cat slave diary

Category: Security

  • Ajax Security by Billy Hoffman and Bryan Sullivan

    I’ve had the manuscript of this book for about two weeks now. I approached this review from the point of view of having had a contract to write an Ajax security book myself, with No Starch Press. I actually approached Billy to see if he wanted to help write my book at Black Hat in 2006, but I never followed through… on either the book or chasing Billy down and getting on with the job. For those who wait, are those who do. Congrats to Billy in chasing down a publisher and getting a good co-author, and most of all – getting it done! Writing books is a hell on the social life, and I can’t imagine how many all-nighters they pulled to get this out the door.

    So onto my mini-review.

    The Good

    Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.

    I really liked the easy, laid back writing style. Must come from the laid back Atlanta-based authors (ps. I love it there). I don’t like it when authors write as if they are better than you by using big long words. Big long words just make my head hurt. Luckily, Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field, coining at least a few terms (cross-site flashing, for example).

    The structure flows pretty well, building upon what you’ve already learnt. They bring you up a little bit at a time. That’s not to say that there’s nothing here if you’re a Jeff Williams or a Jeremiah Grossman or RSnake – there is advanced stuff, but the authors have to bring the newbie audience along for the ride. I think they do this in a way that helps the newbie more than it helps the experienced folks – but that’s fine: the experienced folks are already au fait with much of the discussed techniques.

    The bad

    Well, there’s not much wrong with the book. I would have preferred more real live examples rather than “cheating” with Firebug, but that’s a small quibble. If you can do it with Firebug, you code will be pwned sooner or later.

    Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time. Yes, there is a lot of old stuff that has crept back in, but honestly, Ajax is *different* in some areas, and it creates new attack surface by definition. There’s nothing really wrong with saying “hey, here’s JSON injection which is new” or “hey, here’s a hybrid Ajax CSRF attack worm, and that’s new”, “hey, you’re adding 25,000 lines to run in the untrusted browser, I reckon the attack surface is going to be bigger and more easily exploited”.

    The book also fails to deal with framework authors in any major way. There are so many (bad) Ajax frameworks out there right now. You can accidentally create one if you scratch some code the wrong way. In my view, web application security can only be improved by targeting the frameworks (in the hundreds) rather than targeting the huddled millions who code for a living. However, the book will only sell in the tens of thousands if you target the poor bunnies cutting code. In my view, I would have liked it if the book had covered what *frameworks* should do. Maybe this could be fixed in the second edition.

    The Ugly

    The book concentrates far too much on attacks, and not enough on building and architecting secure Ajax applications. This is typical of the usual penetration tester mindset, which gets you the hot girls and invites to the swankest parties. However, it leaves a lot to be desired from the software engineering front. We have to stop treating security like a black art – it has to move to being the very way we code, so much so that it hurts if we do it the bad old way. However, penetration testing is far sexier that software engineering, and I’m sure this will not hamper sales in any way (c.f. Hacking Exposed, etc).

    Conclusion

    If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.

  • Why does forum software has more security features than “enterprise” tool chains?

    I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically:

    • They do not implement any form of strong authentication, nor any facility to integrate with known strong authentication solutions
    • They do not implement any form of strong identity handling, so when someone is logged into component A, it’s nearly impossible at component D to determine who is doing a particular action (see accountability below)
    • They do not make it easy to implement end-to-end access control (fine, medium, and course grained), so most of the time, authZ is equivalent to “do what the hell you want to do”, allowing the golden apples to fall very easily
    • Often they do client-side stupid tricks and can be trivially tickled into doing something really dumb
    • Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day
    • Data validation misses the business rules allowing tweaking of the golden apples, particularly on the way out. That old mainframe or ancient database is no more trustworthy than a slightly dodgy user
    • Modern business scenarios (business / trading partners, extranets, etc) are very poorly done
    • Encryption, if it is done at all, is of the crypto toy variety or the folks leave the keys in the door. But 95%+ of the time, it’s not even there, and yet here is all the value of the business, just lying there waiting to rustled under the covers

    A counterpoint to this is forum software. Admittedly, I help write forum software in my copious spare time (read: none at all), but considering that in most cases, the value of the asset being protected is precisely zero dollars, it’s amazing just how many security controls are relevant (and useful). They do what they do well, and yet they have to implement – through repeated and automated attacks – pretty much all of the OWASP Guide’s suggestions.

