PCI, Compliance, and Security from UncommonSenseSecurity
This is one of my favorite blog posts ever. I’m going to print it out and hand it to every single person who works with or around PCI. If you’re on Twitter, you’ve witnessed the back and forth(s), sometimes at nauseam. The reality of the situation is that both sides are right! Using standards, of any sorts, as the high stick for your security posture is bad. For the simple reason that each and every system, application, and infrastructure is different – simply applying a blanket set of requirements will inevitably leave some holes exposed. Security professionals should be able to take these standards and use them a crutch to convince executives and build an effective security program. Shouldn’t be hard, Mr. Carr thought that checkboxes made his customers’ data secure.

Yahoo!, Paypal, Google, Equifax, AOL, Verisign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity for Open Government from InformationCard.net
In case you missed the announcement this week, the U.S. Center for Information Technology (CIT), the National Institutes of Health (NIH), and the U.S. Department of Health and Human Services (HHS) partnered with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) to add support for OpenID and Information Card technologies. This partnership follows President Obama’s memorandum instructing Government websites to allow citizens to participate in said websites without having to create additional usernames and passwords. I would specifically like to highlight AOL’s participation in this initiative which has been spearheaded by my colleague George Fletcher (http://practicalid.blogspot.com/). Congrats George, all that hard work and meetings has paid off big!

Good vs. Good Enough from PreachSecurity
This is a really interesting (and simple) approach to scoping. Lets say your site is a mildly interactive blog, like a generic Honda Civic with the bare bones accessory package and a stick shift. Setting your club and locking your doors is really all you need to do, unless you’re one of those really paranoid people. On the other hand, if you drive a Ferrari with every luxury option and a laptop with $20k in cash on the passenger seat, you’re not only going to set your club and lock your doors, you’re also going to install an alarm, lo-jack, and possibly post a very large and menacing looking man to stand guard. Not only that, but if the laptop and the 20k in the passenger belong to me and you’re responsible for keeping them safe, I expect you to post 2 very large and menacing men outside your car. Here’s another great post from @rybolov with a similar tone, but focusing more on motives and opportunities – http://www.guerilla-ciso.com/archives/1312

Interview about AppSec DC with OWASPs Doug Wilson from NoVAInfoSecPortal
GREAT interview by my DC area peers @grecs and @dallendoug…but, I might be a little biased as I volunteer with Doug on the AppSec DC planning committee. The interview covers questions and answers ranging from a preview of the conference training and speaking engagements, the need for volunteers (REALLY, WE NEED VOLUNTEERS, INQUIRE WITHIN!), and who would benefit from attending the conference (spoiler alert! – EVERYONE can benefit from this conference, it’s going to be the best WebAppSec con the DC area has ever seen). Once you’ve read the interview, cruise on over to http://appsecdc.org/ and checkout the training courses and conference speaker lineup, I promise you won’t be disappointed.

Finally, I would be doing myself a disservice if I didn’t give a link to NoVAInfoSecPortal who was kind enough to have me as a guest blogger this week. Checkout “What?! No CI(S)O?*” – http://www.novainfosecportal.com/2009/09/09/what-no-ciso/

SMBs Opening Wallets for New Security from ChannelInsider.
As a perfect follow up to my previous commentary, this article provides analysis of the Spiceworks report on SMB (Small and Medium Businesses) IT spending. This article actually makes a great point in the middle of reporting that 32% of respondents plan on spending money on “add[ing] protective measures” – “What the Spiceworks survey indicates is that solution providers must impress upon SMBs the importance of comprehensive security measures that are tailored to their risk exposure and operational threats.” I do some consulting for a solutions provider (ZZServers.com) who offers dedicated and shared PCI environments to SMBs and online merchants. These services are aimed at alleviating the burden of maintaining a secure environment for payment processing vendors which in turn allows the SMBs to focus on their core business. OK, this might have sounded a bit like a sales pitch, but SMBs who cannot afford to secure their own environments might do well with outsourcing those functions to their hosting/solutions providers.

