[SecurityRatty] tag: consultants

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

Tue, 18 Nov 2008 19:47:55 +0000

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

Quality of Protection Keynote

Alexandria, VA

October 27. 2008

Gunnar Peterson

Managing Principal, Arctec Group

Blog: http://1raindrop.typepad.com

When Andy Ozment asked me over the summer to do this talk at QoP, I knew back in August that the topic I wanted to address was security and economics. So to that end I would like to start by thanking all of our friends on Wall Street and here in Washington DC for providing such a rich tapestry of recent events that I can speak to.

Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is"[1], there are not many people who can call a ten year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, consultants, and everyone else has realized that security is really about risk management.

Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter [2] talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.

So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation - "All these people are talking about risk, but they don't have any assets." You can't do risk management if you don't know your assets.

Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.

Recent events have taught us again, that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk looking at his career as a way to understand risk management and what we can infer for our digital assets.

Warren Buffett's evolution as an investor can be broken up into two parts. He began his career very much influenced by Ben Graham, who sought to buy "cheap stocks", comparing the price of the stock to value of the company's assets, and placing many, diversified bets on companies whose share price was below the total assets. Note that the businesses may have been of unremarkable quality, but when the price was right Graham would buy in, wait for it to rise and then sell. This was the dawn of value investing.

Buffett's later career departed from Graham's strict, statistical measures, where he sought to buy into companies that were selling at a fair price, but were also high quality businesses. We will examine high quality in Part 2 of this talk, but first we go to Part 1 which is asset value.

Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to. You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.

When Warren Buffett was 19 years old studying at the University of Nebraska, he read Ben Graham's book "The Intelligent Investor", Buffett said he thought it was the best book on investing he has ever read and still feels that way today. In the Intelligent Investor Graham lays out the framework of value investing. Specifically, Graham talks about three concepts - Mr. Market, a stock is a piece of a business, and Margin of Safety.

Mr. Market is a fictional, teaching device invented by Graham. You imagine that you have a somewhat manic depressive business partner called Mr. Market. Every day, Mr. Market comes into the office and offers you quotes on companies, some days he is in a good mood and the prices are high, other days he is gloomy and prices are low. The market is a quote machine, for quoting prices, not a value assessment machine. Your job is to wait for the right price, and you are free to take as many passes and be as patient as you would like, Mr. Market will just show up the next day and throw out a new price.

Graham used Mr. Market to teach us the separation between a price of a stock, and the value of a company. The second big concept from Intelligent Investor is that buying a stock is buying a small piece of the underlying business. You are not buying a roulette chip, or a number that fluctuates in the newspaper every day, rather you are buying a piece of the company's existing and future cash flow. What the stock market says General Electric is worth yesterday, today or tomorrow is separate from GE's actual ability to generate cash flow.

The last big concept in "The Intelligent Investor" and the one seemingly most applicable to information security is the Margin of Safety. Graham's margin of safety involved calculating the intrinsic value of a business and then buying stock where the market cap of a company is less than its intrinsic value. So if a company has $100 million in assets and a market capitalization of $75 million, then an investor would get a 25% margin of safety. Ideally, Graham wanted to buy stocks that were selling for one half of their book value, i.e. with a 50% margin of safety. Graham said that buying stocks without a margin of safety, above their book value, speculation, not investing.

So price is readily available, but how do we calculate intrinsic value so that we can ascertain the margin of safety? Graham used quantitative statistical measures, relying heavily on the company's book value, like its hard assets. What would it take for a competitor to reproduce the company's assets - its factories, distribution system, and so on. The difference between the book value of the assets and market cap is the margin of safety.

What can we learn in information security from this quantitative approach? Where price and value are readily ascertainable we should build countermeasures and eliminate on vulnerabilities that give our assets a wide margin of safety. Since budgets are not unlimited we should prefer vulnerabilities that are cheap to find, cheap to fix.

First to the asset question, information security budgets like all IT budgets are crufty, they are not a reflection of today's top issues and priorities so much as an accumulating snowball of decisions, legacy contracts, and solution attempts to yesteryear's problems. Today the normal Information Security budget is just a legacy artifact from bygone years when the network was the purported greatest vulnerability. If you were around in 1995, you remember the great gnashing of gears as the enterprises opened up their networks, connected their back ends to the Web and began to transact business in the giant virtual space.

The security people huffed and puffed that it was dangerous but there was simply too much money to be made, so businesses went ahead. The security people would not go down without a fight and insisted on countermeasures. They got two - the network firewall and SSL. The firewall was used to separate the average Fortune 500s network of hundreds of thousands of machines, employees, consultants, and partners from the web at large. SSL was used to protect the network channel between the web server and the client browser. so the network firewall separated the network segments, and SSL in effect encrypted the last mile of many million complex transactions and computations.

