In April 2007, I published a darkreading article on the size of the software security space with some analysis of what was happening. It took me a bit longer to gather the numbers this year, but I finally got what I needed and published an informIT article recently explaining how software security is growing.

I am very optimistic about the growth of the software security field over the last few years. Things are certainly moving in the right direction (toward white box analysis instead of outside->in black box, out of the myopic focus on Web apps, and toward full-lifecycle programs based on the touchpoints). The numbers show this growth and these trends objectively.

On a top secret mailing list I participate in, there was some recent discussion about a recent article published by Fortify slamming the Open Source community for failing to adopt software security (you can find the article on the Fortify website). Here’s what I posted to the list (identities masked to preserve secret identities):

I just downloaded and read the Fortify study. It’s more of a white paper than it is science, but it is reasonably well presented and seems not to be too terribly fluffy. You can download a copy for yourself from the Fortify website. In the end what we have is some evidence that there are some open source projects that are behind the curve from a security perspective. I don’t think this should come as a surprise to anyone.

Some specifics based on other postings:

[DoD open source guy] sez>> First, it’s Java-heavy.

This is true. As far as I know, all of Fortify’s open source work has been Java-based (see the Java Open Review project). I don’t see why this impacts the results very much. Though open source Java projects may be a bit less responsive to security, the conclusions in the report are clear about just what set of projects were considered. Then again, I am not at all sure what methods were used to pick 11 out of 101 JOR projects.

[Apache leader] sez>> My experience on the security team at Apache…

Incidentally, when it comes to the results reported, Apache (Tomcat) is the only one of the eleven projects that is reported to have security-specific email, links to security info and access to security experts. One the other hand Apache (Struts) is reported not to have these things, which [DoD open source guy] argues is misleading since the Apache ASF page has these things.

[crypto open source guy] sez >> A better summary would have been “Many developers still don’t care about security.”

Sadly this is true. However as an evangelist in the space I will point out that the commercial world appears to be making much better headway in software security than the open source community (present company excepted of course but I am donning my asbestos suit anyway). I think many of the reasons why commercial software has an unfair advantage were covered in a panel on open source and security that Peter Neumann, Fred Schneider, and I all participated in at Oakland in 2000 (I can dig up e-copies if anybody cares).

One project was singled out for good software security practice: Mozilla. Should we all try to be more like Mozilla?

The debate did not rage on on the top secret list, but it must be raging on somewhere, because Roger Thornton just posted a response to the Fortify blog which you cab read here.

Frankly I was hoping that we killed this thing dead at Oakland in 2000. Guess again!

I’ve written before about how useful comics can be in security training. See a previous blog entry here.

In that brief article, I called out some of Markus Schumacher’s training animations. I’m pleased to report that Markus has asked Cigital to host some of his material. Here are some links:

Example 1: Car Auction

Example 2: Online Application

Cross Site Request Forgery

Forceful Browsing

You can also find these links together in one place on our resources page.

Developers often ask security folk, “Hey, how do I protect credentials in config/property files?” or “Do I need to encrypt my production binaries?” I admire their asking security for help, but often times 1) they’ve not asked the question well enough to get a good answer and 2) security folk have a hard time getting to the root of the problem to provide decent guidance.

After teaching a threat modeling course recently I thought I’d demonstrate how considering an application’s architecture, who might attack it, and what impacts a business might face as a result of attacks interrupting or subverting the system’s ability to accomplish its business objective can be very helpful in framing context-free questions like I’ve posed above. I’m of course, talking about why threat modeling, even informally, is useful.

Let’s consider the above questions in a few contexts. I’ll ‘invent’ contexts for the purpose of this conversation, but you can likely see overlap in what you do with one or two, and incredible differences in the others.

Some circumstances will warrant protecting against threat actors making changes to configuration or the code loaded into the production environment in which extensibility of that environment’s code base and flexibility of its configuration are a reality. Examples of such environments might be:

• A mobile device or one distributed to consumers (such as phone, embedded device (TiVO, AppleTV, etc.) or similar)
• A outsourced hosting environment (Savvis, Google Cloud, etc.)

In both cases, you want to push updates or new applications/configuration in the production environment. Really, any organization that separates development from operations/deployment will have to ponder trust of its operators. Outsourcing is not a necessary condition.

