July 11, 2008

IBM Rational Software Development Conference (RSDC) Slide Deck Online

By Dan Cornell

A couple of weeks ago I was at the IBM Rational Software Development Conference (RSDC) and I gave a presentation on static analysis, dynamic analysis and how to use them together.  My slide deck is online here.

--Dan
dan _at_ denimgroup.com

Static Analysis Talk at Texas A&M University

By Dan Cornell

May 14th I gave a talk to the Texas A&M IT Forum about Static Analysis.  They were kind enough to record the presentation and put it online.

There are a couple of things to note:

  • The volume is kind of low so you have to turn it up and listen.
  • I saw issues with browsers switching from the "Welcome and Introduction" clip to the "Dan Cornell speaks on Application Security" clip.  In order to bypass this I clicked on "Dan Cornell speaks on Application Security" just below the video clip.

Thanks again to all the folks at Texas A&M University for giving me the opportunity to speak.

--Dan
dan _at_ denimgroup.com

May 06, 2008

ROOTS Conference Wrap Up

By Dan Cornell

I made it back to the States after the ROOTS conference and wanted to post some comments.  It was a great conference with a lot of interesting folks and I was thrilled to have the opportunity to present.

On Tuesday, Andre Klingsheim and Lars-Helge Netland gave a great talk on Architectural Risk Analysis.  They ran us through a fantastic exercise where we had to work with folks at our tables and rank the most common causes of death in the USA.  My partner and I did all right - we got all the right causes of death but had some of them in the wrong order.  That was useful for examining perceived versus actual risk.  They also discussed the traditional Risk = Probability x Impact formula for quantitative risk analysis and why it is challenging to apply consistently across practitioners and projects so we also looked at qualitative risk analysis.  This is great material for software developers to cover and having more conversations in this area can do nothing but help increase the awareness of software security issues across the industry.

Martin Knobloch and Marinus Kuivenhoven gave a fantastic Application Security Workshop on Wednesday.  They went through an introduction to OWASP tools like WebScarab and WebGoat and then walked through the OWASP Top 10 2007 with examples.  I have been over this material a number of times, but I got a lot of benefit out of a number of the examples and case studies they talked about.  Again - presentations like this can only help to get the software development community more interested in the security implications of the applications they are producing.

Thanks again to the ROOTS committee and all the attendees.

--Dan
dan _at_ denimgroup.com

(The picture is of an extremely well-dressed stick figure crossing the street in Bergen, Norway)

April 30, 2008

ROOTS Slide Deck Online

By Dan Cornell

The slide deck from my talk at ROOTS 2008 is now up online.  That talk covered security testing with static analysis tools and dynamic analysis tools, looked at strengths and weaknesses of both approaches and then discussed how to use them together.

This has been a great conference and I hope to post some more details shortly.

--Dan
dan _at_ denimgroup.com

(Photo is of a statue of Henrik Ibsen here in Bergen, Norway)

November 15, 2007

OWASP AppSec 2007 San Jose: Day 1

By Dan Cornell

As mentioned before, John Dickson and I are up at the OWASP AppSec 2007 San Jose conference this week.  I had a chance to attend some great sessions and talk with a bunch of great folks today.  Here are some notes:

  • The keynote speakers were Dave Cullinane and Michael Barrett from eBay and PayPal.  Michael had to run off to catch a plane, but Dave gave a great overview of the scale of the problem eBay faces trying to build a trusted platform for commerce.
  • Chris Wysopal's talk about finding backdoors in software was fantastic.  It had some great analysis of backdoors discovered in software in the past and great discussion of possible signatures for static analysis tools that can help identify potential backdoors.  It is hard enough to find security vulnerabilities introduced into software accidentally - looking for backdoors intentionally crafted and inserted is just that much harder.
  • Eric Sheridan's talk about Cross Site Request Forgery was very informative and I am looking forward to trying out his two new CSRF tools.
  • I caught up with IBM Watchfire's Ory Segal. He gave me a demo of some of the new AppScan 7.7 features.  I have been slacking off but I finally got a copy of the beta and will be looking at it through the end of this week.  So far it looks to be pretty impressive.  I'm looking forward to the new "state inducer" feature that allows you to record more complicated workflows to get an application into a state where you can actually test it.  Think of an application with a three step process - you need to go through steps one and two before you can test the functionality at step three.  This has been a problem with scanners we have used in the past when we are testing more complicated web applications implementing multi-step processes.
  • Amichai Shulman's talk about defeating Web 2.0 vulnerabilities was basically a web application firewall commercial - but I suppose that is to be expected.  He did have an excellent point that given the number of CSRF vulnerabilities that exist in existing code it is a daunting task to try to eliminate them all in code.  From that standpoint WAFs certainly do have a place in any serious application security infrastructure.
  • I caught the tail-end of Robert "RSnake" Hansen's talk about browser insecurities.  OWASP is launching a Working Group to deal with browser insecurity issues and I look forward to seeing what they come up with.
  • The "Building an Effective Application Security Assurance Program" panel did a good job of laying out what does and does not work when creating such programs.  Hint: don't pick a tool and think that your problems are solved.
  • The OWASP Leaders meeting was a good chance to put some names with faces.  It also made me realize that the Texas chapters - San Antonio, Austin, Houston - need to do a better job of attending the OWASP national conferences.
  • As always the OWASP Dinner was a great chance to relax after a day packed with great information.

So that is a wrap up of Day 1.  More info to come on Day 2.

--Dan
dan _at_ denimgroup.com

November 09, 2007

Webinar Series: Threat Modeling for the Masses

By Dan Cornell

Denim Group's John Dickson will be presenting a two-part webinar series titled "Threat Modeling for the Masses."  This series will introduce the concepts of Threat Modeling and will put it in a context so that these techniques can be used by more people involved in the system creation process.  Previously Threat Modeling was typically done by developers and software architects – this webinar series pushes these capabilities down to IT security personnel, project managers and other interested parties.

Also, you can check out John's previous webinar on the purchase of SPI Dynamics and Watchfire here.

--Dan

dan _at_ denimgroup.com

October 13, 2007

Webinar Online: Top Two Web Application Scanner Companies Acquired

By Dan Cornell

Recently Denim Group's John Dickson did a webinar with some commentary about the acquisition of Watchfire and SPI Dynamics by IBM and HP respectively.  It is now available online for download.

Keep an eye on this space for John's upcoming webinar series on Threat Modeling.

--Dan
dan _at_ denimgroup.com

June 06, 2007

IBM Acquires Watchfire

By Dan Cornell

Today IBM announced that they will be purchasing Watchfire.  Press release is here.  It was interesting to see that Watchfire's tools were slated to find a home with the Rational development tools rather than the business unit that was formerly ISS.  Personally I think that is a great idea because it gives the application security tools to the application developers.

--Dan
dan _at_ denimgroup.com

May 30, 2007

Watchfire Blogs

By Dan Cornell

I heard from Watchfire's Ory Segal today that they have rolled out a new blogging site.  I especially like the post on Man vs. Machine because it offers a new perspective on the differences between technical and logical vulnerabilities.

--Dan
dan _at_ denimgroup.com

May 17, 2007

The Role of Tools in Application Security

By Dan Cornell

There was a question on an application security mailing list I am on about the current landscape of application security tools - what were they good for, is static analysis better than dynamic analysis, etc.  Here is my unedited reply:

We get asked that question quite often and here is my (short) answer:

Application security tools are really good at what they do and they are getting better.  Also they are pretty much useless for the things that they don’t do and that isn’t likely to change any time soon.

Tools are great for finding technical flaws in applications – the types of flaws that deal with configuration, input handling and output formatting issues.  Things like SQL injection and cross site scripting. Tools are typically really bad at finding logical flaws in applications – these are the issues that deal with business logic, authorization and trust issues.  Examples would be insecure direct object references or passing the price to an e-commerce application in a hidden variable.  Tools have no way to gauge intent so there are flaws that slip by.

Another good thing about tools is that they don’t get tired or sloppy – they can chew through large applications and large code bases and apply rules on a consistent basis.  Organizations would do well to use tools as an initial step in assessing the security of an application but they MUST realize that no tool is going to be able to demonstrate that an application is secure.  To get to any reasonable level of assurance, tools must be augmented by manual testing and inspection.

It has also been interesting to watch the tools popular in the industry evolve over time.  The early tools were black box scanners (Watchfire, SPI Dynamics).  These look and act pretty much like Nessus or ISS but for web applications.  This makes sense because the first folks to really get concerned about application security were the information security folks in an organization and these people tended to have network and sysadmin backgrounds. They are used to scanning an operating environment to find flaws.

As the “problem” of software security has started to be adopted by the software development groups in an organization we have seen an upsurge in code-level analysis tools (Fortify, OunceLabs).  That is because software development folks have software development backgrounds (naturally) and they are comfortable dealing with code and compilers.

As for what tools an organization should use – it is important to look at what group is going to be running the tools.  If the security group is full of folks with network and system admin backgrounds it is unlikely that they are going to become proficient enough .NET or JEE coders to get a lot of utility out of a source code analysis tool.  Also it might be hard for them to get the software development groups to turn over source code (for some reason most enterprises we work with are a little sensitive about shipping that all over the place…)  For groups like that the dynamic analysis/scanner tools allow them to get a solid analysis of the security state of the tools in their portfolio.

If the application development group is going to be running the tool, using tools that can take advantage of having full access to the source code makes a lot of sense.  The scanner tools have to make a guess as to whether or not the request/response pattern they have seen is an actual vulnerability.  The source code analysis tools have a much more clear view of what the software is actually going to do.  For groups like these the source code analysis tools make a lot of sense.  At the end of the day for large organizations it often makes sense to have both types of tools in use to get a “second opinion” of the security state of their applications.

Obviously this answer is full of simplifications and generalizations and solutions for one organization won’t necessarily work for others.  But I did say this was my short answer ;)

I forgot a couple of points so I had to post a follow-up:

Couple of things I forgot to mention:

The tools don’t run themselves.  If you buy a tool you should know how you are going to modify your processes to make use of it.  Then you need to make sure the folks who will be using the tool know how it actually works and can operate it.  And it pays to check back with those people after a while and make sure that the tool is actually being used and is being used as it should.  Otherwise you can spend as much money as you like but your applications will not get any more secure.  You might fool a couple of auditors – but you won’t fool the attackers ;)

I suppose I could shrink that down to an even shorter answer:

Use application security tools to apply consistent checks for technical application flaws.  Do not expect to be finished after you run one.  Be sure that you know how you are going to use the tool before you buy it and train the people who are going to use it.

Perhaps a post at a later date will examine why I seem to end all of my emails with the silly winky emoticon ;)

--Dan
dan _at_ denimgroup.com
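The post above contrasts technical flaws (SQL injection, XSS) that a tool can match as a source-to-sink pattern with logical flaws it cannot, naming two: trusting a price passed in a hidden form variable, and insecure direct object references. The example below is added here and is not from the post; it builds a constructed in-memory catalog and order table with sqlite3 and shows each flaw beside its hardened form. Every query in the vulnerable handlers is already parameterised, which is exactly why a pattern-based tool has nothing to flag: the defect is one of intent, not of syntax.

```python
import sqlite3

# Constructed sample data (not from the post): a catalog and two users' orders.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, price_cents INTEGER);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT, total_cents INTEGER);
        INSERT INTO products VALUES (1, 4999), (2, 12500);
        INSERT INTO orders VALUES (100, 'alice', 4999), (101, 'bob', 12500);
    """)
    return db

# Logical flaw: the price arrives in a hidden form field and the server believes it.
# No dangerous sink is involved, so a source-to-sink rule stays silent; only the
# intent ("price must come from the catalog") tells you this is a bug.
def checkout_vulnerable(db, form):
    return int(form["price_cents"]) * int(form["qty"])

# Hardened: the client may choose product and quantity, never the price.
def checkout_fixed(db, form):
    row = db.execute("SELECT price_cents FROM products WHERE id = ?",
                     (int(form["product_id"]),)).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return row[0] * int(form["qty"])

# Logical flaw (insecure direct object reference): the order id is looked up
# without checking that the order belongs to the caller.
def order_total_vulnerable(db, user, order_id):
    row = db.execute("SELECT total_cents FROM orders WHERE id = ?",
                     (order_id,)).fetchone()
    return row[0] if row else None

# Hardened: authorisation is part of the query, so other users' orders are invisible.
def order_total_fixed(db, user, order_id):
    row = db.execute("SELECT total_cents FROM orders WHERE id = ? AND owner = ?",
                     (order_id, user)).fetchone()
    return row[0] if row else None

# Constructed requests: a hidden price field set to 1 cent, and alice asking
# for an order id that belongs to bob.
TAMPERED_FORM = {"product_id": "1", "qty": "3", "price_cents": "1"}

def compare():
    db = make_db()
    return {
        "vuln_total": checkout_vulnerable(db, TAMPERED_FORM),    # 3 cents
        "fixed_total": checkout_fixed(db, TAMPERED_FORM),        # 14997 cents
        "vuln_order": order_total_vulnerable(db, "alice", 101),  # bob's 12500
        "fixed_order": order_total_fixed(db, "alice", 101),      # None
    }

if __name__ == "__main__":
    print(compare())
```

Both fixed handlers are the manual-review findings the post says a tool will not produce for you; the pattern worth noting is that the fix adds a server-side lookup or an ownership predicate rather than any input filtering.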

April 23, 2007

Guy Podjarny to Present at San Antonio OWASP

By Dan Cornell

Guy Podjarny from Watchfire will be presenting at the San Antonio OWASP chapter meeting this Thursday.  Hope to see folks there.  Please note that the time (11:00am) is a little earlier than usual.

San Antonio OWASP Chapter: April 2007 Meeting
Topic: Overtaking Google Desktop
Presenter: Guy Podjarny (Watchfire Corporation)
Date: April 26th, 2007, 11:00am - 12:30pm
Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract:
This presentation will describe an innovative attack methodology against Google Desktop which enables an attacker to achieve remote, persistent access to virtually all data on the victim machine, and can further lead to full system control as well. The attack leverages vulnerabilities in Google.com web site and Google Desktop, allowing malicious JavaScript to be injected into different responses. In addition, it leverages the integration between Google.com and Google Desktop.

A significant aspect of this attack is that it emphasizes the danger of the integration between desktop applications and Web based applications, as this opens an aperture for a malicious attacker to escalate his/her privileges by crossing from the Web environment to the desktop application environment.

The attack also highlights the risks associated with a fully Web based desktop application, and with a tool like Google Desktop which allows easy access to virtually all information on the host machine.

In the presentation we'll review the different steps of the attack, demonstrating skipping from the Web to Google Desktop, overcoming various protection mechanisms built into Google Desktop, and finally exploiting the vulnerability in various ways.

Presenter Bio:
Guy Podjarny is Senior Security Analyst with Waltham-based Watchfire, a provider of software and service to help ensure the security and compliance of websites.
Guy joined Watchfire in 2004 bringing with him several years of senior product development and web application security expertise from previous roles including Sanctum. As senior security analyst Guy is integral to the development and evolution of Watchfire's market leading AppScan solution. He is also closely involved with researching and evaluating technologies and helping define and influence strategic directions for Watchfire's security solutions.

Guy has spoken at security events, participates in industry working groups and has contributed to several whitepapers and articles on application security.

Sodas and snacks will be provided. Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.

--Dan
dan _at_ denimgroup.com

April 17, 2007

Watchfire AppScan Extensions

By Dan Cornell

Yesterday Watchfire released the new 7.5 version of their AppScan tool.  One of the cool features of this new version is the AppScan eXtensions Framework (AXF).  This allows developers to write extensions to the AppScan product using any .NET language.

Denim Group was fortunate enough to be in an early access group that got first dibs on playing with these extension capabilities.  The first extension we put together is one that allows Watchfire AppScan users to automatically submit security issues found to Microsoft's Team Foundation Server as Bugs to be addressed.  Why did we choose to do this?

Although it may be trite to say, it is important to remember that security comes from a combination of people, processes and technology.  Watchfire's AppScan product is primarily focused on technology and it is good at what it does.  What the AXF allows us to do is extend their technology-focused tool to better integrate it with organizational processes.  Hopefully this plugin will help link up security groups with application development groups and foster better communication.  Communication is THE key success factor we have seen for organizations trying to improve the security of their application development efforts.

Keep watching this space - over the next week or so I will be posting information about full plugins we have written as well as providing some tutorial information about how to write your own plugins for Watchfire AppScan 7.5 using the Application eXtension Framework.

--Dan
dan _at_ denimgroup.com

April 04, 2007

Visual Studio Team Foundation Server APIs are Cool

By Dan Cornell

I've been doing some work developing a tool that makes calls against the Visual Studio Team Foundation Server API and I must say that the API is pretty impressive.  I will post more specific information about the tool in a week or so, but suffice to say it is REALLY easy to make calls against Team Foundation Server.  Right now I'm working with the APIs for the Work Order portion of the system and they are really comprehensive.  It is really nice that Microsoft has made these APIs available because having the ability to extend and integrate the Team Foundation Server product makes using it as the basis for enterprise development really compelling.

--Dan
dan _at_ denimgroup.com