This is a guest post by Cigital consultant Romain Gaucher.

Every year since 2006, Jeremiah Grossman has organized a contest to recognize the Top Ten Hacking Techniques of the year. This year, I had the privilege of being one of the security professionals asked to judge along with Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Steven Christey, Jeff Forristal, and Michal Zalewski.

The scoring process was intentionally simple: given the list of 82 hacking techniques or selected exploits, we each nominated our top 15, in order. Appearing in a judge’s number one position would score the technique 15 points. Being ranked as a judge’s number two scored 14 points and so on. The techniques which received the most total points from all judges became the top ten.

Judges were given broad latitude in making their selections, but candidate techniques were judged primarily on pervasiveness, impact, novelty and coolness. I know a few judges who used a more formal evaluation methodologies than I did, rating each candidate individually and then sorting them. I didn’t.

Since I was already familiar with many of the candidate techniques listed, I didn’t have to go through them again and I was able to focus on the techniques I didn’t have time to follow or to dive into during the year.

After a few hours, I had a reasonable knowledge about of all the candidates. In order to get a more manageable list of candidates, I decided to do a first pass and create a list of techniques that I believed must be in a top 15. I came up with a list of about 30 finalists.
With this smaller list, I went back to the papers and blog posts to rate the techniques. I decided to combine some of the factors that Jeremiah sent us to simplify my evaluation and because I thought it suited correctly the goal of this contest. I used the Risk and the Originality of the techniques to rate them:

• Risk: pervasiveness and impact
• Originality: novelty and coolness

I considered those two factors to have the same weight. Even if in my daily job the risk represents the most important part of the evaluation, for the contest, the originality is a very important part.

The list of top ten winners can be found in Jeremiah’s blog post. Some of the candidate techniques were de facto winners because they would have such an impact and coolness. This is especially true for the research from Alexander Sotirov et al. on the Rogue CA certificate: totally elite. I’m sure most of the readers will remember the buzz of this attack last year at the 25c3 (Chaos Communication Congress). They started by teasing everyone and then, explained how, with a cluster of 200 PlayStation3, they were able to create a rogue certificate: way to go for a perfect man-in-the-middle or phishing attack!

With a different scoring vector (lower originality, but higher risk due to high likelihood than #1), we have our number two, the research from Luca Carettoni and Stefano Di Paola which is a the newly-named HTTP parameter pollution (HPP). This attack exploits HTTP request parameters (query string, POST variables, etc.) parsing discrepancies between different layers of the application (input/output handling, encoding issues) or server-side application stack (front-end/back-end, WAF, etc.). Even if this attack doesn’t look über-cool, it can facilitate a lot other type of injection-based attacks (XSS, SQLi, etc.) by, for example, hiding the payload from one of the defense layer (WAF for example).

I am a bit disappointed not to see any PDF related attacks in the final list (yes, it was in my top 15), because it was such a big deal in 2009. Most of those attacks come from the JavaScript support. For example, the PDF Silent HTTP Form Repurposing Attacks paper explains how an attacker can create a malicious PDF file executing JavaScript in the same domain. This is a great follow-on work to what Didier Stevens and others did on the PDF format. Some others techniques from my list didn’t make the final top ten such as the Socket Capable Browser Plugins Results in Transparent Proxy Abuse from Robert Auger. I find them both very interesting in reflecting discrepancies between server-side application stack and new client-side attack surfaces.

But anyway, this was a great year with many different attacks, some new, some really elite, others are improvements of already known techniques. Attacks are targeting different flavors of web security: cryptography, protocol design and abuse and software misbehavior. Research into techniques like these allows us to better understand the security problems we face right now and catalyzes joint work between vendors and the security community.

Finally, I’d like to congratulate my Cigital colleague, David Lindsay who, along with Eduardo Vela, came in at number 8 with cross-site scripting research that yielded surprising and sophisticated ways to evade filters and web application firewall (WAF) rules.

This is a guest post by Cigital’s resident songwriter, Paco Hope.

