category>Film</category><category>Mamiya</category><category>Mamiya C330</category><category>Ilford XP2</category></item><item><title>The Story of Bottled Water, by the creators of the Story of...</title><description>&lt;object width="400" height="254"&gt;&lt;param name="movie" value="http://www.youtube.com/v/Se12y9hSOM0&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/Se12y9hSOM0&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1" type="application/x-shockwave-flash" width="400" height="254" allowFullScreen="true" wmode="transparent"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;The Story of Bottled Water, by the creators of the &lt;a href="http://www.storyofstuff.com/"&gt;Story of Stuff&lt;/a&gt;.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/469878051</link><guid>http://blog.upbeat.fr/post/469878051</guid><pubDate>Wed, 24 Mar 2010 10:04:24 +0100</pubDate><category>Environment</category><category>Water</category><category>Economy</category><category>Health</category><category>Marketing</category><category>Ecology</category></item><item><title>Visual Pollution on Pont des Arts</title><description>&lt;p&gt;&lt;img align="right" src="http://farm5.static.flickr.com/4014/4427607771_4a50ff4d42_m.jpg" width="240" height="240" alt="Let's Straighten It Out"/&gt;A few days ago, I was taking a nice walk after lunch on &lt;i&gt;Pont des Arts&lt;/i&gt; when I came 
across a rather huge number of padlocks hanging from the bridge’s sides. At first, I was puzzled. Who would hang so many padlocks on such a nice bridge and mess with the visual harmony of the scenery? Closing in, I started noticing names written or engraved on most of them. Was it some sort of &lt;i&gt;happening&lt;/i&gt; or some student party gone wrong? Taking a closer look at the names, a pattern began to emerge. The names always came in pairs. Two first names: a boy’s first name and a girl’s first name. Oh… Let me guess… lovers, right?&lt;/p&gt;

&lt;p&gt;When I got back to the office, I showed the pictures I had taken to a few coworkers, who didn’t have a single clue about what these padlocks mean. So I rubbed my Internet magic lamp (Bing; it used to be something called Google before) and &lt;a href="http://www.parisianevents.com/parisianparty/love-locks-on-the-pont-des-arts-paris/"&gt;the answer&lt;/a&gt; was revealed to me.&lt;/p&gt;

&lt;p&gt;These padlocks symbolize love, hence their name, lovelocks (any relationship with Lovelock, Nevada?). On &lt;em&gt;Valentine’s Day&lt;/em&gt;, lovers would go for a nice romantic stroll to the bridge, hang their padlock engraved with their names on the side of the bridge, throw the key in the Seine (like it wasn’t polluted enough already…) and walk away, leaving their ever-lasting love symbol behind (!).&lt;/p&gt;

&lt;p&gt;OK, I let the Parisian inside of me speak here. I have nothing against love, far from it. However, I don’t like pollution, be it visual (ugly padlocks all over the sides of a wonderful bridge in the heart of Paris), physical (so many rotting keys in the Seine…) or otherwise.&lt;/p&gt;

&lt;p&gt;I am calling out to all the padlock hangers out there. How about keeping your love to yourself for once or go back to engraving your names on trees (you do know that you hurt them by doing so right?). Let me take this idea back. I have a better one: permanent tattoos! That way, you will always see that symbol wherever you go and not on every full moon when you walk on &lt;em&gt;Pont des Arts&lt;/em&gt; by pure coincidence and then remember that you had a padlock on the side of the bridge only to find out that the city janitors broke it and trashed it…&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/444209612</link><guid>http://blog.upbeat.fr/post/444209612</guid><pubDate>Sat, 13 Mar 2010 01:17:00 +0100</pubDate><category>Pont des Arts</category><category>Paris</category><category>Lovelock</category><category>Valentine's Day</category><category>Pollution</category><category>Seine</category></item><item><title>Considering Transportation Options</title><description>&lt;img src="http://29.media.tumblr.com/tumblr_kz50404FZ41qb8380o1_500.jpg"/&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Considering Transportation Options&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/441849540</link><guid>http://blog.upbeat.fr/post/441849540</guid><pubDate>Thu, 11 Mar 2010 22:38:23 +0100</pubDate><category>Photography</category><category>Monochrome</category><category>Panasonic</category><category>Lumix</category><category>DMC-LX3</category></item><item><title>Nessus 4.2: Displaying Scan Differences Using XMLRPC </title><description>&lt;p&gt;On Tenable Network Security’s Nessus Discussions Forum, &lt;a href="https://discussions.nessus.org/message/5438#5438"&gt;user Steve Chan asks&lt;/a&gt; whether it is possible to use the XMLRPC interface of Nessus 4.2 to display the differences between a scan report and another one, used as a comparison baseline.&lt;/p&gt;