    I honestly wonder why folks think that “enterprise” software is somehow magically safe or scalable.

  • Security Engineering

    One of the really cool things my job allows me to do is go teach developers and managers about application security.

    In the past, I’ve half jokingly said “when the revolution comes, X will be first against the wall”, where X is a product or company who has no clue about security and worse, they pissed me off. Well, I felt the wall and the hood with these students – they wanted to revolt!

    My crime? For daring to suggest that they do not belong in production.

    READ MY LIPS! DEVELOPERS DO NOT BELONG IN PRODUCTION! END OF RANT

    We have to end the developer cult where they believe they are a black magi sending code from on high. Those days never really existed. It was only because any old oxygen bandit* could get paid (and paid well) to write crap. Guess what? Crap may be the state of the art of today, but you’ll have to do better, and soon. 

    Real engineers are fallible, but they know this and design around it. Coders seem to think they are magically immune from engineering problems, and do not code in any defense in depth. One of the key ingredients for software security is production management. And part of that is that developers do not have logins for production systems. They do not have access to promote code by themselves. They do not need special features just because they are developers. 

    Developers need to learn basic production hygiene. I help teach it, but they have to accept it and live the life. If you are a developer, and you have access to development, it’s time to lose those credentials. If your code has backdoors that let you do more than anyone else, that’s a sackable offense at many financial institutions and government shops.

    Let’s start being engineers instead of cowboys. 

    * Oxygen bandit. adj. Someone who breathes air they don’t deserve, is able to dress themselves in less than 30 minutes, and who is able to drag a few controls onto code someone else developed. For more details, see one of my favorite sites.

  • InfoSec Sellout Pwned

    It’s sort of ironic funny when a blogger who is against FUD in the security industry get pwned by sploggers.

    Seriously not safe for work:

    picture-1.png

  • Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

    A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have:

    • Fear – Pretty much every talk
    • Uncertainty – you betchya
    • Doubt – doesn’t the security industry work on creating doubt? Yep.
    • Solutions – 10 out 444 talks == 2% of all talks

      We have to move past this. I am not asking for solutions to be even 50% of the talks, but dammit, it should be over 10% and it should be over 25%.

      The CIOs and CTOs and mid-level junketeers in our industry (who go to these events to pick up chicks of negotiable affection*) and go: “WHOA! I’m so screwed! What do I need to do to protect my assets from all this badness?” And the snake oil sales puke from the large security ISV will go: “let me show you this bridge I have for sale over here…”

      At Black Hat 3 of 5 potential security solution talks are the 20 minute turbo talks. How much can you learn in 20 minutes? Enough to be scared, or enough to learn a URL? In Defcon, there’s just one talk on using a tool as a shield around your crap. Of course that’ll work. Like anti-virus or IDS “works”. Not.

      The CIOs and CTOs and high level business folks don’t want horror stories. They get that enough of that from the snake oils sales pukes. They want solutions that work. They want to know what to do right. These solutions should not cost the earth and should be effective. None of which they’ll learn about at these conferences. Will this stop them going to conferences? Of course not! It’s Vegas, baby!

      The conferences will have to start being relevant or they’ll end up like being CES. CES started out small, grew immensely, changed to be vendor friendly, and no one came. They cancelled it. Now everyone goes to E3. They’ve changed the rules to be more industry friendly… and it’s only a matter of time before it, too, dies. “Our” industry conferences on the outside seem more popular than ever, but they are dead. I will not be submitting any more talks to them as they are irrelevant. They do not support solutions, only fear.

      * And occasionally, chicks with dicks of negotiable affection. But what happens in Vegas, stays in Vegas, eh baby!

  • OWASP Guide 3.0 Starts

    Well, I’ve had a bit of a holiday … doing work, and it’s time to pick up the pen and start writing again.