In an effort to go down in history as the “Weird Al Yankovic” of Software Security, I’ve released my latest single: This time it’s “White Hat Hacker Man” to the tune of Billy Joel’s “Piano Man.”

And here are the lyrics:

It’s five o’clock on a Saturday
The developers are trying again
The release manager waits in his cubicle
for the build scripts and smoke tests to run

He says how will we do this by Monday?
The security tests haven’t begun
It’s buggy and brittle
and does just a little
of what the sales guys downtown say it can

NIST 800-53, FIPS 140-2, PCI….

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Now Bob down the hall is a friend of mine
He uses tools right off the shelf
He can do just a scan
or maybe try something canned,
but he’s better than doing it yourself.

He says “why do we need these consultants?
I can do all this stuff just the same.”
He doesn’t realize, when the hackers come,
Who the management’s going to blame.

CISSP, MSCE, SANS GIAC

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Now Dave’s the development manager
And security’s a pain in his ass
Cause he knows first and foremost
Features get him his bonus
So security always comes last

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

Well it’s been a long day in security
The dev manager gives a sad smile
He knows this release
Despite all their pleas
Will miss their deadline by a mile

And metasploit overflows buffers
And the shell code runs on servers galore
And they burned another sprint
Instead of building security in
So assessments will go on some more

CCIE, OWASP, PMP

Chorus:
Break our new app white hat hacker man
Break our new app tonight
Cause we’re all scared to death of the auditor
But you’ll make us feel alright.

This is a guest post by Amit Sethi, Senior Consultant at Cigital.

When generating random numbers in Java for cryptographic purposes, many developers often use the java.security.SecureRandom class. And while the java.security.SecureRandom class is designed to generate cryptographically secure random numbers, there are a few subtleties in the API, and if it is used improperly the output can become predictable. At Cigital we have witnessed a number of cases where this is true. The following is a guide to the proper use of Java’s java.security.SecureRandom class.

First, let’s take a quick look at how the java.security.SecureRandom API works. The java.security.SecureRandom class does not actually implement a pseudorandom number generator (PRNG) itself. It uses PRNG implementations in other classes to generate random numbers. A number of actual PRNGs may actually be used when an instance of java.security.SecureRandom is created. The PRNGs are part of Java cryptographic service providers (CSPs). In Sun’s Java implementation, the SUN CSP is used by default. On Windows, the SUN CSP uses the SHA1PRNG implemented in sun.security.provider.SecureRandom by default. On Solaris and Linux, the SUN CSP default is to use sun.security.provider.NativePRNG which simply provides the output of the /dev/urandom PRNG provided by the operating system. If however, on Solaris/Linux, the java.security configuration file in the JRE is modified such that securerandom.source is set to something other than file:/dev/urandom, then the SHA1PRNG implemented in sun.security.provider.SecureRandom is used, as on Windows. Of course, an application can choose not to use the defaults, and can always specify a particular PRNG implemented by a particular cryptographic provider. In Cigital’s experience, most Java applications that use java.security.SecureRandom actually use the SHA1PRNG provided by the SUN CSP under the cover.

Now, an application will end up with an instance of SHA1PRNG implemented in sun.security.provider.SecureRandom using the following calls:

// The following will create SUN SHA1PRNG on Windows with
// default configuration and Sun JRE, and on Solaris/Linux
// if securerandom.source is modified in java.security
SecureRandom sr1 = new SecureRandom();

// The following will create SUN SHA1PRNG if the highest
// priority CSP is SUN
SecureRandom sr2 = SecureRandom.getInstance("SHA1PRNG");

// The following will always create SUN SHA1PRNG
SecureRandom sr3 = SecureRandom.getInstance("SHA1PRNG", "SUN");

Note that according to Sun’s documentation, the returned java.security.SecureRandom instance is not seeded by any of these calls. If after one of these calls, java.security.SecureRandom.nextBytes(byte[]) is called, then the PRNG is seeded using a secure mechanism provided by the underlying operating system (starting with JRE 1.4.1 in Windows and JRE 1.4.2 in Linux and Solaris). If java.security.SecureRandom.setSeed(long) or java.security.SecureRandom.setSeed(byte[]) is called before a call to java.security.SecureRandom.nextBytes(byte[]), then the internal seeding mechanism is bypassed, and only the provided seed is used to generate random numbers.

