
August 2007

August 22, 2007

Looking for Parental Guidance

When IBM and HP made their recent purchases (Go Big-Blue!) there was a lot of uneasy stirring everywhere. Some from genuine concern, some from pure jealousy. There were of course little sneers aimed at sowing fear in the hearts of automated web scanners' clients. Shaking up what looks like a pretty sturdy future. It fueled the belligerent fire that was already burning. Recent back-and-forths got to a point where even Ory, who usually stays away from this, had to comment on them in a recent blog post. It's all degrading into a weird Latin-American Telenovela. In that case, the upside of these purchases (and future ones, I'm sure) is the calming effect. People tend to feel a bit more secure in a large nest. In addition, big companies frown when employees make them look bad with inconsiderate trash-talk. It looks like that's just what is needed: a little adult supervision. Like street gangs, some are resorting to cyber-graffiti. We all want to feel rebellious and anti-establishment, but it needs to calm down before someone gets cyber-violent on somebody.

The final trash-bit that prompted Ory's comments was answered in a classy fashion. Very classy. Nicely done. Very grown up. This? Not so much. The link, sadly, is no longer there... I guess the adults were keeping an eye out after all. I'm referring to an interesting, to say the least, response to a recent court filing of Cenzic vs. SPI. There has got to be a better way of expression than schoolyard rules. The hacking world (web-application research or not, it's still hacking) is feared and misunderstood in the world, and this does not really inspire the kind of feelings that say "Hey, these guys are serious, professional, and we should all take notice". Really? A sarcastic, juvenile "Yo' Mama" was the best thing you could come up with? An adult, intelligent human being?

Save it for the basketball court. We all feel passionate about our work, but it can certainly be kept on a professional level.

Now, don't get me wrong. I'm sure that 17th century mathematicians trash-talked each other in the back of the chapels: "Newton stole my derivation for that..." and "I can show Euler where he can shove his graph for this...". I'm sure that if Farnsworth vs. Zworykin and Marconi vs. Baird had access to the blogosphere, they would be every bit as nasty as we can be. Albeit a little more clever, I would bet.

And they sued. Oh man, did they sue. Which brings me back to IBM.

IBM holds about 40,000 patents worldwide. It has generated and filed for tens of thousands more, I would imagine. Now, IBM isn't looking to corner any markets with these ideas. It's not going to generate the next $100BN in revenue. Microsoft crossed the 5000 mark in 2006. Contrary to common opinion, Microsoft generates the bulk of its revenue from cornering markets, not from suing for patent rights.

So why are they doing it? Why invest millions in research and in patent applications? 40,000 patents represent hundreds of millions of dollars in filing fees alone. Well, they serve as a counterweight in cross-licensing patent agreements. Besides being bitter business enemies, IBM and Microsoft have one of the biggest cross-licensing agreements out there. "Share and share alike" may be an overgenerous description, but it is certainly beneficial for everyone. Whoever does the best job wins. That's how the big boys play it. That's how the adults manage their business.

I wonder how many people have heard of Farnsworth or Zworykin. The number of people who have heard of Marconi is larger by several orders of magnitude (albeit still not enough people are aware of him). Why? Because at the end of the day he did a better job. He made a better radio and gave us a better TV. No matter who was there first and who owns this patent or that.

We've talked about the OS wars. I have no strong feelings either way. I want what's easiest for me to use. And at the end of the day, if we have more competition, we're all better off. The only reason we should want Mac and Linux to charge forward is so the world can get a better Windows! In that case, everyone wins. (I'm a Mac user, if anyone out there wonders.)

Everyone should understand, as has been remarked before, that we need to synergize (how markety of me) pen-testing, code scanning, and automated testing. But in each field, we must have fair and professional competition. Otherwise, all the world will get is a crappy Windows-esque application for our web-application security needs.

Suing for patent rights on something so vague and encompassing is truly the last resort of the desperate. It won't get anything done. Patent cases take years and years, and they have never saved a company from the market forces. They make a lot of lawyers wealthy, but no one ever got rich from hard work, they say (SCO vs. Linux, anyone?).

Anyway, we need to be a bit classier in our collaborations and competitions. Academic research on one hand and business competition on the other. They are not mutually exclusive. 

We should give each other credit for the work, and still out-do each other in the field.

Dare I ask: Why can't we all just... get along? (You have to imagine Jack Nicholson asking this of the Martian ambassador for the right effect, although being stabbed in the back countermands my point.)

Last note: I used Telenovela in counter to Ory's Soap Opera because this will not go on forever, and the end is predictable.

August 13, 2007

Periodic Blurbs (Warning: Exhortation Inside)

There are so many things to talk about these days, but I don't have the time to start writing long posts on each and every subject, so I've decided to dedicate yet another "periodic blurbs" post to them all.

  • Anurag Agarwal started a (blessed) thread on browser security restrictions, in which he suggested a high-level solution for vulnerabilities such as XSS and XSRF. After reading this thread, and following some of the links, I've discovered that there is an abundance of suggested solutions for browser insecurities, and it seems to me that a lot of people took a stab at what I believe would be the next evolution/revolution in web security. Now, all we have to do is start nagging browser and server vendors to join hands in the war against client-side attacks. If you are interested in the "browser security revolution", check out these links:
    1. Ivan Ristic (Mod Security) proposed what I think is the most holistic and promising solution for browser security. He even gave it a TLA, calling it SBM (Secure Browsing Mode). You can't beat that.
    2. Ivan's work references Gervase Markham's article called Content Restrictions - which I believe is probably the best solution around. This is a must-read article!
    3. While researching the subject, I stumbled upon a very interesting research paper called "Defending against Injection Attacks through Context-Sensitive String Evaluation". The paper was written by two IBM researchers (go IBM!), Tadeusz Pietraszek and Chris Vanden Berghe. The paper describes an approach for defending against injection attacks such as XSS, SQL injection, shell command injection, etc. by addressing the root cause of these attacks: ad-hoc serialization of user-provided input. Definitely worth reading.
    4. PDP shares his own (pessimistic) thoughts on the subject of browser security. Here are a few quotes to whet your appetite:

      So yes, we can set up a policy but it will never take off. First of all standardization bodies need to accept it. Then browsers have to implement it and we have a browser war going on at the moment. No developer will implement a standard that is not widely adopted.

      IMHO we need to look at security personalization options within the browsers rather than inventing new standards that may crash and burn like they've done so far.

      Let's get back to the question about CSRF. You can't stop CSRF. This is it! The technology does what it is supposed to do. I see how some policies can be used for good, for example in situations where attackers are after your router through some sort of CSRF attack, but again, I seriously doubt that something like what Anurag has proposed will ever work. For sure it will improve the situation security-wise in certain areas but at the same time will make Web technologies rather inflexible which is something that developers hate. I don't think that people like crossdomain.xml either, and this is the reason why most sites allow everyone to connect to their stuff, although they probably don't know about the dangers of doing that.

    5. Several researchers from the IBM Tokyo research labs (Go IBM!) explain the security issues with today's browsers and propose their own solution for the problem in this very interesting presentation called "Security Model for the Client-Side Web Application Environments".


  • I've seen a few cases lately, where people are becoming more and more aggressive about what they believe in. A friend from work claims that people in the software industry turn everything into a religion (e.g. Linux vs. Windows, Blackbox vs. Whitebox, Manual Pen Testing vs. Automated Scanning, etc.). When I started this blog, I promised myself that I will not get into personal fights with people, I will not slander, trash or badmouth anyone in the industry just because I don't share their thoughts - and believe me, this is hard, because I am a very enthusiastic person. Check out this latest soap opera (I tried to keep the actual time flow): "Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript" >> "Timing attacks on web privacy" >> "Putting up, then shutting up" >> "RSnake Puts Up" >> "Drama".


  • [Trash Alert] The soap opera mentioned above reminded me that some people in this industry really don't have any class or style. You see, some players in the web application security market are finding it hard to sell their products by presenting their own products' virtues and benefits, so they use the tactic of leeching onto their competition (usually using FUD), and in some cases, I believe they cross the line. BTW, the same competitor that was mentioned above actually uses the Watchfire & SPI Dynamics logos on their own web site. How desperate can you get, to actually incorporate your competitors' logos in your own ad?!?!


  • While I am on the subject of "security wars", it seems to me that the web security market is so ripe (and hence, loaded emotionally) that people have completely lost their heads. Instead of joining hands and cooperating to educate the market, they prefer getting at each other's throats, over and over again. For crying out loud, we should all be saying the same thing: being secure is not about using whitebox or blackbox technologies, it's not about using a hosted service or an application firewall, and it will certainly not come if you only use an automated scanner. Like anything else in the software world, security is all about perception, process, and methodology. If you want to secure your applications, make sure that you (and your development & QA teams) know what the actual problem is, and that you have a process for eliminating security issues from the project inception phase up until the application goes GA (and even further). You have to implement a security process throughout your entire development lifecycle, using more than a single solution or product.

This industry needs to preach for a holistic approach to web application security, to encourage end users to use multiple solutions, tailored together for a complete solution instead of turning against its own members, in what oftentimes looks like a farce.
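As an added illustration of the "ad-hoc serialization" root cause named in item 3 of the list above (toy Python written for this page, not code from the Pietraszek/Vanden Berghe paper, from Watchfire or from this blog): a query built by pasting user text straight in, beside a serializer that decides how to treat each untrusted fragment from the SQL context it lands in. The Untrusted class, the query shapes and the sample inputs are all constructed here.

```python
"""Ad-hoc vs. context-sensitive serialization of untrusted input into SQL.

Toy code written for this page; it is not the CSSE paper's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Untrusted:
    """A string fragment that came from the user and carries no trust."""
    value: str


def adhoc_query(username: str) -> str:
    # The ad-hoc way: user text is pasted straight into the query, so a
    # quote character in the input rewrites the query's structure.
    return "SELECT * FROM users WHERE name = '" + username + "'"


def escape_sql_string(s: str) -> str:
    # Escaping for the inside of a single-quoted SQL literal: double the quote.
    return s.replace("'", "''")


def serialize_sql(parts) -> str:
    """Assemble a query from trusted text and Untrusted fragments.

    Trusted text is copied verbatim and used to track the lexical context.
    Each Untrusted fragment is handled according to where it lands: inside
    a quoted literal it is escaped; elsewhere only a bare integer literal
    is allowed, and anything else is refused instead of being spliced in.
    """
    out, in_string = [], False
    for part in parts:
        if isinstance(part, Untrusted):
            if in_string:
                out.append(escape_sql_string(part.value))
            elif part.value.isdigit():
                out.append(part.value)
            else:
                raise ValueError(f"untrusted text in SQL code context: {part.value!r}")
        else:
            # Each quote in trusted text enters or leaves a string literal.
            in_string ^= bool(part.count("'") % 2)
            out.append(part)
    return "".join(out)


if __name__ == "__main__":
    probe = "' OR '1'='1"  # constructed sample input containing a quote
    print(adhoc_query(probe))  # the quote ends the literal early
    print(serialize_sql(["SELECT * FROM users WHERE name = '", Untrusted(probe), "'"]))
    print(serialize_sql(["SELECT * FROM users WHERE id = ", Untrusted("42")]))
```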

That's it for now.

August 06, 2007

Air Bags by Popular Demand

It has been almost ten years since anyone could buy a car without one or more air-bags (at least in the US and Europe). It has been more than twenty years since cars without three-point restraint seat-belt systems were available. Car manufacturers were not happy about all of it at the beginning because it drove costs up and it involved additional research investment.

Public opinion and related industries drove lawmakers to push (and then mandate) technologies such as air-bags, early-warning brake lights, and anti-lock braking systems. Aside from the consumers' enjoyment of safer transportation, insurance companies also benefited (financially) from the deal. Today car safety is a burning issue for anyone looking to buy a new car.

Why don't we see public pressure to make our web-sites safer? Why do most people scrutinize their prospective car better than their bank's Internet safety policy? Why do people read about crash-test results in the motor sections of magazines and newspapers? Why do so many people know what it means that "Somecar SL" made by "MotorMaker Inc." scored a 5 on the European NCAP tests?

The answer is education: People look at the little lock at the bottom (or top) of their web browser and say "Yey! Safety!" Curiosity might drive some of them to look at the certificate behind the lock, and read about how one important sounding company verified and authenticated and identified the web-site. Web application security is so much more than that.

Jeremiah Grossman wrote about education. I agree that web developers and web testers should be made more aware of the dangers inherent to web-applications. But not only them. The users of these applications need to be able to demand safety, except they don't know they need to.

Ever see a crash test dummy thrown through a window? Who hasn't? There isn't a person alive today in the western world that hasn't marveled at the speed an airbag opens, catching, in slow-mo, the dummy's head as it slams helplessly towards the steering wheel. It's in commercials, news reports, and MTV videos. It certainly drives the point home. We all want air-bags in our cars. We know why. We know what can happen if we don't. We care about the safety features and design of our vehicles at a level that exceeds the knowledge required for normal use.

And to ease our minds, we do not crash cars to test them. We have bodies we trust to do that for us. European standards institutes, independent safety magazines, etc.

What about web-applications?

I have to confess: until three months ago I was a part of the ignorant mass. I clicked on the Locked icon and in knowing self-importance thought: "VeriSign, yes, good. Oh, look, forms and fields! Yes. Very good! This site is secured. It is safe."

I was even clever enough not to press links in emails: always copy-paste them into the browser. You never know what really lurks behind the link's text, certainly not from an unfamiliar source.

But then I came to Watchfire and learned a few things. About the inexcusable ease with which a web-application can be hacked, if the right web-app developer fell asleep on the job.

I saw a live presentation of the Google-desktop hack. I then thought: I don't know anything about UTF-8 or URL encoding. Despite thinking of myself as Internet-clever, I considered the following scenario:

I get an email from a friend, telling me to check out a funny Google-search. I look at the link and despite all the odd ?, %, &, and numbers it looks perfectly normal to me. I copy, and paste it into my browser. I get a host of pictures of nuns riding unicycles.

Now, my friend got the message forwarded from another friend, who got it from a brother, who got it from a classmate, who's not really sure who the mail was from, but thought nuns on unicycles are pretty hysterical. This way a chain of trust is established that resulted in me exposing my machine to the whims of a malicious hacker through my beloved Google Desktop application (which is a web-app for all intents and purposes).

But it's not just trust-chains. It's the promise of fun that makes most people ignore common sense and develop trust toward things that do not warrant it. The phenomenon is widely recognized and has been named: the Dancing Pigs Problem. People are easily tempted by dancing pigs. People are easily distracted by shiny, sparkly, exciting things. As remarked by Bruce Schneier, even if the warning is clear and unambiguous, the everyday web-surfer will choose to ignore it for the promise of some enjoyment.

As a community, web-app security needs to tackle the masses. We need a way to drive the point home. People use the Internet and its peripheral services and have no understanding of the technology or the risks involved. People download, share, do business, send and receive, talk, watch, play, read, write, and live virtual lives in a virtual universe. People learn about internal combustion and the hazards of navigating traffic in high school. There are vehicle-safety documentaries by the dozens. The only documentaries about the Internet are about sensational hackers and their crimes. People are angry at attackers, and not at their web-app providers for not protecting them and their data.

As technologists and engineers, we are so used to Internet technologies that all the ignorance out there does not even occur to us. We need to start with simple examples, and not be afraid to approach the public as children. Remember that we need to start at the beginning. Explain things step by step until a greater understanding prevails.

Once the users become more and more clever, they will start approaching their service providers and ask them: What body governs and approves your site security? Which standards do you hold yourselves to?

The web-application providers will start generating and seeking standards on their own. The security community needs to help bring that change about, and then to be there to work together with the industry to create the safer Internet-world we all need and deserve.