    I was struck by the Wiki at just how hard it was to edit and get it the way I want it to look. Even more so when my free time coincides with poor or non-existent network access. Right now, I don’t need to fight the tools. Neil Smithline has a tool which can Wiki-fy a Word document, so my plan is to work in Word (again) and get regular re-publishes to the Wiki. That way, I get maximum productivity where I don’t need to fight the template (I can just write words), and we all benefit once the work is done.

    OWASP Guide 3.0 Over the last day or so, I’ve looked at the OWASP Guide 2.1 (a draft which is essentially what you see in the Wiki as 3.0), and it’s not pretty. There’s lot of … interesting … advice in there. I know I (re-)wrote a bunch of it (well, most of it), but it’s proof of the pudding – choose one of “quick, secure, cheap” and you get your priority. The priority last time was to make BlackHat in 2005, a Herculean task that took me out of commission for months afterwards. I was so burnt out from doing stupid insane hours (basically a full day’s work and then a full day’s work at night on the Guide followed by 4-6 hours sleep and doing it over again), that after it was done, I ended up watching more Tivo than doing geeky stuff or going out with friends.

    I’m taking the “secure” path this time. The Guide 3.0 is going to be much shorter. In fact, I’m generally going to start over unless there’s some good text already. There’s two reasons for this:

    • We want to change the license from the GNU FDL to the Creative Commons Sharealike license, and we can’t do that right now. It would take a long time to find everyone and ask them to assign their (C) to the OWASP Foundation, and if even ONE of the previous authors / contributors / editors cannot be found, we cannot relicense. Now, I know many folks think, “do first, apologize later”, and in general most folks who contribute ANYTHING to an open source effort must realize that they’re efforts are working towards the Foundation’s goals, not particularly theirs… but in this case, we live or die by looking after our copyrighted works. If we want to ensure that others do not copy without attribution, we also have to do that too. It’s a moral thing.
    • Much of the previous content really belongs in the (Penetration) Testing Guide, and a significant chunk would be good for the forthcoming Code Review Guide. There’s remarkably little in the current 2.1/3.0 Wiki draft for building secure software.

    So that needs to be created. And once I go down that path, I may as well make the effort to re-structure the Guide into a proper security architecture format:

    Introduction / Frontispiece

    Security Architecture & Secure Design
    – Principles
    – Policy
    – Regulatory environments
    – Risk Management and Threat Risk Modeling
    – Asset Classification
    – Secure by design
    – Initiator / Approver
    – Help Desk / Administrative interfaces
    – Secure Coding Standards and Methodologies

    Identity Management
    + My family and other animals, or Evidence of identity and the user management life cycle
    – Questions and Answers – still stupid after all these years
    – Providing advice on storing strong credentials

    + Authentication & Session Management
    – When to use 2FA vs passwords
    – Designing for federated authentication
    – Designing for federated trusted authentication
    – Transaction signing – Authenticate the transaction, not the user (necessarily)
    – Signing calculators
    – Flow diagram for SMS / e-mail trx signing
    – Flow diagrams (2FA, certificate, password)
    – Common controls (idle timeouts, etc)
    – Protecting against common attacks (Brute forcing, phishing, etc)

    + Access Control
    – Coarse (access to system at all)
    – Medium (access to secured resource / secured function)
    – Fine (access to particular datum i.e. Direct Object References)
    – Building indirect object references
    – Attacks (forced browsing, direct object reference, etc)

    Data Protection
    – Designing highly protected systems
    – Asset classification and legal requirements to protect data
    – NOT using / storing certain types of data
    – Privacy
    – Secure Communications
    – Secure Storage of sensitive information
    – State management
    – Pattern
    – In a “normal” web app, Ajax, and web service

    Integrity
    – Data validation
    – Output encoding
    – File system

    Accountability
    – Designing high value systems – preventing fraud and promoting accountability
    – Designing for incident response / forensics
    – Auditing
    – Logging
    – Error handling

    Availbility
    – Protecting against injections
    – The pattern of badness and how to protect against it
    – XSS
    – CSRF
    – SQL / MDX
    – LDAP
    – XPath
    – …
    – Denial of service
    – Buffer overflows
    – Concurrency and race conditions