For those who are not familiar with the inner workings of cryptographic PRNGs, their job is to take a relatively small random seed and use it to produce deterministic output that seems random to anybody that does not know what the seed is. The PRNG tries to ensure that the output does not reveal any information about the seed, and that somebody observing the output cannot predict future outputs without knowing the seed.

By bypassing the internal secure seeding mechanism of the SHA1PRNG, you may compromise the security of your PRNG output. If you seed it with anything that an attacker can potentially predict (e.g. the time when the PRNG instance was created), then using java.security.SecureRandom may not provide the level of security that you need.

Finally, regardless of how well the PRNG is seeded, it should not be used indefinitely without reseeding. There are two approaches that can be used for longer-term security of PRNG output:

• Periodically throw away the existing java.security.SecureRandom instance and create a new one. This will generate a new instance with a new seed.
• Periodically add new random material to the PRNG seed by making a call to java.security.SecureRandom.setSeed(java.security.SecureRandom.generateSeed(int)).

In summary, keep the following in mind when using java.security.SecureRandom:

• Always specify the exact PRNG and provider that you wish to use. If you just use the default PRNG, you may end up with different PRNGs on different installations of your application that may need to be called differently in order to work properly. Using the following code to get a PRNG instance is appropriate:
  SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
• When using the SHA1PRNG, always call java.security.SecureRandom.nextBytes(byte[]) immediately after creating a new instance of the PRNG. This will force the PRNG to seed itself securely. If for testing purposes, you need predictable output, ignoring this rule and seeding the PRNG with hard-coded/predictable values may be appropriate.
• Use at least JRE 1.4.1 on Windows and at least JRE 1.4.2 on Solaris and Linux. Earlier versions do not seed the SHA1PRNG securely.
• Periodically reseed your PRNG as observing a large amount of PRNG output generated using one seed may allow the attacker to determine the seed and thus predict all future outputs.

This is a guest post by Cigital’s resident songwriter Paco Hope.

Sometimes we just let our hair down and have a good laugh over security stuff. I was telling my wife about some ridiculous code I had recently reviewed. While I didn’t go into details, she got the gist of it (she also gets “Little Bobby Tables,” too). I finished my story by offhandedly saying “there must be 50 ways to bypass their SQL protections.” She responded by singing “there must be 50 ways to inject your SQL” and that’s how the whole thing got started.

So what was it that was so ridiculous that it brought me to sing? Here’s the pseudocode of a routine called “ValidateQuery()”. Its role is to take user input from a .Net application and validate it to remove potential injection.

ValidateQuery():
WordArray = TokenizeString( ‘ ‘ ); /* split on space characters */
For each Word in WordArray
    if it is ‘delete’ then return
    if it is ‘purge’ then return
    if it is ‘drop’ then return
    if it is ‘truncate’ then return
End For

That’s it. If your string contained anything else (for example ‘update’), it would be fine. They did do a case-insensitive match, so ‘dElEtE’ would get caught, but that’s hardly praiseworthy. This was the sole protection against user input that was fed—good ole string-concatenation style—into SQL queries.

Note that this is NOT a web application, this was a Windows EXE written in C#.Net. For those of you who think SQL injection is a web only problem, think again. The other classic screw-up in this application was putting all the enforcement of roles and access controls in the client itself. While this may work when your business logic runs on an application server in a 3-tier architecture (that presumably cannot be controlled or modified by the end user), that approach doesn’t work when the business logic runs on the user’s PC. A quick SQL injection to change your roles in the database, and this thick client would start working for you just fine—as admin, or a higher privileged user.

