Clerkendweller : Web Security, Usability and Design

Next Week - Cam AppSec

2012-02-22T22:00:00-00:00

Next Tuesday I am speaking at a special event to promote building in security during development.

Building in Security for Application Development has been organised by the Department of Computing & Technology at Anglia Ruskin University in association with the Open Web Application Security Project (OWASP).

Following a welcome and introduction by Adrian Winckles, Dennis Groves will provide an overview OWASP and then present the Application Security 02 Project Framework. Fabio Cerullo will talk about Open Software Assurance Maturity Model and Enterprise Security API and I will describe AppSensor. There will be plenty of time for questions and discussion about all kinds of application security concerns and ideas.

The event runs from 4pm until 7pm and is followed by informal drinks and networking. It is free to attend, but prior registration is required.

Data Protection Framework Call for Evidence

2012-02-21T08:01:00-00:00

In response to last month's proposals for reform to data protection legislation by the European Commission, the UK's Ministry of Justice has announced a call for evidence on the proposals.

The call for evidence is seeking information from data controllers, data processors, rights groups, information policy experts and others on what might be the impacts and benefits of the potential changes. The aim is to provide the Government with information it can use during the forthcoming negotiations relating to the proposed framework.

Let's hope this helps to develop a practical, workable framework. Whatever the outcomes, building privacy concerns into systems and processes from the start will reduce the subsequent administrative burden. Have your say now — rather than when it is too late. Responses can be submitted by post, email and using the online form to answer the questions:

How will the proposals affect you, or the bodies you represent?
Wherever possible we would like quantifiable costs and benefits and real-life examples of the potential impact of the proposals.

The call for evidence closes on 6th March 2012.

APM Through the SDLC

2012-02-17T06:05:00-00:00

On Wednesday evening I attended another meeting of the London Web Performance Group at the Lamb Tavern in Leadenhall Market.

The subject was Application Performance Management (APM) across the Software Development Life Cycle (SDLC). Martin Pinner described a history of application performance & service availability measurement and management, and how it includes end user experience monitoring, transaction profiling, application discovery & instrumenting, deep-level component monitoring and analytics. He explained that APM needs to be addressed through the SDLC — during development, in test and under operation — across all architectural tiers, and across development, staging/UAT and production environments.

At one point he surveyed the audience of about what technologies they were working with for web, application and database servers:

Apache HTTPD was most in use, far ahead of IIS and anything else
PHP and Java were roughly equally used, trailed by .Net and then others like Node.js and C++
MySQL was most in use, followed by MS SQL Server, with a small number of people using everything else (Oracle, DB2, CouchDB, MongoDB, Hadoop systems, etc)

The presentation included pointers to many useful free and commercial products for different APM requirements, and rather than trying to repeat that, you will be able to download the slides once have been published (I will update this post).

A friendly group, and much for me to learn about in this area.

[In]Vulnerable SDLC

2012-02-14T07:22:00-00:00

Weaknesses in software security? Long-term security advocate and practitioner Eoin Keary has written an article about the weaknesses in our approach to application security.

Eoin describes the problems with past and current approaches, and has come to believe organisations should use a structured and repeatable method for addressing security in the software development lifecycle (SDLC) encompassing:

Secure design
Developer training
Common module/framework design and implementation
Code review
Integrated functional/security/anti-functional testing.

He also proposes that manual efforts are used in the SDLC, and in verification activities for runtime scanning, rather than in undertaking manual penetration testing. Eoin also highlights the need for ongoing, continuous monitoring, feedback and analysis in what he terms Enterprise Security Intelligence (ESI) — maybe that is Eoin's Secret Ingredient?

Read, learn, respond and implement what will work with your own organisation's risks and culture.

A Software Security Kitemark?

2012-02-10T07:45:00-00:00

Last Thursday, the UK's House of Commons Science and Technology Committee published its report on malware and cyber crime following an enquiry and public consultation.

The committee welcomed the publication of the Government's cyber security strategy at the end of last year, but instead wanted to address the concerns of everyday internet users in its report. In particular the committee believes that better awareness of issues and solutions amongst computer users will provide the greatest benefits to society. It highlighted the plethora of onformation sources, and guidance that might be too technical to understand or too difficult to implement effectively.