    Services
    – Traditional (OS, e-mail, etc)
    – Web Services
    – Ajax (JSON, and plenty of other topics, etc)
    – REST
    – XMLRPC
    – .NET Remoting
    – JNDI and JMS

    Ensuring Quality
    – Software quality assurance – how to test web apps properly (and where to go after here)
    – Configuration
    – Deployment
    – Maintenance

    Index
    – Index
    – Glossary
    – References
    – XSS Cheat Sheet (after permission is sought again)

    Although I am not looking forward to writing every night again, at least this time I have a good basis to work from and I’m not trying to write three Guides in one. I am probably underestimating the effort required, but I hope to bring this in under 150 pages, delivering basically a chapter a month or so (about 10 pages per chapter) to the OWASP Guide list to be peer reviewed, code snippets and diagrams created. Once we are nearly there, with some luck, we can send it to the publisher.

    Why don’t I want a co-author? I tried that in the past and although help was offered, only a few rare individuals submitted work afterwards. Some of it was excellent, but much of it needed re-writing due to technical errors or outright hinky prose. The Testing Guide shows that the quality varies so much when you DO get help that it’s simpler to write the text yourself.

    I will gratefully accept help with the editing – editing the text once complete is a very necessary step, and it’s certainly much easier for folks who are unaccustomed to writing large books to edit than to write from scratch. There’s a world of difference between writing a blog entry and a book. I think it’ll just be faster this way, and hopefully, a bit higher quality. Of course I could be wrong!

    Off to fire up Word.

  • The mainframe conundrum

    It would have been nice to get Web 1.0’s security fixed first before starting on Web 2.0. And before Web 1.0 was … the mainframe.

    In my time with health care providers, at one of the world’s largest telcos, at various largish Australian banks, and over the last few weeks teaching mainframe folks about secure coding techniques, I’ve come to a conclusion: we’re in a crisis. Not only have we not really solved the necessary problems in Web x.0 land, we haven’t been keeping an eye on the ball in the most important area of all: where the value lies.

    Critical nationally protected infrastructure all use mainframes to process the value of our lives:

    • Banking (money – a necessity, which allows you to buy housing)
    • Logistics (getting stuff from A to B)
    • Defense (making sure we’re protected)
    • Food chain (eating – a necessity)
    • Government (unfortunate necessity)

    Pretty much covers Maslow’s Hierarchy of Needs in every way – modern life would not be possible without mainframes. We cannot:

    • house ourselves (buy houses with a mortgage),
    • eat (we no longer farm or hunt ourselves and rely on getting access to food at supermarkets (who use mainframes to keep stock levels and understand what their customers are buying) which requires shipping – and most large logistics firms use mainframes for everything from load optimization through billing and scheduling
    • or even get water depending on your water utility.

    I look back wistfully at seminal security papers and works from the 1960’s and 1970’s. I feel miffed that this 40 year head start has been squandered. Almost everything we’ve “discovered” in web application security is old news to these researchers. Their programmer contemporaries are still out there, building mainframe apps, and they do not know anything about the old research, let alone the new. “Web apps? Not my job, governor!”

    Today’s mainframe devs do not know the core principles – confidentiality, integrity, and availability (except for performance reasons). Key security principles such as defense in depth, complete mediation, and validation are no longer practiced, even though the old code lived and breathed it.

    In my discussions with mainframe devs, they struggle with basic security concepts, and even in some cases, the need for security at all. After all, the attackers know nothing of the mainframe and they can’t get on to the system. Right?

    In the end, the fault partially lies with the application security community. We in web application security know no mainframe stuff. I don’t know anyone competent to review COBOL, RPG, PL/1, IBM assembly language (!), or a host of 4GLs. I don’t know anyone who knows a jot about RACF, ACF2, and all the security mechanisms available on mainframes since before I was born.