The motherhood and apple pie lessons to take away?

• SQL Injection can happen, even in EXEs
• Don’t roll your own protection, use parameterized queries
• Don’t trust business logic that runs on a user’s PC

Musically, I’m pretty proud of the fact that I managed to use the words “unhandled exception” in a song. They fit the rime and meter perfectly. I’m trying to come up with a tune to parody for cross-site scripting. If you have ideas, I’m open. I think I’ll get someone else to sing next time. A kind of Gilbert & Sullivan arrangement where I’ll just be the librettist. :)

This is a guest post from Paco Hope, Technical Manager at Cigital.

I read a blog entry about “re-aligning training expectations for QA.” It has some useful points that both developers and so-called “security people” need to hear. I disagree with some implicit biases, however, and I think we need to get past some stereotypes that sneak out in the article.

Bias #1, obviously, is the focus on the web. Despite its omnipresence, there is more non-web software than web software in the world, and non-web software does more important stuff than all the web software combined. The role of security in software testing is vital, and the presence or absence of web technologies does not change that. Despite writing a book on Web Security Testing, I know my place in the universe. Quality assurance and software testing are disciplines far older than the web, and their mission is so much bigger than finding vulnerabilities.

Bias #2 is vulnerabilities über alles. By talking about weaving vulnerabilities into security test plans, we’ve overlooked the first place where security goes into the QA process: test strategy. Look at any of the prominent folks in QA (James and Jon Bach, Michael Bolton, Rex Black, Cem Kaner), the people I’m privileged to share podiums with at QA conferences like STAR West, STAR East, and Better Software, and you’ll see that security is part of the overall risk-based testing strategy. Risk-based testing has been around for a really long time. Longer than the web.

Before anyone talks about vulnerabilities to test for, we have to figure out what the business cares about and why. What could go wrong? Who cares? What would the impact be? Answers to those questions drive our testing strategy, and ultimately our test plans and test cases.

Bias #3 is that idea that a bunch of web vulnerabilities are equivalent in impact to the business. That is, you just toss as many as you can into your test plan and test for as much as you can. This isn’t how testing is prioritized.

You don’t organize testing based on which top X vulnerabilities are likely to affect your organization (as the blog suggests). Likelihood is one part of the puzzle. Business impact is the part that is missing. You prioritize security tests by risk severity—that marriage of likelihood and impact to the business. If I have a whole pile of very likely attacks that are all low or negligible impact, and I have a few moderately likely attacks that have high impact, I should prioritize my testing effort around the ones with greater impact to my business.

Bias #4 is the treatment of testers like second class citizens. In the blog article, developers are “detail oriented” have a “deep understanding of flows.” Contrast this with QA who merely understand “what is provided to them.” They sound impotent, as if all they can do is what they’re told. Software testing, despite whatever firsthand experience the author may have, is a mature discipline. It is older and more formalized than “security” as a discipline. Software testing is older than the Internet or the web. If software testing as a discipline has adopted security too slowly, given security’s rise to the forefront in the marketplace, that might be a legitimate criticism. But I don’t approve of the slandering QA by implying that they just take what’s given them and execute it. QA is hard and there are some really bright minds working in that field.

As someone who has been training in risk-based security testing for several years now, I totally agree with some points, but very much disagree with others. I agree that the “bug parade” (as we call it) of top X vulnerabilities to find is the wrong way to teach security testing. Risk management, though, has been a fundamental part of mainstream QA for a very long time. Likewise, risk management is the same technique that good “security people” use to prioritize their results. Risk management is certainly how the business is going to make decisions about which issues to remediate and when. Risk management is what ties this all together.

If there’s something that QA needs to learn that they’re not already learning, it’s the weaving of “security” into the risk management techniques they already know how to do. If testers fall short in their ability to apply risk management techniques, then they are falling short against the QA yardstick, there’s nothing particularly security-related in this observation. If they are applying mature QA practices with modern risk management, but are not adequately addressing the software-induced business risks facing their stakeholders, then some security training might be in order. That security training should be built on the foundation of modern QA practice, including risk-based testing.