The issue of a kitemark for software that meets certain security standards is raised again (paragraphs 67-68) although there is a concern that this might be more of a benefit to larger software development companies. The report suggests the ability and resource to "produce an online testing system already exists" (paragraph 69) and that the provision of an automated system to assess the security of software could be developed by Government or in partnership with private industry, or entirely by private concerns (paragraph 70).

Security labelling and the ability to automatically scan software for all security problems are not trivial issues, and we mustn't forget about design flaws and insecure deployment, but the committee is correct, consumers need better, trustworthy advice.

Software Reliability Saves the Human Race

2012-02-09T20:56:00-00:00

This evening I popped out to see the Kinetica Art Fair, an event I had been unable to attend in previous years.

The exhibition is very hands-on and displays kinetic, electronic, robotic, sound, light, time-based and multi-disciplinary new media art, science and technology. I thought I would share some of my photographs of some of the exhibits. Some were definitely weirder than others.

Many of the light-based exhibits were very beautiful, but these mechanised wings were perhaps my favourite item.

There were a few animated humanoid devices like these:

My Robot Companion above was meant to interact with you and use the camera mounted on its chest to project your own face onto the front of its head. Unfortunately, it seemed to have crashed, and was displaying a Microsoft Visual C++ runtime error and abort message (more legible from the inside of the "skull" as shown below).

I wonder if it was a memory leak? It seems we are perhaps still safe from being taken over and enslaved by highly intelligent robots, well at least not ones programmed by humans. Maybe they shouldn't have used a netbook.

Back to the text stuff tomorrow...

Developers' Software Security Weekly

2012-02-07T07:49:00-00:00

Mark Curphy has launched a very welcome weekly security newsletter for software developers.

Software Security Weekly is a compact review of security news, blogs, books, videos, presentations, cheat sheets, guidance notes and tools for software developers. The choice of topics included in this first edition looks promising, and is hopefully in enough detail to tempt practicing developers to increase their own software security knowledge.

I know it's not really meant for security folk, but I must say I found some useful things to follow up myself.

Subscribe here and pass the link on to your fellow developers. Or, print the page out and post it up somewhere prominent. Every Friday.

BITS Software Assurance Framework

2012-02-05T20:56:00-00:00

BITS, the technology policy division of the Financial Services Roundtable, an industry body representing the US financial services industry, has published a Software Assurance Framework.

The 50-page guidance document describes an outline of recommended components of what they describe as a "mature, strategic program for secure software development" for software used within the US financial services industry. The framework was a collaborative effort that involved several financial services companies in conjunction with Microsoft, and it references the Microsoft-sponsored Forrester Consulting research which indicated that the use of a prescriptive secure software development lifecycle achieves the greatest return on investment (see also the similar Aberdeen Group research).

This is not a hands-on "how to" for software architects, developers, testers or operational staff, but instead describes a framework of activities that contribute to the specification, production, deployment and operation of secure software throughout the development lifecycle. In that respect, the comparable documents to refer to are BSIMM, MS SDL and Open SAMM, and indeed these are referenced in the BITS framework. Some organisations also build their software assurance efforts around the Capability Maturity Model Integration (CMMI).

So what does BITS consider to be the key components of a software assurance framework? Eight are defined and explained:

Education & Training
Security Software Assurance Development Standard
Threat Modeling
Coding Practices
Security Testing
Pre-Implementation Practices
Software Assurance Documentation Archive Best Practices
Post-Implementation Phase Controls

There is of course considerable overlap with the references mentioned above which describe actual practices in place, how Microsoft undertakes secure SDLC and a maturity model for software assurance respectively. I have tried to indicate below how the BITS key components broadly map to Open SAMM:

BITS Component	SAMM v1.0 Business Function: Security Practice
Education & Training	Governance: Education & Guidance
Security Software Assurance Development Standard	Governance: Strategy & Metrics Governance: Policy & Compliance Construction: Security Requirements Construction: Secure Architecture
Threat Modeling	Construction: Threat Assessment
Coding Practices	Governance: Policy & Compliance Governance: Education & Guidance
Security Testing	Verification: Design Review Verification: Code Review Verification: Security Testing
Pre-Implementation Practices	Deployment: Operational Enablement
Software Assurance Documentation Archive Best Practices	(Through all above security practices)
Post-Implementation Phase Controls	Deployment: Vulnerability Management Deployment: Environmental Hardening Deployment: Operational Enablement

So quite a lot of overlap. There is an existing mapping of Open SAMM to BSIMM activities which could be used to extend the above mapping onto BSIMM. As the BITS framework has been developed in conjunction with Microsoft, I expected to see a much closer relationship with MS SDL, and yes this is the case.