    Very few know anything about TPF, MVS, z/OS, CICS, and VM. And yet, taking even one of these – TPF – could reward study for years. It powers all the airlines, the travel industry (Galileo, the world wide booking system used by everyone who travels, is a TPF application), and even 911 emergency response systems. And yet, I must admit I’ve never heard of it until last week, and yet I’ve worked around folks who used mainframes for the last 15 odd years. What chance does that newbie .NET coder who needs to have a secure ordering system involving a mainframe as a backend? We have no advice.

    So we can’t properly review applications that use mainframes … except to treat them as black boxes. And that is wrong! Most large organizations have a 30-40 year investment in their applications and they’re not going to re-write in a Johnny come lately language like Java or C# just because we can’t review old code. There are literally billions of lines of COBOL out there, and it … runs the world. There should and MUST be a way we can review this code.

    What needs to happen in the security research community?

    We need to research the security concerns in commonly used mainframe languages (COBOL, RPG, PL/1, assembly) on top of common platforms (z/OS, others) using their common data stores (DB2, and so on). We will break old/new ground here. Probably this stuff was being thought about back in the late 70’s early 80’s, but was never published. I think our field’s brightest researchers simply stopped looking at commercial environments around this time.

    We need to understand their native toolsets to provide key security architecture deliverables, such as using RACF to provide authC and authZ services. The mainframes have a rich set of security tools… but no one uses them any more.

    We need to become competent in reviewing these older systems and applications, so we can provide reasonable advice

    We need to be choosy about what to review – there’s simply so much code at every large firm and government agency and basically no one to review it

    Although OWASP should be publishing the results of this work, maybe we as the security industry should have an extended residency with the IBM Redbook folks to get access to the real deal (do you have a mainframe?), peer review our work, document all our findings and get it back in the hands of the mainframe devs in a timely fashion.

    What needs to happen on the mainframe side of the fence

    Business requirements should reflect in the security architecture. We know that mainframe has almost all if not all of the necessary support of a “modern” security architecture:

    Data protection

    • Confidentiality. Most mainframes have an inbuilt HSM. Few sites are using this feature! What a waste. Let’s get this out there and encourage the use of hard core encryption
    • Integrity. Most of the protocols in the SNA stack have inbuilt integrity controls, and yet once they are mated to TCP/IP, the common protocols such as ftp, x3270, and access to MQ is all unencrypted and has no integrity controls. This needs to change

    Identity management

    • RACF is basically as old as me. It supports everything a SSO vendor would happily sell a Java site and has done for over 30 years. It now supports modern pass phrases, LDAP support, and so on. These “advanced” features should be in use at more sites.

    Event management

    • I still need to do more reading, but I can’t imagine that the systems which power banks has no audit or logging features. Let’s learn how to differentiate between logging and auditing, and ensure these logs are protected from unauthorized use.

    The folks on the mainframe need to understand the powerful tools and native platform support they already in their possession. This requires training and support from their vendor. IBM? Hear me.

    We in the security research community can’t possibly understand every possible version of every language and platform out there. It’s time to start consolidating around a few common platforms and languages. I propose the security industry sticks to supported platforms and languages as IBM has a chance of rectifying any problems we find.

    This will be painful for many, but it’s like the pains the accounting industry went through in adopting the GAAP. We can’t and should not audit a planet’s worth of loose receipts.

    I am not hopeful that any of this will change any time soon. I am willing to have a dialog with any and all mainframe folks. Let’s talk.

  • Dumb: Safari 3.0 does not support HttpOnly

    Sad Andrew 🙁 🙁 🙁

    Reading:

    picture-10.png

    Writing:

    picture-9.png

  • Why I will have a job in 2035, or how to write a successful talk submission

    In 2035, I will be 65. Most likely, unless I was to take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today.

    Why?

    I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken at both before, and I know I don’t suck too badly at speaking. Knowing that you suck more than other folks is the first step to being a good speaker, and I learnt that many years ago and have been learning ever since. Nowadays, I get good reviews from my customers, got good reviews and write ups for my last talk at OSCON. Black Hat provided me with my feedback which indicate that most of the folks who returned the forms liked what I had to say and how I said it, although there is room for improvement. When I train professionally, I am probably my harshest critic. That said, everyone – including me – can always learn how to present better, and make presentations that don’t suck. But let’s put that aside for a moment, and look at our industry’s premier developer and security conferences.

