IBM Application Security Insider

There are so many things to talk about these days, but I don't have the time to start writing long posts on each and every subject, so I've decided to dedicate yet another "periodic blurbs" post to them all.

• Anurag Agarwal started a (blessed) thread on browser security restrictions, in which he suggested a high level solution for vulnerabilities such as XSS and XSRF. After reading this thread, and following some of the links, I've discovered that there is an abundance of suggested solutions for browser insecurities, and it seems to me that a lot of people took a stab at what I believe would be the next evolution/revolution in web security. Now, all we have to do is start nagging to browser and server vendors, to join hands in the war against client-side attacks. If you are interested in "browser security revolution" - check out these links:

1. Ivan Ristic (Mod Security) proposed what I think is the most holistic and promising solution for browser security. He even gave it a TLA, calling it SBM (Secure Browsing Mode). You can't beat that.
2. Ivan's work references Gervase Markham's article called Content Restrictions - which I believe is probably the best solution around. This is a must-read article!
3. While researching the subject, I stumbled upon a very interesting research paper called "Defending against Injection Attacks through Context-Sensitive String Evaluation". The paper was written by two IBM researchers (go IBM!), Tadeusz Pietraszek and Chris Vanden Berghe, The paper describes an approach for defending against injection attacks such as XSS, SQL Injections, Shell command injections, etc. by addressing the root cause of these attacks - ad-hoc serialization of user provided input. Definitely worth reading.
4. PDP shares his own (pessimistic) thoughts on the subject of browser security. Here are a few quotes to wet your appetite:

   So yes, we can setup a policy but it will never take off. First of all standardization bodies needs to except it. Then browsers have to implement it and we have a browser war going on at the moment. No developer will implement a standard that is not widely adopted.

    

   IMHO we need to look at security personalization options within the browsers rather then inventing new standards that may crash and burn like they’ve done so far.

    

   Let’s get back to the question about CSRF. You can’t stop CSRF. This is it! The technology does what it is supposed to do. I see how some policies can be used for good, for example in situations where attackers are after your router through some sort of CSRF attack, but again, I seriously doubt that something like what Anurag has proposed will ever work. For sure it will improve the situation security wise in certain areas but at the same time will make Web technologies rather inflexible which is something that developers hate. I don’t think that people like crossdomain.xml either, and this is the reason why most sites allow everyone to connect to their stuff, although they probably don’t know about the dangers of doing that.

5. Several researchers from the IBM Tokyo research labs (Go IBM!), explain the security issues with today's browsers and propose their own solution for the problem in this very interesting presentation called "Security Model for the Client-Side Web Application Environments"

• I've seen a few cases lately, where people are becoming more and more aggressive about what they believe in. A friend from work claims that people in the software industry turn everything into a religion (e.g. Linux vs. Windows, Blackbox vs. Whitebox, Manual Pen Testing vs. Automated Scanning, etc.). When I started this blog, I promised myself that I will not get into personal fights with people, I will not slander, trash or badmouth anyone in the industry just because I don't share their thoughts - and believe me, this is hard, because I am a very enthusiastic person. Check out this latest soap opera (I tried to keep the actual time flow): "Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript" >> "Timing attacks on web privacy" >> "Putting up, then shutting up" >> "RSnake Puts Up" >> "Drama".

• [Trash Alert] The soap opera mentioned above, reminded me that some people in this industry really don't have any class or style. You see, some players in the web application security market are finding it hard to sell their products by presenting their own products' virtues and benefits, so they use the tactics of leeching on to their competition (usually using FUD), and in some cases, I believe they cross the line. BTW, the same competitor that was mentioned above, actually uses the Watchfire & SPIDynamics logos on their own web site - how desperate can you get to actually incorporate  your competitors' logo in your own ad?!?!