&lt;p&gt;This is one of the new features offered by Nessus 4.2 and &lt;a href="http://blog.upbeat.fr/post/407107943/automating-scans-on-nessus-4-2"&gt;one that I haven’t felt the need to fiddle with&lt;/a&gt; since I do all my comparisons using home-cooked scripts during &lt;a href="http://blog.upbeat.fr/post/420089425/nessus-v2-file-format"&gt;.nessus v2 file post-processing&lt;/a&gt;. But those of you who’d rather use the native XMLRPC interface have a way out &lt;a href="https://discussions.nessus.org/message/5437#5437"&gt;as Renaud Deraison pointed out&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;to compare reports f2525b2f-8f30-70a0-2e12-2324323c96599c9136dce42ef3db (old) and fbaacdfb-6fc2-2a0c-168b-de748fd0c00dc6f8f750bde6933f (new), you’d do&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;wget --post-data 'token=xxxx&amp;report=diff-fbaacdfb-6fc2-2a0c-168b-de748fd0c00dc6f8f750bde6933f-f2525b2f-8f30-70a0-2e12-2324323c96599c9136dce42ef3db' &lt;a href="https://your.scanner/file/report/download/"&gt;https://your.scanner/file/report/download/&lt;/a&gt;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;As you can see, you’d need to keep track of the report UUIDs (unique identifiers that distinguish each report). If you are scanning multiple sites, you’d also need to keep track of which UUID corresponds to which site, which one is the baseline, etc. This usually means some kind of database.&lt;/p&gt;

