tssci security

Post to webappsec mailing-list on WAF and pen-test: dead again

There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use. However, WAF is dead and dying regardless.

I think that very large-installation, Internet-facing web applications require Anti-DDoS technology in the form of an appliance, preferably one that does rate-based behavior detection. I often feel that those same organizations also require SLB appliances, although I prefer to see these integrated with a switch fabric in a chassis-based, large backplane network switch. In a year's time, SLB Layer-2 technology could be replaced by VMware DRS clustering and/or an equivalent like Microsoft PRO. I was always a fan of Anycast to replace SLB at Layer-3. I continue to suggest these models/architectures today.

Can whitelist WAF technology be used by those same devices in the short-term (Anti-DDoS or SLB appliance)? Absolutely, as long as it's done by an expert and tuned to the applications. Should these devices sometimes be separated out of a traditional operational role, due to auditability and for compliance scoping purposes? Probably not. Should they perform monitoring, debugging capability, or solving hard production problems? Probably not.

The reason that the first question is a yes, and the others are a no is because Anti-DDoS and SLB devices are already performance-ready-capable of providing WAF whitelisting functionality (note: not in all cases, but this works especially well for devices that provide rate-based behavior detection before mitigation). Monitoring does NOT require an inline device. All it requires is network taps (or potentially port-mirroring, but most professionals recommend taps over SPAN ports). Also, infrastructure is changing rapidly, so it's not wise to invest in a dying model.

Additionally, I know that companies like Sourcefire and Reflex Systems are integrating at the VMsafe API layer, which is a hypervisor introspection layer much like XenAccess. This is really where much of the AV/IDS/IPS/HIMS/DLP/WAF/blacklisting-whitelisting technology belongs. VNET will also change the introspection layer (in addition to almost completely eliminating the physical network layer and SIM/SEM/SIEM/NMS/EMS moves & changes), as it simply adds to introspection functionality. I have already alluded to Cisco AXG becoming a VNET "module", but what if Reflex Systems or StoneSoft start integrating WAF not only as a VNSS (Virtual Network Security System), but also at the hypervisor introspection layer?

Fortunately, for application security, server virtualization and the evolutions it's bringing with it e.g VNET and VMsafe, are going to dominate traditional networks and cut their existing budgets. Unfortunately for application security, the new virtualization evolution also brings with it tons of object reuse (there are at least two new controls channels available to adversaries), and new ways of establishing covert channels.

This means a few things. First of all, the word "firewall" is dead, and therefore, the word "web application firewall" and the associated acronym, WAF, are also dead. Imagine today if there existed a control channel that, when taken over by adversaries, it became a covert channel that had unlimited object reuse control of every physical RAM on every computer in existence all at once. This is cloud computing, but virtualized.

Not only that, but we are saying that adversaries have already bypassed traditional firewalls by using the application layer i.e. Hacking Intranets from Jeremiah Grossman. Thus, this master, covert control channel is already on its way to being built (at least as man-in-the-browser). Imagine for a second that you don't use NoScript with Firefox and additionally implement the features of Chrome by using multiple Firefox profiles. Imagine for a second that you are a regular user, with all of those Clickjacking and modern application attacks available to anyone who wants to get to you.

Like many of us used the words "brick-and-mortar" to describe backwards-companies during the dotCom bubble, I think "fire-and-wall" well-describes organizations that continue to cling to traditional networks and network security as answers to Internet, Enterprise IT, and any operational risk.

Do I intend to sell you on the idea that we should all instead jump to Fortify RTA or Microsoft SRE? No. There are potential consequences to any of this. This is only the functionality required to reduce risk to applications, not the assurance that risks have been removed.

TCSEC says that we need to balance functionality and assurance. But nobody ever bothered to do any assurance. Assurance is the Microsoft SDL, SDL Pro, and SDL-IT. @Stake and Foundstone are gone and have split into tons of fractured security evaluation and risk assessment boutiques that have 1-300 developer-security-tester guru's that mix SAST and DAST with expert review.

