cat slave diary

Category: Security

  • Using ASVS for real

    The last time I talked about OWASP’s new Application Security Verification Standard, I had performed a Level 2B-3 review of my forum software, UltimaBB.

    This time, I’m working on a real project for a real customer. It’s been interesting.

    • Level 1A and in particular, 1B has been emasculated. I’m not really sure of the value of these reviews as they have 22 and 13 controls to review respectively. Taken together at Level 1, it might have *some* value, but I’m not sure you’re getting a whole lot of assurance. I would only recommend this level if you have like 1000 apps to review, and you need to see which are the most atrocious so you can target Level 2B / 3 / 4 reviews. Sure they can be done quickly, but I’m not sure they prove anything in particular. The good news is I reckon the current state of the art dynamic and static tools could produce reports absolutely compliant with this level with no real changes other than ASVS report format (R1-R4) and risk rating methodology. The problem is that there are no tools today that do both automated dynamic testing (a la IBM’s AppScan or HP’s WebInspect) and automated static code analysis (like Fortify’s SCA or Ounce O2) in the one tool, so combining the output of two different tools in the time available would be a challenge (whilst being incredibly boring and unrewarding to a skilled assessor).
    • The basis of a Level 2B review is “manual” verification, most likely using the results of automated scanning. You don’t HAVE to do the automated scan – you can do it by hand. Based upon my experience of both UltimaBB and this review (a mixture of ASP and ASP.NET), the automated scan was more of a waste of time than a blessing. Yes, it found XSS and was quite specific to its location, but honestly, in terms of performing an ASVS review, as long as you know how XSS works (lack of input validation and output encoding), you should be able to find them with grep or your favorite search feature in far less time. The problem is that the scanners are asked to scan for 88 things at Level 2B, and I’m pretty certain that without AI, the scanners are only going to be able to do around 50 of the findings automatically. For example, I have a CSRF token in my forum. The scanner I use claimed that each of the forms had no CSRF protection – a false positive that took nearly all of the alloted 30 minutes to eliminate, and thus put me behind schedule.
    • Time ~= money ~= quality. We tried to make Level 2B reviews work in five days as this is a current sweet spot of this rather depressed market. Five days was chosen on best practice productivity of 15 minutes per control + slop time + QA. With the new ASVS release, there’s now 88 controls to review. That’s about 1 control needing to be written up every 20 minutes, assuming four hours for QA (10%) and four hours for the Exec summary. Doesn’t sound like much, but there are many controls that simply take longer than that. Some don’t. I honestly think Level 2B reviews cannot be completed satisfactorily on large or complex code bases in five days.
    • Level 3 reviews have 109 controls in 13 categories. This is at least 10 working days’ worth of work – each control gets 30 minutes (assuming 1 day for QA and four hours for Exec summary), which is about right. I personally think Level 3 is about the right level for most code reviews as it does nearly everything a Level 4 review does, but is realistic in terms of schedule, budget and outcomes.
    • Level 4 Reviews have 121 controls in 15 categories. If anyone is offering a Level 4 review of any size code base in less than four weeks, take a very hard look at their methodology. I just don’t believe you can satisfy the need to look through each file for malicious content in less than that time frame and give it a “professional indemnity insurance proof” result. This level of review is painstaking and I doubt many people will end up asking for it.
    • Report Length will be an issue. Using the reporting format (R1-R4), the average Level 2B report in 12 point fonts will be about 100-120 pages long. This is far too long for the paying customer (== execs, which is different to the consuming customer – the developer), so spending time on the Executive Summary and follow up report out is essential if you’re to communicate the results in any meaningful way. So you know those time lines I mentioned above, take out a good four+ hours out of the juice to write up a proper Executive Summary and other report out materials. This reduces your time per control down to 20 minutes for a five day report and about 30 minutes for a ten day report. Obviously, if you have a large or complex code base, you’re going to be hosed if you’re not on the top of your game every single work day. Put away the nerf guns – it’s work time!
    • For those of you used to writing reports that eliminate sections that don’t apply, you’re going to get a shock with ASVS. You need to write up ALL 22, 13, 56, 88, 109 or 121 findings – regardless of if the code is awesome or awful. Leave time for it!
    • The OWASP risk rating scheme is a monster. 16 elements per item x say 88 items = A BUCKET LOAD OF CALCULATING. If you’re still using Word to write your reports, you may want to write macros to automate the calculation and Executive Summary elements, or else you’ll be here next year working out what the risk is. You should also check the balancing on the OWASP risk ratings. I find they produce a lot of mediums and highs. I will talk to Jeff about making the scale 0, 1..5, and producing a universal 1, 3, and 5 set of elements to make it easier to produce a more balanced risk rating. Find some of your previously QA’d risks and try them out on the OWASP risk rating to see if you get similar results (and you should!). If you don’t, adjust the risk rating methodology and document it in your report. You don’t want to be known as the risk manager’s nightmare. Too many highs == less work in the future if they constantly (successfully) argue with your ratings for being unrealistic and too high.
    • Missing controls. By design, ASVS does not have every control under the sun. Some missing controls are actually very surprising. As there’s so much work in an average ASVS review already, I doubt many folks would add back these missing controls. However, I think the ASVS team is making a mistake by not making Level 3 and 4 include some of these more common controls, particularly if the clients asking for Level 3 / 4 reviews probably already have these controls in their IT security polices and would like to know about the status in their apps. We’re talking things that are found in ISO 27001 and COBIT 4, so I’m not just being tin foil hat crazy here.