&lt;p&gt;To spare myself the hassle of maintaining yet another piece of software and yet more code to talk to a database, I opted for another option. I generate my own UUIDs but instead of random numbers and letters I use the site’s name and current date (up to the &lt;em&gt;usec&lt;/em&gt;) as the &lt;em&gt;readableName&lt;/em&gt; (the human-readable name you can associate with each scan you submit to Nessus 4.2).&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/440903554</link><guid>http://blog.upbeat.fr/post/440903554</guid><pubDate>Thu, 11 Mar 2010 10:20:14 +0100</pubDate><category>Nessus</category><category>Nessus 4.2</category><category>Scan Automation</category><category>Scanner</category><category>vulnerability</category><category>xmlRpc</category></item><item><title>"[…] when researchers extract a single food from a diet of proven value, it usually fails to..."</title><description>“[…] when researchers extract a single food from a diet of proven value, it usually fails to adequately explain why the people living on that diet live longer or have lower rates of heart disease or cancer than people eating a modern Western diet. &lt;em&gt;The whole of a dietary pattern is evidently greater than the sum of its parts&lt;/em&gt;. [emphasis added]”&lt;br/&gt;&lt;br/&gt; - &lt;em&gt;Pollan, Michael. &lt;a href="http://www.amazon.com/Defense-Food-Eaters-Manifesto/dp/0143114964/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1266913188&amp;sr=8-1"&gt;In Defense of Food: An Eater’s Manifesto&lt;/a&gt;, Paperback edition, page 178. 
Penguin Books.&lt;/em&gt;</description><link>http://blog.upbeat.fr/post/423867600</link><guid>http://blog.upbeat.fr/post/423867600</guid><pubDate>Wed, 03 Mar 2010 10:00:00 +0100</pubDate><category>diet</category><category>michael pollan</category><category>health</category><category>Western diet</category><category>book</category></item><item><title>"When Coca-Cola begins selling organic Coke, as it surely will, the company will have struck a blow..."</title><description>“When Coca-Cola begins selling organic Coke, as it surely will, the company will have struck a blow for the environment perhaps, but not for our health. &lt;em&gt;Most consumers automatically assume that the word “organic” is synonymous with health, but it makes no difference to your insulin metabolism if the high-fructose corn syrup in your soda is organic&lt;/em&gt;. [emphasis added]”&lt;br/&gt;&lt;br/&gt; - &lt;em&gt;Pollan, Michael. &lt;a href="http://www.amazon.com/Defense-Food-Eaters-Manifesto/dp/0143114964/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1266913188&amp;sr=8-1"&gt;In Defense of Food: An Eater’s Manifesto&lt;/a&gt;, Paperback edition, page 170. Penguin Books.&lt;/em&gt;</description><link>http://blog.upbeat.fr/post/421728637</link><guid>http://blog.upbeat.fr/post/421728637</guid><pubDate>Tue, 02 Mar 2010 10:00:56 +0100</pubDate><category>diet</category><category>health</category><category>coca-cola</category><category>organic</category><category>michael pollan</category><category>corn</category><category>syrup</category></item><item><title>Nessus 4.2: .nessus v2 file format for the masses</title><description>&lt;p&gt;Since the release of Nessus 4.2, a new report file format -dubbed &lt;em&gt;v2&lt;/em&gt; or &lt;em&gt;.nessus v2&lt;/em&gt;- has been pushed forward. &lt;a href="http://www.youtube.com/watch?v=lVJVRywgmYM"&gt;Quoting Tenable Network Security&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;‘An updated .nessus file format (.nessus v2) is now available, which allows for easier parsing of report data. Descriptions can now be split into different labels such as CVSS base scores, risk factors and more. A “HostProperties” section contains information about each host which can be extracted easily (MAC addresses, operating system, etc.)’&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;While maintaining the XML encoding of the old &lt;em&gt;.nessus v1&lt;/em&gt; format, the new &lt;em&gt;.nessus v2&lt;/em&gt; format is, as Tenable Network Security wrote, easier to parse. But enough talking; let’s delve a bit into this new format, shall we?&lt;/p&gt;

&lt;h3&gt;What Does It Look Like?&lt;/h3&gt;

&lt;p&gt;A picture is worth a thousand words, right? ;-)&lt;/p&gt;

&lt;center&gt;&lt;img src="http://media.tumblr.com/tumblr_kym28qW9xH1qam2fp.jpg" alt="Nessus v2 report file format"/&gt;&lt;/center&gt;

&lt;p&gt;If you were accustomed to the &lt;em&gt;.nessus v1&lt;/em&gt; format, one of the first things you would notice is that the root node is now &lt;em&gt;NessusClientData_v2&lt;/em&gt; instead of &lt;em&gt;NessusClientData&lt;/em&gt;. Moreover, each scanned host (&lt;em&gt;ReportHost&lt;/em&gt; node) has now a nice &lt;em&gt;HostProperties&lt;/em&gt; subnode.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;HostProperties&lt;/em&gt; provides a set of subnodes, all named &lt;em&gt;tag&lt;/em&gt; but with different attributes. The following &lt;em&gt;tag&lt;/em&gt; nodes are always present:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;tag name="HOST_END"&lt;/code&gt;: time at which the scan has finished&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;tag name="HOST_START"&lt;/code&gt;: time at which the scan has started&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The following &lt;em&gt;tag&lt;/em&gt; nodes are not always present as they depend on whether or not Nessus is able to discover some extra information about the host:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;tag name="operating-system"&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tag name="mac-address"&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tag name="host-ip"&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tag name="host-fqdn"&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tag name="netbios-name"&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Vulnerabilities, Defined&lt;/h3&gt;

