OWASP Passfault improves on password strength and password policies.
I’ll be representing Partnet at the SANS AppSec Summit at the end of this month. We will participate on a panel called What You Can Learn from Small Businesses about AppSec. I love working for a smaller company. I think the flexibility and the “buck stops here” mentality make small businesses more effective than larger ones. But I think there is a misconception that small companies are not disciplined – that they have a “wild-west” attitude. That may be true generally, but not here. Discipline and ownership of security are what I think is the “secret sauce” of a successful AppSec program. We’ll talk about it at the SANS AppSec Summit. If you are attending, please come by and say hello.
At Defcon, I acquired a new tech hero. Defcon is all about finding vulnerabilities. The glory goes to the most creative and most damning hacks. I’m not condemning hackers. I think the world is more secure because of them. But it bothers me that all the glory goes to breaking in, while there is no glory in fixing or protecting.
Moxie Marlinspike has been breaking SSL for years. SSL is the technology behind the padlock icon in your browser. In school I marveled at SSL’s protocol. To me it was like an armored truck delivering my internet traffic. Moxie broke that perception for me years back with his many discoveries of how to get around the armored truck. In particular, his sslstrip presentation at Black Hat rocked my world (and it still has the potential to rock your bank account).
Not content with exposing the weaknesses of SSL, Moxie wants to fix it. At Defcon he explained the problems with certificate authentication and proposed a fix: Convergence. It changes the way we establish trust in certificates. Here is his explanation of the problem. Here is his proposal to fix it. It’s a real solution. You can try it in Firefox today. If you want to be part of the solution, you could host a notary. Here is a write-up on the Sophos blog.
So this is for Moxie, the SSL hero: more than a hacker, he finds the problems and fixes them. No offense to hackers, who find the holes. No offense to developers, who fix the holes. But it takes a superhero to find and fix.
How will you stay safe when surfing the web this new year? We’d like to offer some tips. Security takes up a large part of our work in building a website for the DOD. As we try to keep current on new web attacks, we often find vulnerabilities that cannot easily be fixed. It seems to take years for websites to address the problems. For example, session side-jacking has been around for years. But it wasn’t until Firesheep made the vulnerability so easy to exploit that major websites like Hotmail and Facebook started to address it (Facebook still hasn’t fixed the problem, but they say they are working on it).
We don’t have to wait years for websites and browsers to address these new attacks. To protect ourselves, we use Firefox or Chrome with an arsenal of proactive plugins. Here is a collection of our favorite Firefox add-ons that help us use the web more safely. These are what we recommend to our friends and family. Here is a list, in order, of the most protective add-ons for Firefox and why:
RequestPolicy – keeps websites contained to their own domain, helping prevent cross-site attacks, specifically Cross-Site Request Forgery (CSRF). Here is a CSRF attack scenario: Suppose you are logged into your bank, […]
This picture by Dustin Sacks shows the extreme measures one can take to feel secure. It’s amusing that only one of the hundred or so locks actually anchors the bike to the bike rack. Government web pages need to be secure, but currently there are many, many different security practices—so many that it can be overwhelming. Some are more important, while others are just cosmetic and provide only a false sense of security. Some are not needed and may actually open the door to more attacks. Overzealousness may result in a situation like the bike pictured above.
Low Hanging Fruit
Why climb up the tree for an apple if you can reach one from the ground? Removing the low-hanging fruit for hackers needs to be the first priority. The OWASP Top 10 Risks represent the current low-hanging fruit. If these risks are ignored, your site will be the first to get hacked. For a development team, the CWE/SANS Top 25 Most Dangerous Software Errors are more valuable and instructive.
Regular training has helped Partnet uncover and resolve vulnerabilities in DOD EMALL that were thought to be secure. It has helped DOD EMALL stay ahead. Because of training with the OWASP Top 10, Partnet added protection against CSRF attacks nearly a year before these protections were required by the Application Development and Security STIG in May.
A government website cannot be content with simply removing the low-hanging fruit. But with so many security activities, it’s hard to know what to focus on next. For adding depth, the OpenSAMM (Software Assurance Maturity Model) project from OWASP provides that guidance. It organizes many of the best security practices into a maturity model: 12 general security practices grouped into four business functions: Governance, Construction, Verification, […]