Thursday, July 31, 2008

My Picks for BlackHat USA 2008

Loads of awesome looking presentations this year! So hard to choose from. I really hope I’ll have time to see most of them and not be stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party, get to the Breach booth early.

Day 1: 10:00 to 11:00

Bad Sushi: Beating Phishers at Their Own Game
Nitesh Dhanjani, Senior Manager
Billy Rios, Microsoft

I saw this talk at Blue Hat in Seattle a couple months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.

Day 1: 11:15 to 12:30

DNS Goodness
Dan Kaminsky

The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I’m really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.

Day 1: 13:45 to 15:00

Iron Chef: Fuzzing Challenge

This event was a lot of fun last year when I participated as a “celebrity judge”. Just don’t be under the impression that this is a scientific experiment of any kind. Instead simply enjoy the “show”, where you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake’s blog software. :)

Day 1: 15:15 to 16:30

Xploiting Google Gadgets: Gmalware and Beyond
Tom Stracener
Robert Hansen

My man RSnake accompanied by Tom Stracener delivering Google zero-days and JavaScript malware PoC abound. Who could miss that! Keep your eyes peeled for Googlers in the front row feverishly taking notes and radioing live information back to the Googleplex. This talk might also renew our sense of paranoia about browser security, if there is such a thing.

Day 1: 16:45 to 18:00

FLEX, AMF 3 and BlazeDS: An Assessment
Jacob Carlson
Kevin Stadmeyer

Don’t know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I’ve been doing a lot of my own research in Flash/Flex as well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.

Day 2: 10:00 to 11:00

Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
Arian Evans

Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. For some of the methods we’re still not exactly sure why they work, only that they do in extreme edge cases. What we’re also learning is that there are A LOT of web application vulnerability edge cases out there.

Day 2: 11:15 to 12:30

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling
Ivan Ristic
Ofer Shezaf

A serious toss up between this one and Threats to the 2008 Presidential Election, which I’m sure is also going to be stellar. For me, I need to stay as up-to-date as I can on WAF technology evolution and Ivan is THE MAN in the open source space.

Day 2: 13:45 to 15:00

REST for the Wicked
Bryan Sullivan

Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.

Day 2: 15:15 to 16:30

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
Jeremiah Grossman
Arian Evans

Again, only because I HAVE to be there. :) I’ve been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be ground breaking attack wise, just really thought provoking and fun.

Day 2: 16:45 to 18:00

Pushing the Camel Through the Eye of a Needle

Only because the Sensepost guys are super l33t, always have exceptional material, and I’ve never been to a bad presentation yet. Didn’t even bother to read the description, I know it’ll be worthwhile. Hopefully I can make it over there after my presentation.

Friday, July 25, 2008

Results: Web Application Security Professionals Survey (July 2008)

The survey concluded this morning with a simply amazing turn out! A total of 340 respondents -- well over double the previous. Thank you to everyone who helped get the word out and of course to those taking the time to fill out the form. This information is invaluable. Since there were so many responses, and hence comments, I’m only able to post the report graphs below. The full report containing all the comments, probably the best part, is available for download (xls). The upside of so much data is I was also able to run reports on people classifying themselves as “Security vendor / consultant”, “Enterprise security professional”, and “Developers” individually to see how they differed, if at all. If you want the entire package of reports, here ya go. Big hat tip to Robert “RSnake” Hansen for the bandwidth.

And now for my interpretation of the results…

Question #1 – 3
Shows that we have a nicely diverse set of individuals with varying backgrounds and years of experience. It looks like I should have had more granular answer options for Q2 though, note for next time.

Question #4
In the matter of browser security I figured just about everyone is using something above and beyond a default install, which is just plain crazy nowadays, and the results confirmed it. What astonished me though is the percentage of people across the range using virtualization, roughly 25%! Think about this. 1 in 4 web security people assume their browser and/or OS has a high likelihood of getting owned. Military intelligence, congressional ethics, browser security.

Question #5
In retrospect I should have asked a better PCI-DSS related question; the answers were unsurprising. People in certain business sectors were influenced by PCI-DSS when it applied to them and they weren’t when it didn’t. What I really want to know is what ARE the driving factors behind why organizations are investing in web application security. I’ll try to figure out a better way to get to that answer set.

Question #6
These answers I found to be really interesting because they were split roughly down the middle and the comments were all over the map. Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We’re still trying to figure things out and convince ourselves that we have the right answer. Or that someone does. I think there is a lot still to be learned in this particular area and I plan to ask more questions on the topic going forward. This also might be an area where we should bring individual experts and practitioners together to discuss the various issues.

Question #7
I purposely kept the term “vulnerability scanner” vague to see how they performed as an entire category. It doesn’t appear that vulnerability scanners have improved much, or at least people’s impressions of them haven’t, since the last survey. They performed dismally in Web 2.0 technologies including Ajax, Flash, and Web services. What surprised me is how well the scanners performed in the persistent XSS category, on par with the non-persistent. I can’t say I agree, but it is what it is. Could be an artifact of people not understanding the difference and figuring that if the tool didn’t find it then it’s not there. The other interesting thing is that developers have a better opinion of scanners than security vendors and enterprise professionals.