BITS Component	MS SDL v5.1 Phase: Process
Education & Training	Training: Core Security Training
Security Software Assurance Development Standard	Requirements: Establish Security Requirements Requirements: Create Quality gates/Bug Bars Requirements: Security & Privacy Risk Assessment Design: Establish Design Requirements
Threat Modeling	Design: Analyze Attack Surface Design: Threat Modelling
Coding Practices	Implementation: Use Approved Tools Implementation: Deprecate Unsafe Functions
Security Testing	Implementation: Static Analysis Verification: Dynamic Analysis Verification: Fuzz Testing Verification: Attack Surface Review
Pre-Implementation Practices	Release: Incident Response Plan Release: Final Security Review
Software Assurance Documentation Archive Best Practices	Release: Release Archive
Post-Implementation Phase Controls	Response: Execute Incident Response Plan

There isn't a direct one-to-one mapping here, but I hope the above help navigate the document if you use Open SAMM or MS SDL and want to delve into another source of ideas for secure software development lifecycles. Although the BITS framework might be somewhat heavyweight for some non-financial services organisations, especially on the documentation front, it is perhaps an easier starting point than the closely related MS SDL, to begin working on building security into development (and acquisition) processes. Take what suits, makes sense and fits your own organisation's type of applications and tolerance of risk.

Most of the content will be relevant, and since it is spelt out in reasonable detail, this could be very helpful. Some notable nuggets deeper in the document are:

pp2-3 "teaching techniques of good design and their subsequent use can result in software secure not just against known attacks, but also against unknown attacks and attacks yet to come"
p20 "Security defects are "defects", not just "security defects"
p35 Security vulnerabilities identified in applications in production .... should not be treated as software defects, but as one part of the company's incident response process".

And on page 36 in the section relating to emerging threats in the post-implementation phase controls, there is a comment relating to the OWASP Top Ten and CWE/SANS Top 25 which seems out of kilter with the rest of the framework's text. The document states these as being valuable sources of information but "both represent an earlier generation of software security intelligence". I am not sure each of those sources set out to define the only threats to consider, and are instead a way of introducing the concepts to less-knowledgeable groups and encourage reading of the much deeper related materials. But perhaps this is more of a comment about PCIDDSS which specifically mentions these two sources. I wonder.

As you can see, worth the read.

Web Application Exposed Surface

2012-02-01T12:31:00-00:00

The exposed surface of an application is often called its "attack surface" or "defensive perimeter". I prefer "exposed surface" since the term is a little less judgemental and I think better implies why we need to be careful about it.

Remember that many security weaknesses come about due to unexpected functionality existing, as well as implementation and design flaws. The number of weaknesses is generally proportional to complexity, often measured as lines of code, or in the context of this discussion, this is often proportional to the amount of exposed surface. The exposed surface of a web application would be all the addresses (URLs), methods (e.g. POST, GET, HEAD) and parameters (form, query string, URL path, cookie and other headers) which the application responds to. Quite often this normally means every possible path and combination of parameters you can throw at it, even if the results is just a "not found" error message.

I was reminded to write about this topic, after reading Essential Attack Surface Management recently on Jim Bird's Building Real Software blog. I like his suggested approach of, well at least making a start, even if it is to focus only on the higher risk areas. Things like search engine friendly paths, dynamic URLs and URL rewriting will cause difficulties, but these are not insurmountable, especially if the site's path naming system can be considered, analysed and defined early in the development process. You might also want to focus on the authenticated parts of the application first.

If you can reduce the exposed surface, or even better limit it to only the necessary entry points, this is a huge step forward in defending your application. Your web application will be a combination of the necessary functionality for your business processes, combined with extra functionality (intended or otherwise), but it also needs to be able to handle other types of request gracefully (e.g. site icon, robots.txt file, missing page tests).

The types of things which are commonly exposed, but should not be are:

Templates, used by other scripts
Included code, such as modules and libraries, never meant to be an entry point
Entry points meant for users with a different role or permissions (e.g. system initiated web services, customer-only content)
Unused, but included, functionality.

The exposed surface might also include the following things, but should really never exist in web-accessible locations:

Administrative interfaces
Logs
Temporary files
Configuration files such as encryption keys (yes really), and database connection strings
Backups
Default installation files, including help documentation
Old and archived scripts, test versions of a site, and other unused content.