Pwning Opera Unite with Inferno’s Eleven from SecureThoughts.com.
This was one of my favorite reads this week. Opera Unite is likely going to be a pretty widely used service – after all, doesn’t everyone want pictures of their cats, fun quips, and documents posted online with the added benefit of choosing who can access them without having to worry about some social network’s terms of service and god like ability to erase all the content you’ve worked so hard to amass? (*cough*Facebook*cough) In any event, Inferno tore up Opera Unite finding CSRF vulnerabilities, XSS vulnerabilities, CSRF, insecure communication path for authentication, ability to host phish pages, and Clickjacking. One item that he didn’t touch on was the potential for using this service to host and distribute child pornography. Wonder if Opera has followed suit with Google, AOL, and Yahoo! to join forces with NCMEC.

Cross-protocol XSS with non-standard service ports from omg.wtf.bbq.
File this under “yet another awesome use for XSS”! Seriously, Arshan’s managed to leverage an XSS vulnerability to log into an FTP server (*provided the FTP server is hosted on a non-standard port)! Let’s consider another service that uses plain text to enable client/server communications: SMTP. Now lets consider that quite often, internal SMTP servers don’t (always) enforce authentication and authorization when relaying emails. Finally, consider that most modern business communications happen via email. This really spells disaster above and beyond the usual “Email from the CEO” pranks. What about account brute forcing? I’m glad you asked! Think of the POP3 service that might be exposed on your internal networks to support all those non-Windows folks. Seems like this approach could be used to perform password brute forcing on any service that uses text for client/server interactions.

Like Stealing Candy from a Baby from Digital Soapbox
Identity Thefts Use Dead Cardholders’ Data to Open Accounts from HostExploit.com
I can’t believe we haven’t solved this problem yet. For as far back as I can remember (and even before the proliferation of computers into our every day lives) there have been accounts of identity theft against the deceased. Whether it be to pad the vote count in elections, or simply assume a new identity in efforts to subvert the law, creditors, or a crazy ex-wife. What makes things worse is that the Federal Government could easily impose some basic regulations around proper care and protection of PII in this industry. Are we really making any headway in data privacy, or are we falling further behind due to new data systems being stood up quicker than we can secure them?

The Trials And Tribulations Of Public Sector CISOs from The Forrester Blog
I’m not sure why the author decided to go specifically with public sector CISOs, each of the 6 challenges laid out apply in the private sector as well!

1. Governor and Administration changes every four years. I know of companies where the leadership changes every 1 to 2 years. It’s not uncommon for the board of Directors to get frustrated with slow moving leadership and making swift moves to oust them. Furthermore, employee turnover happens almost yearly, it’s very difficult to lay out and execute a comprehensive strategy for information security with this kind of turmoil.
2. You are competing for budgets against pretty important priorities. Lets not forget that in the private sector, security is still viewed as a necessary cost center. Regulations such as PCI and SOX have given security departments some additional leverage for funds, but as we all know, “being XXX compliant” does not translate to a comprehensive security strategy roll out.
3. The IT environment consists of several dozen smaller agencies working independently. Unfortunately, this also applies in medium to large private companies as well. There are several silos with different roles and responsibilities who typically do not share many of the same processes and procedures.
4. No room for error. A mistake in the public sector might result in news headlines and leaders loosing their jobs. A mistake in the private sector could result in the company going out of business and hundreds (if not thousands) of employees loosing their jobs. You tell me which is worse.
5. Procurement processes are cumbersome. At least there’s money to procure. With the economic downturn, we in the private sector just feel fortunate to still have our jobs. We’re not even thinking of being able to purchase anything!
6. Public sector is subject to additional regulations. Well, I can’t disagree with you there, those FISMA checkboxes are hard to fill in.

http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/
One thing that Robert doesn’t really touch on is the ethical responsibility of product and software companies. While I concede that a machine ID and a user ID isn’t much in the grand scheme of things, but it’s yet another data element that Google has tied to our identities. Since I’m an avid Google Reader user, I decided to take a peak at the ever expanding social functionality in the app to connect with a few contacts. Google kept telling me I should customize my profile, so I did. In the portion where you provide your favorite URLs, there was a list of my accounts on various other sites (Twitter, Facebook, LinkedIn, Tumblr, etc). I was a little surprised to see all that information listed right there, even though I’ve searched for my name numerous times before and have seen them returned in results. Still, I can’t help wonder why they need to track that information? And more importantly at what point is aggregating that much public information a privacy issue? Think about it, Google AdSense is on the vast majority of webpages.