“Insider” and “Administrator” threats apply in the second case, whereas a “Malicious User/operator” applies in the former. In all these circumstances, we need to rely on the actor to operate and in some cases maintain the system, but we don’t trust the threat actor with code and certain sensitive configuration elements. That’s a pickle.

In terms of the threats’ capabilities, we expect an Administrator to have intimate knowledge of (and ostensibly administrative control over) the host on which our application is deployed. They do not, probably, have reverse-engineering capabilities, or deft programming skill in non-script languages except in rare cases. Insiders may simply have access to the host (physically or through remote login), may possess the same role as the running application, but probably do not possess root privileges on our underlying host without successfully exploiting it. Their skill level will probably be less than that of an Administrator in most cases.

A malicious operator will run the complete gamut of skills as a matter of fact: there are plenty of deep technologists and tinkerers you want to sell TiVOs and cell phones to. Depending on the size of the market, the data or functionality to be protected, and the possibilities through which a “hack” could be replicated and executed by non-skilled users (my mom will not not log into her TiVO but will definitely send her cell phone away to be “unlocked”), protective schemes may or may not be of much use.

It is because these threats’ vary widely in their skill set and their understanding of the construction of the application that I’ve combined consumer devices with hosting—seemingly unrelated architectures. Opaqueness and user/operator knowledge are slippery slopes. Some people hack their TiVO and some admins haven’t the foggiest of how to tickle an app

We’re drawn to potential impacts to make sense of the capabilities we discussed above and what they might be used for. I’ll treat each system architecture in term, giving a single attack scenario for each threat.

Hosting

The administrator lifts plain-text credentials out of a config file (u: oracle, pw: oracle) and conducts his/her own SQL-injection on the database, pulling tables and tables of user records, sells ‘em to organized crime: motivation, payoff, and impact. Let’s consider a code-replacement problem too, this time from the perspective of insider. An insider watches bug reports for a particular dev. team and after seeing a particularly insidious one, rolls back the version of production software to a vulnerable release, and follows the ‘script’ laid down by the bug report. He makes decent use of some coupon-codes, gets about 3-62” flat-panels shipped to his house for $3, and runs.

Consumer Devices

Here, let’s consider two scenarios as well. First, the malicious operator—a consumer—twiddles with his/her DirectTV until I figure out how it stores/sends its username/password up-stream. Discerning a weak password scheme (computable from a username) and having heard a neighbor brag about his “NFL Sunday Ticket” purchase, he/she downgrades service to the cheapest, then updates his/her DirectTV to send the neighbor’s username/password instead of their own. Beaucoup sports at petite pricing. In another scenario, imagine the malicious operator adding their own naughty code to the device to collect streams of content and drop ‘em to disk DRM-free.

One could imagine other goals, attack paths, and impacts easily. I’ve chosen these off the top of my head because they’ll demonstrate dramatically different protective schemes. I don’t know that they’re the most interest, common, or valuable scenarios to consider. I know-in some cases-that the scenarios I’ve listed are contrived.

Now, onto attacks and protective schemes:

Hosting: Code Update

Preventing insider (or even a malicious system administrator) from loading code can be accomplished by combining an organizational tweak with a platform feature (At least where Java and .NET are concerned). By demanding code and configuration (even code security policy) be signed before promotion into a production environment, and configuring the application container to check for these signatures, one can control what code executes in a particular container. Separating the “Application Deployer” role (the one who signs and delivers code) from “Application Developer” and “System Administrator” prevents either from placing a rogue binary in place of the expected (signed) one.

Outstanding issues with this scheme include how to validate code to be signed. Did the developer inject back-door functionality that remains undetected? And, of course, how do you prevent an administrator from loading malware outside the application container (either side-by-side on the host or as a proxy between the application and a connecting system)?

Consumer Device: Code Update

Code signing has worked for consumer devices as well. Other encrypted binary format schemes have been employed to not only disallow unauthorized parties from loading code, but also for protecting the IP contained within code updates while in transport over Teh Intarweb.