Some entry points may only be meant for different groups of authenticated users, although there may be some overlap with unauthenticated public users. Every application will be different, but the following attempt to illustrate this for a public website with some functionality used exclusively by authenticated customers.

There are choices on where you enforce limitations on the inbound exposed surface. Some typical places are:

Network firewall
Traffic management device
Web application firewall (WAF), guard or other type of filter
HTTP proxy server
Web server
Application code.

No one of these is the best answer, and in many cases it is better to use a combination of more than one. For example on a web-based content management system, you might use a firewall to limit access from only known office IP addresses, use a web application firewall to limit requests to only well-formed HTTP requests and for known URLs and parameters, use the web server or proxy server to enforce the use of TLS, and let the application enforce the parameter type and range checks, before any business layer authorisation checks and input data validation occurs. The decisions might be different here if requests from internal users do not pass through all the same network devices.

You might even enforce the same restriction in more than one place. For example, you may only open port 443 through a network firewall, as well as having the web server listening solely on port 443, and also the application checking TLS is in use and setting the Secure flag on the session cookie.

But do remember, your web applications will probably also receive requests for entry point URLs that are not on your list, and which are not necessarily malicious, you may have forgotten to take into account, or include unexpected extra or missing parameters. You may want to ensure the web application responds in the correct manner for your own context and user base. Just blocking everything else may not be the correct option.

If you are in a situation of being unable to determine the exposed surface, there are approaches to use application profiling to create a good estimate. At its simplest this may be undertaking a web site crawl, but there has been some work in the area of using web application firewalls to build up a model of the site from actual usage. There is some good information on using ModSecurity for this, and I will try to summarise the information sources in a later post.

Another approach is to fingerprint the page content and monitor for changes such as defacement and cross-site scripting injection. Again, I will look out some references I have for this.

Happy Data Privacy Day Eve!

2012-01-27T07:46:00-00:00

Yes, had you forgotten it's Data Privacy Day tomorrow? See StaySafeOnline for events in the US and Canada. Not sure why it's a Saturday — maybe to give the weekend journalists a story they can prepare in advance, and then take the day off.

While there is a programme of events, data protection has been in the news this week following the publication on Wednesday of the European Union's proposed reform of data protection legislation, promoted under the banner of aiming:

to increase users' control of their data and to cut costs for businesses

There has been extensive documentation and justifications published to accompany the draft directive. There is of course plenty of coverage elsewhere, and I would recommend reading the following:

Initial response from the ICO on the European Commission's proposal for a new general Data Protection Regulation, UK Information Commissioner's Office
EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area European Data Protection Supervisor
Pan-EU consistency in data protection reform welcome, but burden on business a problem, says expert, Out-Law.com

So, what does it mean? For now, these are just proposals, and what will eventually be made into law will be something very different. But it does indicate the way things are going, and is a reminder to website and application owners & developers of the need to take privacy considerations into their projects now, since the cost of changes later may be prohibitive. And, they should be doing this already, but there may be more obligations for those processing personal data in the future. There is potentially more complex functionality required for tracking consent, achieving data portability, handling withdrawal of consent and undertaking data removal.

And, there is the topic of mandatory notification of "serious" breaches.

Data Privacy Day might be a day of reading after all.

Privacy, Labelling and Legislation

2012-01-24T20:08:00-00:00

The proposed new European Data Protection Directive will be announced tomorrow.

Apart from the leaked draft document, there has been plenty of comment (e.g. here, here and here), Viviane Reding, Vice-President of the European Commission, has also been speaking up.

Meanwhile IAB Europe has been busy behind the scenes discussing online behavioural advertising (OBA) and IAB USA has been blogging about its self-regulatory programme. Lots happening then with privacy, advertising and online marketing.

We will find out tomorrow if the leaked document was representative of the final proposals.

London Android Group

2012-01-20T07:30:00-00:00

After attending the London Web Performance Testing Group on Wednesday evening, I went along to the London Android Group (londroid) at Skills Matter.

Mixing Native and Web Technologies, Oh My included three presentations/demonstrations. Great stuff.

Dave Springgay spoke about his experiences at News International developing highly crafted news apps which provide high quality and high performance on native mobile operating systems. He explained their use of HTML5, Android WebView and Java bridging to use JavaScript to inject content (mainly JSON) directly into pre-built HTML templates which are customised for each device, and which can be updated without re-deploying the app.