    So what do I think about ASVS for code reviews? The more I use it, the better I feel that we’re meeting the our customers’ need to produce something that doesn’t produce HIGH risks for information disclosures like internal IP addresses (which are irrelevant). The customer is in control of the amount of looking at their code, and we’re producing developer ready results that affect the design and architecture of the code, which hopefully means much safer applications in a few months’ time.

  • HttpOnly in Safari 4.0 (release)

    Good news! Safari 4.0 has:

    • Supports read only HttpOnly protection
    • XMLHttpRequest read protection for set-cookie, set-cookie2, and GetAllResponseHeaders!

    It does not protect against cookie writing.

    Test script here: http://greebo.net/owasp/httponly.php

    This is a great improvement! Now all major browsers support HttpOnly in some form.

    thanks,
    Andrew

  • Pretty is not necessarily secure

    I feel sorry for folks trying their hardest to be something they’re not.

    It’s time for me to put something down I’ve been saying at conferences for years. If you’re not a programmer or developer by trade, please don’t write software or web apps. Dreamweaver does not maketh you a programmer. Ajax is not a magic path to studly geekiness.

    You’re simply unqualified. Get someone who can do it right, the first time. Sadly of course, lots of developers are in the same boat, but at least they know what the tools of our trade look like.

    I wouldn’t dream of doing marketing, cooking a meal for 300 Z-listers, ripping out a squidgy bit from inside someone else, arguing a case in front of judge (although I do play a lawyer in the lunchroom), or doing a corporation’s taxes in a zillion years.

    Why does the opposite seemingly rarely apply?

  • Validating ASVS 1.0 beta using a PHP application

    A long, long time ago, I took on running Aussieveedubbers, a forum based around the love of Volkswagens. We were on EzBoard, where the adverts and performance sucked so bad, that free was no longer acceptable. Over many iterations, I now run UltimaBB, a derivative of XMB. I had various titles – including lead programmer – at both projects for a while, but my main claim to fame was to get XMB 1.9.1 out the door with Tularis, the lead dev at the time, and the primary early force behind UltimaBB along with John Briggs. John implemented the hacks, and I did the architecture changes required to make them suck a lot less and hopefully make them more secure. In a way, I have – UltimaBB does not suffer from ANY of the XMB Bugtraq failures. Therefore, I am a coding god and UltimaBB is secure, right?

    I got going in forum development primarily through security fixes. By the time the UltimaBB effort died and XMB imploded in 2008, I thought I had gotten most of the security bugs out of the code. UltimaBB was a shining beacon of the bazaar approach. Or so I thought.

    But like most in open source, there’s a huge difference between what I think is secure, and what is actually secure. Just because I think it is secure doesn’t make it so. I wish more folks in open source projects would get this very simple message. You suck, and as long as you know that, everything (in time) will be okay.