An aside: I’ve seen a code signing scheme “to prevent malware from being placed on victims’ devices.” However, they granted code signing certificates to anyone willing to register (with their address and some other information). Because they’d give signing ability to (basically) anyone who asked, their scheme did NOT prevent malware from getting onto the device. Instead, it only allowed for tracking of who was responsible for signing that malware ;-) Likewise, a system whose dynamic update function was protected by “proprietary encryption”, thus disallowing anyone from seeing patches or deploying malware in their stead. Because this “proprietary scheme” was basically just LZW, it was trivially broken.

Consumer Device: Storing Credentials

Preventing a malicious operator from observing and gaming credentials will take an entirely different tack. Think about how smart cards or GSM cell phones work. In these cases (both potentially operated by unsavory folk), a card contains both logic and a secret, known to a central authority. When the central authority (a web site, something the smart card is docking with, or inserted in to) needs to authenticate the user device, it issues a challenge to the card. Logic on the card then computes a response to this challenge based on the secret it holds and issues a response. Even if the device’s user is able to intercept both challenge and response, it should remain opaque (and therefore not suffer replay).

Advanced techniques, such as Differential Power Analysis, may be able to extract key information from such schemes even when implemented correctly. A more interesting limitation of this scheme is plausibility of its deployment. Fobs are expensive to deploy and may not even fit within the architecture being analyzed.

Hosting: Storing Credentials

‘The trickiest of problems of the bunch to solve. I’ve seen a lot of different schemes discussed, some commercial, some home-rolled. One can thwart an administrator not skilled in reverse engineering and slow down a well-trained one by encrypting configuration, true. However, schemes that involve placing encryption secrets in the code that protect those config files can ultimately be reversed by a skilled administrator. Situations in which said secret was stored elsewhere and passed to the application to be used during start-up raise complexity a fair amount and can also be reversed if the administrator can debug or attach to the application’s process. And, to finish the summary, the credentials must ultimately be used somewhere. Often, it’s easier for administrators to MitM the application and that somewhere rather than do all this reversing we all find fun.

Once some kind of reasonable encryption scheme is employed (to prevent trivial attack), protective scheming should focus on detection of access to down-stream resources using lifted credentials, rather than making the problem THAT much more difficult to reverse. Think about it this way, the way I wrote up this threat, its attack scenario, and impact, it seems to me these efforts would be sufficient to exonerate the company from negligence in the case of actual attack. This may in fact be their goal, rather than preventing attack, as always depending on the impact of successful attack.

In turn, you can see that the way each problem was presented, its potential solutions vetted, and next steps were discussed depended on the threat and the architecture under consideration. I hope these few examples help frame and answer (or ask) your next “how do I secure” question.

At RSA this year, I did a quick video interview with Dennis Fisher an old friend who is now the lead editor of Search Security. The resulting video is here

Here are the questions I answered during the interview (along with some bonus pointers that I’ll include in this posting). As you can see, we mostly talked about software security:

• Let’s talk about where things stand with the state of software security in the industry today. Are you optimistic?
• I’ve heard a lot of people say that solving the software security problem is going to cost a lot of time and money in the development process. Is that true?

  See this informIT article.

• I know there’s a lot of training that goes on in the professional world in terms of software security for developers, but is that happening more in colleges and universities right now compared to five years ago?

  See this IT Architect article.

• What about the commercial software vendors. How much progress are they making on this problem?
• Are there one or two problems that really worry you in software security right now?

  See this IEEE S&P article.

If you like this video, please let the Search Security people know so they feel compelled to do more.

My buddy Jim Menard sent me this link when we were talking about comments Don Rippert made about the futility of MDA.

Don Rippert’s comments were (in summary) that by the time you got to any level of specificity in the model that the complexity of the models made them harder to follow than code.

I’ve been using Enterprise Architect to reverse engineer code by loading the code into EA and looking at the generated UML. I’ve given up and gone back to emacs.

A recent discussion about the virtues of the Chief Programmer method motivated me to re-read “The Mythical Man-Month”. What a great book. I read it while on vacation and kept on saying to my wife “Why don’t they make all computer science and software engineering undergrads read this book?” When I came back, I asked some of my co-workers if they had read the book. The only ones that had were “old guys” (like me) and one “young guy” who attended UNC where Brooks taught. That’s sad and I encourage everyone young and old to read this book.

The book, however, is a little dated. To prove one of his points, Brooks describes as “extravagant” the use of and additional “10 bytes” to implement leap year support in OS 360’s date code. Now, 10 bytes “back in the day” was indeed extravagant, but for a programmer that has been brought up coding in today’s environments, 10 bytes is less than the guy’s email signature.