I plan on digging into this area even more in the future, separating out scanner types, asking for product names, and gathering overall impressions.

Question #8
I was fairly impressed with these results. 1/3 of the respondents said they’d either recommend a WAF, already have a WAF, or had a WAF on the road map. Then half of everyone said they were “Skeptical, but open minded” as compared to a sparse 15% expressing a level of negativity. This should be a huge market indicator for WAF vendors, industry analysts, VARs, and systems integrators. That 50% category represents a huge opportunity to demonstrate a WAF’s value and long-term viability. In the next year we’ll know which way the trend is heading.

Question #9
C’mon, I had to poke a little fun at RSnake. I mean you gotta know web security is becoming mainstream when you can’t automatically win an online Chihuahua beauty contest poll in Austin without getting out-haxored at the last second. ;)

Question #10
OK, that settles it. Web security people have little to no respect for McAfee’s HackerSafe brand, and even that’s putting it mildly if you read the comments. I was confused about what the large “other” responses wanted for an option though. There is also a quite unnerving statistic with developers, as their answers were split in thirds. Could it be that 1/3 of developers believe HackerSafe means security?

Question #11
And there we have it, web security people don’t trust Google, roughly 75% of them anyway. The kicker is most still use them in some way, shape or form anyway. Maybe in many ways we are just like the average user. We’ll tend to sacrifice security for convenience just like they do.

Question #12

Some like the idea, some hate it, and others have a love-hate relationship. Either way it appears there are enough people interested in a certification that it’s time for someone to do it and do it well. Sooner or later there will be 1 or perhaps 2 industry acceptable certifications. Who will it be!? Probably the first one to do it right will.

Question #13

The answers were all over the map and I don’t think I asked this question in the best way. Still, the majority of C-level executives are at least giving the web security problem a good look. What I’d really like to know, similar to question #5, is what exactly is causing people to care and dedicate more resources. Maybe it’s an incident, industry regulation, keeping up with the Joneses, who knows! I aim to find out.

Question #14
80% of us figured the industry noise was tolerable or we’ve become numb to it. The rest, well, they are not long for the industry anyway. You must get used to it or you’ll go crazy; maybe some of us already have.

Question #15
Who’s winning? Few think it’s the good guys. What more can we say here but that this is really sad and we have our work cut out for us.

Question #16

The forced ranked list. Some were close in the center, but this is what we got. Awareness is still a HUGE issue and I tend to agree.

1) General awareness and education
2) Implementation of security inside the SDLC
3) Source code analysis
4) Black-box vulnerability assessment / pen-testing
5) Web application firewalls
6) Enforcing industry regulation

Question #17
Read the comments, it’s worth it. :)

Friday, July 18, 2008

Web Application Security Professionals Survey (July 2008)

It’s been a long while since I posted a webappsec survey, Oct 2007. So leading up to BlackHat seemed like an opportune time to hear from the community what they think about the hot button topics of the day. The questions are designed to expose various aspects of the web application security industry we previously didn't know, understand, or fully appreciate – and maybe learn a thing or two about our peers in the process. As always the more people who submit data, the more representative it will be, and that means please share the link. All the past surveys have been quite revealing.

- Open to anyone working in, around, or near the web application security field.
- If a question doesn’t apply to you or you don’t want to answer, leave it blank.
- Comments in relation to any question are welcome. All data will be published.
- Submissions must be received by July 25, 2008 (1 week), results posted shortly thereafter.

Publishing & Privacy Policy
- Results based on aggregate data collected will be published.
- Absolutely no names or contact information will be released to anyone, though feel free to self publish your answers anywhere.

Tuesday, July 15, 2008

0wN3d by 5 characters

RSnake: My number one problem with WAFs is they don't protect against _all_ the vulns.

Jeremiah: Sure, but secure code doesn't fix all the vulns either

RSnake: Depends on _how_ secure! I could easily create a piece of code that was 100% secure. You wouldn't find it fun to interact with, but it would be secure.

Jeremiah: while (1) { exit; }

RSnake: Sure, if you want to get crazy. I was thinking: exit;

Jeremiah: dammit, 5 characters.

RSnake: I rule

Sunday, July 13, 2008

Roxer - still the easiest way to make a web page

Jer Blog Roxer:

It’s been several months since I’ve written about Roxer. Currently Lex does all the coding since I’m investing just about every waking moment at WhiteHat. Primarily I help on Roxer strategy and solve extremely difficult JavaScript problems. Since the beginning we’ve been completely enthralled by the types of pages users build and the features they ask for. Iterative development is a lot of fun, as is prioritizing enhancements into buckets that draw a crowd, improve the user experience, and keep people coming back. Astonishingly we’re up over 13,000 users, not bad for near-zero marketing, and that’s if you count my single blog post. :)

It’s really cool seeing people from all over the world using something you’ve built. Actually we think over half of our users are outside the U.S. Teachers are posting classroom curriculum. Students are making online book reports. Bands are creating their online presence. Gamers are creating fan pages. And of course there is some other stuff in there we have to remove from time to time that’s not PG-13 rated. :) A lot is being published and it’s become impossible for even us to track.

