This one is a rant, so if you don’t want to hear me whine about Delta exit stage left. So one week ago today, I was in Vegas waiting on a Delta flight. My flight the previous day was going to make me miss my connecting flight and I would have to stay overnight in Atlanta. Let’s see, overnight in Vegas or overnight in Atlanta? Ha, Vegas. Even though I’m missing billable time, I get another night in Vegas. Next day, flight’s delayed again and I get home 7 hours later from the altered flight, 24 hours from my original flight.
Fast forward 6 days, about to leave for the airport headed to Vegas again. Get an email from Delta that my flight was cancelled and I’m rebooked for the next day. So I’m out one night of hotel stay and I’m going to miss over half of DefCon. My buddies that I’m flying with get booked for an earlier flight and get upgraded to business class. I get a standby ticket and no business class. I call SkyMiles to complain, they say tough crap. I ask the girl why I should continue to fly Delta, her reply is “I don’t know”. She took the words right out of my mouth.
This morning get to airport 1 hour before flight and there’s one girl working the desk and there’s a huge line. Tried the kiosk, told me to see an agent. Plane leaves when I’m next in line.
Long story short, fool me once shame on you. Fool me 5 times, shame on me.
I’m sick and tired of not only getting screwed by Delta, but also the fake apologies. They don’t give a damn about any of us. Because I can’t get a reliable flight, I have to now drive 2.5 hours to Atlanta to fly. Does anyone know of a better airline? I’m on the market…
Eric Life balls, delta, sucks
On the Daily Dave mailing list there’s an interesting discussion about the value of static analysis. For those unaware of what static analysis is, static analysis is analyzing source code to find potential vulnerabilities. Like every technology, static analysis has it’s pros and cons. I don’t actually subscribe to the mail list (I only use RSS), so I’m going to write a little about my views on static analysis.
Pros
In the security world, the big fight is between static versus dynamic analysis. By dynamic, most people talk about penetration testing. The results from automated penetration tools usually contain low amounts of false positives, but your test is dependant on the tests ran by the tool. Pen-testing tools can and do miss vulnerabilities. Static analysis on the other scans ALL code. If there are vulnerabilities in the corners of your application that are typically not used, then static analysis has a higher probability of finding these vulnerabilities. In addition to finding obscure vulnerabilities, static analysis can also find more categories of vulnerabilities. Automated pen-test tools are limited because they can only see http responses. Static analysis tools can apply rules that are more focused on your development platforms.
Cons
The biggest argument against static analysis is it produces too many false positives. The common misconception here is that the tool is not saying “this is vulnerable”, the tool is actually saying “this is potentially vulnerable and needs to be audited to be sure”. Yes this creates a lot of work, but this argument really only applies to first time scans. Most of the major static analysis applications are rule based and give better results over time. After the initial triage, you suppress false positives and create custom rules to make the scan more context specific. For example, on the mailing list someone referred to static analysis tools producing false positives on custom memory management libraries. This is true, out of the box most scanners are going to flag this because they don’t know what the library does and want human eyes to verify. If you’re using Fortify SCA, you can write a custom rule to eliminate those false positives in the future. Because I’m a Fortify consultant, I know that the more you tailor our static analysis software to your application the better your results set. Static analysis shouldn’t be a one shot scan, it should be used continually throughout development and testing.
Conclusion
In the end, it’s not static analysis versus dynamic analysis. In reality, you should be using BOTH. Static analysis is going to give you a sense of how secure you code is. Penetration testing is going to find easily exploitable vulnerabilities. If you are concerned about false positives with static analysis, check out Fortify Program Trace Analyzer (PTA). PTA does static analysis automatically as you are doing functional testing. The results are extremely conservative. If PTA finds a vulnerability, you can usually take it to the bank.
Eric IT Security dynamic analysis, Fortify, static analysis
AP is reporting that the Treasury Department, Secret Service, and “other” agencies were the victim of a Denial of Service attack over the 4th of July weekend. The South Korean government was also attacked, fueling speculation that the attack came from North Korea.
Is North Korea getting smart? Even though they are making advances in their missile technology, they would still get spanked if they went to war with pretty much any of the major nations. In cyberspace though, they could rival the abilities of the major nations.
Even with a small group of hackers, North Korea could plan massive attacks against pretty much anyone they want. Imagine them developing or purchasing a botnet, then using this botnet to launch a Denial of Service attack. These attacks are nearly impossible to block and it would be difficult to trace the attack back to North Korea.
Given the success of this attack, I would expect to see more of this from North Korea in the future. This further underscores the importance of the DoD cyberspace initiatives.
Update: Plot Thickens
There’s more info out now that says this could be a botnet and that some South Koreans are being hit with a virus. The attack is also ongoing…this should be interesting.
Eric IT Security cyberspace, Denial of Service, DOS, North Korea