As I pondered these 10 bytes, I reminisced about some code I had to maintain in the RSTS/E kernel. The code was:

CMP (PC), 4(SP) ;Is 4 off of SP 4? Saves 2 bytes

This took me and another guy more than a couple of minutes to figured out, but sure enough it saved those precious two bytes. So, just how precious were those two bytes?

Adjusting for the fact that these two bytes were on a 16-bit architecture and today’s machines are 32-bit, I figured that those two bytes are equivalent to 128K. What would you do to save 128K in a space sensitive area of your system or perhaps that application you’re writing for your mobile phone?

So, what does this have to do with software security? Nothing. But, after all, I was on vacation.

[This a guest post by Cigital’s Troy Jones, written in reference to episode 25 of The Silver Bullet Security Podcast, an interview with Jon Swartz.]

Gary,

Listening to your podcast with Jon Swartz today, you briefly mentioned Ralph Nader a couple of times. You said almost in jest, that “… we need a Ralph Nader for Security.” This got me thinking about a recent brownbag you gave on Software Security, where you mentioned that clients have implied needs for security but may not explicitly state their needs. I think the concept of implied need for software security and what Nader did to impact auto safety are entirely related.

Back in the 60’s people expected that the cars they bought were “safe”. Safety was not a marketing angle used by the car companies, and people did not shop around for the safest cars, but no one would buy an “unsafe” car. They just trusted and expected that the big auto makers had already thought about safety and “built it in” because no reputable car manufacturer would sell an “unsafe” car, would they?

It was not until Ralph Nader wrote “Unsafe at any Speed” that people began to question the safety of the cars they bought. When it became apparent that Detroit was selling them unsafe cars, the public outcry (not the book itself) prompted congress to act to enable novel new safety standards like seatbelts, bumpers that actually worked, and eventually crumple zones and air bags. So, people had an implied need for auto safety, but did not express that need until they became educated to the fact that they were not safe. Then they expressed their newfound need for safety to the politicians and also voted with their pocket books, buying safer cars. When consumers were provided with valid safety evaluations, from Consumer Reports and the National Highway Traffic Safety Commission, they changed their buying habits. Auto manufacturers (eventually) changed their approach in response. After years of fighting increasingly stringent safety regulations, they now compete to be able to advertise that their minivan has the highest safety rating.

So, what does all this have to do with software security? One point is that “safe” is relative term. You are safe if you feel safe. It is hard or impossible to know if you are actually safe but it is easy to have your illusion of safety shattered by hard facts. Your average consumer today may be oblivious or vaguely concerned about software security, but they don’t have the information necessary to make discriminating choices about what software to use or buy and to stay away from. There is no Internet Highway Safety Commission and no ratings to refer to. Without this information, people are unable to express their implicit needs. They are driving metaphorical Corvairs and they don’t even know it.

Another point is that safety and security are both relative. The worst Yugoslavian POS manufactured today is probably much safer than any car rolling off the Detroit auto lines in 1965. It is conceivable that 50 years from now people will look back and wonder how we survived without collision avoiding auto-pilots in our cars! People’s expectations for “safety” evolve over time and hopefully their actual safety improves as cars are better engineered, but there is no endpoint- no “safety finish line”. I think this analogy applies to “Software Security”. Software should get more secure over time if security is considered an important goal, but software will never be 100% secure. Good for job security but bad for everyone who depends on software to work securely.

A third point is that the initial reaction to unsafe autos was to build safer highways. Wide-open, straight, and fast highways seemed to be more cost effective than engineering better automobiles. It was not until highway traffic deaths began to skyrocket that everyone realized how effective automobiles are at killing the occupants involved in an accident at 75 MPH with no seat belts. The same approach has been taken on the internet. Bigger pipes and better firewalls should take care of the problem. No need to design and build more secure software! But the common folk will eventually realize that building a super information highway to their most confidential data has lots of unintended negative consequences, especially when it is so easy for the crooks to get past the vigilant but not-too-bright night watchman.