http://www.cio.com/article/499829/8_Dirty_Secrets_of_the_IT_Security_Industry
Dirty little secrets? Not so much, mostly just common sense. Companies that spend money on compliance tools end up sending out mass notices to their customers to inform them that their financial information has been stolen – soon enough, that knowledge will be as common as needing a network firewall. I’m not insinuating that compliance with industry guidelines and tools don’t have their place in the picture, but they need to be part of a comprehensive, planned, and human operated solution, not just a hodge podge of red/yellow/green status lights and checkboxes. The same money that is spend on the all ‘fix it fast’ and ‘compliance me’ (TM) solutions that really give you nothing except avoiding a fine can be re-invested into security staff that can plan and execute true solutions that will not only help you avoid fines, but will also give you true enterprise security.

http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security / http://danielmiessler.com/blog/password-reset-mechanisms-the-online-security-threat-nobodys-talking-about
I’m really glad this topic is getting some press. I wrote about ASQs a few months ago and have since been noticing some changes in the options available for password reset functionality. Google allows you to select between secondary email reset, SMS, and ASQ. Additionally, there’s a 24hrs waiting period after the email notification is sent out to the secondary email address before you can leverage the other 2 methods. Very nice. MyOpenID (my OpenID provider) offers password, certificate based authentication, and telephone based authentication – pretty awesome options! Alas, the recover password functionality simply sends an email with a 11 character variable that you click to recover your account. Not too happy about that. There you have it, Google has given some serious thought to security in password recovery, MyOpenID, not so much.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1366077,00.html#
Paper – http://conferences.sigcomm.org/sigcomm/2009/workshops/wosn/papers/p7.pdf
I applaud this kind of research. I think it’s critical that those of us who understand the importance of unique identifiers, data aggregation, cookies, URLs, and data privacy need to keep an eye out to the kind of data these sites are forcing our browsers to transmit without our knowledge. That being said, hopefully the majority of you are using AdBlock, RequestPolicy, NoScript and have your browser destroying cookies periodically. I will say that my curiosity got the best of me, and I spent some time running around the social networks with my local web proxy recording traffic and subsequently analyzing a lot of HTTP headers. Yes, there are unique identifiers, yes there are referrers, but at no point did I see any of the beacons even being provided any sort of PII. Do certain applications put PII in URLs? Sure, but I’m a little skeptical about just how much PII could be harvested. None the less, good study.

http://www.briansolis.com/2009/08/why-authenticity-matters/
This is a very interesting post, especially for those of us in the security community that are largely known by our screen name of choice. When I started blogging and joining up to the various social networks, I was compelled to use my own name…or the wadew variation – Woolwine is sometimes a lot for people to consume. I was determined for folks who read and follow my work online to be able to make the immediate connection should they ever meet me in person. But back to the article at hand, how do YOU know that I’m really Wade Woolwine? Honestly, you don’t. Even though I’ve executed on most of the items in the list (at least the personal blogging part) and have ClaimID, domain registrar, and OpenID, you still “trust” that I’m not John Smith who renamed himself Wade Woolwine to appear at the top of Google search results.

http://www.thetechherald.com/article.php/200935/4323/Criminals-sending-malicious-CDs-to-credit-unions
Social engineering is a required pillar in a number of different attacks. From XSS to SQLi, malware proliferation to CSRF all of these attacks (often) require that the attacker trick the user into visiting a URL crafted for disaster. So what are we (security professionals) doing about it? Security awareness training of course! But ask anyone around your company to give you 3 words to describe that training and you’ll likely hear terms like “boring”, “mandatory”, “pointless”, “waste of time”. How do we change this? How do we become more effective at socializing basic security practices like not clicking on random links without investigating them?

While I fully support and endorse the content of the article, I can already see the responses from some executives:

“Wow, this is really great, and I fully buy into it, but as it stands, there is REALLY no money extra money in the budget.”

What now? Hopefully, there are employees in your company who are responsible for managing servers, the domain, the networks/firewalls/IDS/IPS, and development efforts; but most importantly, you, who is concerned about the state of application security. Why not use some of the best resources from those groups to form an application security working group? I’ve found that no matter what the company, there are ALWAYS people that are interested in being able to devote some time to learning about how those sneaky hackers are able to break into so many systems. Furthermore, what (good) technologist wouldn’t be interested in expanding their skills?