    So, like all good scientists, I do not let my good opinion of myself get in the way of a solid slap session. I gave UltimaBB a thorough code review using OWASP’s forthcoming Application Security Verification Standard at Level 2B, which encompasses a manual code review for 83 controls with an optional use of automated static code review tools. I used Fortify’s awesome Secure Code Analyzer, which is almost certainly the best in the business today. It didn’t find everything, but it highlighted a number of deficiencies I already knew about quite reliably.

    I can’t claim I did this review because I suddenly had a huge chunk of time on my hands, but because I am implementing a new service at Pure Hacking, and we’re using ASVS as our verification baseline. I’ve added a few more things in as I think they’re important, but the main thing is that I’ve now validated that the ASVS produces a reasonable outcome for an average program, one that should have been reasonably secure – because *I* wrote a great deal of it, and certainly the security bits.

    The good news is that ASVS can be used as a security consultancy’s baseline for a partially automated, but primarily manual code secure code review. I think with a bit of tweaking, we can develop automated searches in most languages for about 50-60% of its requirements, which will dramatically improve the quality and reliability of secure code reviews.

    The bad news is that my forum sucks. I have a bunch of extreme, high, medium and low risks to fix. Until I’ve fixed them (as there’s precisely one forum running this code out there – mine!), I can’t go into them too much, but let’s just say that I was disappointed with myself, and I’ve taken myself out the back and slapped me silly.

    Luckily, I have a good client for this review (me), who will actually fix all the defects and lacks found so far.

  • ESAPI for PHP news

    AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilties, etc) are present and working:

    ESAPI for PHP tests passing

    This is very good news as although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port as PHP does not have the equivalent of J2EE Set, List, HashMap, and many other basic data structures. What PHP does have is native associative arrays (somewhat like HashMaps), ArrayObject, and ArrayIterator from the SPL. The problem is that PHP doesn’t like sparse arrays with very long indexes:

    $foo[“THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX. THIS IS A VERY LONG INDEX.”] = $value

    So I had to make up a workable hash function and hope for zero collisions. I tried using spl_object_hash(), but that actually is too good. It uses the object’s value AND pointer position, such that:

    $foo = “123”;

    $bar = “123”;

    spl_object_hash($foo) != spl_object_hash($bar)

    I think I still need to add a few more test cases as my hash function WILL collide when there are two direct object references of the same value, and thus will not be safe for some uses.

  • ESAPI for PHP – first tests passed

    I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class.
    PHP ESAPI Exception Test Suite pass

    This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes, it’s one test, but it tests the exceptions thrown by every single one of the Exception classes.

    This is key as ESAPI throws a lot of ESAPI exceptions when things go south. In addition to ESAPI exceptions, the PHP port will also throw SPL exceptions, such as InvalidArgument and so on as it makes sense to do so.

    To get this far, I’ve had to hand hack the Authenticator, User, Logger, and Intrusion Detection classes – currently no errors are sent out by ESAPI for PHP, but give me a bit of time and it will happen. String Utilities is also partially there. Authenticator is interesting as it actually does generate strong passwords, and actually reads from the resources directory for the user’s file and decodes it into an array. However, some of these behaviors are hard wired to allow more of the Milestone 1 classes to pass tests, rather than be part of the Milestone 3 build.

    I’ve started work on the RandomAccessReferenceMap class. It’s almost there; but unfortunately, I’ve got to go to bed as it’s 2 AM. It’s so close I can smell it. Once done, that class is a close relative of the IntegerReferenceAccessMap, and so there are likely to be two valid and useful ESAPI for PHP classes done soon. I’ll see if I can finish it and check it in before I have to go to work on Monday.

  • Web training news

    No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism.

    In some exciting news:

    • I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project finds a home for it. I’ll come back and link to it when it’s ready. Very rarely does an entire 1+ day deck escape into the wild, so I hope the OWASP Education community runs with it, and constantly improves it.
    • My deck is forming the basis of Pure Hacking’s new two day developer training! Obviously, we’ll be extending the deck and giving it the Pure Hacking spin, but fundamentally it’ll be the same focus on building secure applications and not breaking crap applications. Our new deck will be ready at the end of the month for your training pleasure!

    In other news, Pure Hacking is holding a one day WebEx (i.e. remote) training session on Testing Web Applications with Ty Miller as your host. If you’re interested, please drop me a line.