    Why you will not learn solutions at any major event this year

    I know this might come across as sour grapes, but seriously, when the biggest “security” conference rejects my talk (which will show how to scale code reviews in large enterprises, a huge problem for the Fortune 500, government and defense types, who just happen to send a bunch of folks to said conferences) in favor of the same theoretical root kit talk as we saw last year and a meta-theoretical anti-root kit talk targeting that specific theoretical root kit talk, they’ve lost the plot. When the largest *developer* conference rejects three of my talk suggestions, two of which are teaching developers how to code more securely (including a advanced level 300 class – I’m sick of teaching “hey, this is htmlentities(). He’s your friend”), they’ve lost the plot, too*.

    OSCON’s security track is a paltry seven talks, basically most of one day out of five. And only one, by my friend Chris Shiflett, will teach you how to avoid the most common problems in web apps and another reports on the use of a source scanning tool by the open source community. Each of those talks is less than an hour. The chance you’ll learn something you don’t already know about PHP security is pretty small. At Black Hat, so far, there’s plenty of announced talks, but it will take you until day two before you learn how to do something useful. There are no other how to fix talks at Black Hat. That’s very, very sad.

    There are some fine speakers at each event, for sure. But some have been seen before. And before that, too. But when you’ve seen ten theoretical root kit talks, or the fiftieth hundred buffer overflow talk (the same attack since 1988? kill me now), or yet another XSS talk or eight, we get it. Software sucks.

    How do we fix it? Show me the money!

    Do I want to be fixing SQL injections, buffer overflows or cross-site scripting issues when I’m 65? Hell no. These are solved problems. We know the solution. They MUST be burnt into the APIs so that programmers (no matter what skill) CAN’T do it the wrong way. There are some fine researchers working in the field, and you’re not going to hear them talk about fixes at Black Hat or OSCON. It’s Fear Uncertainty and Doubt. Scare the punters so you’ll buy their products or services. That security sales method is so 1995 when we thought firewalls were kinda neat.

    That sucks.

    It’s the reason the security industry is little more than snake oil modulo a few gems here and there. Why don’t A/V vendors go white-list? Spend 10 minutes telling your computer about the programs you use and white list the behavior of those probably very common apps? No more virus infections as everything else is untrusted and doesn’t run. That’d kill their shakedown revenue stream.

    To be a smart security vendor today, you provide value to the customer by showing them how to architect a secure solution, how to build secure software (by training their devs – we can’t write all the software), how to test and review software (or indeed provide these services as an external audit function), so they don’t have to worry about spending *more* money on useless controls or worse case, notifying the regulators and their customers that they’ve screwed up and “gee, we’re sorry! we tried our best. Here’s $100 bucks”. Value folks, value. We’re here to provide secure business, not scare money out of folks. Once the horse has bolted, it’s far, far too late. That’s why I think forensics and a lot of compliance is a total WAFTAM. Dead money.

    Providing solutions is exactly what we’ve been doing at OWASP. We provide value. Some of the solutions are actually getting towards voting age. We just need to get it out there so you don’t make the same mistakes, time after time. I’ve dedicated the last four – five years to researching, describing and educating how to fix things at OWASP. And yet, we don’t get no love at major conferences. And here’s why – they don’t want to tell you how to fix it. They want headlines in the meeja. The meeja only know about attacks, “hackers”, and people losing money to organized crime gangs, or their daughters to the nasty pedos across state lines. So the conferences provide that. We all lose with this approach. Luckily, with OWASP, we run the conferences, so this year, I will speak, and hopefully it will be useful to those who attend.

    But realistically, the folks we want to talk to are at BlackHat and OSCON, not at OWASP (yet). So let’s learn …

    How to write a successful talk submission

    First off, and foremost, be honest about why you’re going. You’re a conference whore, and so am I. The hallway track is their raison d’etre, and best experienced with booze and lots of it. But how to get there… write a submission!

