Take Two on Top 10 2010 Security Defenses

A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses.

Epic fail.

Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting out a fire that costs a million bucks to put right than to be the materials engineer who designs cheap fireproof cladding. I’m burying the hatchet as I burnt a fair bit of goodwill in my original announcement, which was not my intention at all. We still need folks to break stuff and disprove snake oil, so there’s a place for the dark side whether I agree with the focus on the dark side or not.

Just two nominations made Andrew sad despite the worthiness of the submissions.

  1. Rob Lewis nominated Trustifier http://trustifier.com/ryu/features.html
  2. I nominated Josh Zlatin, a colleague for the work he has done on PureWAF, extensions for the OWASP Core Rule Set + Mod Security. You can see the results of PureWAF on Pure Hacking’s website, which is behind our WAF in the cloud service. That’s not an invitation to attack us, just sayin’

Please discuss or vote in the comments section for who you think should get the non-existent gong.

The Sorta Inaugural 2011 Pure Hacking Top Web App Sec Defenses Competition

There’s a couple of changes. Pure Hacking will be sponsoring the competition in 2011. There will be categories, such as Life Time Achievement, Best Security Architecture, Best Left Field Idea, Best Secure Business Idea, Best Quick and Dirty Defense, Best Educator, and of course Best Defense. I will detail more about the categories as time goes on. I will be getting inappropriate statuettes made with engraving and everything. If you feel like you can donate something to boost the booty, contact me.

As for nominations, I will keep a running tally of awesomeness from my RSS feeds and other sources. You can nominate your favorite folks and defenses by e-mailing me – vanderaj ( at ) owasp.org. Come December 1, 2011, I’ll put them up for voting at which time I will disclose the prizes.

So far –

1. OWASP’s XSS roundtable at the OWASP Summit in Portugal is a worthy nominee. Let’s stamp out XSS.

2. I think Gunnar Peterson should get a Lifetime Prize just for being Gunnar. If more of us thought like Gunnar, the world would be a safer place and folks would be making a LOT more money than they do today.

Please keep this competition in mind throughout 2011.

Security checklists are not bad, it’s how they’re used

There’s a meme that’s been running around the anti-PCI DSS crowd for a while, that’s starting to get good traction in otherwise sane infosec folks:

  • (Paraphrasing) Checklists don’t work

Actually, PCI DSS is making inroads in containing data breaches. See for yourself.

So what’s the big deal?

Those who know me, know several things:

  • I wrote the OWASP Developer Guide 2.0, the granddaddy of security advice.
  • I was primary author of OWASP Top 10 2007, which is in PCI DSS 1.1 and later.

Thus you’d expect me to defend checklists. And I will, but not in the way you’d expect.

I rail against checkbox / “pass a test” thinking. If you’ve taken a training course by me, you’ll know that I’ll tell you don’t collect ANY logs unless you’re going to do something useful with them. I tell you to use security as a competitive advantage – e.g. raise transaction limits by reducing your risk exposure. I tell you to align application security with enabling secure business. Security is not a speed hump. Security is not brakes on a car. Security is the mindset, knowledge and activities that allow you to do things you can NEVER do without security.

So where do I think checkboxes have a place? For trained professionals. Pilots have extensive checklists. They work – flying is THE safest form of transport, despite working against a few very ouchy laws of physics.

We (and in particular, I) have created checklists that work. We know that SQL injection is a problem. Don’t include it – it’s negligence to do so. It’s #1 in the Top 10 2010. We know that XSS and input validation / output encoding is a problem. Don’t include it – it’s negligence. It’s #2 on the Top 10 2010.

My mind was made up a few years ago, shortly after I finished the Developer Guide, that it’s insufficient to engage with info sec teams. We must fix the frameworks. Make it hard to do SQL injection or XSS by default.

We must engage with the business and raise their expectations from “okay, I gotta set fire to $10k for a review, where do I sign?” to being a trusted business partner, enabling them to do amazing things that were simply unimaginable a few years ago, but safely. Security enables secure business. Any consultant, any info sec person who forgets this, forgets who pays their bills.

This is not to say that I want you to do ONLY the things in whatever checklist you decide on. I included this text in the Top 10 2007, and it stands true today:

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.
Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application’s code, you may be vulnerable. Please review the advice in Where to go from here for more information.
A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.
This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.

Think outside of the box. Create high technology business enablers that your competitors think are indistinguishable from magic. But whatever you do, don’t give the checklist to an unqualified person. That’s simply not their point.

P.S. Stop bitching about PCI DSS. It’s an unqualified success at what it set out to do.

Passwords are neither free nor cheap

I don’t know how many clients over the last decade I’ve been trying to get this basic fact through their very thick business skulls, but here goes again:

PASSWORDS ARE NOT FREE
PASSWORDS ARE NOT CHEAP
PASSWORDS ARE NOT SAFE
PASSWORDS ARE NOT ACCEPTABLE FOR HIGH VALUE DATA / APPLICATIONS. EVER.

Vodafone has found this out to their immense cost and ongoing public relations disaster.

By changing the faulty business decision (passwords) every 24 hours, VHA are sticking their finger in the leaky dyke. They sell mobile phones. They could step up to two factor / transaction signing with mobiles for CHEAPER than passwords. Especially for them. This is an opportunity for VHA to say – look we’re leveraging our unique selling point (mobile phone operator) to provide world class security. Instead, they choose passwords.

Stop using passwords. Their time was done more than 10 years ago, if ever.

New laptop – Asus K52DR-EX143V

Much earlier this year, the Minister of War and Finance’s (hi Tanya!) old Dell augered in and bought the farm. First, Tanya spilt Milo (granulated malt) grains on the keyboard and this got under the key caps, causing the keys to stick. I tried cleaning it a couple of times, but many keys were never very good after even a solid cleaning. Then I spilt soup into the keyboard. In trying to take it apart and wash off the soup, I managed to break the little ribbon connector holder to the trackpad, and the keyboard didn’t appreciate being taken apart again, and I couldn’t get about six or so keys back on. Despite this, the laptop “worked” with an external keyboard for months. Finally, Mackenzie stomped all over our bed and the laptop, breaking the power cord connector near the screen. This last one did it – couldn’t get any more charge into it.

So I gave Tanya my maxed out late 2006 17″ MacBook Pro. We were free of the evil, monstrous Windows beast and I was happy even though I was down a computer. Unfortunately, Tanya doesn’t like MacOS, not even after six months. Color me shocked, but there you go.

So for Christmas, I bought her a new Asus K52DR-EX143V from MSY. This unit has a 4 core AMD processor, 4 GB of RAM, 1 GB of dedicated VRAM and ATI HD5470M display chipset, 500 GB of disk, and BluRay / DVD-RW combo drive. Sounds sweet.

Opening the packaging wasn’t too bad (there are videos all over YouTube if you’re an unboxing freak), but then the stark differences between Mac and PC packaging start to set in.

  • There’s quite a lot of papers and odds and ends in the box. With the Mac, you get a simple, small Getting Started booklet and a sticker.
  • The Asus power brick is fairly large, but the cables are pretty short – about 1 m in total length. The end is a traditional plug of a similar design to the one that caused the demise of the previous Dell. You may need to take an extension cord with you on site if you travel with this model as the cable is pretty short. The Mac has a small power brick with integrated cable organizer, with long cords (about 2 m total) with a MagSafe connector. There’s no doubt in my mind that Tanya’s Dell would have survived if it had a MagSafe connector.
  • However, there’s no recovery DVD (urgh) or installation media. With the Mac, you get a single MacOS X DVD that allows you unlimited re-installs.
  • Stickers randomly cover about 45% of the Asus palm rest. Luckily, they came off fairly easily with about five minutes and a sharp knife. There was some residual stickiness from one of the stickers which I’m still yet to get completely off. There are no stickers on a Mac.
  • There are a lot of protective shipping stickers on the Asus, such as around the bezel, on the webcam, and so on. Some of it is actually quite hard to remove, such as on the hinges. There’s only a small piece of soft foam between the keyboard and the screen in the last two Macs I had.

Turning on the Asus requires installing the battery, and plugging the power cord in. Immediately, differences between Windows 7 OEM and MacOS X start to stand out. For a start, the Asus is by any standards a fast computer, but it took over a minute to get to the first registration screen asking for personalization and registration details. I was working and online in two minutes out of the box on my Macbook Pro 13″ in 2009.

Windows 7 starts in about a minute, but there’s so much circusware and trial software installed that I spent the next fourteen hours:

  • Decoding and removing all unnecessary crap off the machine. This is still not complete, but I’m much happier now. The Asus now boots in about 45 seconds
  • Removing the stupid “data” disk partition – for some reason there’s a 116 GB system partition (far too big), and a 329 GB data partition (far too small). Removing the data partition solves both issues. To fix it on yours, assuming there’s no data on the data partition, start the disk partitioner (diskpart.exe):
select disk 0
list partition
select partition 3 <-- see note below
delete partition
select partition 2
extend
exit

* the data partition was 3 on my system - YMMV and do not delete your system partition!

  • Upgrading Adobe Reader 9 to X
  • Upgrading Flash to be as secure as it'll ever be (which is not very)
  • Installing the 78 patches for Windows, requiring just over a gigabyte of bandwidth, several attempts and reboots
  • Installing decent firewall, anti-virus and anti-spyware - not needed on a Mac (yet)
  • Installing Microsoft Office 2010. There's a trial copy of Office 2010 Starter edition already installed, but that also has all the installation bits for all editions. So I bought the Product Key Card of Home and Business edition and chose "Activate key" to turn Starter edition into Home and Business. However, it failed to install the first time, so I tried again after a reboot and that worked. On the Mac, you just drag MS Office from the install DVD to your Applications folder. The Mac install is far faster and just works. Of course, once installed, there were Office 2010 patches to install.
  • There's no installation media or recovery DVDs, so I broke out my DVD-R supply, and after 2.5 hours (seriously!) it burnt five recovery DVDs with hilarious Chinglish prompts such as "Predictably, burning will take five DVDs to create a recovery DVD". You can't make that crap up. Of course, using the recovery DVDs will blow away all Tanya's data and return the circusware, but ... it had to be done. The Mac has a full OS DVD and thus doesn't lose any user data, and in many cases keeps your applications and settings working too.
  • I'm currently installing iTunes and migrating data across. This would take time no matter if it's a PC or a Mac, so I'm going to give it a free pass at the moment.
  • I'm still trying to set up Outlook 2010 and her Windows Mobile 6.1 phone. This should be a no brainer, but ... Windows 7 doesn't seem to like Windows Mobile 6.1.
  • I still don't have a Time Machine work-a-like that can back up Tanya's data. This is a serious issue as hers is the most likely computer to die. Suggestions welcome.

Using the laptop

As it's only the second day of having the laptop, I've not done any real work on it yet. PCs are unproductive like that. I'm still yet to find out if it can run videos in iTunes full screen on our TVs, which the Macs do in their sleep. Tanya's previous Dell used to have serious lag time between video and sound and the fans were on full time, requiring extra volume. I'm hoping that this computer is at least as able as a four year old Macbook Pro.

Problems so far

I don't know if this is just me, or known problems with Asus laptops, but I've found that connecting the VGA adapter to a 24" screen at 1920x1080 @ 32 bpp produces a wobbly and shimmering display that flickers a great deal. I would get eye strain after a few minutes if I had to use this as my primary display. So I tried an HDMI cable, but that produced a pink / purple display centered in the middle of the screen. I don't know if this means I have a broken laptop yet, or if this is how crappy all PCs are. I hope it's not broken, as I've invested so much time in getting to where I am at the moment.

Conclusion

In short, the machine is very fast at some things, though booting and running Office seem a bit tardy. The external display connectors don't seem to be working properly. At least it found my Bluetooth mouse and used it without any additional issues.

As a Mac user, I cannot understand why PC manufacturers don't take that little bit of extra time and make sure their product works out of the box with minimal fussing. The circusware was very annoying. That should go, as should the sticker vandalism. The patching was annoying but necessary. It shouldn't require multiple reboots. Someone should test the installation of Office 2010 with a product key card before creating the image. A slightly longer power cable would really help and is not that expensive. And supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although in terms of raw speed, the equivalent Mac is about twice as expensive as what I've spent on the Asus, the reality is that my two year old Mac boots up faster, starts Office 2010 faster in emulation than this thing, and has a better screen and a longer battery life. The price of a Mac with my Mac's performance is $1499, only a few hundred more. If the display ports are broken, I'll have to do all of this again with a replacement unit next week. Argh!

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don't get it.

Top 2010 Defenses

I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me)

Defenses change the world. Defenses make software more secure – permanently, and not just for the week or two until the latest sexy attack is patched. But defenses aren’t sexy and don’t get invites to all the cool conferences, so there’s no prizes beyond a grateful planet.

Yet.

I’m not very surprised to see that attacks are getting all the pretty girls and invites to sexy parties.

Researching attacks as a priority MUST stop. It’s wasting incredible talent. We KNOW that input validation and output encoding is the answer to nearly all the attacks in this year’s Top 2010 attacks (seriously – go look). Input validation and output encoding is unfortunately not sexy. It’s hard work.

Building is far, far, far harder than breaking. If you have elite security researcher skills, you should show your stuff by putting your research time and resources into making the planet safer for everyone. Not everyone can do it. Building a solid defense is at least two to three orders of magnitude harder than finding a new form of XSS or a defect in some poor Gawker PHP script. Just one novel concept can take thousands of hours of hard graft. You still need to know how to break – a defense is useless unless you’ve tested it. But on top of that, you need to know how to code and know HTML/JavaScript backwards. Building defenses takes a lot of effort and in my view is why we have so few serious defence researchers.

Nominations

As I’m starting so late, let’s make it serious by allowing all of 2010 to pass. Nominations can be sent in until Australia Day (January 26, 2011). I’ll put up a vote for folks to say which is their favorite. The winner of our eternal gratitude will be announced on Valentine’s Day.

Please e-mail me – vanderaj (a.t.) owasp.org with your nominations. I’ll update this post continuously until the cut off date.

I’d like to start with:

I know it’s heresy in some ivory tower circles that I nominated WAF modules written by a colleague, but honestly, we need defense in depth measures until coders and frameworks make WAFs somewhat obsolete.

Please send ’em in.

E-mail bankruptcy 2010

I’m very sorry to do this – again – but I’m going to declare e-mail bankruptcy on Dec 31, 2010. I have failed miserably in keeping my personal inbox clear and replying to e-mails this year. That has to change as it lets a lot of good folks down.

If you have sent mail to me and I have not replied, please wait until Jan 1 and send it to me again. I will deal with it as soon as I get it.

My only new year’s resolution is to do the Inbox Zero thing properly this time around.

CPRS / ETS / “a price on carbon” is back. WTF!

The government never seems to learn. They nearly lost the election, they lost their previous leader, and the opposition lost their previous leader over a money spinning taxation mechanism called “a price on carbon”.

No second order mechanism has ever succeeded in its intended effects, and they always have unintended consequences. Legislating first order effects is simply much cheaper for everyone, with far more certainty for investors and consumers.

Cases in point:

  • Cars are 40x less polluting than their 1970s counterparts, not because we put a tax or trading scheme on noxious fumes, but because we mandated that exhausts had to be cleaned up.
  • In Australia, incandescent light bulbs are hard to buy now, and soon will not exist. For most homes the savings from using CFLs and LED bulbs are modest, but over the entire population, this is a huge CO2 / energy saving.
  • Leaded petrol, paints, and toys (mostly) don’t exist any more. Far less health issues now, saving the community millions of dollars and enabling everyone to be at their full potential.
  • Insulation is mandatory, saving most folks 30-40% in kWh on their heating and cooling bills compared to even 20 years ago.
  • Mandatory water saving mechanisms (dual flush toilets, water saver shower heads, high efficiency appliances, etc) have cut average Victorian household water use from 450 litres per person per day in the 1980s to around 150 litres per person today. If only we could get oldies to give up their climate inappropriate English gardens and grass, I think we’d make more inroads to way less than 150 litres per person / day.

Effectively, these first order regulations and effects have been 100% successful in their aims and outcomes. They usually saved the consumer a great deal of money, and cost the government little to nothing.

The price on carbon is simply a way to allow speculators to make billions, polluters not change a thing, kill the investment market in renewables and green technology, and all of us pay more for the same outcome – terrible and expensive climate change. The government of course, will make billions from selling permits to suckers not bright or powerful enough to get them for free.

As I’ve noted previously, the 80/20 rule should be applied source to sink on our use of fossil fuels and the carbon life cycle. Concentrate only on the things that can be easily changed for everyone by eliminating “does not scale” from the equation. It’s easier to shut one coal fired power station than it is to get millions to stop commuting every day, for example. No one or any industry should be exempt from this review. In my view:

  • Using carbon based fuels should be phased out by 2025 as most cars last about 15 years. This gives time for the car makers to get serious about non-fossil fuel alternatives and the confidence that there will be a long term market for them. We need those fossil feed stocks for other necessary things, such as medicines, plastics and so on, and not to fritter away on cars or buses or planes. This would kick off jobs in electric car research and manufacture, as well as stimulate the economy in building re-charging stations and so on.
  • Eliminate subsidies for high energy users such as aluminium smelters and concrete plants. They should pay the going rate for electricity so their products better reflect the actual costs of production and damage to the environment. There is nothing “eco” about aluminium or concrete.
  • From today, the government should just fess up and legislate the inevitable – there should be no more coal or gas fired power stations built in Australia, and no more coal exports will be entered into. However, no coal power station will be forced to shut down within their designed life time. It was never going to happen anyway even under a CPRS as they were getting their polluting credits for free, so may as well let those who run them now get their investment back. Power stations have a long lag time, and we need time to build the necessary nuclear and renewable power stations to replace them. But we can make it a statement of fact that there should be no more coal. Investor confidence problem solved.
  • The greens need to get off their anti-nuclear hobby horse. Nuclear power is clean and modern reactor design can use a lot more of the fuel reducing nuclear waste dramatically. It does require a lot of fresh water, but that’s also solvable in many parts of the country.
  • Make it mandatory that houses are to be built with solar power, solar water heating, much better insulation, appropriate siting and design for their climate, and require ground heat pumps to reduce their impact on the grid. If a house uses 20% to 80% less electricity and gas, that’s not only savings to the owners but less public power required and many millions tonnes of emissions we didn’t emit during the life of such houses.
  • Promote policies that dramatically reduce the requirement for folks to move large distances every day. There are so many it’s not funny, from enforcing urban boundaries and consolidation, telecommuting is the default work style unless required to be on site (say for manufacturing or retail sales), eliminating 99% of public servant flights for interstate meetings by requiring video conferences, public transport investment, change car registration to include a distance component as the major cost factor, eliminate car tax benefits for those who use their companies to buy luxury or even bottom dweller cars to enable a daily commute. There’s so many pro-commuting policies that need to be removed or changed. I’m sure you could think of many more that I’ve left out.

The last 20% of things that folks worry about are hand waving at best – things like useless status LEDs and clocks in consumer goods. Yeah, dumb design, but honestly, not going to kill the earth any time soon. Let’s not waste time on those now. There’s far bigger fish to fry, like using cold water to wash clothes rather than 50 °C water, and eliminating the daily commute for at least 20% and preferably 80% of all workers. Since I’ve stopped wasting life and fuel going to an office, my fuel bill has dropped from using about 50 L a week before leaving Australia, to using about 30 L every two to three weeks now. This is a dramatic improvement in my quality of life (my commute is about 10 seconds from my breakfast), and a dramatic drop in fossil fuel use. We save at least $100 per month in fuel alone. Imagine if most folks could do the same? I realize that not everyone can telecommute, but I think the majority of the poor sods who go to CBDs to work in a soulless life sucking cubicle every day could easily telecommute. That should be the default going forward. Working from home would revitalize the local shops, such as cafes and shops as more folks would be home during the day, again reducing the commute for the weekly shop instead of driving a long distance to the nearest mega mall.

Realistically, first order effects are simple, cheap and effective. They tend not to be fund raising mechanisms, which is why our government won’t choose them, but without first order changes to our policies and life styles, the planet is stuffed. Second order mechanisms such as a “price on carbon” just means we’re poorer because we’ll be paying 50-200% more for our electricity that still burns coal, with a polluter who has no reason to change their ways.

Let’s get some action happening, and not a price on carbon.

Arbib is a spy, or we are the 50-57th states of the USA

Mark Arbib, agent provocateur of the right wing ALP and one of those involved in the coup against Prime Minister Kevin Rudd, turns out to be a protected source of the United States.

The Age calls Mark Arbib a “confidential contact” for the USA, but so was convicted spy Jean-Philippe Wispelaere.

According to Wikileaks disclosure of US diplomatic cables, Arbib met with the US embassy on many occasions and fed information to them that would be news to the public as well as his political party and so called friends within the ALP. In Australia – and for that matter most countries – we’d call that spying for a foreign country. Arbib never held a foreign affairs portfolio or had any dealings with DFAT, so it is extraordinary that a savvy political operative would risk his political future for … what? I don’t know.

Will Arbib be sacked or have the decency to resign? Unlikely. Gillard would be afraid to act against Arbib as he knifed her predecessor and owes her job to this man. If she has a spine, there’s no better time to act than now – it’s obvious he has to go. No hard feelings, mate – nothing personal, but you possibly broke Australia laws that explicitly prohibit this type of activity.

Realistically, as someone who really likes the USA, we should just get over the charade of being a colony of Britain / independent country, and become the 50th to 57th states of the United States of America. Being a puppet state is so embarrassing.

Force.com secure code review howto Part 1

For those of you who have to review unusual platforms, here are my notes for reviewing apps coded in Apex and Visual Force. As I learn more, I might add some additional entries, but I’ve been so constrained with time for so long, don’t hold your breath.

Terminology and Basics

Force.com is Salesforce’s SaaS API for ISVs and customers to write custom CRM apps atop the Salesforce platform. To provide some serious platform lock in, they use a new strongly typed language called Apex. Apex is sort of Java based. Java programmers will be somewhat familiar with its capabilities, but it has some surprising differences. As a reviewer, there’s nothing really head hurty when reading the code, but it’s important to realize it’s not grandpa’s Java you’re looking at.

Some things you’ll come across:

Metadata. You’ll see code with associated XML files. This XML data has a lot of stuff going on that describes it and allows Force.com to correctly handle it, particularly static resources. You can’t just ignore metadata – you need to inspect it.

Visualforce is an MVC based framework. It appears to act like a tag library with the <apex:… prefix, used inside files with a .page extension. These mimic the traditional JSP Model 1 pattern. I think most of you will be familiar with this model and will not have too many difficulties in reviewing it. However, there are some asynchronous AJAX helpers (timers, future events, etc) that you will need to be aware of, particularly in relation to race conditions.

Objects. Salesforce have defined an object interface over their CRM data model. This has some interesting gotchas; in particular, queries across these objects are written in SOQL, which is pretty much a semi-injection proof sub-dialect of SQL 99. There will be an entire blog post for those issues, primarily as there are several ways code can be written to be unsafe.

Triggers. Triggers are executed after users undertake actions within the public site / sandbox application. I need to learn more about them before I write about them, but they are the start of the flow of execution after the user does things within the application. If you have custom classes, they are generally called by triggers.

Bulk importer and Batch Apex. ETL support. I need to learn more about this functionality before I comment.

Flash and Flex support. Just in case some of the options weren’t scary enough, you can implement your presentation and business logic in a client side language. Sweet. I will not document Flash / Flex support as a) I hate Flash and have it disabled b) I have yet to see such code in action and I hate slamming or praising things I’ve not used. c) I don’t have any Flash or Flex tools to build test cases, so it’s going to be hard to nail this one down. Feel free to steal my thunder here if you so desire.

Web Services. These are traditional SOAP web services. Instead of using WS-Security, Salesforce have implemented their own session manager. Probably a good idea since no one besides Gunnar Peterson understands WS-Security. However, we all know that web services can be a minefield, so I will experiment with them and see how things work in a much later article.

Ajax. The Ajax API is one of the newest, and allows JavaScript to make pretty much any call to the web services back end that a traditional SOAP web service can. Without WS-Security. Awesome. I’ll be looking into this issue a bit later as I learn more.

Some things they did right

Please don’t take my tone for disparagement, for it is not. There are some cool things Salesforce did right:

  • Everything is escaped by default. You have to add code or an attribute to get this wrong.
  • CSRF protection in every form. You have to do the wrong thing to be CSRFable.
  • The easiest way to do SOQL is sorta magically injection proof. There are injectable ways, but again, you have to work at it.
  • Many defaults chosen by Sales Force are good – SSL by default. Yay. SAML by default for SSO. Yay. GET and POST only. Yay. UTF-8 only. Yay. UCS-2 only. Yay. Illegally encoded Unicode characters are replaced. Yay. Content Type is safe unless you do the wrong thing. Yay.
  • Cookies and headers you send are escaped. I’m not sure they’re properly escaped yet, but they are escaped.
  • There are encoders not just for HTML and URL, but for JavaScript and others. Yay.
  • To promote code into production out of the sandbox requires at least 75% test coverage. O.M.G. YAY! Tests are also not counted towards billing. There are exactly zero reasons not to test your code.

This is but a part of the overall list of goodness. But that doesn’t help you figure out how to do secure code review of these things yet.

The trouble for secure code reviews is several-fold:

  • There are no static code review tools to review Apex code. This is a serious deficiency that will only get worse if others try to emulate Sales Force’s success in crafting an entirely new language and API for their SaaS offerings.
  • The security documentation is relatively sparse, and only gives hints as to how to shoot yourself with XSS, CSRF, SOQL, fine-grained access control and other issues. This series is an effort to break through that and provide more documentation.
  • There is a tight coupling between the code in your IDE and the sandbox / public site. If you break this nexus, you do not have configuration data. With Sales Force’s “No code” logo, they hide some code and configuration from you. So expect to ask for the login and hope it’s not production.
  • Sales Force have given a lot of thought to security, and many common Java issues are “fixed” or safe by default. But as Apex is a serious systems language, it allows you to shoot yourself in the foot. I don’t know the extent of it yet, but I will find out with some luck.

If you’re from Sales Force, please don’t worry. I’m not about to give away 0days – I am not a weak-minded moron who delights in creating grief with no solutions. This series will be primarily about how to review Force.com code, followed by recommendations for “fixing” it. Which is most likely to be “Do it how Force.com told you to do it in the manuals”.

In defense of Microsoft’s SDL

Richard Bejtlich says on Twitter:

I would like fans of Microsoft’s SDLC to explain how Win 7 can contain 4 critical remote code exec vulns this month

I am surprised that Richard – an old hand in our circles – can say such things. It assumes defect-free commercial code is even possible, let alone from everyone other than MS. As much as we’d all like to have defect-free code, it’s just not possible. It’s about risk reduction in a reasonable time frame for an acceptable price. The alternative is no software – either cancelled through cost overruns or delayed beyond use. This is true of the finance industry, health, government, mining, militaries, and particularly ISVs, even ISVs as well funded as Microsoft.

In the real world,

  • We create building codes to reduce fires, damage from water leaks, damage from high winds, and improve earthquake survivability. But houses still burn down, water floods basements all the time, tornadoes destroy entire towns, and unfortunately, many buildings are damaged beyond repair in earthquakes.
  • SOX requires organizations to have good anti-fraud / governance, yet still IT projects fail and still companies go out of business due to senior folks doing the wrong thing or auditors stuffing up.
  • PCI requires merchants and processors to handle CC details properly, yet we still have CC fraud (albeit much less than before PCI).
  • We engineer bridges not to fall down, but they still do.
  • The SDL requires certain calls not to be used. This should prevent common classes of buffer overflow. However, you can still write code like this:
/* copies src until its NUL terminator; dest has no size parameter, so nothing stops the copy running past the end of dest */
char *MyFastStrcpy(char *dest, const char *src)
{
   char *save = dest;
   while(*dest++ = *src++);
   return save;
}

Is code calling that function likely to have buffer overflows? It sure is. Standards and better design eliminate stupid issues like the above.
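To show what “standards and better design” buy you over MyFastStrcpy, here is an added example (mine, not from the post): a bounded copy that takes the destination size, always NUL-terminates, and reports truncation instead of overrunning. The function names, the 8-byte buffer and the input strings are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for the page's unbounded copy.
 * The caller passes the capacity of dest, so the copy can never write
 * past it; dest is always NUL-terminated. Returns 0 when src fitted and
 * -1 when it did not (dest then holds a truncated, terminated prefix),
 * so truncation is a handled condition rather than silent corruption. */
int bounded_copy(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;                 /* nothing we can safely write */
    size_t i = 0;
    for (; i + 1 < dest_size && src[i] != '\0'; i++)
        dest[i] = src[i];          /* leave room for the terminator */
    dest[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* The question the post asks of MyFastStrcpy: would copying src into a
 * dest_size-byte buffer overflow it? It is only answerable because the
 * size is known here; MyFastStrcpy has no such parameter to check. */
int would_overflow(size_t dest_size, const char *src)
{
    return strlen(src) + 1 > dest_size;   /* +1 for the NUL */
}

int main(void)
{
    char buf[8];                                  /* constructed buffer */
    const char *inputs[] = { "short", "definitely too long" };
    for (size_t n = 0; n < 2; n++) {
        int rc = bounded_copy(buf, sizeof buf, inputs[n]);
        printf("%-22s overflow=%d rc=%d buf=\"%s\"\n", inputs[n],
               would_overflow(sizeof buf, inputs[n]), rc, buf);
    }
    return 0;
}
```

The second input is exactly the case where MyFastStrcpy would write nine bytes past the end of buf; bounded_copy stops at seven characters and tells the caller it did.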

It’s not a perfect world.

Nearly all the code MS works on dates back to before the SDLC push in 2001. Windows 2008 has roots in code started in the late 1980’s. They literally have a billion-plus lines of code running around with devs of all competencies poking at it. The idea that there should be zero defects is ludicrous.

Richard, if you’ve completed a non-trivial program (say over 100,000 lines of code) that has not had a security defect from the time you started writing it, you’re a coding god. Everyone else has to use programs like the SDL to get ahead. Those who don’t, and particularly those that do no assurance work, are simply insecure. This is risk management 101 – an unknown risk is considered “HIGH” until it is evaluated and determined.

Let’s take the argument another way. If the SDL has failed (and I think it is succeeding), what would be the signs?

We know empirically that the number of security defects scales with LOC. However, the number of critical remotely exploitable issues affecting Windows 7 is dramatically less than that of XP at the same time after release. Like 10x less. That’s an amazing achievement that no one else in the entire industry has managed, despite knowing how Microsoft achieved it.

What are the alternatives? Until Oracle saw the light a few years ago, they had the hilarious “Unbreakable” marketing campaign. Sadly for them, they were all too breakable. See D Litchfield for details. Not reviewing, or keeping dirty secrets secret, does not make things secure. Only through policies requiring security, standards that eliminate insecure calls like dynamic SQL calls or strcpy(), careful thought about security in the requirements process, secure design, secure coding, code reviews, and pen tests to validate the previous steps do you have evidence of assurance that you are actually fairly secure. The SDL is a framework that puts that cycle into motion.

Oracle got it. They’ve now been pumping out 30-40+ fixes per quarterly CPU for several years in a row. I’d prefer 4 remotely exploitable issues once or twice a year to 40 every 3 months, thanks. But even so, I’m glad Oracle has jumped on the SDL bandwagon – they are fixing the issues in their code. One day, possibly in about 5 to 10 years, they’ll be at the same or a similar level to where MS has been for a few years now.

I agree that monocultures are bad. I use a Mac and I have been unaffected by malware for some time. But do I believe for even one second that my Mac is secure just because it’s written by Apple and not Microsoft? Not in a million years. Apple have a long way to go to get to the same maturity level that Microsoft had even in 2001.

All code has defects. Some code has far fewer defects than others, and that code is written by Microsoft in the last few years.