  • How today’s Twitter Attack Might Never Have Been

    I feel sorry for Twitter – they have the poster child of low value apps (which usually means no security controls or review), and then all of a sudden, they get done over using such a simple attack that it’s generous to call the attack a “hack”. Of course, because of the targets – Barak Obama, Stephen Fry (the world’s best comedian bar none), who are HIGH value targets, Twitter is feeling the pain of applied media heat today.  

    Twitter on Monday said the hacker had broken into 33 accounts by gaining access to tools used by its support team.

    “These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck,” wrote Twitter co-founder Biz Stone in a blog post. “We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.”
    – from ZDNet

    If Twitter had simply built their software (in 2006) to follow the 2005 OWASP Guide 2.0, they would have been safe today in 2009. 

    Security Principles

    I cribbed and re-phrased these from the 2002 Guide 1.0, which were in turn cribbed from the seminal Saltzer and Schroeder’s 1975 paper. This stuff is not new.

    This is all about application architecture. If Twitter had designed their admin app to be non-reachable from the Net, the attack would have failed. If they had made users unable to perform admin tasks, they would have been safe. If they had defense in depth, they would at the very least known about the attack. If they had separated admin tasks from user tasks properly, they would have been safe. If they had not hidden the URL or parameters to the admin interface, they would have been safe as it would have been unreachable.

    These are all design time considerations, one that is ultra important … even when you design a low value application.

    Access Control

    • Principle of least privilege
    • Centralized authorization routines
    • Authorization matrix
    • Controlling access to protected resources – All functions must be access controlled

    If ANY of these had been followed, they would have been safe. 

    Administrative Interface

    • Best practices – describes the Twitter issue completely. It would be the new example if I was writing this today.
    • Users are not admins, admins are not users.
    • Divide the admin interface off into its own app, unreachable from the Internet.

    If ANY of these had been followed, they would have been safe. 

    In general, we know and have documented the solutions to these ultra common issues. Here’s my rule of thumb – if you design insecurely, you WILL be broken into. Security Architecture is a MUST. 

  • 2009 – The Year of WebAppSec Solutions

    “He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984

    Looking back at the last few years, we’ve made some huge leaps at swatting at issues that bit us in back in the past, but still have not made a huge fundamental leap to controlling the future, and in particular controlling the risk from VALUE attacks, such as phishing, crime ware, and process issues (aka business logic issues).

    I’ve been interested in process issues for a long time as its the easiest way to get VALUE out of a system. One the earliest web app sec attacks was against CDNOW back in the mid 90’s. They preceded and were bigger than Amazon for a long time. Ultimately, Amazon acquired CDNOW. Why? Apparently, they had a cool front end shopping cart, a payment system and a shipping system. Sure enough, the shipping system took a bunch of hidden fields and accepted a “paid=yes” type of flag. So essentially, you could fill in the hidden fields with the CDs you wanted and skip ahead to the ship bit, and get free stuff. End of story, they’re part of Amazon today instead of the other way around. The opportunity cost of being insecure for CDNOW can be measured in billions and will continue to rise as the years go on. That one attack wasn’t the end of the business, but it set them along the path.

    So why in 2009 we do we allow 1995 era attacks to succeed? Why is this stuff not taught at University? Why are the business folks who make really bad decisions allowed to continue on doing the same old, same old, when they should know – do know – that it’s going to cost them a lot more in the long run?

    So let’s look at the lows and highs of 2008:

    Highlights of 2008:

    • PCI compliance starts to hit merchants. They still suck, but they’re unlike before, they’re now going to have to fix their stuff or go out of business
    • PCI 1.2 updated to OWASP Top 10 2007. Awesome. 
    • OWASP has a huge security summit in Portugal, deciding on future directions, and an awesome set of security conferences around the world. I think we have hit critical mass
    • OWASP Application Security Verification Standard Released

    Low lights of 2008:

    • Phishing and malware links as tracked by APWG rose to its highest level ever. 
    • Massive compromise of credit cards continues – vendors continue to flout PCI regulations and common sense.
    • SQL injection attacks launch a million malware infestations

    This basically means that attackers have been noted by the mainstream media and others as attacking VALUE through web apps, and not assets, like pwnage. They don’t care about the mechanism so much as the money. This has been my view for at least five years. I don’t care about if you control a 100,000 bot fleet – your just desserts are coming soon in your very own dawn raid. I do care if you can steal from 95,000,000 folks or defraud thousands with one e-mail.

