Conferences, OWASP

Rundown of the Twin Cities’ first OWASP conference

As I’ve mentioned here once or twice, the Minneapolis-Saint Paul chapter of the Open Web Application Security Project put on its first conference on Tuesday. By most accounts, it was a success and we’re likely to have another. I believe there were 150 attendees or thereabouts, which I think is pretty dang good for a few weeks of basic word-of-mouth advertising.

The University was gracious enough to donate the use of the theater in the student center, but we needed somewhere for lunch and were at least lucky enough to be able to stay in the building instead of walking across campus or sending people out on their own. So logistics around the space were a little weird. I spent an hour or so of the morning just directing people to the registration desk on the second floor, then back down for the talks in the theater in the basement (or is it 3rd and 1st floors? whatever). In the end, although it might have seemed mighty strange in the morning, I don’t think anyone minded much.

While I was playing usher, I missed Kuai Hinojosa’s introduction and the first part of Jeff Williams’s presentation, but I did make it down for most of Jeff’s talk about ESAPI, the OWASP Enterprise Security API. The popular frameworks don’t do nearly enough to guide developers toward building secure software, which is where ESAPI steps in as a set of APIs for building secure web applications, with both an extensible interface and a reference implementation. Right now, the development of the main project is happening in Java, which I know was disappointing to many in the audience who don’t work with Java. But there is an active .NET ESAPI, as well as a less active PHP port, to which contributors are welcome and encouraged. If you are writing Java web apps, you should look at ESAPI now. It’s good stuff. Talks are underway to see about getting some of this in the next servlet spec, which would be fabulous.

Arshan Dabirsiaghi then gave an entertaining and engaging talk about the OWASP Intrinsic Security Working Group, which is a new project trying to get at the heart of the problems in web application security, largely having to do with browser security. Which is a mess. They’ll have their say about HTML 5, too, and will provide input hoping to steer the spec away from security disasters.

I was surprised at lunch to have an actually tasty vegetarian option, a portabello mushroom sandwich on ciabatta. It was probably the bread that sold me. Ciabatta’s the new hotness in bread, after all.

Anil Kumar Revuru from Microsoft spoke about a few things they have going on in the Connected Information Security Group. I had to step out during the first part, so missed much of what he had to say about their framework, but I did catch some of the tools he demoed. Pretty cool stuff, and the Anti-XSS library is a must-have if you do .NET web apps.

I’m torn about the threat modeling tool. On the one hand, it is clearly good work that I’m sure can prove beneficial once a team has worked with it for a while. I believe very strongly that threat modeling is a Good Thing. On the other hand, the threat modeling tool seems extremely heavy-handed, a lot of fiddling with an external application, and I can’t imagine working with a development team that would tolerate it. If I tried to introduce threat modeling with the use of that tool, I’d never get it off the ground. That said, a new version is due out next month, and Adam Shostack is involved. His paper on threat modeling experiences at Microsoft (PDF) was enlightening. So maybe I can hold out hope again. I’ll at least watch the demo available on an SDL program page.

Brian Chess talked about static analysis and some of the interesting work in that space. I greatly enjoyed this talk, although I can’t remember much of it. :-) He talked about how static analysis tools have evolved, and what you can and cannot do with them. I will say this: a compelling metaphor goes a long way. His saying that “writing secure software is like making safe-to-eat burritos” caught some Twitter-love.

If you liked hearing about ESAPI and CISF, you might also have enjoyed hearing Elliot Glazer speak about the security framework at the Depository Trust and Clearing Corporation, which last year moved $1.86 quadrillion in transactions. Ahem. I hope to get a copy of his slides and post them to the OWASP site, since they were very text-heavy and hard to read but seemed worth reading. The framework seems well thought-out and practical, a bit process-heavy for some but not nearly as bad as you might think it would be, as everything he identified in the process always serves a clear purpose. And has saved them more than once.

Corey Benninger of the Intrepidus Group treated us to real-world phishing examples and trends, and walked us through the discovery of a simple but effective session hijacking attack against a brokerage that cost real money. These are always fun and frightening to see. A great way to round out the regular talks.

We were then treated to an appearance by Richard Stallman. Given fifteen minutes, he explained how free software is an ethical concern. Free-as-in-freedom, of course, not free-as-in-beer. I’ve seen him do this a couple times, and I have to say that he does it well. His talk might not have had an obvious bearing on security, but I’m glad he was there. We don’t talk about ethics enough. I don’t, anyway.

All the talks will be posted online. Stallman’s will of course not be available in Flash, because that is not a free format. For him, expect Ogg Theora.

All in all, I think this was a good conference. I can’t believe we pulled it off and charged only $25 per person! That was no doubt a key factor in getting people to attend. I mean, for twenty-five bucks it’s almost easier to pay out of pocket than to try to convince your boss to pay. ‘Course, for $25 it’s hard to imagine a boss not paying. And to hear these great speakers at that price… marvelous. We were fortunate this time in that the speakers found their own way here instead of having OWASP pay their way. Hopefully we can keep the cost down in the future.

There are things that we can do better in the future. I already mentioned the weird physical logistics, for example. I’d like to see even more along the lines of practical guidance on how to build security into web applications. That’s a core strength of OWASP conferences that I think we should play up as much as possible: they’re for builders more than for breakers. If you look at the agenda, the talks were largely focused on building, but they sometimes got a bit abstract. The only other real concern I had is the perception that OWASP is focused on the enterprise to the exclusion of, well, non-enterprise. That’s not my impression of the organization, but with a focus on Java and .NET in the talks, and with almost no Macs in the audience, it’s an easy impression to give. We have a thriving tech community in the Twin Cities, not all of it so enterprisey, and it would be good for everyone to engage them.

A tip of the hat to Lorna Alamri, who did most of the leg-work for the logistics of actually getting the conference going, and to Kuai Hinojosa, who has done a tremendous job this year growing the chapter and getting the word out about OWASP and web application security. Both had great ideas for the conference, and it really came together. Bang-up job.

OWASP

Registration open for Oct. 21 OWASP conference

Registration is open for the one-day OWASP conference we’re holding on the Saint Paul campus of the University of Minnesota. It’s not free as we’d hoped it would be, but it’s still only $25. Not bad for a day of web application security. Here’s the speaker list:

  • Jeff Williams, OWASP founder and CEO of Aspect Security.
  • Arshan Dabirsiaghi from Aspect Security will speak about the new OWASP Intrinsic Security Working Group, which focuses on addressing root causes of application security problems.
  • Anil Kumar Revuru from Microsoft will talk about the Microsoft Connected Information Security Framework and Tools.
  • Brian Chess of Fortify Software will speak about static analysis and its role in improving software security.
  • Elliot Glazer from DTCC, on information security architecture layers and key processes.
  • Corey Benninger from the Intrepidus Group will give us real-world phishing examples.
  • Richard Stallman will talk about… well, whatever Richard Stallman talks about. Later that evening he will give another talk at the U.

Good stuff. We probably won’t be able to handle on-site registration if you just walk in that day, and space is limited (we’ll be in the theater at the student center), so register in advance.

OWASP

Summarizing meetings so I don’t have to!

I was about to write up my notes from Wednesday’s OWASP meeting, but Tim did a pretty good job. He starts by pointing out something I hadn’t really thought about:

The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

This is a danger of what is still a pretty insulated community. It’s easy to toss out terms like clickjacking and ESAPI and expect that an audience at an OWASP chapter meeting, a self-selected group interested in web application security, will know it all. That’s clearly not the case. Tim follows this stuff pretty closely, works in the area professionally, and still there were terms thrown about that weren’t clear.

I don’t mention this as a criticism of Andrew. I do it as a reminder to myself to know your audience. I did the same thing today, dropping a reference to where Google screwed up their SAML implementation in their single-sign-on service, and it didn’t occur to me until later that the guy I was talking to probably had no idea what I was talking about.

Anyway. It was an inspiring talk. Andrew was drumming up support and interest in contributing to a number of OWASP projects.

  • OWASP Top 10 security vulnerabilities in web applications. The 2009 update is in the works. It will again be data-driven, as the 2007 update was (mostly).
  • OWASP Developer’s Guide. A lot of the testing-focused content in the current edition can be removed, since there’s now a Testing Guide. There’s strong interest now in not spending time on what’s done wrong, and instead explaining how to do it right. For SQL injection, for instance, instead of explaining why dynamic queries are dangerous, it’s more valuable to show prepared statements with bound parameters.
  • Top 10 Coding Standard. Andrew introduces this in a recent blog post. The idea is to set a minimum standard for what needs to be done to develop secure software.
  • Application Security Desk Reference. This is pretty much what it sounds like, a reference. If I recall correctly, it should build on the Honeycomb project that was donated to OWASP several years ago, a thorough categorization and reference to web app sec.
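The Developer’s Guide point about SQL injection, showing the right way rather than dwelling on the wrong one, is easy to make concrete. The following is an added example written for this post, not code from OWASP or the Guide: it builds a throwaway in-memory SQLite table (constructed sample rows) and compares a string-built query with a prepared statement using a bound parameter. The function and table names are my own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("o'brien", "obrien@example.com"),  # a legitimate apostrophe
        ],
    )
    conn.commit()
    return conn


def find_user_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the Guide moves away from: the username is pasted into SQL text,
    so the database cannot tell where the query ends and the data begins."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_bound(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement with a bound parameter: the SQL text is fixed and the
    value travels separately, so quotes in the input are just characters."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_user_bound(db, "alice"))        # one row
    print(find_user_bound(db, "o'brien"))      # one row; no escaping needed
    print(find_user_bound(db, "' OR '1'='1"))  # no rows: treated as a literal name
```

The bound version also handles names with apostrophes correctly, which the string-built version does not even when nobody is attacking it; correctness and safety come from the same change.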

There were others — there are a lot of OWASP projects — but those are the ones that stuck with me, partly because I’ve been thinking about what it would take to create short, self-contained courses in web app security and how these docs would fit in.

What’s really cool is that there are lots of ways to contribute in small ways to these projects. Especially with the Top 10 and the Guide, just working on small bits — a paragraph or two — is entirely possible.

I was briefly tempted to throw my hat into the ring to work on PHP ESAPI, a port of the Java Enterprise Security API project at OWASP. But I know I won’t make the time for it, and it’s been a while since I’ve done serious PHP. Besides, it would probably mean that Andrew would make me the lead. :) If you have killer PHP skills, please consider it. We sure as hell need this.

On top of all this, the highlight of the evening was meeting Andrew van der Stock in person. That’s been a long time coming.

Politics

Don’t vote

I’ve never bought the argument that if you don’t vote, you can’t complain. It goes back to my anarchist days, when I would argue that it made as much sense as saying that by participating in an unjust system, you’ve chosen to give up your right to complain when that system fucks you over. I’m not an anarchist anymore, but I still don’t buy it. You never give up your right to complain.

Neither should you take your vote for granted.

Don’t vote. Watch this:


Science

Fantastic NASA video

NASA has this stunning video of the moon orbiting the earth from the point of view of the Deep Impact spacecraft, 31 million miles away. Just watching the earth rotate is impressive enough, even for someone raised on science fiction movies. But then: whoa! What’s that?! The moon passes through the scene. Wow.

It seems so simple, but it blows me away. I’ve lost track of how many times I’ve watched the video. I remain astonished by how big the moon is compared to the earth. Every time I watch it, I’m left with an overwhelming sense of how inconceivably huge the universe is. And here we are, just floating in it.

OWASP

Andrew van der Stock at OWASP Twin Cities on Wednesday

At the risk of making this an “all OWASP, all the time” blog, I do want to say that Andrew van der Stock will be speaking in Minneapolis tomorrow (Wednesday) at 6:00 p.m. Actually a little after 6, since we usually let folks trickle in for ten minutes or so.

Andrew is the project lead for both the OWASP Guide and the OWASP Top 10, among other worthy activities. Let me tell you, those are monumental tasks. He’ll be talking about the Developer Guide 3.0. With the publishing of the OWASP Testing Guide, a lot of the content in the current developer guide has become redundant, so we should expect a different (more concise?) focus in the new version.

I’ve been looking forward to meeting Andrew for a long time now. Since his move to the U.S. from Australia a couple years back, I’ve been hoping we might cross paths. Looks like tomorrow’s my chance. Hope to see you there.

Science

Periodic Table coolness

Through two completely different paths, within an hour I discovered two different and very cool sites about the Periodic Table of the Elements. First, the source for the coolest periodic table poster I have ever seen, periodictable.com:


Poster of the Elements. Wow!

Next, a project from the University of Nottingham, the Periodic Table of Videos. They’ve done a short video for each of the elements. Here’s sodium:

Blogging, Time Management

Waking up

A coworker stopped me the other day: “You have been busy,” he said, “you haven’t been blogging.”

A quick look through the history of my blogging will show a lot of variation in frequency of posts and a general slow-down in recent years (only some of which I can attribute to Twitter), but it’s still true: I have been busy, and I haven’t been blogging because of it.

Not long after I started the new job, we started in on a professional services engagement with an identity management architect, to help validate (and correct if necessary) the direction we were going and to help lay the foundation for future work. What we’re doing is huge, and we want to make sure we’re doing it right. The next couple months were unrelenting weeks of nothing but day-long meetings and preparation for those meetings. I take issue with the methodology — it’s fair to say that a death march is just plain wrong — but it’s over now. More or less.

And I am exhausted.

I spent the latter part of 2006 writing a book. It didn’t work out for various reasons, but at the beginning of 2007 I looked up and realized that I had been nose-down for months, doing very little else with my free time except writing, and I had no idea what had been going on. It was disconcerting. Disorienting.

That’s how I felt at the end of this project, like I was just waking up from a long, fitful sleep. I had spent so long with such a rigidly controlled schedule that I wasn’t sure how to organize my time. It’s taken a while to sort that out, but of course it’s not like I’m lacking in any way for work to do, so I feel like I’m getting in a decent rhythm again.

Just in time for the Republican National Convention to come to town and disrupt everything.

Security

“Secret” Questions

I hesitated to write this, but the question has come up several times recently, so here you go anyway.

I don’t like secret questions for password retrieval. You’ve seen these, I’m sure: when you create an account somewhere, you’re presented with a list of questions to choose from and answer. The idea is that if you lose your password, if you answer the question correctly you can reset your password. Classic questions include mother’s maiden name, pet’s name, favorite song, that sort of thing.

You see secret questions because they are cheap and easy. If a customer can self-assert and reset their own password without getting someone on the phone — or if it’s a web site for which you’ll never get any help anyway — that’s a Good Thing, right? The downside is that secret questions reduce the security of passwords. (Passwords themselves are broken, as even the New York Times reports, but that’s a story for another day.)

When passwords can be retrieved or reset as the result of answering “secret” questions, answers to those questions are essentially passwords themselves. Weak ones.

Let me say that again, because it’s important and not everyone pays attention the first time. Answers to “secret” questions are weak backup passwords.

Answers are not held to the same password policies that the actual passwords are. Many systems nowadays make you jump through all sorts of hoops to have a certain complexity to your password, often enforcing a mix of letters, numbers, and punctuation. This is important to prevent dictionary attacks, a brute-force technique in which attackers cycle through hundreds of thousands of possible words, plucked from dictionaries (a word like “snowball” or name like “Voldemort” won’t stand up long to attack). It is trivial and fast to crack most passwords.

Secret questions can often be answered in a single word, a word that would violate the password complexity policy but that is still allowed as the backup password.

Answers to secret questions are often trivially discoverable. It would not take a determined attacker long to find my mother’s maiden name, my home town, or the name of any of my pets. Not only that: they’re dictionary words. Dictionary words are weak passwords.

Questions may have a limited number of answers.

  • Favorite color? Chances are good that most people will answer from just a handful of possibilities: blue, red, green, yellow…
  • Year of birth? It’s a safe bet that there will be fewer than 80 possible answers, probably quite a bit fewer.
  • Home town? Lots of people come from big cities like New York and Beijing.

When users can supply their own questions, chances are pretty good that they’ll choose poor questions, again with trivially discoverable answers. People are not good at choosing security questions. Not long ago I walked through the office and asked a dozen coworkers what their security questions would be. The most common response? “Last four digits of my SSN.”

Four digits. I rest my case. You can argue that people could have lied, and I hope that some of them did. But seriously. Four digits.

You should also be concerned that if you allow users to create their own questions, you will inadvertently end up storing private or sensitive data (say, ahem, SSNs), which may violate your privacy policy.

The situation can be improved somewhat by well-chosen questions — NOT letting users choose their own — and perhaps using multiple questions, although something about that makes me uneasy. It’s far better to use something in addition to secret questions, such as demonstrated control of a resource: email, a cell phone, smart card, or fingerprint.

Password retrieval systems are often poorly designed and easily subverted. “Secret” questions are just one example. I have rarely encountered a password retrieval system that locks accounts for repeated failed attempts in the same way that repeated failed logins do. Passwords are sent in cleartext emails, which is not just a problem by itself but also suggests that the passwords are stored in cleartext. Considering that we too often rely on just a password for authentication — a situation that has got to change — we should do better.
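If answers to secret questions are backup passwords, then the reset path should treat them that way: apply a minimum policy to the answer, store it hashed and salted rather than in cleartext, compare in constant time, and lock the account after repeated failures just as the login path does. The following is an added example I wrote for this post, not code from any product mentioned here; the policy numbers (minimum length, five attempts, fifteen-minute lockout) and the class and function names are my own assumptions, and the store is in-memory for illustration.

```python
import hashlib
import hmac
import os
import re
import time

# Assumed policy values for this example; tune them to your own risk tolerance.
PBKDF2_ROUNDS = 100_000
MIN_ANSWER_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def normalize_answer(answer: str) -> str:
    """Canonicalize case and whitespace so 'Fluffy ' and 'fluffy' match;
    neither adds real entropy, so matching them loses nothing."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def answer_policy_error(answer: str):
    """Return a reason to reject an enrolled answer, or None if it is acceptable.
    Mirrors (a weak form of) the complexity policy applied to real passwords."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_LENGTH:
        return "answer is too short to serve as a backup password"
    if norm.isdigit():
        return "all-digit answers (e.g. part of an SSN) are not accepted"
    return None


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


class ResetVerifier:
    """Stores secret-question answers hashed like passwords and enforces lockout.
    `clock` is injectable so the lockout window can be tested without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # account -> {salt, digest, failures, locked_until}

    def enroll(self, account: str, answer: str) -> None:
        err = answer_policy_error(answer)
        if err:
            raise ValueError(err)
        salt = os.urandom(16)
        self._records[account] = {
            "salt": salt,
            "digest": _derive(answer, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, account: str) -> bool:
        rec = self._records.get(account)
        return rec is not None and self._clock() < rec["locked_until"]

    def verify(self, account: str, answer: str) -> bool:
        """True only if the answer matches and the account is not locked out.
        Unknown and locked accounts both simply fail, so the caller learns nothing."""
        rec = self._records.get(account)
        if rec is None or self.is_locked(account):
            return False
        if hmac.compare_digest(_derive(answer, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
            rec["failures"] = 0
        return False


if __name__ == "__main__":
    v = ResetVerifier()
    v.enroll("alice", "portabello on ciabatta")
    print(v.verify("alice", "Portabello On Ciabatta"))  # True: normalization
    for _ in range(MAX_FAILED_ATTEMPTS):
        v.verify("alice", "blue")
    print(v.is_locked("alice"))                          # True: locked out
    print(v.verify("alice", "portabello on ciabatta"))  # False until lockout expires
```

Lockout bounds how many guesses a reset endpoint accepts, but it does not enlarge a small answer space: a question with a handful of plausible answers can still be exhausted a few attempts at a time, which is why the post’s advice to add demonstrated control of a resource on top of the question stands.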

Environment, Personal

Praying Mantis in the back yard

I was hanging up laundry to dry when I spotted this praying mantis on the table next to me:


I’m not sure where in the world it came from. These critters are not native to Minnesota and won’t survive the winter, but after taking a lot of pictures of it with my son and checking that it wouldn’t do damage (thanks @jojeda), I put it in the front garden where it could feast happily on whatever insects it found there.