&lt;p&gt;Often, I use Nessus to detect remotely-exploitable vulnerabilities only (as I consider that once an attacker has a foothold on a system, it’s game over for the defender no matter what privileges the attacker had at the beginning). In this particular case, the &lt;em&gt;ReportItem&lt;/em&gt; node has 7 attributes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;port&lt;/code&gt;: TCP/IP port on which the vulnerability was detected&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;svc_name&lt;/code&gt;: service name&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;protocol&lt;/code&gt;: do I really need to explain this one?&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;severity&lt;/code&gt;: a value ranging from 1 (low) to 3 (high) evaluating how critical the vulnerability is&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;pluginID&lt;/code&gt;: Nessus plugin identifier&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;pluginName&lt;/code&gt;: human-readable name of the plugin&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;pluginFamily&lt;/code&gt;: family to which the plugin belongs.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Here is an example:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;ReportItem port="80" svc_name="http?" protocol="tcp"
severity="3" pluginID="33849" pluginName="PHP &lt; 4.4.9 Multiple Vulnerabilities"
pluginFamily="CGI abuses"&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Each &lt;em&gt;ReportItem&lt;/em&gt; node has several children, some of them not always present:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;synopsis&lt;/code&gt;: a brief description of the vulnerability&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;description&lt;/code&gt;: a more thorough description of the vulnerability&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;solution&lt;/code&gt;: vulnerability remediation&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;risk_factor&lt;/code&gt;: human-readable form of the &lt;code&gt;severity&lt;/code&gt; attribute (Low, High…)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cvss_vector&lt;/code&gt;: &lt;a href="http://www.first.org/cvss/cvss-guide.html#i2.4"&gt;CVSS v2 vector&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cvss_base_score&lt;/code&gt;: &lt;a href="http://www.first.org/cvss/cvss-guide.html#i3.2.1"&gt;CVSS v2 base score&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;see_also&lt;/code&gt;: contains a URL for further reference. There may be zero or more such elements&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;plugin_output&lt;/code&gt;: if present, this element provides the output of the plugin&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;plugin_version&lt;/code&gt;: plugin revision information. This can be useful when you need to check whether you have the latest version or not&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;bid&lt;/code&gt;: provides the Bugtraq ID. There may be zero or more such elements&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;cve&lt;/code&gt;: provides &lt;a href="http://cve.mitre.org/"&gt;CVE&lt;/a&gt; data. There may be zero or more such elements&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;xfref&lt;/code&gt;: provides pointers to other vulnerability databases such as &lt;a href="http://osvdb.org/"&gt;OSVDB&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;plugin_publication_date&lt;/code&gt;: well, I guess you can see what it may contain. Not always present&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;vuln_publication_date&lt;/code&gt;: same here ;-) and not always present too.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Important Note&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://discussions.nessus.org/message/5287#5287"&gt;As Renaud Deraison pointed out&lt;/a&gt;, the list of subnodes under &lt;em&gt;ReportItem&lt;/em&gt; is meant to be “open”. Tenable Network Security can and will add new fields to it from time to time. So if you are writing a &lt;em&gt;.nessus v2&lt;/em&gt; format parser, it must ignore unhandled nodes instead of raising errors.&lt;/p&gt;

&lt;h3&gt;Well…&lt;/h3&gt;

&lt;p&gt;… I think this is pretty much what you need to know about the Nessus v2 report file format. If you spot any mistake or any missing important piece of information, please let me know by commenting on this blog entry.&lt;/p&gt;

&lt;p&gt;Until then, I wish you some happy parsing and fiddling with XPath ;-)&lt;/p&gt;

&lt;p&gt;—&gt; Edited on 2010/03/02 to Add: Note about the list of &lt;em&gt;ReportItem&lt;/em&gt; subnodes being “open” + remove XML tag “&lt;” and “&gt;” in the &lt;em&gt;ReportItem&lt;/em&gt; example and the &lt;em&gt;tag&lt;/em&gt; subnodes because they are not displayed correctly by Google Reader.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/420089425</link><guid>http://blog.upbeat.fr/post/420089425</guid><pubDate>Mon, 01 Mar 2010 17:44:00 +0100</pubDate><category>Nessus</category><category>Nessus 4.2</category><category>.nessus</category><category>XML</category><category>XPath</category><category>Description</category><category>Vulnerability</category><category>Scanner</category><category>Security</category></item><item><title>Protect Your Tumblr Private Email Address. Dearly.</title><description>&lt;p&gt;A few days ago, I decided to host my blog on &lt;a href="http://www.tumblr.com/"&gt;Tumblr&lt;/a&gt;. The feature set, UI and companion applications offered by this popular blogging platform suit my needs and give me a lot of flexibility with regard to my posting patterns.&lt;/p&gt;