But the SAST+DAST market is less than $100M, while WAF is at least 20% more than that (although probably inflated).

I hate to be the bearer of bad news, but you don't just say "DO BOTH" because nobody will do the SAST+DAST work. We tried that last time, when tcp_wrappers and the DEC firewall came about The underground that wanted to keep their covert control channels alive started dumping rootkits on pre-pwned Unix machines. Then Dildog and others made it possible to easily access Windows machines, and after that - botnets and the like have reigned. There are already backdoors in our web applications. OWASP Scrubbr is not going to save us all by itself.

Who did the work back then? OpenBSD? Certainly not Microsoft, and even today their SDL appears to be failing by some, but imagine if it did not exist at all. We obviously have to do better with assurance practices.

Can functionality-based controls work easier, better, and faster than assurance ones? Are they that less complex and easier to train? Or is there just more written about them because it's easier to SELL them by baking them into products rather than customizing them to an ISV organization or an Enterprise development team?

If you are part of the group that is spending $120M on WAF technology, then you are hurting the SAST+DAST market because you're taking away that spending. Clearly, risk analysis is not taking place and people are spending based on familiarity in addition to PCI-DSS requirement 6.6, which all but forces the inequality to happen.

Look at the best in exploitation-countermeasure functionality-based controls that work on object reuse problems e.g. DEP, ASLR, SafeSEH, SafeInt, et al. Are adversaries still bypassing these? Security researchers in the offensive-research space are. These countermeasures are closer to the code (even HIPS is closer than network-based IPS), like many WAF suggestions. Is is true that we still require assurance even after 15 years of exploitation-countermeasure optimization? I remember when stack-guard protections were first coming out - they were seen as a huge joke (i.e. toy/researcher technology), much like Fortify RTA, CORE GRASP, Microsoft AntiXSS-SRE/AntiCSRF, GDS Security GPF, and HDIV are seen now.

I know to many of you out there, this looks like a rant, and I really could go on forever about this topic. So, go to the datacenter, give your WAFs a hug, and continue to buy into the "functionality is better than assurance" argument. You'll feel better in the morning, right after you forget that you just opened up your database to any talented people who want to make money from the data in it.

Also, pen-testing is dead. We no longer need to prove that applications are insecure. We know they're insecure - no matter how many functionality controls you layer on top of them. Unless YOU prove that the applications that YOU are responsible for ARE secure, you are working against the rights of users, consumers, cardholder data, personally identifiable information tied to healthcare and financial records, trade secrets, and the ability to control our critical infrastructure. Enjoy.

Guests on OWASP Podcast #6

Jim Manico invited Dre and I to join him with Brian Holyfield on this week's OWASP Podcast. Topics of discussion included our thoughts on web application security, WAFs, training, among others. Give it a listen, and tell us what you think.

OWASP Podcast Series #6 (direct download link)

Brian introduced a tool he has been working on, SPF - Secure Parameter Filter, which has the features we would like to see in WAFs, and would recommend people checking out as an alternative to implementing a commercial WAF as a short-term fix.

Introducing SSLFail.com

Hey all, I'd like to introduce all of you to a new site Tyler Reguly and I, along with Romain Gaucher and Jay Graver set up last week, SSLFail.com. The site's purpose is to point out the failures in various sites' SSL implementations. We'll be publishing tutorials, and informative articles on SSL in addition to pasting screenshots of high profile sites' failures.

We came up with the idea for the site when Romain came upon an SSL failure with Gmail. Tyler then blogged about it, and then I was getting errors with Facebook.

The interesting things about Gmail, when you go to https://gmail.com, Firefox was the only browser we tested to follow the 301 Redirect to another domain (www.google.com) with a proper SSL certificate. IE7 and Google Chrome on the other hand, asked the user for confirmation before the redirect. Is this a Firefox SSL failure? I don't know, and several others I've spoken with aren't sure how a browser should handle it either.

Anyways, just wanted to point out this new site, which has already gotten some attention from lonervamp at terminal23 and hype-free.

SANS Top 25 Procurement Language and the OWASP Secure Software Contract Annex

As many of you have probably already heard, SANS, in a combined effort with MITRE released the CWE/SANS Top 25 Most Dangerous Programming Errors. There have been numerous discussions on both the Secure Coding List and Webappsec mailing lists, along with a column from Gary McGraw and 11 reasons why Top 10 (or Top 25) lists don't work. This post is not about that.

Back in 2004, OWASP published the Secure Software Contract Annex (referred to as OWASP Contract hereon out) to help software buyers and sellers achieve a meeting of the minds on application security. The OWASP Contract was generously placed in the public domain so that end-users could use it without license burdens. Since that time, the OWASP Contract has been widely used, even included in a Government acquisition guide (with full attribution). Now SANS has published their SANS Application Security Procurement Language (referred to as SANS Contract) along with the release of the CWE Top 25.

There is no question, that the SANS Contract contains a ton of language from the OWASP Contract. Roughly 75% of the SANS Contract is taken from the OWASP Contract (see below for a side-by-side comparison).

In comparison the original contract put out by OWASP, the SANS-added contract language is very biased. The OWASP Contract was meant to be fair, and balanced -- between the software developers and the software buyers. In the SANS Contract, the terms have been slanted to solely benefit software buyers and SANS. Yes, SANS; through including terms that require developers "pass competency tests on application security," which map directly back to SANS-offered application security training and certification exams. In their contract, the vendor bears the burden of almost every term.

In no way do I intend that this post undermine the incredible efforts the MITRE organization has done with the Common Weakness Enumeration project. Steven M. Christey of MITRE even suggests "promoting these efforts *NOW* while people are still paying attention."

Instead of looking to the CWE/SANS Top 25 and SANS Application Security Procurement Language, I suggest everyone review the OWASP Application Security Verification Standard and OWASP Secure Software Contract Annex. These two OWASP documents, brought together, set the bar for application security, and take a truly positive approach. No longer are we enumerating badness -- creating lists of things to watch out for -- but what makes an application truly secure. Take it one step further, and look at Andrew van der Stock's OWASP Coding Standard to what developers should be doing.

So I leave you all now with the following comparison between the two contracts and leave the rest up for discussion.

Side-by-side comparison (diff -u output)

OWASP Contract (Dec 2004)

SANS Contract (Jan 2009)

WARNING: THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. OWASP STRONGLY RECOMMENDS THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT.

DISCLAIMER

THIS DOCUMENT SHOULD BE CONSIDERED GUIDANCE ONLY. IT IS STRONGLY RECOMMENDED THAT YOU CONSULT A QUALIFIED ATTORNEY TO HELP YOU NEGOTIATE A SOFTWARE CONTRACT

  1. PERSONNEL AND ORGANIZATION

(a) Security Architect Developer will assign responsibility for security to a single senior technical resource, to be known as the project Security Architect. The Security Architect will certify the security of each deliverable.

Personnel

The Vendor shall identify in writing the person who will be responsible for overall security of the application development, management, and update process throughout the Contract period. The person identified shall be a single senior technical security specialist, to be known as the project Security Lead. The Security Lead shall certify in writing the security of each deliverable.

Security Training

Developer will be responsible for verifying that all members of the developer team have been trained in secure programming techniques.

Security Training

The Vendor shall be responsible for verifying that all members of the developer team have been successfully trained in secure programming techniques.

Trustworthy Developers

Developer agrees to perform appropriate background investigation of all development team members.

Background Checks of Developers

Vendor shall perform appropriate background investigation of all development team members and shall certify that all individuals who will be involved in this Contract and the software development process have cleared the background investigation.

Vulnerabilities Are Expected

Both Client and Developer will strive to identify vulnerabilities as early as possible in the lifecycle.

Vulnerabilities, Risks and Threats

The Vendor shall agree in writing that he will strive to identify vulnerabilities, risks and threats as early as possible at any time during the software lifecycle.

Developer and Client agree to work together to understand and document the risks facing the application. This effort should identify the key risks to the important assets and functions provided by the application. Each of the topics listed in the requirements section should be considered.

The Vendor shall identify the key risks to the important assets and functions provided by the application. The Vendor shall conduct an analysis of the attached 25 most common programming errors and document in writing that they have been mitigated.

Developer agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.

The Vendor shall provide secure configuration guidelines in writing to the Purchaser that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.

Developer agrees to provide documentation that clearly explains the design for achieving each of the security requirements.

The Vendor shall provide written documentation to the Purchaser that clearly explains the design for achieving each of the security requirements.

Developer agrees to provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for unit test.

The Vendor shall provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one other Developer against the security requirements and coding guideline before it is considered ready for test.

  1. DEVELOPMENT ENVIRONMENT

(a) Secure Coding Developer shall disclose what tools are used in the software development environment to encourage secure coding.

(b) Configuration Management Developer shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files.

(c) DistributionDeveloper shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client.

  1. LIBRARIES, FRAMEWORKS, AND PRODUCTS

(a) Disclosure Developer shall disclose all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source.

(b) Evaluation Developer shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement.

  1. DEVELOPMENT ENVIRONMENT

(a) Secure Coding The Vendor shall disclose what tools are used in the software development environment to encourage secure coding.

(b) Configuration Management The Vendor shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files.

(c) Distribution The Vendor shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to Client.

(d) Disclosure The Vendor shall document in writing to the Purchaser all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open-source, or closed-source.

(e) Evaluation The Vendor shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement

  1. Security Analysis and Testing

Developer agrees to provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this activity should be considered and detailed in the plan. Developer will execute the security test plan and provide the test results to Client.

  1. TESTING

(a) General The Vendor shall provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this test process shall be detailed in the plan. The vendor shall implement the security test plan and provide the test results to Client in writing.

  1. SECURITY ISSUE MANAGEMENT

(a) IdentificationDeveloper will track all security issues uncovered during the entire lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue will be evaluated, documented, and reported to Client as soon as possible after discovery.

Tracking Security Issues

The Vendor shall track all security issues uncovered during the entire software lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue shall be evaluated, documented, and reported to Purchaser as soon as possible after discovery

10. ASSURANCE(a) AssuranceDeveloper will provide a "certification package" consisting of the security documentation created throughout the development process. The package should establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately.(b) Self-Certification The Security Architect will certify that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery.

(c) No Malicious Code Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code.

  1. DELIVERY OF THE SECURE APPLICATION

The Vendor shall provide a "certification package" consisting of the security documentation created throughout the development process. The package shall establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately.

Self-Certification The Security Lead shall certify to the purchaser in writing that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery.

No Malicious Code Developer warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code.

  1. SECURITY ACCEPTANCE AND MAINTENANCE

(a) Acceptance The software shall not be considered accepted until the certification package is complete and all security issues have been resolved.

(b) Investigating Security Issues After acceptance, if security issues are discovered or reasonably suspected, Developer shall assist Client in performing an investigation to determine the nature of the issue.

  1. SECURITY ACCEPTANCE AND MAINTENANCE

Acceptance The software shall not be considered accepted until the Vendor certification package is complete and all security issues have been resolved.

Investigating Security Issues After acceptance, if security issues are discovered or reasonably suspected, Vendor shall assist Purchaser in performing an investigation to determine the nature of the issue

Happy New Year -- 2009

This is our last post for 2008, a year that has come and gone faster than I imagined. I've been told the years only go quicker the older you get, so I do my best to enjoy it to the very last bit.

Anyways, both Dre and I would like to wish all of our friends and readers a Happy New Year. See you in 2009.

Cheers and Na Zdrowie!

Na Zdrowie!

Na Zdrowie!

« Newer entries — 3 — Older entries »

blog comments powered by Disqus