Drone Video Intercepts: Military Case Study with a Universal Lesson

By Dan Cornell and Michael McBryde

There has been a lot of hubbub over the past day and a half about insurgents intercepting video feeds from US unmanned drone aircraft.  Wired has covered this story pretty extensively:

·         Insurgents Intercept Drone Video in King-Size Security Breach

·         Not Just Drones: Militants Can Snoop on Most U.S. Warplanes

Basically, a system was designed quickly, without security as a requirement, for a very limited number of Predator drones used by Special Operations.  Then the drones became much more popular, the system was adopted for much wider use, and the system’s scope was increased to include a majority of the jets flown in the U.S. military.  Net result?  Iraqi insurgents can view or potentially jam video feeds from the majority of U.S. aircraft using materials they could get at Radio Shack.  Yikes!

So let’s review:

·         A system was designed and implemented quickly – with limited scope.

·         Obscurity was the main security protection, and general system security was not a requirement.

·         The usage and utility of the system increased rapidly – so rapidly that decision-makers ignored security reviewers warning of the vulnerability.

·         Gaping security holes were found by 3^rd parties and exploited.

·         Fixing the problem will not be cheap and will likely result in material operational downtime

Strange … I’ve heard this before.  This isn’t a case study specific to the military – this is something we see all the time with both public and private sector organizations.  Business (or “mission,” in this case) requirements for new features and functions are favored over addressing known system weaknesses.  This decision gets made once.  And then again.  And then again.

Vulnerability management and security remediation are ongoing tasks in the development of any system.  Ignoring vulnerabilities and focusing exclusively on new features pretty much guarantees that you will get hit eventually.

Contact us if you would like help remediating those pesky, lingering, known vulnerabilities in your software systems.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Guaranteed NO False Positives: Static Analysis Edition

By Dan Cornell

Since everyone seemed to be so excited about our new web application scanner technology that guarantees no false positives, I’m sure everyone will be equally excited about the new Static Analysis Edition.  This is just as simple to use as the dynamic scanning tool we released yesterday – just point the scanner to the directory that the application code lives in and it will scan the application for vulnerabilities but the results will inclue NO FALSE POSITIVES.  Couldn’t be easier…

Here’s the code.  All yours, under an Apache 2.0 license.  Just like the web scanner edition.

package com.denimgroup.nofalsepositives;

import java.io.File;

import java.util.ArrayList;

public class StaticAnalyzer

{

     public static void main(String[] args)

     {

           ArrayList vulnerabilities = new ArrayList();

          

           String sDirToScan;

           File dirToScan = null;

          

           long scanStart;

           long scanEnd;

          

           //   Must at least enter a URL for the site to scan

           if(args.length < 1) {

                usage();

                System.exit(1);

           }

          

           //   Make sure the file path is valid

          

           sDirToScan = args[0];

           dirToScan = new File(sDirToScan);

           if (!dirToScan.isDirectory()) {

                System.out.println("Provided path was not a directory.  Unable to scan.");

                System.exit(2);

           }

          

           //   Kick off the scan

          

           scanStart = System.currentTimeMillis();

           System.out.println(String.format("Starting scan of %s at %d", dirToScan.toString(), scanStart));

          

           //   Finalize scan and report findings

          

           scanEnd = System.currentTimeMillis();

           System.out.println(String.format("Finished scan of %s at %d", dirToScan.toString(), scanEnd));

           System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));

     }

    

     public static void usage()

     {

           System.out.println("usage: java com.denimgroup.nofalsepositives.StaticAnalyzer <BASE_DIR>");

     }

}

Another facetious post!  Based on some Twitter chatter yesterday I’ll bet folks can’t wait for our NO False Positives Web Application Firewall.  That one will probably be a shell script that uses netcat.  And we can run it in the Cloud if we need to.  Buzzword buzzword buzword!

The use of static analysis tools is an incredibly powerful way to identify potential vulnerabilities in code, but no tool is perfect.  Automated scans are a portion of an application assessment – not the entirety of one if you really want a realistic evaluation of your security posture.  Tuning the default ruleset and crafting framework- and application-specific rules allows you to extract so much more value from your static analysis tools.  And manual review is required to look for business logic issues such as problems with authentication, authorization, etc.

Contact us if you would like help performing thorough application assessments or crafting a sensible application security program for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

New Web Application Scanner Technology Guarantees NO False Positives

By Dan Cornell

Recently I’ve been working with some other Denim Group folks to do our regular internal benchmarking of various application security scanners.  Last week we got into a deep discussion of false positives, how many scanners claim to reduce or eliminate them, and different techniques to make this happen.  During the talk we came across an idea for a surefire way to completely eliminate false positives and this weekend I had enough free time to put together a proof of concept.  I’ve included the proof of concept code at the bottom of this post and you can consider it to be released under the Apache 2.0 license.

This is revolutionary enough that we are currently trying to make testing with this technology required for Scanless PCI Certification and we want to make sure that all Certified Application Security Specialists are required to be conversant with it.  We’re considering shifting all our use of scaning tools to use our new technology.