So, in some ways we agree: speak the lingo of QA. But in other ways we disagree. I think the original article fails to give credit to the decades of substantial research and practice in QA. In other words, it’s a lot more than speaking the language. It is standing on the shoulders of giants, not their toes.

This is a guest post from Meera Subbarao, a senior consultant at Cigital.

Continuous Integration commonly known as CI is a process that consists of continuously compiling, testing, inspecting, and deploying source code. In any typical CI environment, this means running a new build every time code changes within a version control repository. Martin Fowler describes CI as:

A software development practice where members of a team integrate their work frequently, usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by an automated build to detect integration errors as quickly as possible.

Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly.

While CI is actually a process, the term Continuous Integration often is associated with three important tools in particular. As shown in the screen above the three pillars of CI are:

• A version control repository like Subversion, or CVS.
• A CI Server such as Hudson, or Cruise Control
• An automated build process like Ant or Nant

So, let’s look at each of these in detail:

Version Control Repository:

Version control repositories also known as SCM (source code management) play a crucial role in any software development environment. They also play a very important role for a successful CI process. The SCM is a central place for the team to store every needed artifact for the project. It is mandatory for the teams to put everything needed for a successful build into this repository. This includes the build scripts, property files, database scripts, all the libraries required to build the software and so on.

The CI Server:

For CI to function properly, we also need to have an automated process that monitors a version control repository and runs a build when any changes are detected. There are several CI servers available, both open source and commercial. Most of them are similar in their basic configuration and monitor a particular version control repository and run builds when any changes are detected.

Some of the most commonly used open source CI servers are; Cruise Control, Continuum, and Hudson. Hudson is particularly interesting because of its ease of configuration and compelling plug-ins, which makes integration with test and static analysis tools much easier.

Automated Build:

The process of CI is about building software often, which is accomplished through the use of a build. A sturdy build strategy is by far the most important aspect of a successful CI process. In the absence of a solid build that does more than compile your code, CI withers. With automated builds, teams can reliably perform (in an automated fashion) otherwise manual tasks like compilation, testing, and even more interesting things like software inspection and deployment.

Now that we have seen the important tools in our CI process, let’s see how a typical CI scenario looks like for a developer:

• CI server is configured to poll the version control repository continuously for changes.
• Developer commits code to the repository.
• CI server detects this change, and retrieves the latest code from the repository.
• This causes the CI server to invoke the build script with the given targets and options.
• If configured, CI Server will send out an e-mail to the specified recipients when a certain important event occurs.
• The CI server continues to poll for changes.

Why is CI Important?

This is one of the most frequently asked questions, and here are a few points to note about this powerful technique:

• Building software often greatly increases the likelihood that you will spot defects early, when they still are relatively manageable.
• Extends defect visibility.
• CI ensures that you have production ready software at every change.
• CI also ensures that you have reduced the risk of integration issues by building software at every change.
• CI server can also be configured to run continuous inspection which can assist the development team in finding potential bugs, bad programming practice, automatically check coding standards, and also provide valuable feedback on the quality of code being written

Now that we have a basic understanding of CI, why CI is important for us, and the tools required to run a successful CI process, in a series of upcoming articles we will see how to setup CI, how to maintain code quality, continuously run code inspections, generate documentations, provide feedbacks to the teams and so on. Stay tuned….

This is a guest post from Brian Mizelle, a managing principal at Cigital.

Today, Microsoft announced the launching of its SDL Pro Network. Cigital is proud to be part of this pilot offering, and pleased to continue to take the message (and the delivery) of software security to the market. As a network of independent software security professionals, the SDL Pro Network will collectively take our best of breed experiences and work collaboratively to develop unified service offerings around Microsoft’s SDL methodology.

