Surviving the Week – 11/25/2011

I hope that all of you in the US had a great Happy Thanksgiving.
As is normal for a holiday weekend, the news is a bit light, but here is what I was able to gather for this week.

Surviving the Week – 11/18/2011

This week was a busy one for me, as I'm finally done traveling for a while and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.


Twitter shortened links – Security bad practice?

As I spend more time using Twitter, I understand the need for shortened URLs and make heavy use of them. But when I am viewing a tweet, I always hesitate before clicking on those links, knowing that they could easily be used to hide some sort of XSS or SQL Injection payload in the redirect.

It would be a great way to target the accounts of Twitter followers, and even to attack intranet sites as well as public-facing sites. Maybe some good proof-of-concept hacks will need to be created to demonstrate this. Will leave that for another day.

I am sure some of these link-shortening providers have put some effort into blocking XSS payloads from the URLs they shorten, but it's easy enough to have the short URL point to a page on the bad guy's site which will perform a 302 with the payload in the Location header. This story/video on Help Net Security from a couple of years ago tried to warn us.
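
One defensive way to handle the 302 trick described above is to never let a client follow a redirect blindly: fetch each hop yourself and inspect the Location header before following it. The script below is an added example written for this post, not code from the original or from any link shortener. The `fetch` callable, the `FAKE_WEB` redirect chain and the hostnames in it are constructed so the script runs offline, and `classify_target` and `expand_safely` are hypothetical helper names.

```python
"""Expand a shortened link one hop at a time, checking every Location header
before it is followed. Added example; the redirect chain is constructed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

MAX_HOPS = 5
# Fragments that should not appear in a legitimate redirect target; checked
# after percent-decoding so %3Cscript%3E is caught as well as <script>.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|data:|vbscript:", re.IGNORECASE)


def classify_target(url):
    """Return None if `url` looks safe to follow, otherwise a short reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "non-http scheme %r" % parts.scheme
    host = parts.hostname or ""
    if not host:
        return "missing host"
    # The intranet case from the post: a redirect that lands inside the
    # reader's own network. Only literal IPs are checked (no DNS offline).
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "redirect to internal address %s" % ip
    except ValueError:
        if host == "localhost" or "." not in host:
            return "redirect to internal host %r" % host
    decoded = unquote("%s?%s#%s" % (parts.path, parts.query, parts.fragment))
    match = SUSPICIOUS.search(decoded)
    if match:
        return "payload-like content %r in redirect target" % match.group(0)
    return None


def expand_safely(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects manually. Returns (last_url_fetched, hops, reason);
    reason is None when the chain ended at a non-redirect response."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, hops, None
        target = headers.get("Location", "")
        reason = classify_target(target)
        if reason:
            return url, hops, reason  # stop *before* following the bad hop
        hops.append(target)
        url = target
    return url, hops, "too many redirects"


# Constructed stand-in for the web: a shortener, a normal blog, a hostile page
# that bounces to a victim site with a payload, and an internal-address hop.
FAKE_WEB = {
    "https://short.example/abc": (302, {"Location": "https://blog.example/post/1"}),
    "https://blog.example/post/1": (200, {}),
    "https://short.example/xyz": (302, {"Location": "https://evil.example/r"}),
    "https://evil.example/r": (302, {"Location":
        "https://victim.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"}),
    "https://short.example/int": (302, {"Location": "http://10.0.0.5/admin"}),
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET with redirects disabled."""
    return FAKE_WEB.get(url, (404, {}))


if __name__ == "__main__":
    for u in ("https://short.example/abc", "https://short.example/xyz",
              "https://short.example/int"):
        print(u, "->", expand_safely(u, fake_fetch))
```

In a real client, `fake_fetch` would be replaced by a request that has automatic redirect following switched off (for example `allow_redirects=False` in `requests`); the important part is that the check runs on the Location value before the browser ever sees it.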

I wish links didn't count against the 140-character limit on Twitter so these shortened URLs wouldn't be as needed. Oh well, looks like another instance where features trump security.

(Now time to use to make a short link of this blog post so I can tweet it)

Response to WAF/IDS/IPS Effectiveness Report

For those of you who know me as well as Dan, you know that we have spoken quite often on our podcast (Information Security Place Podcast) about the effectiveness of today's current technologies used by Web Application Firewalls (WAFs) and Intrusion Detection/Prevention Solutions (IDS/IPS). I'm rarely one to say "I told you so", but Larry Suto's latest report on the effectiveness of these technologies does kind of do that for me.

For more information about the study:

In the WAF effectiveness report, Larry illustrates the need to properly train a WAF solution on the application it is protecting to gain effective or consistent protection for the app. According to the report, it took an average of 3.5 hours for a WAF-savvy technician to train or tune the WAF solution to get an effective level of protection for the test application. As noted in the report, this is significantly more time than the average organization spends on their production WAF installations.

One issue to note is that many WAF solutions are leveraged to protect more than one application once they are in production, so is it safe to say that an organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications? It could be a safe assumption, since many applications are not identical or leverage completely different technologies.

One element of the report I really think Larry does an effective job at illustrating is the lack of effectiveness that a traditional IDS/IPS brings to the table. Since these technologies are not designed specifically to look for your application's vulnerabilities, they require custom rulesets to be created to be effective at protecting your applications.

As announced earlier last month, NT OBJECTives released NTODefend to assist organizations in creating those custom rule sets for both WAF and IDS/IPS solutions. In the report, Larry was able to illustrate the effectiveness of NTODefend at creating custom rulesets that are unique to each of your organization's applications. In both instances, the rules created by NTODefend provided a substantial improvement for all of the platforms that can currently leverage our technology. Note, in some instances the IDS/IPS solutions actually became just as effective, if not more effective, than some of the WAF solutions after applying our rules.

All in all, the report goes to show that even with these technologies in place, organizations are still required to perform ongoing testing to find vulnerabilities and then train their WAF or IDS/IPS solutions to protect their applications. Thankfully, at NT OBJECTives we have solutions to help you do just that… NTOSpider and NTODefend.

Is your WAF effective? Independent research study

There has been a lot of discussion, articles and analyst reports about WAFs over the years (some listed below). The truth is that WAFs aren't perfect, but I believe that they are an essential part of a comprehensive application security defense strategy. WAF technology has been maturing and improving over the last few years. There is even more good news in a just-released in-depth study by Larry Suto, security consultant, in which he tested six WAFs and two IPSs for their effectiveness at blocking application vulnerabilities.

Two of the most interesting findings in the report are:

  • A properly tuned IPS can be as effective as or more effective than WAF solutions at blocking security vulnerabilities. After seeing the results of this study, the IPS vendors have agreed that their devices can, in concert with NTOSpider/NTODefend, be counted as a WAF for PCI compliance purposes.
  • Automatically generated filters from dynamic application security testing (DAST) tools can improve vulnerability-blocking effectiveness by as much as 39% for a WAF and as much as 66% on an IPS.

Why are WAF's Essential?

For me, the bottom line is that we can't ignore the fact that there are known vulnerabilities in production applications. Ideally, these would all be fixed in the source code, but the reality is that they can't always be fixed immediately; they might take months to fix, or they might not be fixable at all in the foreseeable future. In these instances, a WAF is a very practical solution as a temporary patch for the vulnerability. I mean, if someone's sitting out there in public with no pants, someone please hand them a towel!

The other painful truth about WAFs is that they take time to train and configure. Most security teams are short on time and short on resources. The people on the front lines whom I speak with tell me they would love to be able to train their WAFs more quickly. Here's the good news:

  • With about 3.5 hours of expert tuning, most WAFs can perform fairly well.
  • When you add DAST-generated custom filters, both WAFs and IPSs are excellent at blocking vulnerabilities.
  • One of the things that makes NTODefend unique is the ability to confirm that the filters are blocking unwanted traffic and allowing desired traffic. During his study, Larry was able to play with this false positive detection functionality in NTODefend. He was pleased to see that it does in fact show if the WAF/IPS is blocking good traffic – pardon the promotion :-)

As you would expect, a handful of other vendors (including NT OBJECTives) provided tools for Larry to use to complete the report. Anyone who has ever tried to do a study knows that it takes a lot of work, and Larry does not receive any payment from any vendor to complete these studies. No study is perfect, but given his finite amount of available time and resources, I believe Larry tried to implement the fairest study he could.
For more information about the study:
Good articles that discuss the use of WAF’s & IPS’s

Surviving the Week – 11/11/2011

Web application security news from the last couple weeks.
[I guess I didn't figure out how to keep going with this weekly post when I'm traveling, but now I'm done traveling for a couple of months, so I should be able to keep up with the news]

SEC tells public companies they must disclose cyberattacks – time for CEOs & boards to really care about security

Interesting news out of an agency we in the security industry don’t think about very much, the SEC (Securities and Exchange Commission). Reuters reports that the SEC is now going to require public companies to disclose in their SEC filings any cyberattacks that may have affected them, and the potential losses as a result of these attacks.
This regulation should have a very interesting side-effect for those of us in the security community. For years, we have tried to quantify the cost of attacks in justifying security purchases. But to date, since companies have been so wary of sharing any information about such attacks, data has been somewhat limited.
The Ponemon Institute's report, 2010 Annual Study: Global Cost of a Data Breach, stated that the average organizational cost of a breach across the globe was $4 million, up 18% from 2009. Globally, data breaches cost an average of $156 per record, while in the United States the costs were significantly higher at $214 per compromised record. The study examined the actual breach data from 154 global companies across 17 industry sectors. The report states that organizations appear to be taking their "stewardship of sensitive personal data seriously" and are increasing measures to protect against breaches "by implementing data protection best practices and technologies." The costs of a breach considered in the report include everything from PR response, software remediation, consulting costs, forensics, customer communications and more.
I'm willing to bet that the new numbers that we see out of these companies about the cost of an attack are going to far exceed what even we have been speculating for the past few years. As criminals become more sophisticated, and as systems and applications become more intertwined and accessible, they continue to be ripe for the picking.
And for public companies, they now face not only the cost of the breach and the cost of repairing their customer trust, but also the cost of shareholder nervousness or disenchantment over their security practices and breaches.
Security is now becoming the domain of not just the CSO or the CIO. With the new SEC rules, the CEO and the board of every public company will have a vested stake in ensuring the security of their systems, if they want to keep their job, and keep their shareholders happy. And that’s a good thing for us as consumers.

“Perfect-Fit” Virtual Patching for WAF/IPS with NTODefend

Recently NT OBJECTives announced NTODefend and its ability to generate “perfect-fit” custom patches for WAF & IPS. This marketing term “perfect-fit” has been the cause of some questions. People are wondering how our “perfect-fit” rules differ from what other DAST vendors are doing, as well as solutions like ThreadFix (aka Vulnerability Manager) from Denim Group. Those who know me, know that I don’t like when vendors overstate their capabilities, and I make sure NTO does not do this either, so I think this term deserves some explanation.

The other solutions that are able to generate virtual patches work from pre-defined templates based on categories of attacks, such as SQL Injection, Cross-Site Scripting, OS Injection. So if a given input is vulnerable to SQL Injection, then the SQL Injection template will be used to generate a virtual patch for the vulnerable input.

NT Objectives’ approach differs in that NTODefend is able to generate rules based on deeper intelligence about the input. This extra information comes from two key features in NTOSpider:

  1. NTOSpider's input population technology works to determine the intended legitimate data. For example, the input population technology will determine if the input only accepts numbers, or is intended for a phone number, email address, street address, etc.
  2. NTOSpider’s attacking engines detail specifics about the attacks that worked, with information such as usable characters and escape sequences.

By leveraging details about the attacks, NTODefend can generate more specific and aggressive rules to function as counter-measures to the attacks that the input was vulnerable to. This can include making rules that only allow numerical values, or maybe blocking single quotes but not double quotes, or allowing parentheses but not dashes. NTODefend can also decide which canned filters to include to make sure the input is well protected.

The key point is that each rule is generated custom to the input AND custom to the ways it can be exploited.

After installing the virtual patches into the solution, NTODefend provides the ability to re-test all the inputs with both attack traffic and good traffic (a modifiable database is included for each data type NTOSpider can detect). It then generates a report to show which of the good requests and bad requests got blocked. This provides users with the ability to quickly understand how effective the virtual patches were and hopefully alerts them to any virtual patches that could be blocking good traffic.
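
To make the difference between template-based patches and input-specific rules concrete, here is an added example that is not NTODefend's code and does not use its rule format. It derives a rule from a constructed input profile (the data type that input population would report for the field, plus the characters the working attacks relied on), then replays good and bad traffic through the rule as the re-test step above does, and compares the false-positive count against a generic category filter. `TYPE_DB`, `InputProfile`, `Rule`, the profiles and every traffic sample are constructed for this example.

```python
"""Input-specific virtual-patch rules, re-tested against good and bad traffic.
Added example; profiles, type database and traffic samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a per-data-type "good traffic" database: a
# whitelist pattern (None for free text) plus legitimate sample values.
TYPE_DB = {
    "integer": (r"-?\d+", ["1", "42", "-7"]),
    "email": (r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
              ["bob@example.com", "a.b+c@mail.example.org"]),
    "phone": (r"\+?[\d\s().-]{7,20}", ["(555) 123-4567", "+1 555 123 4567"]),
    "freetext": (None, ["Hello, world!", "It's 5 o'clock (really)", 'He said "hi"']),
}

# A generic category filter of the kind a template-based patch would apply
# to any input found vulnerable to SQL Injection or XSS.
CANNED_SQLI_XSS = {"'", '"', "<", ">", ";", "-"}


@dataclass
class InputProfile:
    name: str
    data_type: str                                   # what input population decided the field accepts
    attack_chars: set = field(default_factory=set)   # characters the working attacks needed


@dataclass
class Rule:
    input_name: str
    allow: Optional[re.Pattern] = None               # whitelist, used for typed inputs
    deny_chars: set = field(default_factory=set)     # blacklist, used for free text

    def blocks(self, value):
        if self.allow is not None:
            return self.allow.fullmatch(value) is None
        return any(c in value for c in self.deny_chars)


def generate_rule(profile):
    """Whitelist when the intended data type is known; otherwise deny only the
    characters the attacks actually relied on, rather than a whole category."""
    pattern, _ = TYPE_DB[profile.data_type]
    if pattern is not None:
        return Rule(profile.name, allow=re.compile(pattern))
    return Rule(profile.name, deny_chars=set(profile.attack_chars))


def retest(rule, good, bad):
    """Replay good and bad traffic through a rule; both result lists should be empty."""
    return {
        "good_blocked": [v for v in good if rule.blocks(v)],    # false positives
        "bad_allowed": [v for v in bad if not rule.blocks(v)],  # misses
    }


# Constructed scan findings: the vulnerable inputs and what the attacks used.
PROFILES = [
    InputProfile("id", "integer", {"'", "-"}),
    InputProfile("email", "email", {"'", " "}),
    InputProfile("comment", "freetext", {"<", ">"}),
]
BAD_TRAFFIC = {
    "id": ["1 OR 1=1", "1' -- ", "1;DROP TABLE t"],
    "email": ["x@example.com' OR 'a'='a", "x@example.com\r\nBcc: y@example.org"],
    "comment": ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"],
}


def audit_all():
    """Generate a rule per profile and re-test it; returns {input: retest result}."""
    results = {}
    for p in PROFILES:
        good = TYPE_DB[p.data_type][1]
        results[p.name] = retest(generate_rule(p), good, BAD_TRAFFIC[p.name])
    return results


def canned_false_positives(data_type="freetext"):
    """How many legitimate values the generic category filter would block."""
    rule = Rule("canned", deny_chars=CANNED_SQLI_XSS)
    return len(retest(rule, TYPE_DB[data_type][1], [])["good_blocked"])


if __name__ == "__main__":
    for name, res in audit_all().items():
        print(name, res)
    print("canned filter false positives on free text:", canned_false_positives())
```

The free-text `comment` field is the interesting case: the attacks that worked there only needed angle brackets, so the generated rule denies just those and leaves apostrophes and double quotes alone, whereas the category filter blocks two of the three legitimate comments. The `good_blocked` list is exactly the signal the post's re-test report surfaces.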

We do not claim that these generated virtual patches will always be 100% accurate to all situations, but we are confident that they will be useful and that we provide solutions for users to quickly deal with discovered vulnerabilities.

I welcome discussion and questions on this topic.

Introducing Jim Broome

We caught a big one!
I'm proud to announce that my buddy Jim Broome has joined the NT OBJECTives team and will be contributing to the blog and podcast.

Jim Broome, CISSP
Jim, an information security veteran with two decades of experience in the security industry, is joining as VP of Security Services. Jim’s role is to provide world-class SaaS based web security services through NTOSpider On-Demand while also providing leadership to the NTOLabs research and consulting teams.

Practice Manager – Accuvant LABS – Accuvant, Inc.
As one of Accuvant’s most seasoned security assessors, Mr. Broome performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients came from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Principal Security Consultant – ISS X-Force

Prior to joining Accuvant, Jim was a principal security consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western region consulting practice while performing his day-to-day duties of network assessments and penetration testing.

Director of Network and Security Operations –

Before X-Force, he was the director of network operations for, a managed service provider exclusively for credit unions. At, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

HouSecCon 2011 and B-Sides ATL Review

Last week was a travel week.
On Wednesday I was in Austin for some meetings, then headed to Houston for the second annual HouSecCon on Thursday. I have to say that I was blown away by how much bigger and better it was than last year (with the exception of the badges ;). My buddy Michael Farnum puts this thing on with a team of friends, and they are doing an amazing job growing the event. It was fun having a booth for NT OBJECTives, and everyone loved the new shirts we were giving out.

This year MJ Keith (now with The Denim Group) was the keynote speaker. I was first introduced to MJ Keith at last year's HouSecCon, where he blew me away with his Bump hack in his "Pwn on the go!" talk, and I was glad to see him being given the headlining spot this year.

The talks were all great, with highlights from Michael Gough, Josh Sokol and Zac Hinkel. I did my "Not your granddad's webapp" talk, which seemed to go over well; if you missed it, you can watch the video.

On Friday I was in Atlanta for B-Sides Atlanta, which was a fun event. I didn't have as much time to sit in the talks, but the lockpick room was great and I tried to hang in the podcasters room, even though it was a little hard to engage in useful conversation. I wonder what it was like for those listening to the live stream. I didn't do a talk at this one, so I just spent my time meeting people and eating great southern food.

Comparing the two would be hard, because they were entirely different, so I will just say that I had a fun week at both cons and look forward to both next year.