The last point I would make is that it took a fairly long time and a number of contributing factors for something to be done about auto safety. While Nader’s book was certainly a catalyst, it was not the “Auto Safety Pearl Harbor”. He merely recognized and assembled the information in a concise format that allowed people to understand and take action against a problem that had been growing worse for a long time. My guess is that the same will be true for software security. There will not be a “Software Security Pearl Harbor”. But through your continued evangelizing, through books like Jon Swartz’s “Zero Day Threat” and by their own negative experiences, people will eventually realize that something has to change and will demand action from software vendors, perhaps increased regulation from Congress, and maybe even a rating system to identify the worst offenders and the most secure software available so that they can make better choices. I am convinced that attitudes will begin to change soon, as the current rate of increase in cyber-crime has us on a trajectory to reach 1% of total GDP with 4 years. If that happens, it will definitely get the attention of quite a few people and may drive the expression of latent needs for software security.

There are three new books (recently released) that are worth a look. Once is an absolute necessity for any security practitioner. The others may be interesting for some readers of the blog.

The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson’s Security Engineering book. Ross did a complete pass on his classic tome and somehow made it even better. It also comes in handy as a weapon as it is so heavy. Books like Ross’s are a refreshing reality check from the usual pablum published in computer security.

Simply put, this is a must read book for every security professional. I don’t have my real copy yet from the publisher (but they say one is on the way), but I did take a close look through the manuscript. Ross retains his number one slot on my list of top 5 things every software security person should read.

Incidentally, I interviewed Ross for Silver Bullet last year (in April). Ross’s episode is the most popular of all 24 episodes released to date with over 18,000 downloads. You might want to give that a listen as well.

The other two books that are worth a look are Crimeware and The New School of Information Security. Lets cover them in reverse.

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinski fan. On the way to complete that errand, I had a chance to look though the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book.

Crimeware is an academic tome written by my friend Markus Jakobsson. I contributed a chapter on software security bug taxonomy. My copy showed up last night, and I have earmarked more time to read it thoroughly. The enemy has changed over the last decade, and criminals are bringing the game to a new level.

Spring may not be the best reading time, but it does appear to be the best time for a crop of interesting new security books!

Some people start “Security Testing” by buying and using a pen-test tool on project. Such tools uncover security vulnerabilities (though they seldom help with root cause analysis or even obtaining double-digit code coverage).

These tools are degenerate, at best, in facilitating a security testing strategy. Why? Because, these tools are “black box” tools. What are black box tools?

The term “black box” stems from old testing literature and means “without internal knowledge”. An external perspective has always excluded “code” but sometimes goes as far as (in my opinion appropriately) software design. Obviously, you need to know something about the application’s architecture and design to test it though and the slope gets slippery.

In the realm of penetration testing, the term “black box” often has meaning beyond the tester’s knowledge of the product. OSSTM defines “black box” to mean that neither attacker nor defender are given knowledge of each other. They mean for this test procedure to accurately represent the kinds of opportunities, need for stealth, accessibility, and exploit that a real attacker would have, and also to evaluate the defender’s abilities to identify and prevent or recover from attack.

Because black box tools to a large extent run canned tests they will not satisfy my security testing goal (see previous entry) of having run tests that one traces back to requirements. ‘Requirements that one created as a result of doing risk analysis that determines exactly what behaviors (and their impacts) should be avoided were the software attacked.

Arguably, security folk have “cached” this risk analysis and these implicit requirements in the pen testing tool. Fine, this is that small benefit that I mentioned pen tests do provide. And, they DO find bugs. Again, this is at best a degenerate case of security testing in the same way running a fuzz testing tool is a degenerate way of conducting functional testing.

For QA folk wary of accepting the previous statement, it will suffice to say that you wouldn’t defend your job based on achieving less than fifty percent coverage would you?

Vendors have begun using hybrid approaches (this will only become more common). Do these approaches solve our coverage problem and allay our concerns?

I demo’d Compuware’s DevPartner, which has a poorly advertised (and perhaps now nacent) security scanning capability, a few years back and was pretty impressed with the start they had made in hybrid .NET analysis. I’m not sure where it’s gone since then. Fortify’s PTA also combines static and dynamic analyses to help prioritize static findings and provide root cause analysis for dynamic ones.

These hybrid tools don’t get our security testers off the hook either though, as they’re still not addressing the project-specific risk analysis nor are they anchoring tests in requirements.