Info Bits

May 11, 2008

Periodic Blurbs

Hi There,

Just wanted to leave you all a quick note that we haven't forgotten how to blog :-) we've been busy over our heads with migrating things to IBM (called Blue-Washing around here), developing a new version of AppScan (as always, we have to stay ahead of the pack), and researching new and interesting security vulnerabilities. In the meantime, here's a quick list of anecdotes to keep you busy -

  • OWASP AppSec Europe 2008 is right around the corner. I strongly recommend attending this conference, as it looks like the agenda is packed with great presentations. The conference will take place in Ghent, Belgium, which means that good beer won't be a problem. If you haven't registered yet, I suggest you do so, and prepare to work hard in locating a hotel in the vicinity. Every single hotel is booked solid, and you might need to make some compromises. In addition, I am currently scheduled to be on the panel at the end of the first day ("The PCI 6.6 dogfight - to Scan or to WAF, this is the question") - I wouldn't miss a chance to voice my opinions
  • Adobe Flash/Flex security - we have been researching Flex and Flash security a lot lately as a part of our continuous effort to stay ahead of the technology. RIA security is the next big thing, and the green pastures of security vulnerabilities are awaiting. Rest assured that readers of this blog will be the first to read about our research, and some of it will also be presented at the OWASP AppSec conference in NYC later this year
  • IBM Rational Software Development Conference (RSDC) 2008 is coming up (June 1-5, 2008). This year's conference will host a full track on Application Security & Compliance (click to view agenda), and will include some great presentations in our field. I am also going to be there, and will give a session on Web 2.0 security (AS09). In addition, William Shatner is one of the keynote speakers - are you seriously going to miss Captain Kirk talking about software development?
  • "Static code analysis is inherently doomed to fail" - at least that's what the author of this blog thinks. Well, I beg to differ, and for every reason mentioned in the above post, there's a reasonable solution or a workaround. In addition, I can't help but say - that's what happens when your scanner GREPs for security vulnerabilities ;-) ouch, don't take it personally...
  • Cisco announces their own stab at building a web application firewall (WAF). I guess PCI 6.6 is kicking in :-) oh AppShield, where art thou? Seriously now, I'm hearing and reading about WAFs every day and in every blog - it's simply awesome to see that this market is finally picking up
  • Charles is my new best friend. I'm not sure if I've mentioned it before in this blog, but this HTTP Proxy simply kicks ass (and it supports AMF message tampering for those pesky Flash remoting apps). Next to firebug (and of course AppScan), this is probably one of the best tools to have in your arsenal. Check it out
  • Off topic - I just finished reading a book called "The Volunteer: The Incredible True Story of an Israeli Spy on the Trail of International Terrorists". While I'm not sure how "true" this story is, I did enjoy the espionage parts of it. I strongly recommend it.

That's all for now, and don't forget -


August 13, 2007

Periodic Blurbs (Warning: Exhortation Inside)

There are so many things to talk about these days, but I don't have the time to start writing long posts on each and every subject, so I've decided to dedicate yet another "periodic blurbs" post to them all.

  • Anurag Agarwal started a (blessed) thread on browser security restrictions, in which he suggested a high level solution for vulnerabilities such as XSS and XSRF. After reading this thread, and following some of the links, I've discovered that there is an abundance of suggested solutions for browser insecurities, and it seems to me that a lot of people took a stab at what I believe would be the next evolution/revolution in web security. Now, all we have to do is start nagging browser and server vendors to join hands in the war against client-side attacks. If you are interested in the "browser security revolution" - check out these links:
    1. Ivan Ristic (Mod Security) proposed what I think is the most holistic and promising solution for browser security. He even gave it a TLA, calling it SBM (Secure Browsing Mode). You can't beat that.
    2. Ivan's work references Gervase Markham's article called Content Restrictions - which I believe is probably the best solution around. This is a must-read article!
    3. While researching the subject, I stumbled upon a very interesting research paper called "Defending against Injection Attacks through Context-Sensitive String Evaluation". The paper was written by two IBM researchers (go IBM!), Tadeusz Pietraszek and Chris Vanden Berghe. The paper describes an approach for defending against injection attacks such as XSS, SQL Injection, Shell command injection, etc. by addressing the root cause of these attacks - ad-hoc serialization of user provided input. Definitely worth reading.
    4. PDP shares his own (pessimistic) thoughts on the subject of browser security. Here are a few quotes to whet your appetite:

      So yes, we can set up a policy but it will never take off. First of all standardization bodies need to accept it. Then browsers have to implement it and we have a browser war going on at the moment. No developer will implement a standard that is not widely adopted.

      IMHO we need to look at security personalization options within the browsers rather than inventing new standards that may crash and burn like they've done so far.


      Let’s get back to the question about CSRF. You can’t stop CSRF. This is it! The technology does what it is supposed to do. I see how some policies can be used for good, for example in situations where attackers are after your router through some sort of CSRF attack, but again, I seriously doubt that something like what Anurag has proposed will ever work. For sure it will improve the situation security wise in certain areas but at the same time will make Web technologies rather inflexible which is something that developers hate. I don’t think that people like crossdomain.xml either, and this is the reason why most sites allow everyone to connect to their stuff, although they probably don’t know about the dangers of doing that.

    5. Several researchers from the IBM Tokyo research labs (Go IBM!) explain the security issues with today's browsers and propose their own solution for the problem in this very interesting presentation called "Security Model for the Client-Side Web Application Environments".

  • I've seen a few cases lately, where people are becoming more and more aggressive about what they believe in. A friend from work claims that people in the software industry turn everything into a religion (e.g. Linux vs. Windows, Blackbox vs. Whitebox, Manual Pen Testing vs. Automated Scanning, etc.). When I started this blog, I promised myself that I will not get into personal fights with people, I will not slander, trash or badmouth anyone in the industry just because I don't share their thoughts - and believe me, this is hard, because I am a very enthusiastic person. Check out this latest soap opera (I tried to keep the actual time flow): "Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript" >> "Timing attacks on web privacy" >> "Putting up, then shutting up" >> "RSnake Puts Up" >> "Drama".


  • [Trash Alert] The soap opera mentioned above reminded me that some people in this industry really don't have any class or style. You see, some players in the web application security market are finding it hard to sell their products by presenting their own products' virtues and benefits, so they use the tactics of leeching on to their competition (usually using FUD), and in some cases, I believe they cross the line. BTW, the same competitor that was mentioned above actually uses the Watchfire & SPIDynamics logos on their own web site - how desperate can you get to actually incorporate your competitors' logo in your own ad?!?!

  • While I am on the subject of "security wars", it seems to me that the web security market is so ripe (and hence, loaded emotionally), that people have completely lost their heads. Instead of joining hands and cooperating to educate the market, they prefer getting at each other's throats, over and over again. For crying out loud, we should all be saying the same thing -- Being secure is not about using whitebox or blackbox technologies, it's not about using a hosted service, or an application firewall, and it will certainly not come if you only use an automated scanner -- like anything else in the software world, security is all about perception, process, and methodology. If you want to secure your applications, make sure that you (and your development & QA teams) know what the actual problem is, that you have a process for eliminating security issues from the project inception phase, and up until the application goes GA (and even further). You have to implement a security process throughout your entire development lifecycle, using more than a single solution or product.

This industry needs to preach for a holistic approach to web application security, to encourage end users to use multiple solutions, tailored together for a complete solution instead of turning against its own members, in what oftentimes looks like a farce.
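To make the root-cause idea from the CSSE paper in item 3 concrete, here is an added sketch (my own illustration, not code from the paper or from IBM) of tracking which fragments of a string came from user input and escaping only those fragments at the moment the string is serialized into SQL or HTML; the class and function names are assumptions of this example.

```python
import html


class Tainted:
    """String fragments that remember whether they came from user input.
    Added illustration of the CSSE idea; not code from the paper or from IBM.
    """

    def __init__(self, parts=None):
        self.parts = list(parts or [])  # [(text, from_user), ...] in order

    @classmethod
    def trusted(cls, text):
        return cls([(text, False)])

    @classmethod
    def user(cls, text):
        return cls([(text, True)])

    def __add__(self, other):
        if isinstance(other, str):
            other = Tainted.trusted(other)
        return Tainted(self.parts + other.parts)

    def __radd__(self, text):
        return Tainted.trusted(text) + self


def _sql_literal(text):
    return text.replace("'", "''")  # single quote inside an SQL string literal


def serialize(value, context):
    """Escape only user-provided fragments for the target output language;
    escaping happens at serialization time rather than ad hoc at input."""
    escape = {"sql": _sql_literal, "html": html.escape}[context]
    return "".join(escape(t) if from_user else t for t, from_user in value.parts)


def lookup_query(username):
    # Constructed sample: the name is untrusted, the rest of the query is ours
    q = "SELECT id FROM users WHERE name = '" + Tainted.user(username) + "'"
    return serialize(q, "sql")


def greeting_html(username):
    return serialize("<p>Hello, " + Tainted.user(username) + "</p>", "html")
```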

That's it for now.

June 10, 2007

A Few Blurbs

There are a few things that I'd like to write about, but each of them is currently a bit short, so I have decided to cram them all into a single post that will summarize everything.

  1. IBM Acquires Watchfire - most of the people I know already read about this (I got plenty of personal emails about it), and I should probably dedicate a large post to this subject one day, but I really don't have anything to say about this at the moment, other than saying that I believe this is a smart move for both companies, and hopefully for the entire web application security market.
  2. Positive Security - I have just read an interesting article over at "The Register", which sort of talks about what I wrote about in my post "Playing in the Sandbox" a couple of weeks ago. According to the article, it seems that Anti-Virus vendors are planning on replacing the old (and notorious) blacklisting technique with whitelisting (aka Positive Security Model). I can't stress enough how important this move is to the security industry. Actually, I would love to see more Positive Security based products in the Web Application Firewall market as well. I wanted to write a full post on this subject, but this will have to wait.
  3. Myth Busting - a few days ago, I read a cool blog post over at Dragos Lungu's, where Dragos did some short research called "Top 10 Open Source Forums" ("Top 10" being "The Top 10 Most Secure...") - according to the original research, BBPress and Beehive both won, with 0 (that's a zero, people!) publicly known vulnerabilities in the past 12 months. Well, originally I was intrigued by the post, because I myself was looking for a secure web platform to install internally here at Watchfire - but then, my evil alter-ego took over, and me being me, I just had to validate with my own two eyes (and AppScan as my sidekick) that there are actually PHP forum applications out there that are secure. To make a short story even shorter, it took about 5 minutes to locate the first XSS vulnerability in BBPress, and another 15 minutes to locate 3 XSS vulnerabilities in Beehive (check out Dragos' cool post on the subject).
  4. AppScan eXtensions Challenge - for those of you who are not aware of this yet, AppScan 7.5 includes an extensions framework (AXF), which enables users to download and install all sorts of cool add-ons. In order to get people started with writing their own extensions, Watchfire recently announced an eXtension writing challenge. If you want to experiment with writing an eXtension, this is your chance, and as an incentive, we'll give away an XBOX 360 for the winning eXtension.
  5. This one is a bit old, but have you seen the interview with Rain Forest Puppy?

That's it for now.

May 30, 2007

Playing in the Sandbox

According to this eWeek article, Google has just bought Internet security startup GreenBorder Technologies Inc.

Here’s an excerpt from the article:

GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer user surfs the Web, then discards the resulting data once the user is finished surfing.

The article then goes on to describe the technology:

The technology creates a secure zone, called a sandbox, for online interaction. "Any type of activity and interaction, while you are on the Internet, will be directed to the protected environment," according to GreenBorder's site.

Out of the many ways to protect end users from malware, viruses and other types of malicious content, I am a strong supporter of this specific positive approach, and am very surprised (and saddened) to see that desktop anti-virus vendors have mostly decided to disregard this approach, and stick mainly to negative (signature-based) solutions.

Continue reading "Playing in the Sandbox" »

May 29, 2007

What The Fuzz Are You Talking About?!

Last week, I attended the OWASP (Israel) mini-conference, which included some very interesting presentations (one of which was our own Overtaking Google Desktop).

One specific presentation that caught my attention was "Fuzzing in Microsoft and FuzzGuru framework". The presentation was given by John Neystadt, Microsoft’s lead program manager for the Forefront Edge product (aka ISA server).

Continue reading "What The Fuzz Are You Talking About?!" »