At Cigital we are proud of our extensive experience running more than six large-scale enterprise software security initiatives spanning customers in financial services, independent software vendors, and embedded systems. We have trained several thousand developers, architects and executives on the fundamentals of software security. We have rolled out tools and best practices for many of our best customers. We have helped to grow the software security market from its infancy. Cigital is the largest and most experienced software security services provider in the world, and we look forward to continuing our market leadership through our partnership with Microsoft.

The number of firms delivering software security services is small and forms a tightly knit community, including companies of varying sizes, experience and areas of expertise. As a group, we have all read and embraced the three top software security methodologies, including CLASP from OWASP, the Touchpoints from our own CTO Dr. Gary McGraw, and of course, Microsoft’s SDL. Regardless of what flavor of methodology our customers subscribe to, we all share the common goal of educating and delivering services that protect our clients’ assets and good name through better software security. Collaborative efforts that bring together the best minds in the business can only help improve what we do with our own customers and broaden our thoughts on the subject.

Kudos to Microsoft for pulling the SDL Pro Network together. Our clients will all benefit from the experience…stay tuned to this space for more.

[This a guest post by Cigital's Troy Jones, written in reference to episode 25 of The Silver Bullet Security Podcast, an interview with Jon Swartz.]

Gary,

Listening to your podcast with Jon Swartz today, you briefly mentioned Ralph Nader a couple of times. You said almost in jest, that “… we need a Ralph Nader for Security.??? This got me thinking about a recent brownbag you gave on Software Security, where you mentioned that clients have implied needs for security but may not explicitly state their needs. I think the concept of implied need for software security and what Nader did to impact auto safety are entirely related.

Back in the 60’s people expected that the cars they bought were “safe???. Safety was not a marketing angle used by the car companies, and people did not shop around for the safest cars, but no one would buy an “unsafe??? car. They just trusted and expected that the big auto makers had already thought about safety and “built it in??? because no reputable car manufacturer would sell an “unsafe??? car, would they?

It was not until Ralph Nader wrote “Unsafe at any Speed??? that people began to question the safety of the cars they bought. When it became apparent that Detroit was selling them unsafe cars, the public outcry (not the book itself) prompted congress to act to enable novel new safety standards like seatbelts, bumpers that actually worked, and eventually crumple zones and air bags. So, people had an implied need for auto safety, but did not express that need until they became educated to the fact that they were not safe. Then they expressed their newfound need for safety to the politicians and also voted with their pocket books, buying safer cars. When consumers were provided with valid safety evaluations, from Consumer Reports and the National Highway Traffic Safety Commission, they changed their buying habits. Auto manufacturers (eventually) changed their approach in response. After years of fighting increasingly stringent safety regulations, they now compete to be able to advertise that their minivan has the highest safety rating.

So, what does all this have to do with software security? One point is that “safe??? is relative term. You are safe if you feel safe. It is hard or impossible to know if you are actually safe but it is easy to have your illusion of safety shattered by hard facts. Your average consumer today may be oblivious or vaguely concerned about software security, but they don’t have the information necessary to make discriminating choices about what software to use or buy and to stay away from. There is no Internet Highway Safety Commission and no ratings to refer to. Without this information, people are unable to express their implicit needs. They are driving metaphorical Corvairs and they don’t even know it.

Another point is that safety and security are both relative. The worst Yugoslavian POS manufactured today is probably much safer than any car rolling off the Detroit auto lines in 1965. It is conceivable that 50 years from now people will look back and wonder how we survived without collision avoiding auto-pilots in our cars! People’s expectations for “safety??? evolve over time and hopefully their actual safety improves as cars are better engineered, but there is no endpoint- no “safety finish line???. I think this analogy applies to “Software Security???. Software should get more secure over time if security is considered an important goal, but software will never be 100% secure. Good for job security but bad for everyone who depends on software to work securely.