Jonathan Anthony provided an overview of the advantages of building mobile applications as webapps, using PhoneGap, using Titanium, and finally as native apps. He explained the latter of course give the best performance, better graphics and access to all the hardware APIs (with geo-location and camera being the most popular) along with the ability to have an icon on the desktop, but come at a cost due to the higher rates for developers, and the need to develop for at least two operating systems (i.e Android and the other one). He thought that for many apps, a webapp should be considered, due to speed of development and the cross-platform capability making them perhaps a quarter of the price.

Finally, Doug Chisholm and Clinton Smith described the capabilities of appsplash to develop cross-platform applications using their custom development platform.

So that's the technologies presented, but jQuery Mobile and jQTouch were also mentioned. Plenty to keep tabs on.

Web Performance Testing Group

2012-01-19T08:34:00-00:00

One of the benefits of being in central London during the week is the number of events it is possible to attend.

With too much choice, it is sometimes possible to miss opportunities to expand your knowledge, but yesterday I took the opportunity to attend for the first time, a meeting of the London Web Performance Group being held at the London Canal Museum near King's Cross.

David Burns spoke about web performance testing and continuous integration. He described how he had developed processes for building web performance testing into development processes and is now able to do this with continuous integration.

Although initially this began by asking helpdesk staff to time the loading of web pages using stop watches (long ago in 2006), he now uses Selenium Web Driver in combination with BrowserMob Proxy. The latter allows data export in the HTTP Archive format (HAR) (more information). This data can then be viewed, aggregated and analysed. The long Q&A session provided plenty of time for discussion of the techniques, how Ajax can be monitored, and alternative methodologies.

Perhaps there are some ideas here to investigate for security testing.

Future meetings of this group will be looking at Ajax, and performance testing of mobile applications. I have joined the group to receive future announcements.

New Entry at No 4: Cyber Attacks

2012-01-14T17:52:00-00:00

I have to thank Alexis Fitzgerald for pointing out this weekend's reading — the latest edition of the Global Risks report from the World Economic Forum.

All 50 risks examined in this year's Global Risks 2012 - Seventh Edition fall in the high-impact and high-likelihood areas. This year cyber attacks have been identified as one of the top five risks in terms of likelihood. However it terms of impact, issues like major systemic financial failure, water supply crises, food shortage crises, chronic fiscal imbalances and extreme volatility in energy and agricultural prices have much greater effect.

The rising issue of cyber attacks is related to the ability for this to be undertaken remotely and anonymously, as well as the much increased "hyperconnectivity" of systems. The objectives of cyber attacks are stated as sabotage, espionage and subversion (e.g. spreading false information and denial of service attacks).

Axioms for the Cyber Age.
— Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
— Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.

This isn't a report for the micro-scale, but examines risks from the perspective of the world and nation states. However, that isn't to say that larger companies and other organisations can't learn something from the report. A detailed analysis of last year's earthquake in north-east Japan, identifies how more highly-networked businesses (with distributed leadership, is loosely coupled, has dispersed workforces, has cross-trained generalists and guides by simple but flexible rules) fared better than more hierarchical centralised policy-driven tightly coupled ones. The questions for stakeholder on page 35 are good tips for consideration in developing and updating incident response and disaster recovery plans — whatever the scale of the organisation or system.

The report may also be of interest to those involved with sector-wide bodies for encouraging building resilience into their member organisations. On that subject, the US Department of Energy and Department of Homeland Security have announced a new initiative to develop best practices in the form of a cyber security maturity model for the electricity sector.

If this global risk is your thing, you may also want to have a look at the Cyber Power Index which attempts to benchmark the ability of the G20 countries to withstand cyber attacks and to deploy the digital infrastructure needed for a productive economy.

Report on Dynamic Application Security Testing (DAST) Solutions

2012-01-10T08:48:00-00:00

Gartner published its report Magic Quadrant for Dynamic Application Security Testing (DAST) at the end of December.

The report is currently available to download free of charge if you register on Veracode's website. But it looks like if your turnover is less than $500 million, or say it is, the sales folk may be less likely to bother you.

The report is a useful summary, but I don't think it does enough to highlight the need for DAST to be just one part of a mix of activities contributing to a secure software development lifecycle, and therefore more secure applications. There's plenty of activity out there combining developer training, secure coding guidelines, vulnerability management, web application firewall dynamic patching and static analysis techniques too.