    0. The title must be snappy. “Attacking OMG PONIES!111 2.0” All good talks have 2.0 in them somewhere.
    1. Subject matter must ONLY be about attacks, exploits, or bragging. The more esoteric the subject of your attacks, the better. I’m talking to you, side channel attacks.
    2. Reading poetry to the attendees is only acceptable if it’s accompanied by images of death and you’re dressed in a funny hat, so try to come up with a reasonable approximation of how much your new tool (P0NIE PWNER) haxxors the badness (OMG PONIES!!111) you claim to attack. You don’t need to provide the tool, just claim it exists. No tool / exploit == no attendance.
    3. Don’t include anything – ever – about how to fix the problem. That’d ruin the the “hacker” image of the conference.
    4. Profit!

    Conclusion

    So screw them. See you at Black Hat. I’m the one who looks like a trans-gender lady of negotiable affections and I’m lovin’ it.

    * OSCON has a talk on PHP security, by Zeev Suraski, one of PHP’s founders. The talk (PHP Security: Fact and Fiction) which sounds pretty defensive. Hopefully, it will say something like “gee, sorry about that!” to all the attendees. I’m very hopeful about the claimed agenda – it talks about what is changing in PHP to fix their previous stupid insane security decisions and lack of a security architecture. PHP *must* move in that direction, and fessing up to current and past indiscretions is the first of at least 12 steps to resolving the issue. Look at ASP -> ASP.NET. Same thing.

  • Time to start on the Guide 3.0

    It’s time to get moving again. The Top 10 2007 is out. So it’s time to look at the raison d’être of OWASP – The OWASP Guide. The OWASP Guide is a compendium of best practices, what not to do (in 2003-2005), how to test for a problem, and occasionally comically bad English. I did 18 hour days for nearly six months back in the day to get it out the door, something that is just not possible these days as I have my insomnia mostly under control.

    My view is that we need four smaller books:

    1. OWASP Secure Lifecycle Guide for Requirements, Architecture & Design
    2. OWASP Guide to Writing Secure Applications
    3. OWASP Testing Guide
    4. OWASP Code Review Guide

    That way, we can farm out the materials that exist in the Guide today to the appropriate books, and make it much more lightweight. Being 300 pages is fine, but honestly, I doubt anyone besides me and the translators have read it in its entirety. I don’t think the average work-a-day developer has the time nor the inclination to read yet another fat book, particularly one that they themselves don’t see as being particularly useful to their primary role: pumping out insecure code, leaving time for instant messages and a few quick rounds of killing fellow cubicle dwellers … in whatever FPS du jour.

    Schneier stated recently in one of his famous counter points with mjr, that he believes that the security industry shouldn’t exist and that penetration tests (paraphrasing) should read and then shredded. Seriously, if you’re waiting until the pen testers tell you that you have a problem, it’s far too late. Software engineering must make the jump from being a cowboy nation of lazy and uneducated coders to being a repeatable, safe art. That’s why I work in the area I do – fixing the problems before they are problems. Then it’s basic risk management. And folks have been doing risk management for years, well before the current security industry sprang up. There are snake oil sales folks in our industry without a doubt, but there are many skilled and useful folks as well. I hope I am one of the latter.

    Back to the Guide… There’s a need for the OWASP Wiki to be in sync with these master works. This is an ongoing problem; I don’t know how to solve it. Writing a book one page at a time is ineffectual and wasteful. Editing a massive tome even more so. Wikis have their place though, even if the Wiki fan boys hype it beyond its actual capabilities. The Wiki way is not the book way. To a Wiki fan boy, this is actually not a problem. But to me, as a lover of narrative and meaning, the dictionary like slabs of text are like context-less ships passing in the night. There’s no thumbing around there without maybe missing something important. The Wiki is great as a dictionary; terrible as a learning platform. I love puttering around great Wikis like H2G2. Towel Day is May 25. Don’t forget your towel.

    No matter which way you slice it, someone has a lot of work to do to translate a book into a useful and helpfully hyperlinked Wiki, and a truly awesome Wiki is nearly impossible to fold back into a book.