Surviving the Week – 09/30/2011

The hacks are continuing to take place on more and more critical sites.


Surviving the Week – 09/23/2011

Sorry for the missing posts the last couple of weeks, I need to figure out how to manage these weekly posts during travel periods. So this week will include a couple items from the missing weeks.


Not your Granddad’s WebApp Video

This talk was previously mentioned, but now a recorded video is available.

Not Your Granddad's Web App

The next generation of applications has started to rule the web, and these applications look very different from their ancestors.
In the “good ol’ days” web apps had their problems, but they were easier to understand, and great resources (tools/practices/trainings) were quickly made available to help.
The new age of applications sits on top of HTTP and HTML with technologies such as AJAX, Flash, Silverlight, etc., and their developers are often as naive as teenage girls wearing midriffs and mini-skirts. Today’s applications dazzle with their rich user interfaces, their ability to push logic to the client and their asynchronous retrieval of information. But these younger applications inherently have the same security problems, which are now obfuscated by fancy-looking interfaces, and the resources (tools/practices/trainings) available to help are even more limited.

Security B-Sides Vegas 2011 Review: Cultural Cues from High Risk Professions

Conference: B-Sides Las Vegas
Title: Cultural Cues from High Risk Professions
Speaker: Gal Shpantzer

In this B-Sides LV talk, Gal Shpantzer employed the Swiss cheese model of catastrophe as a parallel for the information security industry. The model was originally developed by James Reason of the University of Manchester and Dante Orlandella [1], and is used to analyze the causes of systematic failures in aviation, engineering and healthcare. The model likens organizational problems to Swiss cheese: each problem can be viewed as a hole in a slice. The layers in the systems and processes are designed to catch mistakes before they become catastrophic, but if the holes in each layer align, serious problems can result, much like a hole going all the way through the whole piece of cheese.

For example, Korean Air at one point in time had 17 times as many catastrophic incidents per million miles as United Airlines. Investigation revealed that it came down to differences in processes and protocols. At United Airlines, volunteering information, seizing the controls under emergency circumstances, and so on were incorporated into the official cockpit protocols: the captain was the authority but could be questioned. At Korean Air, by contrast, there was an atmosphere of over-deference in the cockpit where one does not question the captain; this was also discussed in depth, in the context of cultural influence, in Malcolm Gladwell’s book Outliers. And it wasn’t just Korean Air where this happened: there were other airlines headquartered in countries where respect for authority is just as ingrained in the culture, like Colombia.

In the info security space, Gal Shpantzer proposed protocols where there is responsibility but people are not afraid of being penalized for volunteering information. Pain and hostility shut people down and lead to Swiss cheese. In the medical profession, it was found that the more expert the physician, the more likely that physician was to miss simple things like administering aspirin before/after operations to reduce the probability of cardiac problems.

Summary: I find little to disagree with. This is one of those common-sense, obvious-when-you-hear-it talks that is nonetheless worth mentioning, because when you don’t hear it, it tends not to get done. No product ideas, but good general security philosophy.

Security B-Sides Vegas 2011 Review: History of Physical Security

Conference: B-Sides
Title: History of Physical Security
Speaker: Schuyler Towne

This was a great entertaining talk.  This guy enters my pantheon along with Joseph McCray (conspicuous in his absence this year) as a must-attend for entertainment and information.

This talk was about the history of lock technology from roughly the year 1500 onwards. Actually, he did mention ancient Egypt, but mostly ~1500 onwards. Up to a point, locks were “security by obscurity”. Once you knew how the lock worked, it was easily defeated.

Then in England some guy invented a lock more along the lines of a modern lock, with tumblers and whatnot, that demands a specific key to unlock and where knowing the design doesn’t help you, as you still need the specific key to open it. These of course are also defeatable, but the security-by-obscurity approaches were as trivial as: if you knew where to poke a stick into the lock, you could open it. There was then a long period in which there was no advance in physical security. People got smug or didn’t want to be told that their locks were insecure, and this created a climate which stifled advancement.

Advances then resumed around the end of the 1800s. The summary of this talk and its relevance to our business is: this is another “metaphor” talk. It is about (physical) locks, but security by obscurity and its weaknesses are quite relevant to information security as well.

Any Schuyler Towne talk is highly relevant to any software engineer at a vulnerability assessment company particularly if they are out of coffee (as they were when I attended the talk) because he wakes you up and entertains you and gives you a bit of cognitive inertia that you can carry forward into the next boring-but-informative talk and thereby get more information out of it.

Mitnick on Colbert

Surviving the Week – 09/02/2011

Welcome to “Surviving the Week”!

Each week I will be collecting the top news/stories/articles/blog posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully they will be of interest to my readers. A great replacement for Jeremiah’s defunct “Best of Application Security” series.

Security B-Sides Vegas 2011 Review: Are There Still Wolves Among Us?

Conference: B-Sides
Title: Are There Still Wolves Among Us?
Speaker: Val Smith from AttackResearch

This post is part of our series where we are summarizing some of our favorite talks from Black Hat, B-Sides and Defcon this year. For those of you who weren’t able to make it to Vegas this year, we hope you find these useful.
This talk was about blackhats – what they are, who they are and what motivates them. Blackhats, like Anonymous and Lulzsec, are usually people who hack to be destructive as opposed to their whitehat counterparts, ethical hackers who test corporate and government IT assets to aid in security efforts.

Val Smith outlined the following as the motivators for these destructive hackers.

WAF != Firewall

A “Web Application Firewall” is not a “Firewall”!

Why are “Web Application Firewalls” (WAFs) called “Firewalls”? I think the term firewall was initially used by vendors because it was something already allocated in their potential customers’ budgets, and WAF vendors wanted to avoid association with what they truly are: an Intrusion Prevention System (IPS) for HTTP/web apps.

Firewall [Wikipedia]

“a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.”

A firewall is clear and focused. It blocks traffic according to very clear and concise rules and does not really understand the content. It just decides whether traffic from Computer_A/PortX should be allowed to communicate with Computer_B/PortY.

Intrusion prevention system (IPS) [Wikipedia]

“network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.”

This more accurately describes what so-called WAFs really do. A WAF is simply an HTTP-specific IPS. They would be more accurately named one of the following:

  • WAIPS: Web Application Intrusion Prevention System
  • WIPS: Web Intrusion Prevention System
  • HIPS: HTTP Intrusion Prevention System
  • AIPS: Application Intrusion Prevention System
  • HAIPS: HTTP Application Intrusion Prevention System

Over the last few decades, firewalls have become a trusted solution for improving security at the layer they are used to protect. IPSs, on the other hand, have a long history of being viewed with some skepticism. I think modern high-quality IPS solutions have overcome most of the false positive/negative issues of the past and tend to be very good when organizations implement them. However, because of that history, customers have a clearer understanding of what it is they are actually implementing and what to expect, and they understand the need for maintenance and tuning.

All too often, I see that the years of trust built up in a firewall’s ability to be installed, configured and then forgotten have transferred to WAFs, and people are implementing them with the same faith they would a traditional firewall, not with open eyes to the fact that WAFs require care and feeding just as an IPS does.
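As an added example (not code from the original post), here is the distinction in miniature: a firewall rule table that only sees addresses and ports, beside a WAF-style inspector that decodes and pattern-matches the HTTP request and carries an operator-maintained exception list, which is the tuning the post says WAFs need. The rule table, the signature names and the sample requests are all constructed for this illustration.

```python
# Added illustration (not from the original post): a packet filter decides on
# addresses and ports only, while a WAF/IPS inspects HTTP content and needs tuning.
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class FwRule:
    dst_ip: str
    dst_port: int
    action: str  # "allow" or "deny"


def firewall_decide(rules, dst_ip, dst_port):
    """Classic firewall: first rule matching (address, port) wins, default deny.
    The payload is never examined, so any HTTP request to 10.0.0.5:80 passes."""
    for rule in rules:
        if rule.dst_ip == dst_ip and rule.dst_port == dst_port:
            return rule.action
    return "deny"


# Hypothetical signatures in the style of an HTTP IPS (what the post says a WAF is).
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def waf_inspect(request_text, signatures=SIGNATURES, exceptions=()):
    """Content inspection: return names of matching signatures after decoding
    the request. `exceptions` are (signature, url_prefix) pairs the operator
    has tuned out after investigating false positives: the 'care and feeding'."""
    path = request_text.split("\r\n", 1)[0].split(" ")[1]
    decoded = unquote_plus(request_text)
    hits = []
    for name, pattern in signatures.items():
        if any(name == ex and path.startswith(prefix) for ex, prefix in exceptions):
            continue
        if pattern.search(decoded):
            hits.append(name)
    return hits


# Constructed sample traffic to a web server at 10.0.0.5 (not real captures).
RULES = [FwRule("10.0.0.5", 80, "allow"), FwRule("10.0.0.5", 443, "allow")]
FORUM_POST = (  # a legitimate forum post that happens to discuss SQL syntax
    "POST /forum/post HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    "body=How+do+I+combine+two+queries+with+UNION+SELECT+in+SQL%3F"
)
TRAVERSAL = "GET /static/../config HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

The firewall allows both requests because both go to port 80; the WAF flags the forum post until the operator adds the `("sqli-union", "/forum/")` exception, which is exactly the kind of ongoing tuning a packet filter never needed.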

Please don’t get me wrong, I am not criticizing the value of implementing a WAF in your organization. On the contrary, I believe they can be a very important and effective part of your layered security and defense-in-depth strategy, especially when trained to understand the malicious traffic.

When we work with our customers on their application security strategy, we try to help them understand what their WAF is and what it isn’t so that they have reasonable expectations and can build an effective application security strategy.

I would love to hear some of your opinions… Is a WAF a firewall?