I’m sure that you’ll encounter some resistance from employees and management alike, after all, time is valuable, but remember, Jeremiah and Jeff have already given you all the ammo you need; use it wisely.

Now that you’ve identified folks who are willing to donate some of their valuable time to this effort, your first step will be educating them about the various activities and processes involved with a complete application security program. Here’s a quick reminder:

• Design and architecture reviews and threat models where you work to identify flaws in the application design and architecture as well as imposing security requirements.
• Secure coding standards where you work to ensure that developers implement features such as input validation, authentication, authorization, and avoid creating flaws in the business logic as they move through implementation.
• Code reviews where through either automated or manual means, developers review their code with a focus on identifying any security issues.
• Testing and validation where you ensure that all requirements have been implemented according to design specs.
• Deployment and maintenance where you ensure that logs are being monitored, system patches are being kept up to date, and 3rd party libraries used in the application are kept up to date.

The chances are good that some of the folks that have chosen to join the security working group already have some valuable input to provide. For example, the sysadmins might have expertise in Apache, host configuration management, or IPTables. The network folks might have been exposed to web application firewall technology. The developers might have some great security specific libraries that they’ve used on past projects. All of this knowledge is valuable and already at your finger tips. For other topics, search around your social network, if you’re on Twitter, checkout @securitytwits, if you’re a member of OWASP, attend the meetings, talk to folks, try to get an idea of their expertise. Many of the seasoned security professionals who attend these meeting would be happy to come in and present at one of your groups meeting.

So, get out there, talk to people both within and outside of your company, not only will you expand your social network and improve your companies application security program, but you’ll also be giving new opportunities to those who join the security working group.

Jeremiah Grossman of WhiteHat Security will be in town and presenting his “Top 10 Web Application Hacking Techniques of 2008″ at the OWASP NoVA chapter meeting. Following the presentation, Jeremiah, myself and some other industry representatives will hold a panel discussion on the evolution of pen testing.

I invite you all to join me and the OWASP NoVA chapter members on April 8th at 6PM.

Here are the particulars:
Location:

Booz Allen and Hamilton
13200 Woodland Park Road
Herndon, VA 20171

RSVP:

This event does require an RSVP, please join the OWASP NoVA chapter mailing list and confirm your attendance.

You can also keep an eye on the OWASP NoVA Chapter website and @OWASPNoVA on Twitter.

Unfortunately, far too often, security folk forget that last one – the product users. All the quality assurance and security testing in the world won’t account for (hopefully) thousands of users and a few (hopefully) conscientious hackers who might be reporting issues.

So how would one go about accomplishing this task?

• Establish a public, well documented process for bugs to be reported
  This process might be as simple as providing an email address for reporting issues or as complex as a form which creates a ticket in a tracking system. The point is, you MUST have a way for feedback to be provided
• LISTEN AND RESPOND TO ALL FEEDBACK
  I can’t stress this enough! When you give users an avenue to report issues, you must accept and acknowledge all reports. When you ignore feedback, your customers get pissed. When you customers get pissed, they turn to any and all online avenues to bash the service and your lack of response. With services like Twitter, Facebook, and MySpace which thrive on user generated content, reputation can be affected within a matter of hours!
• Be where the feedback is
  Big news: the internet is searchable!
  • Google is a great tool for searching. Furthermore, Google will provide results in RSS feeds which can be loaded into your favorite Feed reader.
  • Twitter is where the people are! Twitter is also searchable and with tools like Tweetdeck and tweetbeeps.com it’s easy to capture tweets which mention your product.

So why do I feel the need to be captain obvious with this post? Well, far too often, as with most security researchers, I’ve reported issues in various products. Some owners have been very responsive while others don’t even bother responding with a form/canned response. With copycat products being released everyday, if you don’t take care of your users, they’ll go somewhere else.

For a good place to start on reputation checkout SpinHunters.com

Know that you are the right person for the job – Building a team of security professionals requires a strong understanding of many different areas of specialization in the computer field. You must not only have the people and business skills typically required in any other leadership role, but you must also have a deep understanding of technologies (both security and other) and how they inter operate to ensure reasonable protections against disasters. I’m not saying that you must be able to configure the PIX firewall, but you should understand it’s purpose, differences in firewall technologies, their challenges and how they play into the overall security architecture.