• While I am on the subject of "security wars", it seems to me that the web security market is so ripe (and hence, loaded emotionally), that people have completely lost their heads. Instead of joining hands and cooperating to educate the market, they prefer getting at each other's throats, over and over again. For crying out loud, we should all be saying the same thing -- Being secure is not about using whitebox or blackbox technologies, it's not about using a hosted service, or an application firewall, and it will certainly not come if you only use an automated scanner -- like anything else in the software world, security is all about perception, process, and methodology. If you want to secure your applications, make sure that you (and your development & QA teams) know what the actual problem is, that you have a process for eliminating security issues from the project inception phase, and up until the application goes GA (and even further). You have to implement a security process throughout your entire development lifecycle, using more than a single solution or product.

This industry needs to preach for a holistic approach to web application security, to encourage end users to use multiple solutions, tailored together for a complete solution instead of turning against its own members, in what oftentimes looks like a farce.

 That's it for now.

There a few things that I'd like to write about, but each of them is currently a bit short, so I have decided to cram them all into a single post that will summarize everything.

1. IBM Acquires Watchfire - most of the people I know already read about this (I got plenty of personal emails about it), and I should probably dedicate a large post to this subject one day, but I really don't have anything to say about this at the moment, other than saying that I believe this is a smart move for both companies, and hopefully for the entire web application security market.
   
2. Positive Security - I have just read an interesting article over at "The Register", which sort of talks on what I have written about in my post "Playing in the Sandbox" a couple of weeks ago. According to the article, It seems that Anti-Virus vendors are planning on replacing the old (and notorious) blacklisting technique with whitelisting (aka Positive Security Model). I can't stress how important this move is to the security industry. Actually, I would love to see more Positive Security based products in the Web Application Firewall market as well. I wanted to write a full post on this subject, but this will have to wait.
   
3. Myth Busting - a few days ago, I read a cool blog post over at Dargos Lungu, where Dragos did a short research called "Top 10 Open Source Forums" ("Top 10" being "The Top 10 Most Secure...") - according to the original research, BBPress and Beehive both won, with 0 (that's a zero people!) publicly known vulnerabilities in the past 12 months. Well, originally I was intrigued by the post, because I myself was looking for a secure web platform to install internally here at Watchfire - but then, my evil alter-ego took over, and me being me, I just had to validate with my own two eyes (and AppScan as my sidekick), that there are actually PHP forum applications out there, that are secure. To make a short story even shorter, it took about 5 minutes to locate the first XSS vulnerability in BBPress, and another 15 minutes to locate 3 XSS vulnerabilities in Beehive (check out Dragos' cool post on the subject).
   
4. AppScan eXtensions Challenge - for those of you who are not aware of this yet, AppScan 7.5 includes an extensions framework (AXF), which enables users to download and install all sorts of cool add-ons. In order to get people started with writing their own extensions, Watchfire recently announced an eXtension writing challenge. If you want to experiment with writing an eXtension, this is your chance, and as an incentive, we'll give away an XBOX 360 for the winning eXtension.
   
5. This one is a bit old , but have you seen the interview with Rain Forest Puppy?

That's it for now.

According to this eWeek article, Google has just bought Internet security startup GreenBorder Technologies Inc.

Here’s an excerpt from the article:

GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer users surfs the Web, then discards the resulting data once the user is finished surfing.

The article then goes on to describe the technology:

The technology creates a secure zone, called a sandbox, for online interaction. "Any type of activity and interaction, while you are on the Internet, will be directed to the protected environment," according to GreenBorder's site.

Out of the many ways to protect end users from malware, viruses and other types of malicious content, I am a strong supporter of this specific positive approach, and am very surprised (and saddened) to see that desktop anti-virus vendors have mostly decided to disregard this approach, and stick mainly to negative (signature-based) solutions.

Last week, I attended the OWASP (Israel) mini-conference, which included some very interesting presentations (one of which was our own Overtaking Google Desktop).

One specific presentation that caught my attention was "Fuzzing in Microsoft and FuzzGuru framework". The presentation was given by John Neystadt, Microsoft’s lead program manager for the Forefront Edge product (aka ISA server).