Jeremiah Grossman: 12/01/2009

Friday, December 25, 2009

Best of Application Security (Friday, Dec. 25)

Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.

Wednesday, December 23, 2009

(Fortify + WhiteHat = Fortify on Demand) or (1 + 1 = 3)

In case you haven’t seen the news, Fortify recently launched a one-stop SaaS shop (Fortify on Demand) for software security testing (support for Java, .NET, and PHP). This snippet from their site spells the offering out nicely:

“Fortify on Demand is a set of hosted Software-as-a-Service (SaaS) solutions that allow any organization to test and score the security of all software with greater speed and accuracy. This automated turnkey service offers an efficient way to test third-party application security or to complete baseline assessments of all internal applications. It is the only offering available on the market that correlates best-of-breed static and dynamic analysis into a single dashboard. Fortify on Demand's robust reports prioritize vulnerabilities fixes based on severity and exploitability, with line of code level details.”

The static analysis technology obviously comes from the market leader’s SCA product line, but guess who’s behind the dynamic part. Give up? :) That would be WhiteHat Security of course!

“Fortify selected WhiteHat Sentinel because it is the only software-as-a-service (SaaS) solution to deliver the highly accurate, verified vulnerability data required to ensure effective website security and actionable information for both developers and security operations as a service.”

Needless to say we are very excited! This technology combination and delivery model addresses a number of under-served customer use-cases, such as third-party validation and testing of COTS. As I’ve blogged before, it’s time to move beyond the nonsensical adversarial debates about which testing methodology (black or white) is best and instead focus on the synergies. We’re putting our R&D money where are mouths are and have grand plans to directly benefit our customers.

Today’s integration is already yielding a solid level of vulnerability correlation, right down to a line or code block, which helps prioritize findings into actionable results -- such as what vulnerabilities are confidently exploitable. Looking ahead, consider that static analysis can measure exactly how code coverage is being realized during the dynamic analysis -- furthermore pointing out the gaps in unlinked URLs, back doors, extra form parameters, etc. This will lead to way better and measurable comprehensiveness for both static and dynamic analysis. And don’t even get me started on the metrics we’ll be able to gather. We’re just at the beginning of understanding what is possible!

This will be the basis of Jacob West and my “Fortify on Demand Launch Webinar” (Jan 14.) and RSA presentation “Best of Both Worlds: Correlating Static and Dynamic Analysis Results” (Mar. 4). We’ll be learning a lot in the coming months and will be ready to share our discoveries with the audience.

Friday, December 18, 2009

Best of Application Security (Friday, Dec. 18)

Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!

Thursday, December 17, 2009

Attention security researchers! Submit your new 2009 Web Hacking Techniques

Update 01.04.2010: Voting process is commencing this week! Expert judges are Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Romain Gaucher, Steven Christey, Jeff Forristal, and Michal Zalewski.

Update: Awesome news, Black Hat is generously sponsoring the effort! The researcher topping the list will be awarded a free pass to attend the BlackHat USA Briefings 2010!

Just 2 weeks left in 2009. Time to start collecting all the latest published research in preparation for the coveted Top Ten Web Hacking Techniques list!

Every year Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. We are not talking about individual vulnerability instances with CVE numbers, nor intrusions / incidents, but the actual new methods of Web attack. Some target the website, some target the browser, or somewhere in between.

Historically many of these works would permanently reside in obscure and overlooked corners of the Web. Now it its fourth year the list provides a centralized reference point and recognizes researchers who have contributed to the advancement of our industry.

The top ten winners will be selected by a panel of judges (names to be announced soon) on the basis of novelty, potential impact, and overall pervasiveness. Those researchers topping the list can expect to receive praise amongst their peers as have those in past years (2006, 2007, 2008).

Then coming up at IT-Defense (Feb.) and RSA USA 2010 (Mar.) it will be my great honor to introduce each of the top ten during my “2010: A Web Hacking Odyssey” presentations. Each technique will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. Audiences get an opportunity to better understand the newest attacks believed most likely to be used against us in the future.

To make all this happen we are going to need a lot of help from the community. At the bottom of this post will be the living master list of everything published. If anything is missing, and we know for a fact there is, please comment containing the link to the research. We understand that while not every technique is as powerful as another, please make every effort to include them anyway, nothing should be considered too insignificant. You never know what method might be found useful another researcher down the road.

Thank you and good luck!

The Complete List

Tuesday, December 15, 2009

Why Microsoft should consider retroactively installing AdBlocking software by default

I’ve been following the developments of Google Android and Chrome OS with much interest lately. Less from a security/technology perspective and more as a lesson in business. One way Google is expanding Android’s presence in the mobile market is by sharing ad revenue with mobile carriers (ie Verizon). Instead of incurring software licensing costs (of BlackBerry, Windows Mobile, Palm OS, etc) carriers may receive revenue when their Android users click on ads. Carriers love this because they get paid to install an OS rather than the other way around! This business model has been called “Less Than Free” and Microsoft should take notice of it because their Windows / Office business model could be at huge long-term risk. Let me explain.

Microsoft obviously makes significant revenue OEMing Windows to PC manufactures (Dell, etc.). At the same time Microsoft feels some level of price pressure from free good-enough operating systems like Linux installed on ultra cheap PCs. Now imagine for a moment if Google decided to leverage Less Than Free for Chrome OS. Google could feasibly pay PC manufactures to install Chrome OS through an advertising revenue sharing program. PC Manufactures, instead of paying a fee to MS for Windows, get access to a new revenue stream when Chrome OS users click on ads. Additionally, my understanding is you can’t install desktop software on Chrome OS so the huge money maker that is Microsoft Office is gone on that footprint as well. Such movements would not happen overnight, but the writing is on the wall.

Microsoft is of course not without options when it comes to aggressively fending off the Google powerhouse. One way is that Microsoft could leverage their dominant (50%+) Internet Explorer browser market share. They could use Windows Update to retroactively install ad blocking software as a “security feature,” like AdBlocker Plus on Firefox, in all IE versions (6-8). No doubt users the world over would love it! Less annoying ads, less malware distribution (much of which spread by online ads), and a snappier Web experience! How could Google complain, they are all about speed right? :) Oh, right, because it would cut Google and their dual-revenue stream (AdSense / AdWords) off at the knees.

Many users, even Firefox users, might actually flock to Internet Explorer if they knew this feature was available! Most don’t even know AdBlocker Plus exists. This new ad blocking “security improvement” may also pressure Firefox, the other major browser, to do the same as not wanting to be one-up by MS in the security dept. At least one Mozilla exec is encouraging the use of Bing. Giorgio speculates that is might be why Google Chrome doesn’t have NoScript-like support yet, because they can’t figure out how to do it without enabling effective ad blocking. Makes sense.

Sure, Web publishers whose life blood is ad revenue would hate Microsoft, at least temporarily -- but fear not! Those billions in advertising dollars flowing to Google would still need to land somewhere, but where!? MS could open a “blessed” safe, secure, and user targeted advertiser network! So if Google, or anyone else, wants their ads shown to an IE audience they’d have to pay a tax to MS for the privilege. Still I’ve long wondered by pay-wall Web publishers didn’t heavily advocate the use of ad blockers to put pressure on their free content competitors.

I’ve also glossed over a number of important factors that come into play should any of this play out, like antitrust, but Microsoft is presently is 1-0 so maybe that possibility doesn’t scare them. Meanwhile during whatever legal proceedings, Google would be sucking wind revenue wise. As I wrap up this post, please keep in mind that I’m no industry analyst, just a curious observer who hasn’t vetted their ideas nearly enough.

Jeremiah Grossman