Know your mission – the first item of business is to determine what the security team is going to provide in terms of services for the enterprise. What are the problems that you were asked to solve by creating a security team? Some examples might include PCI/SOX/HIPAA compliance. Perhaps a savvy CEO has asked you to build enterprise security guidance in the form of policies, standards and baselines. Maybe you’ve inherited the network firewall ACL management, penetration testing, enterprise authentication management and product security design services to better serve the company’s need for IT Security.

Know your infrastructure – now that you’ve determined all aspects of the enterprise that are going to be under your control, it’s time to audit them and determine whether any security controls are already in place. Remember, you’re going to need to build the team to support and enhance these controls, this exercise will help you determine a required skill set. This is also the point at which you’re going to audit the parts of the enterprise you’re being tasked to protect. It is important to involve all stakeholders so that a single set of requirements can be derived for each of the security services. For example, if one of your tasks is to evaluate and standardize security controls over all production hosts, it’s important to determine the operational needs of the system administrators who manage these hosts and the developers who write the applications running on these hosts.

Team leads – Here’s where the size of the enterprise you’ve been tasked with protecting comes in. If you’re a small company, your “leadership team” might be 3 really talented individuals with whom you plan on dividing the responsibilities. On the other end of the spectrum, your leadership team might be 5 managers with teams of engineers to accomplish the work in a large enterprise environment. The people in your leadership team (whether the enterprise is big or small) must be colleagues that you trust will not only be able to help you execute your vision, but will also be able to provide valuable input to the plan. The leadership team must all share the same general understanding of enterprise security architecture components while maintaining a strong subject matter expertise in the specific technology areas which they are directly responsible for. For example, I would expect that your network team leader could not only lead the engineers on the team, but also be able to step up to the keyboard and fill an engineer’s shoes.

The engineering teams – Provided you’ve been given enough budget and are looking to secure a large enterprise, you’ll be looking to fill at least a couple vacancies on each team. The interviews should be conducted such that the candidate is not only demonstrating knowledge in the areas directly associated with the position they’re applying for but also in the other areas of responsibility for the security team. In addition to the usual traits you look for in a good candidate (good resume, demonstrated technical knowledge, good writing/communication skills, overall fun person), you are also looking for candidates who are not only experts in their fields, but possess a broad knowledge of technology in general. Don’t be afraid to conduct several interviews with several different people and keep the interviews challenging by presenting a real life security concern and have the candidate and interviewers solve it as a team.

Solve the problem on paper – Now that you have your awesome security team in place, it’s time to get them all together and lay out the problems you’ve been tasked with solving. This is when your vision for solving the problems gets mulled over and revised by your trusted colleagues. This exercise should not only add specific technology solutions to the plan, but will also allow everyone the opportunity to apply their knowledge and be invested in the final solutions.

Measure it – In any enterprise, progress must be measured to ensure some form of Return on Investment (ROI). Costs associated with technology purchases, staff salaries, and other activities will have to be be justified by demonstrating that the cost provides a reasonable assurance of protection against threats. Additionally, in the security world, a lot of useful planning information can be derived from tracking security metrics. For example, if the security assurance team is noticing a high number of input based vulnerabilities during their application assessments, perhaps some investment in secure development training for the dev teams is in order. Knowing which metrics to track as the plan is being built will facilitate the collection and tracking of the numbers.

I do realize this is pretty high level and lacking in specifics, but I wanted to be sure I highlighted the importance of shared technical security knowledge as a key factor in the success of the security plan and subsequent implementation. Furthermore, I beleieve that the same planning and executing techniques can be applied from the executive goals to the engineers’ individual goals and when given the chance to build those goals together, the likelyhood of a good plan being build and implemented increases greatly.

One of the primary destinations on the internet in 2008 was for social networking applications…also known as places where you put all your information to share it with your friends. Whether it’s a Facebook profile, a Twitter post history, a blog, MySpace page, or Google most people have published all the information required for the target account to me stolen. Need more proof?