    “How’s that working out for you?” – Dr Phil McGraw

    When we do something that is clearly not working, it is beyond time to do something different.

    Back in 2002, I was doing security architecture in web apps for some of my more forward thinking clients. I have a draft book in my OWASP folder on Web App Security Architecture I started in 2003. When I moved to the USA in 2006, security architecture was completely off the average US enterprise architect’s radar. Only today are seeing some traction in this space, and not everywhere. 

    Success stories elsewhere

    With air safety, various safety bureaus review crashes and make binding resolutions on pilots, manufacturers and airlines to remediate design issues and human factors. For example, in many cultures, a strong hierarchal society is the norm. More than a few co-pilots have sat meekly by, refusing to override their captain as they plowed straight into the ground. So the airlines were forced to change the human element in the cockpit, forcing sub-ordinates to take control when the situation warranted it.

    Air safety is a poster child for what can and should be done. From the early days when cowboys ruled the roost and many died, to today when only rail is safer per million passenger miles, air travel is one of the safest transport forms, despite being so inherently dangerous from a physics point of view (speed, height, traffic density, weather conditions, etc). We need to emulate air safety. Web application security is at the point where enforceable regulations are in their early days, like seat belts in cars were 50 years ago. 

    We can and must skip 50 years. I’m not a huge fan of heavy handed regulation as I feel it will stifle the next big thing if done wrong, but I think many languages and frameworks are settling around a few major paradigms. We can help them, and they must help their users. 

    We KNOW how to secure those meta-issues. We MUST secure those meta-issues. So here’s my 2009 Wish List:

    Education

    We have to educate those who come after us. This means getting into every CS and Software Engineering course world wide, and ensuring they have at least one mandatory security architecture / software security subject.

    All applications share exactly one feature: security. I don’t think you can be a sound practitioner unless you have at least heard about this most fundamental of issues. It’s like graduating accountants who have not completed Audit 101. It’s completely ridiculous that there’s no equivalent in most CS and software engineering degrees today. 

    I am also only going to speak at developer and architecture conferences. Speaking at security conferences is awesome and I usually get married or drunk or both, but it really doesn’t advance the state of the art. Architects and developers must get on board, and to do so requires their buy in. 

    Eliminate XSS and SQL injection

    We really need to get some basic technical things off the radar, so in 2010 and beyond we can deal with VALUE attacks. To that end, 2009 should be spent encouraging open source and vendors to fix XSS and SQL injection. We know how to fix these things. OWASP’s ESAPI has the canonicalization, input validation, and output encoding features that every application can use. Every modern framework has prepared statements or a safe(r) mechanism than dynamic statements.

    I encourage the OWASP leadership and those in leadership positions to take a stand on these two items. I call on all framework providers to make the simplest possible output mechanism XSS safe. I call on framework providers to deprecate and eliminate dynamic SQL queries, or at least make serious warnings pop up so that folks know that they should not be using those interfaces. I call on open software reporsitories to stop downloads of packages that have open CVE entries. It’s important to bubble up the importance of safe software, and we can’t do this by wishful thinking.  

    We can do this. It’s not a pipe dream. 

    Security Architecture Is a First Class Citizen

    It’s important to start putting security architecture in its place – which is every bit as important as the shiny buttons folks click or the processes businesses use to get stuff done. We cannot hope to eliminate design issues that allow VALUE attacks unless security architecture fu is strong within every organization writing software today. 

    Although history is written by the victors, we’re a long way from victory. Let’s get cracking!

  • A review of 2008

    Last year, I made the following observations / resolutions. Let’s check out how well I did:

    • Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. 

    I think I succeeded at this one

    • Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?

    Although I am lighter (149 kg down from probably ~ 155 to 160 kg), I’m not significantly lighter. I could have been close to 100 kg if I had stuck to an appropriate diabetic friendly diet and exercised more. I blame baby girl. JOKING. I’m a member of the cult again, and I have diary entries for walks and gym, so hopefully this time next year, may be I could be closer to 100 kg than I am today. 

    • Finish at least one piece of first class research in the web app sec field

    Nope. Not even close. Started a few though. And that’s the subject of my next post – what to look forward to in 2009.