&lt;p&gt;One of the features it offers is the possibility to &lt;a href="http://www.tumblr.com/docs/en/email_publishing"&gt;publish posts by sending emails to a private email address&lt;/a&gt;. This is particularly nice if you are on the road with no or intermittent Internet access, for example. You can just write the email and “send” it. It will then be queued for delivery by your mail client. Moreover, email posting is very flexible, as &lt;a href="http://staff.tumblr.com/post/36234584/markdown-now-supported-via-email-mobile"&gt;you can use Markdown to nicely format your post&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;However &lt;strong&gt;this flexibility comes at a cost in terms of security&lt;/strong&gt;. Earlier today, &lt;a href="http://betabug.ch/"&gt;Sascha&lt;/a&gt; and I tested the security of this service. I gave him my private email address -something an “attacker” might obtain while shoulder surfing for example- and he successfully posted to my blog using his own email address and without faking the email headers of my regular mail client. And as my blog is configured to automatically push posts to Twitter and FaceBook, his fake post appeared there as well.&lt;/p&gt;

&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_kylwa3Oe7g1qam2fp.jpg" alt=""/&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Tumblr&lt;/em&gt; doesn’t notify you when someone posts from an email address that was never used before, and there is no access list functionality that allows you to whitelist the email addresses authorized to post to your blog. Last but not least, I haven’t found a way to turn off email posting altogether.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://betabug.ch/blogs/ch-athens/1047"&gt;Sascha has a very nice write-up about this&lt;/a&gt;. &lt;strong&gt;Highly recommended read!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Conclusion: &lt;strong&gt;Protect your Tumblr private email address dearly&lt;/strong&gt;.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/419891856</link><guid>http://blog.upbeat.fr/post/419891856</guid><pubDate>Mon, 01 Mar 2010 15:10:21 +0100</pubDate><category>Tumblr</category><category>Blog</category><category>Security</category><category>Email</category><category>Privacy</category></item><item><title>"Is a steak from a feedlot steer that consumed a diet of corn, various industrial waste products,..."</title><description>“Is a steak from a feedlot steer that consumed a diet of corn, various industrial waste products, antibiotics, and hormones still a “whole food”? I’m not so sure. The steer has itself been raised on a Western diet, and that diet has rendered its meat substantially different -in the type and amount of fat in it as well as its vitamin content- from the beef our ancestors ate. The steer’s industrial upbringing has also rendered its meat so cheap that we’re likely to eat more of it more often than our ancestors ever would have.”&lt;br/&gt;&lt;br/&gt; - &lt;em&gt;Pollan, Michael. &lt;a href="http://www.amazon.com/Defense-Food-Eaters-Manifesto/dp/0143114964/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1266913188&amp;sr=8-1"&gt;In Defense of Food: An Eater’s Manifesto&lt;/a&gt;, Paperback edition, page 143. Penguin Books.&lt;/em&gt;</description><link>http://blog.upbeat.fr/post/419561684</link><guid>http://blog.upbeat.fr/post/419561684</guid><pubDate>Mon, 01 Mar 2010 10:00:00 +0100</pubDate><category>Diet</category><category>Health</category><category>michael pollan</category><category>food</category><category>book</category><category>meat</category></item><item><title>"Diabetes is well on its way to becoming normalized in the West -recognized as a whole new..."</title><description>“Diabetes is well on its way to becoming normalized in the West -recognized as a whole new demographic and so a major marketing opportunity. 