A third point is that the initial reaction to unsafe autos was to build safer highways. Wide-open, straight, and fast highways seemed to be more cost effective than engineering better automobiles. It was not until highway traffic deaths began to skyrocket that everyone realized how effective automobiles are at killing the occupants involved in an accident at 75 MPH with no seat belts. The same approach has been taken on the internet. Bigger pipes and better firewalls should take care of the problem. No need to design and build more secure software! But the common folk will eventually realize that building a super information highway to their most confidential data has lots of unintended negative consequences, especially when it is so easy for the crooks to get past the vigilant but not-too-bright night watchman.

The last point I would make is that it took a fairly long time and a number of contributing factors for something to be done about auto safety. While Nader’s book was certainly a catalyst, it was not the “Auto Safety Pearl Harbor???. He merely recognized and assembled the information in a concise format that allowed people to understand and take action against a problem that had been growing worse for a long time. My guess is that the same will be true for software security. There will not be a “Software Security Pearl Harbor???. But through your continued evangelizing, through books like Jon Swartz’s “Zero Day Threat??? and by their own negative experiences, people will eventually realize that something has to change and will demand action from software vendors, perhaps increased regulation from Congress, and maybe even a rating system to identify the worst offenders and the most secure software available so that they can make better choices. I am convinced that attitudes will begin to change soon, as the current rate of increase in cyber-crime has us on a trajectory to reach 1% of total GDP with 4 years. If that happens, it will definitely get the attention of quite a few people and may drive the expression of latent needs for software security.

We’re pleased to have a guest blogger for this Justice League entry. Michael Cohen is a Senior Security Consultant at Cigital where he is responsible for leading, assessing, architecting and implementing secure software for Fortune 500 companies. Michael also works with Cigital teams on enterprise-wide security solutions intended to improve an organization’s security posture and help them meet audit and regulatory requirements. Michael just gave a talk to the Washington, DC IASA chapter that was well received, and is now the subject of this entry:

When I hear software architects talk about the architecture they’ve crafted to depict the various structures and behaviors of a system, they point out interesting techniques they’ve applied that best convey how the system should work and be put together. An architect’s enthusiasm for the little details reveals a great sense of accomplishment and creativity, but most of all good architecture conveys sorely needed information in order to help those who develop, test and maintain the system. Sharing the tips and tricks gathered from the field is what helps our community move forward to building better software. A classic example of this is the Design Patterns book written by the Gang of Four.

Not too long ago I was also sharing my ideas on architecture and security at a local IASA chapter here in Washington, DC. The group was a crowd of like-minded architects who work for large Fortune 500 companies, government agencies, and promising local startups. My topic was pragmatic secure architecture. The basic idea was to look at some real ways to incorporate security into architecture using Cigital’s risk management and threat modeling practices. You can find the slides for my presentation here.

For the uninitiated, threat modeling is a way of depicting where threats (think malicious people, attackers, and so on) can touch a software architecture and how they may be able to exploit critical assets using various attack patterns. Threat modeling is valuable for determining an architecture’s security posture. In addition, identifying risks in user requirements and business goals, and tying those risks to a threat model results in a map of how design flaws impact the system, its users and the overall business. Threat models coupled with identified high-level risks are a great way to get other stakeholders involved with security decisions. And mind you, these are stakeholders who would otherwise be unable to contribute and supply critical feedback.

The attendees at the chapter meeting were glad they attended the presentation and heard something worthwhile that they could use in their daily architectural activities. Many people brought up interesting points about how to best protect critical assets, what a real risk to a system is, and what is considered a good enough mitigation. What I found particularly interesting was how threat modeling provided a way for everyone to contribute interesting ideas about where security vulnerabilities may exist and how they could be mitigated (which, if you think about it, is the entire point of threat models).

I encourage any architect to share their ideas on building a better architecture with their peers, whether it be at a local organization or at a conference. As a senior security consultant at Cigital, I like to take shared ideas and mold them into my own unique way of thinking about the world. The best results come when I can apply new ideas to my daily activities as I help our customers assess and create more secure software.

… On an entirely separate note, McGraw still owes me money. I’m watching you, Gary.

Technorati Tags: software architecture, software quality, software security, touchpoints