• Sarah Palin Yahoo! account hacked
• Paris Hilton’s Sidekick hacked
• Fred Durst’s T-Mobile account hacked
• Google search results for: “security question” hacked

One of my motivations behind this post comes from when I checked my access logs and found that someone searching for “Wade Woolwine” birthday on Google and had ended up on my blog. Luckily, I don’t use my birthday for answers to security questions…but I now know that one of my accounts is being targeted.

It’s not likely that people will stop choosing bad security questions or publishing too much information about them on the internet. So how do we make this account management safeguard safer?

• Better Security Questions
  Enter a 6-10 digit code.
  Enter a backup password.
  Enter the last 4 digits of your drivers license.
• Photo security questions
  Allow the user to provide the security question by selecting an image or providing their own.
• Confirmation code sent over SMS
  For sites who use SMS for other purposes, a verification code can be sent to the registered mobile number.
• Delay email address change requests
  Impose a 24 hour delay for email address change requests. During that time, issue an email to both current and future email address explaining the email change request. The email to the current email address should include instructions on how to block the request should it be unauthorized.
• Identity certificates
  If the provider is able to issue client certificates for their visitors, these certificates can be used as a form of 2nd factor authentication.
• 2nd factor authentication service
  For banks and other financial institutions, leveraging a service such as Verisign VIP should be implemented. There would be an additional cost for the tokens to cover, but the added security becomes a marketing tool for the service.

I’m not sure if any of these options are truly viable as robust solutions for enhancements or replacements for security questions, but they would make targeting users’ accounts through social engineering more difficult.

mod_auth_kerb extends Apache’s Basic Auth functionality to authenticate enterprise users against Windows Active Directory using Kerberos tickets supported by Windows. mod_authnz_ldap can use the Active Directory LDAP server to evaluate any available LDAP field against administrator defined ACL. For example, Company X decides to use an Open Source web application but want to restrict access to those in the Active Directory Administrators group; mod_authnz_ldap can use the LDAP server to pull the Active Directory group for the user it’s authenticating and determine whether they are part of the Administrators group.

Here’s a quick summary of how to get it working:

1. Ensure that your Apache is build with –enable-ldap –enable-authnz-ldap –with-ldap.
2. Configure Apache to use mod_kerb_auth/Kerberos as it’s AuthType:
   http://koo.fi/tech/2008/06/18/apache-http-authentication-to-active-directory-with-kerberos/
3. Configure Apache to use mod_authnz_ldap to authorize access based on LDAP data:
   Global Apache configurations:
   LDAPTrustedMode SSL
   (optional) LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl/AOL_Member_CA.der # If the SSL certificate on ldaps is not recognized
   LDAPVerifyServerCert off

   Directory Apache configurations:
   RequireSSL # because you don’t want Active Directory credentials in the clear
   AuthLDAPURL ldaps://directoryserver:port/dc=somewhere,dc=com?cn SSL # where CN is the unique username
   AuthLDAPRemoteUserIsDN off
   AuthLDAPBindDN DNUsername
   AuthLDAPBindPassword DNPassword
   require ldap-attribute ldapfieldname = “ldapfieldvalue”
   require ldap-attribute ldapfieldname = “ldapfieldvalue”

4. Set Apache’s LogLevel to debug and start troubleshooting. Having an LDAP browser available to test will help you determine where the issues are when troubleshooting.

I ran into a small problem while getting this setup. I found that mod_auth_kerb was modifying the Apache Basic Auth “user” field from the username provided at login to username@realm. This might not be a problem in most cases, but for my implementation, username@realm was no where to be found in the Active Directory LDAP data. So, I did the following quick hacks to the mod_auth_kerb source code and recompiled:

• Comment out user = apr_pstrcat(r->pool, user, “@”, realm, NULL);
• Changed MK_USER = apr_pstrdup (r->pool, name); to MK_USER = apr_pstrdup (r->pool, sent_name);

This small change makes mod_auth_kerb return the username instead of username@realm. I’ve emailed the maintainers of mod_auth_kerb to see if they would consider adding an configuration flag to enable the stripping of @realm.

mod_auth_kerb supports SPNEGO (Windows Integrated Authentication support in IE and Firefox) which can provide Single Sign On for Windows users authenticated to the Active Directory.

• IE: http://support.microsoft.com/kb/258063
  
• Firefox: In about:config, change the value in network.negotiate-auth.trusted-uris to https://the.url.for.your.app

Since mod_auth_kerb and mod_authnz_ldap simply hook the Apache Basic Auth functionality, applications can leverage the Apache server to provide a username to the underlying web application.