Apparently it is easier, or at least a lot more profitable, to change a disease of civilization into a lifestyle than it is to change the way that civilization eats.”&lt;br/&gt;&lt;br/&gt; - &lt;em&gt;Pollan, Michael. &lt;a href="http://www.amazon.com/Defense-Food-Eaters-Manifesto/dp/0143114964/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1266913188&amp;sr=8-1"&gt;In Defense of Food: An Eater’s Manifesto&lt;/a&gt;, Paperback edition, page 136. Penguin Books.&lt;/em&gt;</description><link>http://blog.upbeat.fr/post/417255228</link><guid>http://blog.upbeat.fr/post/417255228</guid><pubDate>Sun, 28 Feb 2010 10:00:00 +0100</pubDate><category>Diabetes</category><category>Disease</category><category>Health</category><category>Capitalism</category><category>Marketing</category><category>Book</category><category>Micha</category><category>Diet</category></item><item><title>"Much more so than the human body, capitalism is marvelously adaptive, able to turn the problems it..."</title><description>“Much more so than the human body, capitalism is marvelously adaptive, able to turn the problems it creates into new business opportunities: diet pills, heart bypass operations, insulin pumps, bariatric surgery. But though fast food may be good business for the health care industry, the cost to society -an estimated $250 billion a year in diet-related health care costs and rising rapidly- cannot be sustained indefinitely.”&lt;br/&gt;&lt;br/&gt; - &lt;em&gt;Pollan, Michael. &lt;a href="http://www.amazon.com/Defense-Food-Eaters-Manifesto/dp/0143114964/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1266913188&amp;sr=8-1"&gt;In Defense of Food: An Eater’s Manifesto&lt;/a&gt;, Paperback edition, pages 135-136. 
Penguin Books.&lt;/em&gt;</description><link>http://blog.upbeat.fr/post/415077495</link><guid>http://blog.upbeat.fr/post/415077495</guid><pubDate>Sat, 27 Feb 2010 10:00:00 +0100</pubDate><category>michael pollan</category><category>health</category><category>book</category><category>capitalism</category><category>diet</category><category>disease</category><category>business</category></item><item><title>FireFox: Taskfox and Ubiquity</title><description>&lt;a href="http://news.softpedia.com/news/Introducing-the-Firefox-Taskfox-Prototype-109055.shtml"&gt;FireFox: Taskfox and Ubiquity&lt;/a&gt;: &lt;p&gt;Call me a caveman, but I knew nothing about these two Mozilla projects until a few minutes ago, while catching up with &lt;a href="http://osnews.com/story/22927/Where_Is_Mozilla_Ubiquity_"&gt;OSNews&lt;/a&gt;. You can skip the text on that page and go straight to the two videos at the bottom.&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/413207276</link><guid>http://blog.upbeat.fr/post/413207276</guid><pubDate>Fri, 26 Feb 2010 13:59:16 +0100</pubDate></item><item><title>Christian Scott is one of the best Jazz artists I know of. His...</title><description>&lt;object width="400" height="253"&gt;&lt;param name="movie" value="http://www.youtube.com/v/0-VdjW34mws&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/0-VdjW34mws&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1" type="application/x-shockwave-flash" width="400" height="253" allowFullScreen="true" wmode="transparent"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;&lt;a href="http://www.christianscott.net/"&gt;Christian Scott&lt;/a&gt; is one of the best Jazz artists I know of. His latest release, &lt;em&gt;Yesterday You Said Tomorrow&lt;/em&gt;, is simply a &lt;strong&gt;masterpiece&lt;/strong&gt;. 
I’ve seen him play live at the &lt;a href="http://www.newmorning.com/fr/accueil.asp"&gt;New Morning&lt;/a&gt; in Paris twice (last year and a few days ago). Totally awesome! As of this writing, I’ve listened to his latest album 36 times since adding it to my iTunes library on Feb 7th, 2010…&lt;/p&gt;</description><link>http://blog.upbeat.fr/post/412980159</link><guid>http://blog.upbeat.fr/post/412980159</guid><pubDate>Fri, 26 Feb 2010 10:00:00 +0100</pubDate><category>Jazz</category><category>Music</category><category>Trumpet</category><category>Live</category><category>Concert</category><category>Christian Scott</category></item></channel></rss>