Our next challenge is trying to figure out a business model that makes sense. Fortunately though, since everything is so darn cheap to run on the Amazon cloud platform, we haven’t really felt pressured to do so, have focused more on product, and have kept the service free. Premium subscription pricing seems to be the way we’ll go, much more attractive than advertising, but we’ll probably try that too. Maybe I’ll post again when we hit 50K users, that’ll be something!

Monday, July 07, 2008

Some unanswered questions

Some thoughts from over the holiday weekend.

1) Is time (adding or taking away) the only defense against web application timing attacks?
2) What good is using SSL to encrypt usernames/passwords when all other sensitive data is not?
3) Who is getting fined for how much due to lack of PCI-DSS compliance?
4) If automated vulnerability scanning of an application is a test of the tool's intelligence, is manual testing a test of the human's intelligence?
5) When oh when will the TCv2 finally be finished!? :)

Web Security Specialist ~ Tenacious Hunter Needed

We're hiring, especially those who want to hack into websites for a living. That's right, paid to hack. If you don't know how, that's OK because we're ready to train. If you or someone you know might be interested in the opportunity, fill out the form on the job listing page. Note: you must reside in the S.F. Bay Area or be willing to relocate.

"WhiteHat Security has an amazing opportunity for the creative person itching to take a crack at poking holes in websites while on the prowl for gaping security vulnerabilities. In this role you will have access to thousands – yes, thousands – of well-known websites. Your job will be to actively root through them looking for all the ways a blackhat might use to break into a site. In this role you will master the basics of web application security and secure software engineering and learn what it takes to become a skilled hacker--an incredible launching pad for your career in the web application security industry."

Thursday, July 03, 2008

Whitepaper: Vulnerability Assessment Plus Web Application Firewall (VA+WAF)

For those interested we’ve released a whitepaper on how Vulnerability Assessment plus Web Application Firewall (VA+WAF) function independently and collectively. We spend a few pages describing the technical fundamentals of both, which many should find educational – especially on the WAF side, with industry material in painfully short supply. Very few people really understand the nitty gritty details of how WAFs work and are deployed in the real world. I've learned a great deal in the last couple months talking with those who have. There is a little F5 ASM marketing in the paper so beware! :) Enjoy, snippets:

“WAFs at their core are designed to separate safe Web traffic from malicious traffic before it’s received by the website. And, if an attack does find a way to sneak past a WAF, it still has the ability to prevent sensitive information from leaving the trusted network. To get a better understanding of how the technology works, it’s helpful to view a WAF’s functionality as three discrete components - policies, policy generation, and policy enforcement. Depending on the particular WAF in use, they may go about implementing each component in a number of different ways. No one particular way has proven to be the right way, as each has its pros and cons.”

“Every effective vulnerability assessment program requires a cohesive combination of people, process, and technology. Qualified people are necessary to carry out day-to-day tasks, manage the technology, and interpret the results to make them meaningful to the business. Process is required for coordinated efforts between executive management, IT Security, and software development groups to share information, prioritize vulnerability fixes, and enable organizational improvements. The right technology is essential for consistency, efficiency, and comprehensiveness. Whether an organization chooses to perform vulnerability assessments with internal resources, a consultancy, or a Software-as-a-Service vendor, the overall vulnerability program must always account for people, process, and technology. If not, the effort will cost more in time and dollars than it should. Or worse, simply not work.”

Wednesday, July 02, 2008

PCI-DSS references the outdated OWASP Top Ten

I’m sure other people have noticed this, at least I hope so, but never mentioned it publicly. If you read PCI-DSS 1.1 section 6.5, the part that covers “Cover prevention of common coding vulnerabilities in software development processes”, you’ll notice the list is identical to that of the OWASP Top Ten 2004, while the latest version is 2007:

6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (for example, structured query language (SQL) injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management

I guess technically speaking, anything that’s in v2007 and not in v2004 you don’t have to worry about. That means you still have to code against Buffer Overflows and Application DoS, but not Malicious File Execution, Insecure Direct Object Reference, or Cross Site Request Forgery (CSRF). Ahh, fun fun. Gotta love compliance. :)

Web Application Security Today - Are We All Insane?

CSO magazine was kind enough to publish an opinion piece where I present a top-down view of the current state of web application security. I nervously expect a “spirited” flow of blog comments because it questions the value of certain best-practices and deeply held personal philosophies. Fortunately though our general public discourse has advanced a great deal recently and the community at large is a lot more informed of the challenges at hand. I pulled out a snippet to give a feel.

"It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us. Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion. We're losing two dollars for every dollar spent."