Here are a couple apps you might want to test your new authentication with:

• Subversion (SVN)
• Mantis Bug Tracking Application (with Apache Basic Auth support)
• MediaWiki (with Apache Basic Auth support)

While I think that Jeremiah Grossman is absolutely on to something with his theories of alignment of interests in Web Security, I would argue that attaining the goal would go against human nature. Since the dawn of time, human have been in competition with one another and the only thing that’s really changed is the prize for being “best”. In pre-historic times, it was food, fire, and a safe place to sleep. In the middle ages it was land, crops, and livestock. In modern economies, it’s all about the money. For those actively participating in society, money virtually defines who you are in society. Actors, sports professionals, and CEOs of fortune 500 companies rake in hundreds of thousands of dollars and their quality of life shows it with nice cars and lavish housing. While middle class and below are barely making ends meat and most are working very hard for every dollar they spend.

Things aren’t much different in the business world. Companies who perform well go public and have millions of investors, companies who perform poorly go out of business, and once again, the measure of success is money. The examples cited by Jeremiah (SSL for web traffic, data encryption, and getting rid of IFrames) just further illustrate my point. While these practices would do a great deal for protecting their customers, they cost money and affect the bottom line profits, and therefore are not implemented. Yes, I know that security incidents end up costing the company more money in damage control than it would have cost for the safeguards to be implemented in the first place. This is the line security professionals have been giving senior executives for years. Has it worked? It doesn’t seem like it: Ask any of the 60% of the top 100 most popular websites who’ve hosted malware in the first half of 2008. (Websense security Labs™ (State of internet security -Q1 – Q2, 2008)

At this moment, the greatest asset that has been given to security professionals are regulations. Whether they be industry (PCI-DSS, SOX, etc) or Government (FISMA, NIST standards, etc) these regulations on IT Security have proposed to fine/hold legally responsible companies who do not attempt to enforce a minimum level of safeguards to protect their customers. By no means am I saying that these standards are perfect, there is far too little enforcement, the rules are not always described clearly and there are many cases where auditors are coerced into giving a passing grade to infrastructures which do not meet the requirements. What I am saying is that the idea of fining companies for failing to protect consumer data is the right way to go when you’re dealing with executives who’s primary driver is making money for the company.

I propose the following to answer Jeremiah’s question “How do we get the owners of 187 million websites, 17 million developers, browser vendors, universities, governments, ISPs, compliance auditors, and security researchers all to pull in the same direction towards a more secure Web?”:

• Establish more laws and industry regulations defining how companies should conduct themselves.
  Admittedly, this is a double edged sword. More checkboxes != more security, but it does give the professionals in the field some solid backing when presenting security concerns to executives.
• Academics and researchers must collaborate to change the education system.
  Remember the old saying “work to make the world better for your children”? We have an army of little tech savvy kids coming through the education system. Lets teach them about information security and privacy issues so that as they move into consumerism, they will instinctively demand security from the products they consume.
• Figure out a better way to demonstrate the value of IT Security services.
  This seems to be the Achilles heel of the IT Security world. How do you demonstrate the value of preventative counter measures? Yes, I know, another question VS. an answer.
• Offer better security solutions and products.
  As stated in Jeremiah’s article, “Security vendors love strongly enforced compliance standards as it frees up budget for their solutions, which may not reduce risk, but have to be purchased to satisfy a checkbox”. We don’t need more checkbox solutions, we need tools that actually empower companies with the right information so that they can easily get a snap shot of the current security posture. White Hat Security has a great tool/service hybrid where vulnerability data collected during automated assessment is pre-vetted by WhiteHatSec security engineers before being presented to the customer. As a quick disclaimer, I don’t work for WhiteHatSec, but have had the opportunity to see their product in action.
• Greater focus on outreach and communications.
  As the final, and perhaps most important solution, I propose a greater focus on outreach and communication. Security is still a field where only those who have the history and passion for computers truely understand what’s going on. This needs to change. The average web consumer must be educated to understand the personal ramifications of the “laiser faire” attitude that plagues the web application security world.

Please feel free to share you thoughts in the comments, I’m very interested to hear what my peers have to say on this subject.