Below is the proof of concept code:

package com.denimgroup.nofalsepositives;

import java.util.ArrayList;

import java.net.MalformedURLException;

import java.net.URL;

public class DynamicAnalyzer

{

  public static void main(String[] args)

  {

    ArrayList vulnerabilities = new ArrayList();

          

    String sUrlToScan;

    URL urlToScan = null;

          

    long scanStart;

    long scanEnd;

          

    // Must at least enter a URL for the site to scan

    if(args.length < 1) {

      usage();

      System.exit(1);

    }

          

    // Make sure the URL is valid

          

    sUrlToScan = args[0];

    try {

      urlToScan = new URL(sUrlToScan);

    } catch (MalformedURLException e) {

      System.out.println("Provided URL was invalid.  Unable to scan.");

      System.exit(2);

    }

          

    // Kick off the scan

          

    scanStart = System.currentTimeMillis();

    System.out.println(String.format("Starting scan of %s at %d", urlToScan.toString(), scanStart));

          

    // Finalize scan and report findings

          

    scanEnd = System.currentTimeMillis();

    System.out.println(String.format("Finished scan of %s at %d", urlToScan.toString(), scanEnd));

    System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));

  }

    

  public static void usage()

  {

    System.out.println("usage: java com.denimgroup.nofalsepositives.DynamicAnalyzer <SITE_URL>");

  }

}

In case anyone hasn’t figured it out by now this whole post is completely facetious.  Automated scanning has its place in any credible application security program, but no credible application security program consists only of automated scanning.  And you will always get false positives as well as results that need to be re-prioritized based on the business context of the vulnerability.  Automation is great, but you can’t automate everything.

Contact us if you would like more info on constructing your application security program.

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Coverage of Sentinel / Snort Integration from Michael Montecillo

By Dan Cornell

Michael Montecillo from the analyst firm Enterprise Management Associates recently put up a blog post discussing the integration between WhiteHat Sentinel and Snort we built.  It was also covered by Dark Reading a while back.

The integration takes the manually-reviewed vulnerability results from Sentinel and generates targeted Snort rules to identify attempts to exploit the identified vulnerabilities.  This is exceptionally helpful for streamlining the IDS/IPS configuration process because you can apply aggressive inspection and protection where you know you are most vulnerable.

Thanks to Michael for the mention.  The integration project was a fun and exciting one and helps to increase the value of both Snort and Sentinel.  Folks who saw my OWASP AppSec DC 2009 presentation on Vulnerability Management in an Application Security World know that we have some more things to be released shortly that continue this trend of making disparate application security technologies work together more effectively.

Please contact us if you would like more information about WhiteHat Sentinel as well as integrating assessment results with IDS/IPS and WAF systems.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Denim Group Recommendations for Smart Grid Security

By Dan Cornell

Today we released some recommendations for utility companies who are looking to adopt advanced metering and smart grid technologies.  These recommendations are intended to help them address potential security weaknesses and vulnerabilities early in the system design, development and deployment process.  With the increasing focus on the potential of smart grids and the funding being used to promote them it is critical that utility firms consider security throughout the lifecycle or they risk putting critical infrastructure at risk as well as incurring huge costs for retrofitting and remediation.

See the press release online: Denim Group Advises Utility Companies to Plan for Security Threats to Smart Grid Technologies

Contact us for more information about how to address security risks associated with advanced metering and smart grids.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

New OWASP Board Members Announced

By Dan Cornell

The results of the recent OWASP Board Member election are in.  Congratulations to Matt Tesauro and Eoin Keary!

More details are available on the OWASP Wiki:

http://www.owasp.org/index.php/Board_member

--Dan

dan _at _denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

OWASP Vulnerability Management in an Application Security World Slide Deck Online

By Dan Cornell

My slide deck from OWASP AppSecDC on Vulnerability Management in an Application Security World is now online.

You can get it from the Denim Group website: Vulnerability Management in an Application Security World.

It is also available on SlideShare:

Vulnerability Management In An Application Security World: AppSecDC

View more documents from Denim Group.

Contact us if you are interested in more information about how to manage and remediate application level vulnerabilities.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

John Dickson's Permanent Campaign Slide Deck from Denver ISSA Online

By Dan Cornell

John Dickson’s slide deck from his Denver ISSA presentation is now online.  You can get it from the Denim Group resources web page: The Permanent Campaign.

It is also online at SlideShare:

The Permanent Campaign

View more documents from Denim Group.

Contact us if you would like more information about creating secure software development lifecycles (SDLCs).

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Webinar Resources Online: Jump Start You Application Security Knowledge

By Dan Cornell

The content from Jeremiah Grossman and John Dickson’s most recent webinar is now online.

Title: How to Jump-Start Your Application Security Knowledge: For the Network Security Guy Who Knows Nothing about Application Security

PDF slide deck is available online: How to Jump-Start Your Application Security Knowledge

And the slides are up in SlideShare:

The webinar recording is also available online: https://whitehatsec.market2lead.com/go/whitehatsec/webinar_jumpstart1009

Contact us if you would like more information about application security resources for security professionals.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Security Centers of Excellence

By Dan Cornell

Michael Montecillo had a great blog post tracing the history of many of today’s security companies.  He looks at some key organizations that spawned many of today’s leading security firms.  In the post, he traces two of the organizations that have John Dickson as an alumni: the United States Air Force Computer Emergency Response Team (AFCERT) and Trident Data Systems.  Thanks for the mention, Michael!

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous