Computer security work Illegal in Texas without PI licence?

Date July 4, 2008

There’s been some talk about this, and no-one really knows what it means for the security industry just yet (at least nothing I’ve seen thus far), but the just-passed Texas House Bill 2833 has the following paragraph:

(b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

The very basics of this law are that if someone “reviews, analyzes, or investigates” any “information”, then they need a licence to do so, which as a contractor/consultant means a private investigator’s licence.

Now, I am not a lawyer. An opinion piece from the legislator is available here [pdf], and there’s an interesting write-up and interview here, but my reading is that network/software security testing = OK, whereas forensic work = need a Texas PI licence.

There’s a really murky area in there: say you are testing a network/webapp/etc. and you find a vulnerability. What happens when you demonstrate an exploit or the data it exposes, or when the client asks you to check whether the vulnerability has already been taken advantage of?  I’d love to know other people’s interpretations of this.

In any case, the community should be aware of this new law and its potential ramifications (even if it’s not specifically written for/against computer security work that isn’t forensics).  Otherwise: “Violators of the new law can be hit with a $4,000 dollar fine and up to a year in jail”.

Don’t mess with Texas!

Browsers to spell the end of XSS?

Date July 2, 2008

Congrats to RSnake for working with the ’softies and breaking the news that IE8 will have anti-XSS technology built into the browser.

This is really very cool and, as RSnake says, a big step in the right direction - programmers will always make mistakes, and any method that helps protect buggy software from being exploited (even if only temporarily) is a benefit.

I’ve been doing some research for an upcoming talk, and I must say that Mozilla’s proposal for a Site Security Policy goes a step beyond this.  The negatives are that a) it’s an incomplete add-on, whereas the IE guys have hard plans (and code, it seems) to incorporate XSS protection in the next version they ship, and b) developers have to actually set the policy or it defaults to no protection (whereas IE will always provide some, even if it is not “full”).  I really like the ability to say “I’m not going to have any executable JS in this page”, and “If I do have JS, it’s going to be delivered from here” - it totally removes the potential for the browser to load “untrusted” code, because a reflected payload is either inline script or a script pulled from an origin the page never listed, and the policy forbids both.
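To make the two rules concrete, here is an added example (my code, not Mozilla’s proposal or IE8’s filter) that applies a policy of the form the post describes to a page: no inline script, and external script only from listed origins. The policy dictionary, the sample page, the origins (www.example.com, cdn.example.net, evil.example) and the reflected payload are all constructed for the demonstration; the Site Security Policy syntax itself is not modelled.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example; it is not Mozilla's Site Security Policy syntax or IE8's
# filter. The policy dict, the page and the origins are all constructed to
# model the two rules the post describes: "no inline script in this page" and
# "external script only from these origins".


class ScriptCollector(HTMLParser):
    """Collects every way a page can run script: external <script src>,
    inline <script> bodies, and inline on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # (kind, source) tuples
        self._in_inline = False
        self._buffer = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser lower-cases names for us
        if tag == "script":
            if attrs.get("src"):
                self.scripts.append(("external", attrs["src"]))
            else:
                self._in_inline, self._buffer = True, []
        for name, value in attrs.items():
            if name.startswith("on"):
                self.scripts.append(("handler", f"{name}={value}"))

    def handle_data(self, data):
        if self._in_inline:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.scripts.append(("inline", "".join(self._buffer).strip()))


def origin(url: str, page_origin: str) -> str:
    """Normalise a script URL to scheme://host[:port] for the policy check."""
    parts = urlsplit(url.strip())
    if parts.scheme and not parts.netloc:      # javascript:, data:, ...
        return parts.scheme.lower() + ":"
    if not parts.netloc:                       # relative path: same origin
        return page_origin.lower()
    scheme = parts.scheme or urlsplit(page_origin).scheme   # '//cdn/...' form
    return f"{scheme}://{parts.netloc}".lower()


def enforce(html: str, page_origin: str, policy: dict) -> list:
    """Apply policy = {"allow_inline": bool, "script_src": [origins]} to a page
    and return (kind, source, "allowed" | "blocked") for each script found."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {o.lower() for o in policy.get("script_src", [])}
    decisions = []
    for kind, source in collector.scripts:
        if kind == "external":
            ok = origin(source, page_origin) in allowed
        else:                                  # inline body or on* handler
            ok = bool(policy.get("allow_inline", False))
        decisions.append((kind, source, "allowed" if ok else "blocked"))
    return decisions


# Constructed page: the site's own scripts plus a reflected XSS payload.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<p>Results for: <script>alert(document.cookie)</script></p>
<img src=x onerror="alert(1)">
<script src="http://evil.example/x.js"></script>
</body></html>"""

SAMPLE_POLICY = {
    "allow_inline": False,
    "script_src": ["https://www.example.com", "https://cdn.example.net"],
}

if __name__ == "__main__":
    for kind, source, verdict in enforce(SAMPLE_PAGE, "https://www.example.com", SAMPLE_POLICY):
        print(f"{verdict:8} {kind:8} {source}")
```

The site’s own two scripts pass; the injected inline script, the onerror handler and the script from the attacker’s origin are all refused without the browser needing to recognise any particular XSS pattern. Note that a `javascript:` or `data:` URL in a `src` attribute is treated as its own pseudo-origin rather than as same-origin, which is the edge case that a naive “relative URL means same origin” check gets wrong.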

What I really hope is that both browsers put aside their differences on who created what, or who supports what, and actually implement both solutions in a cross-platform way.  If that happens, we may very well say goodbye to one of the most prevalent webapp vulnerabilities and the web will be a much safer place for people in general.

[EditToAdd] Found this blog post that details the additional security features IE8 is going to have.  Looks pretty cool.

The war on WAFs

Date June 28, 2008

Well, it looks like the war on WAFs is ON!  TS/Sci Security have done a great series of posts on the topic, the vast majority of which I whole-heartedly agree with.  I’m sure that any reader of this blog already reads TS/Sci, but if only so I can remember it myself and have a record, I’ll (badly) summarize the posts.

Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s - As it says on the tin, reasons to wait and not deploy a WAF.  I guess that this is the post I disagree with the most out of the series because of some of the items on the list, but that’s beside the point - it’s a good place to start the argument.

Week of War on WAF’s: Day 2 — A look at the past - To show that the argument against has been going on for quite some time, a copy of an email from OWASP to the Application Security Consortium (PCI) in 2004 is presented.

Week of War on WAF’s: Day 3 — Language specific - Points out that differences in how languages/frameworks (PHP, Ruby, ASP.NET, etc., etc.) parse CGI variables may leave holes open.  For example, if the WAF is written in C/C++ and parses URLs one way, the target script may parse the same request differently (despite what the RFC says) because of canonicalization issues, so the WAF inspects one value while the application acts on another.
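The Day 3 argument is easiest to see with the two classic parsing gaps, so here is an added example (my code, not from the TS/SCI posts or any product). It runs a substring black-list over what a once-decoding, first-occurrence filter sees, then compares that with what four emulated back-end habits hand the application: first occurrence wins (Java servlets), last wins (PHP), all occurrences joined with a comma (ASP.NET), and an application that calls urldecode() a second time on already-decoded input. The black-list, the parameter name `q` and the payloads are constructed for the demonstration.

```python
from urllib.parse import parse_qsl, unquote

# Added example, not code from the TS/SCI posts. The "WAF" below is a
# substring black-list applied to a once-decoded, first-occurrence view of a
# parameter; the four back-end "styles" emulate how real frameworks handle
# duplicate keys and a second round of decoding. Everything is constructed.

BAD_FRAGMENTS = ("<script", "' or ", "union select")


def looks_malicious(value: str) -> bool:
    """The filter's rule: a case-insensitive substring black-list."""
    lowered = value.lower()
    return any(fragment in lowered for fragment in BAD_FRAGMENTS)


def _values(raw_query: str, param: str):
    # parse_qsl percent-decodes exactly once and turns '+' into ' '.
    return [v for k, v in parse_qsl(raw_query, keep_blank_values=True) if k == param]


def waf_view(raw_query: str, param: str) -> str:
    """What the filter inspects: decode once, keep the FIRST occurrence."""
    values = _values(raw_query, param)
    return values[0] if values else ""


def backend_view(raw_query: str, param: str, style: str) -> str:
    """What the application actually acts on, for several framework habits:

    first    - first occurrence wins (Java servlet getParameter)
    last     - last occurrence wins (PHP $_GET)
    join     - all occurrences joined with ',' (ASP.NET Request.QueryString)
    redecode - first occurrence, but the app itself calls urldecode() again
    """
    values = _values(raw_query, param)
    if not values:
        return ""
    if style == "first":
        return values[0]
    if style == "last":
        return values[-1]
    if style == "join":
        return ",".join(values)
    if style == "redecode":
        return unquote(values[0])
    raise ValueError(f"unknown style {style!r}")


def evaluate(raw_query: str, param: str) -> dict:
    """For each back-end style, report whether the WAF blocked the request and,
    if it did not, whether the application still received a malicious value."""
    blocked = looks_malicious(waf_view(raw_query, param))
    report = {}
    for style in ("first", "last", "join", "redecode"):
        value = backend_view(raw_query, param, style)
        report[style] = {
            "blocked_by_waf": blocked,
            "backend_value": value,
            "bypassed": (not blocked) and looks_malicious(value),
        }
    return report


if __name__ == "__main__":
    # Parameter pollution: the filter checks the first 'q'; PHP uses the last.
    for style, r in evaluate("q=hello&q=<script>alert(1)</script>", "q").items():
        print(f"HPP        {style:8} bypassed={r['bypassed']} value={r['backend_value']!r}")
    # Double encoding: one decode yields '%3Cscript%3E', which matches nothing;
    # an application that decodes again ends up holding '<script>'.
    for style, r in evaluate("q=%253Cscript%253Ealert(1)", "q").items():
        print(f"double-enc {style:8} bypassed={r['bypassed']} value={r['backend_value']!r}")
```

The practical check this suggests: before trusting a WAF rule on a parameter, send the duplicated-parameter and double-encoded forms of the payload through the real stack and confirm the application sees what the WAF saw. A filter that only matches its own canonical form of the request is exactly the one these two tricks walk past.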

Week of War on WAF’s: Day 4 — Closer to the code - Argues that validation should be closer to the code and that there are ways this can easily be added (one put forward is Aspect Oriented Programming).

Week of War on WAF’s: Day 5 — Final thoughts - Identifies some short-term alternatives to using a WAF without going through a full SDLC.

VA+WAF: that’s hot!

Date June 19, 2008

So, it seems that the whole VA+WAF discussion is clearly the “hot” topic in webappsec this week.  First up we have the ts/sci post that I linked to earlier, Andre has responded, and we also have a post from the guys at CGISecurity.

I’ll first address one of Andre’s comments before getting into the meat of this post, so bear with me for a sec.

If developers are so hard to work with, so miserably stupid, and so unwilling to develop with security in mind — then how can a WAF vendor write secure software for their own products? This is the classic example of where a security vendor assumes that their own products are secure just because they are a security company.

Yes, just because someone is a security company doesn’t mean that their products are secure - we’ve seen far too many vulnerabilities in “security products” to even make that claim.  However, there certainly is a scale out there when it comes to code quality vs where that code comes from - there’s an 80/20 rule, even for programmers.  The 20%-ers are going to be drawn to security issues and security companies (if that’s their “thing”), whereas the rest aren’t going to be interested and just want things to “work”.  They aren’t hard to work with, stupid, or unwilling to develop with security in mind; it’s often that they work in an org where the need is to “get it right enough to support the business” (there’s another codinghorror post on this very topic, but my google-fu is failing me tonight).  OK, we could talk about security being a requirement (which it very rarely is), “fit for purpose” and all that, but that’s a topic for a whole different post.  The issue is that security is seldom the first thing on an average developer’s mind, nor should it be.

Anyway, I really wanted to know more, and Jeremiah Grossman reached out and offered to demo his VA+WAF solution and answer any questions I had.  JG obviously has a bias, but wanted to know what I thought as I have no investment in this field (at least, I can’t think of any) other than wanting customers to be more secure.

First things first - a WAF is not a panacea for all your security woes.  My thoughts on this, with agreement from JG, are that it’s just a temporary thing until the real cause of the vulnerability is fixed.  My analogy (and I love analogies) is exactly the “band-aid” one people have been throwing around - if you’ve just cut yourself, probably badly, would you at least put a band-aid on it, or cover it with something to stem the bleeding until you get to the emergency room for the wound to be sewn up, or is it better just to leave it open and potentially bleed to death?

A big discussion point with VA+WAF is the false positive issue - if a rule is pushed for something that isn’t a “real” vulnerability, it can negatively impact the application.  WhiteHat are taking a “softly-softly” approach, using black-lists on parameters that are “known bad”.  Black-lists, I hear everyone say!  Surely for security you want white-lists.  Well, yes, if you have context (ZIP code, telephone number, person’s name, etc.), but a WAF doesn’t have that (which is why issues really have to be fixed in the code eventually).  Instead, the approach is not to attempt to “fix” the vulnerability itself, but just to stop exploitation through that vector.  For XSS and SQLi the individual characters used in exploits are pretty well understood and should rarely, if ever, appear in a legitimate value for the affected parameter, so black-lists work “well enough” in this case - the obvious exception being a parameter that legitimately carries an apostrophe or angle bracket (a surname like O’Brien in a field a scanner flagged for SQLi), which is exactly where such a rule will bite.

The other part of the false positive issue is how you actually know it’s a vulnerability - scanners produce output like it’s going out of fashion, often with hundreds of “findings” to go through.  Which of these can (or should) be blocked at the WAF?  Well, most scanners are pretty good now at identifying XSS (and some instances of SQLi), and as I’ve discussed above, a rule that simply stops exploitation won’t affect the app as the characters that are “blocked” shouldn’t appear in legitimate requests for that parameter anyway - no harm, no foul.  Scanners are going to get better, but there’s a whole raft of vulnerabilities that can’t effectively be scanned for (and never will be), and can’t be fixed at a WAF (business logic and authorization flaws, for instance).  I don’t believe there’s ever going to be a “perfect” VA or WAF solution, but starting with XSS and SQLi is a reasonable place to at least start the journey as there are lots of these issues out there and they don’t seem to be going away.  We are at the beginning of a journey, and just because we haven’t come up with a “unified theory” (and might not be able to) doesn’t mean we can’t start learning from smaller steps.
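To show what a scanner-driven “virtual patch” actually buys, and where it bites, here is an added example (my code, not WhiteHat’s or any vendor’s rule format). Scanner findings of the form (parameter, vulnerability class) are turned into per-parameter character black-lists of the kind described above, and placed next to the context-aware white-lists that only someone who knows what the field means (a ZIP code, a phone number) can write. The rule syntax, the findings and the sample requests are all constructed for the demonstration.

```python
import re

# Added example, not WhiteHat's or any vendor's rule format: a "virtual patch"
# that takes scanner findings (parameter, vulnerability class) and turns them
# into per-parameter character black-lists, alongside the context-aware
# white-lists that only the application developer can write.

BLACKLISTS = {
    # Characters/tokens that XSS payloads depend on.
    "xss": re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE),
    # Characters/tokens that SQL injection payloads depend on.
    "sqli": re.compile(r"['\";]|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE),
}

# White-lists need context the WAF does not have: what the field MEANS.
WHITELISTS = {
    "zip": re.compile(r"^\d{5}(-\d{4})?$"),
    "phone": re.compile(r"^\+?[\d\s().-]{7,20}$"),
}


def build_rules(findings):
    """findings: [(parameter_name, 'xss' | 'sqli')] as a scanner might report."""
    return {param: BLACKLISTS[kind] for param, kind in findings}


def inspect(params, blacklist_rules, whitelist_rules=None):
    """Return [(param, reason)] for every parameter that would be blocked.
    An empty list means the request passes through to the application."""
    whitelist_rules = whitelist_rules or {}
    blocked = []
    for name, value in params.items():
        if name in whitelist_rules:
            # Positive validation: anything outside the expected shape is rejected.
            if not whitelist_rules[name].match(value):
                blocked.append((name, "outside whitelist"))
            continue
        rule = blacklist_rules.get(name)
        if rule is not None and rule.search(value):
            blocked.append((name, "blacklisted token"))
    return blocked


# Constructed findings, as a scanner/VA report might list them.
SCANNER_FINDINGS = [("search", "xss"), ("id", "sqli"), ("name", "sqli")]
RULES = build_rules(SCANNER_FINDINGS)

if __name__ == "__main__":
    requests = [
        {"search": "red shoes"},                                # legitimate, passes
        {"search": "<script>alert(document.cookie)</script>"},  # XSS, blocked
        {"id": "7 UNION SELECT user, pass FROM accounts--"},    # SQLi, blocked
        {"name": "O'Brien"},                                    # false positive
        {"zip": "90210"},                                       # passes whitelist
        {"zip": "90210' OR '1'='1"},                            # fails whitelist
    ]
    for req in requests:
        print(req, "->", inspect(req, RULES, WHITELISTS) or "pass")
```

Two things are worth noticing. The black-list only ever fires on parameters a scanner flagged, so the rest of the application is untouched (no harm, no foul), but the `name` parameter shows the cost: a rule with no idea what a name looks like rejects O’Brien, and the only fix for that is in the code, where the value can be parameterised instead of filtered. The `zip` white-list, by contrast, rejects the injection and accepts every legitimate value, which is what context buys you.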

So, why not just go and fix the code instead?  Adding a WAF + rule-set just adds complexity and potentially another set of vulnerabilities in the WAF itself.  I agree in principle, and back when I was an academic I wouldn’t have budged on this.  Now, however, I’m a bit more of a pragmatist - in some cases it’s not possible to immediately go and fix the problem because of change windows, vuln/bug-fix priority, staffing, regression testing, etc., etc.  For the life of me I can never figure out why a site goes live on the net without security QA (I’m often the first person to evaluate a site for security after it’s been in use, and clearly vulnerable, for a significant amount of time), but once again that’s another post for another time.  In any case, in a lot of instances it’s not as simple as some people make out to make an immediate change (any change) in a live webapp.

There’s an article out there somewhere (as I said, my google-fu just isn’t working tonight) that argues that a company shouldn’t have any firewalls, but should just put all its hosts out there on the internet.  If everything were patched, configured securely, and had updates applied immediately (forgetting for the moment zero-days and unpublished vulns), then they wouldn’t be vulnerable, right?  It certainly would keep everyone on their toes, but I don’t think I know one person who would recommend that approach, and I think we are in exactly that position with webapps today.

Is there a market for VA+WAF?  I’m sure there is - it addresses a need (or pain-point) that exists out there.  We know this because even though the “simple” vulns like XSS and SQLi are extremely well known, and fixing them is very simple, there are still many, many apps out there that have these problems and they continue to sit at the top of the top-x lists.  Is it the “right” thing to do?  Perhaps - as a temporary measure until the root cause can be identified and fixed, it at least stops the bleeding.  My main concern about this approach is it becoming a “crutch” and companies relying on it as a way of becoming “secure”.  It doesn’t close the loop, or train the developers in why/how their code is vulnerable and how not to make the same mistake again - it’s the being-given-a-fish vs being-taught-how-to-fish deal - reliance is not a good thing (perhaps this is a better link - especially the one by gareth :)).  JG said that they would be able to see over time how many of the rules pushed to the WAF are later removed because the issue was fixed in the code, which are metrics I would be very interested in seeing.

This is turning out to be a longer post than I really have time for, or anyone would really want to read - it’s just opinions, instead of hard data, which I haven’t seen presented yet.  All I can say is that VA+WAF is no magic bullet, and I haven’t heard anyone claim it is.  However, just because it’s not a magic bullet doesn’t mean there’s not at least some worth behind the idea.

Does Hollywood have no imagination?

Date June 18, 2008

I know that it may seem that I’m on a big rant as I’m moving out of SoCal, but honestly this has been brewing (and talked about with various people) for some time - I just haven’t had anything to point to and say “there!”.

A really cool article in the NYT a week or so ago detailed some “additions” that an architect did to a client’s apartment in New York without telling them.  I won’t go into detail because it’s a fascinating read and it will spoil the story.  However, just today I saw that JJ Abrams wants to make a movie based on that article.

Is it me, or does Hollywood have no original ideas left?  Sure, it’s an interesting story, but as the Gawker post says, it’s been done before.  McG tried to bring one of my favorite TV shows from back in the UK over to the US (in what I heard was a word-for-word remake) without even consulting the originators/cast - that went so well that a fan revolt eventually got the show canceled at the pilot stage.

It’s not even a few people.  Lots of films recently seem to me to be either remakes, bad sequels, or TV shows adapted for the big screen (how the hell is The A-Team getting remade!).

I thought that Hollywood was the land of creative geniuses?  What has happened to all the interesting, engaging films and TV series? (OK, I’m a big fan of BSG, but that is so different and original vs the 1980’s series that I’m not lumping it in with all the others.)  There’s a lot of talent out there, so why isn’t it being used?  Is it because the studios just don’t want to take the risk(s) any more and go for the “safe” option with “established” brands? (How did that work out for you, Knight Rider?)  All my favorite shows seem to get canceled very quickly, so how is one supposed to “invest” in a program?  Looks like I’m just going to have to wait for the DVDs to appear on NetFlix.

Ideas anyone?

What web application security really is

Date June 17, 2008

One more post before I really should head off to bed ;)

Another blog that I’ve read on-and-off, but which has just got a permanent place in my RSS reader, is ts/sci security.  There’s been one post recently that, although I don’t agree with it 100%, is certainly “on the money”.

http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is

The only part I’m not sold on is the…

If you think that implementing a WAF will save you (even in the short-term), please let us know why you believe this is the case.  TS/SCI Security sees the WAF answer as FUD, lies, and/or short-sightedness.

…bit at the very end.  I’m not as enthusiastic as Jeremiah Grossman is, but I feel there’s some benefit in WAF rules some of the time.  The default should be to “recode or replace while we still have the chance”, but sometimes that isn’t immediately possible (resources, understanding, change windows, etc., etc.).  Having a temporary “patch” and a level of defense in depth isn’t “bad” per se, although given a choice we should always fix at the code level because that’s where the cause is and where there’s the most context to know what to do.

In any case, discussion is good.

Another feed on my RSS

Date June 17, 2008

Ages back I met Rich Mogull at BlackHat/DefCon and we got on really well.  Turns out we have some strange shared background as he worked backstage on some of the same tours state-side that I did in Europe.

Anyway, Rich is blogging at http://securosis.com/ :)

As an ex-Gartner security analyst he has great insight into the industry and has already written some great posts on the blog (where have I been that I’ve been missing all of this!).

I’d advise anyone that is interested in security to subscribe, and I for one look forward to reading more. 

I wish you the best Rich, both with the blog and the (now not so new) company.

Americans (especially in LA) can’t drive

Date June 17, 2008

OK, now I’ve got past that sweeping generalization, I can’t wait to see what happens on the 1st with the new cell-phone law coming into effect.

It seems to me that some people here have enough trouble driving as it is, but pretty much insist on having a phone clamped to their ear 24/7 - I even saw someone out on their horse the other day paying no attention to anything other than whatever was on the other end of their phone.

Perhaps I’m being a little over-sensitive here, but this is just typical of Californians’ “me-first” attitude (another sweeping generalization here, but I’m sure that all the people I’m throwing under the bus know exactly the kind I’m talking about) - they just seem to be totally ambivalent, and that’s being generous, about anything going on around them other than what they are doing.  Just like an opera singer warming up -  ♫ “me, me, me, me, meeeee” ♫.

In any case, I’m really looking forward to seeing the cops line people up down the street giving them tickets, because I’m sure this new law isn’t going to change a thing.  Some people are going to get a shock though, as although it says the first offense is $20 and subsequent ones are $50, when admin fees, etc. are added on they come out to $76 and $190 respectively.  However, even that isn’t going to stop some of the people who, simply put, have more money than sense, or just don’t care.

Please people, put the phone down for a little while (and that includes texting), or buy one of these for a little more than the cost of that first ticket.  In a strange way I’m sad that I’ll only see a few days of this and won’t be able to hear the teens/push-chair-moms bitching about it in the mall.

</rant>

Out and about in LA

Date June 17, 2008

Tara and I went up to LA for perhaps the last time on Sunday to see Nic, do some shopping, and generally hang out.  Had a really good day so I thought I would share some photos.

First up, driving out to Santa Monica we noticed that Rodeo Drive was shut with lots of people milling about.  Intrigued, we parked up and had a look.  Turns out it was a classic car show (with some modern cars) so we drooled over some of the cars and walked up and down Rodeo (why is it called ro-day-o rather than ro-dee-o?) for the first time ever - it’s just not our “scene”.

We then headed out to Santa Monica and walked around the shops, went on the pier, and got some fab Belgian chocolates.  Grabbing a coffee, we noticed a lot of police cars heading up the street and wondered what all the commotion was - turns out a taxi had knocked a biker off his Ducati, who promptly took off his helmet and attacked the taxi driver!  A bit of overkill with 8 cars, 2 bikes, 2 EMTs, and blocking the road off (many are out of shot in the pic), but I guess there’s not much for the police to do on a Sunday afternoon there :)

A must for the day was to head up to our favorite place in LA - Griffith Observatory.  Both of us love that place so much if we lived any closer we’d be up there all the time.  Grabbing a drink and watching the sun go down from this place is a must-do experience.

Finally we headed out to the Sunset Strip for dinner and a few drinks at the Rainbow Room.  The Lakers were playing a must-win game, so the place was pretty packed.  At the table next to us was Billy Zane, who was really nice and wasn’t getting hassled at all, and Justin Hawkins (from The Darkness) arrived just as we were leaving.

So, that might be about it (unless we make it up again on the July 4th weekend) for LA for us - lots of packing and other things to finish up.  To all of our new friends and work colleagues who made us feel welcome, our eternal thanks - I’m sure we’ll be back and will certainly stay in touch.  To all of the rest of the wannabees in OC/LA, I’m glad I won’t have to put up with you for much longer :D

Seattle here we come!

Date June 7, 2008

It’s been brewing for some time, but at some point in July we’ll be moving to Seattle.

We’ve really enjoyed living in SoCal; much more than we’d originally anticipated.  There have been lots of things to do between LA-proper and San Diego, and we’ve had a blast.  So much so that it’s difficult to pick any highlights, but I’ve been able to see my favorite bands play live a few times, hang out at famous/well-known places, even been invited to a world premiere of a major film!  Not to mention the fantastic weather.

But SoCal isn’t where we feel "home" or really "fit in", so it’s time to give somewhere else a try.  I’ll look forward to exploring our new home city and being part of the tech community up there (so any tips/recommendations/invitations are greatly appreciated).  In the meantime, during the few weeks we have until the moving truck turns up, we have to mop up things to do in LA (so once again, if there are any tips/recommendations/etc. …).  We can’t say we’ve "done it all", as that takes a lifetime according to our friend Nic, who has graciously been our guide on many an occasion, but we’ve certainly "lived it" and sampled the highlights.  As Baz Luhrmann says, "Live in [Northern] California once, but leave before it makes you soft".

In some ways I’ll miss LA, and will leave you with a fantastic photo from my favorite LA-centric blog.