In 1995, this seemed like a good security architecture. When we built out these security architectures, the eCommerce market was derided as a toy. Amazon famously lost money for years - losing a little on every transaction but making it up in volume. When the market is nascent, a quaint security architecture offers cost effective protection. But what about 2008? Those cute little eCommerce buggers have grown they even make profits now - market caps measured in the tens of billions, accumulating large cash hordes, no debt, and the largest ones are in better financial shape than the financial services players that kicked sand in their face in the dotcom era.

And its not just eCommerce, the "real" economy Fortune 500 types are all connected as well. Directly and indirectly the Web is seeping into all businesses. Major changes from when the security architecture of the web was built out. But has the security architecture changed to reflect these new business realities? Not a bit of it!

We can use the book value of the IT budget investments and the book value of the Information Security investments to see what kind of Margins of Safety Information Security groups are engineering.

Let's look at some market data, Gary McGraw reviewed the numbers [2] in software security for 2007, breaking down software security sectors like tools and services. Here is a summary of his findings on software security tools:

"One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million."

These are very nice growth numbers, what company doesn't want 83% growth? However, the let's look at the total picture and compare the software security countermeasures against other security mechanisms. Gary McGraw's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space, in what alternate universe does this make sense?

This is where we begin to see that decisions in the People's Republic of Information Security have no real risk management thinking, they truly are swimming naked and hoping the tide doesn't go out.

Let's look at network assets. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion in just three vendors and you are going to "defend" that with allocating $150 Million worth of software security tools?

On the network side we are buying $900 million of security countermeasures (Checkpoint firewalls) to protect $39.5 billion worth of Cisco gear, about 2.3% of the network investment goes to security.

On the software side, we are buying $150 million of security countermeasures (like static analysis and black box scanners) to protect $98 billion of software (you know the stuff that runs the whole business), roughly coming to about 0.2% of the software budget goes to security.

This is very disturbing. From a prioritization standpoint The People's Republic of Information Security is misaligned by an order of magnitude at least. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball, it invests in network security not because those controls have greater efficacy (the whole point of networks is they are dumb), no, they invest in network firewalls because they bought a bunch in 1995, some more in 1998, and heck they just kept buying them, the Checkpoint rep kept showing up and taking CISOs out to play golf, contracts got renewed, and poof - there goes the security budget.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take network security as a target for a mature industry and assume that 2.3% is a reasonable margin of safety, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.

My friend Brian Chess has a nice way of looking at this he says 2007 was the turning point - "the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists."

Now I am not suggesting that Information Security budgets have to be aligned with IT budget one for one, but I do think that looking at the overall IT budget is the starting point. If Information Security has a more cost effective security mechanism they should deploy it, but the starting point should be aligned to the business. Businesses spend most of their money on software, and there are very good reasons - competitive advantage, increased revenues and lower costs. Information Security spends most of its money on network security, and there is no good reason why, except that it was a seemingly good idea in 1995. You really don't have to go beyond the book value of IT investment as a whole versus Information Security to see a stunning disparity. Information Security's job is to deliver a Margin of Safety to the business, but they are not.

To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:

- Network: all the resources invested in Cisco, network admins, etc.

- Host: all the resources invested in Unix, Windows, sys admins, etc.

- Applications: all the resources invested in developers, CRM, ERP, etc.

- Data: all the resources invested in databases, DBAs, etc.

Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.

Then do the same exercise for the Information Security budget:

- Network: all the resources invested in network firewalls, firewall admins, etc.

- Host: all the resources invested in Vulnerability management, patching, etc.

- Applications: all the resources invested in static analysis, black box scanning etc.

- Data: all the resources invested in database encryption, database monitoring, etc.

Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!

Its not just about alignment for alignment's sake, its about applying controls as a way to have a Margin of Safety properly placed so that when not if there is a failure on a higher value asset you are relatively better positioned to deal with it.

The pure statistical approach can only take us so far. Buffett said he would be a lot poorer if all he did was listen to Ben Graham. Book value is great to see the diametric opposition mentioned above, but it doesn't really tell us much about the efficacy of the security mechanisms.

What we do get out of this statistical approach is a screen. The asset value screen filters out subjective opinion and narrows the field for where we need to dig in to do the high value, time consuming analytical work.

The second part of Warren Buffett's career and the second part of this talk leave behind pure statistical measures. In Warren Buffett's case he was joined by a guy named Charlie Munger who talked him out of the pure Ben Graham approach. Charlie Munger has a saying - "a great business at a fair price beats a fair business at a great price." Where Graham was focused on price and margin of safety, Munger wants a fair price but also a high quality business. This lead to Warren Buffett's company Berkshire Hathaway investing in companies like Coca Cola, Wells Fargo, and American Express, where the prices were far from dirt cheap (as Graham would have wanted), but the long term returns were outstanding.

In our world of Information Security, we start by aligning our priorities with the business using the thumbnail defense in depth approach, but then we would like to invest in high quality, effective controls.

To get at the notion of control quality and effectiveness, I am going to start part 2 of this talk with a brief history of software. The first web software was just static HTML, but web software really got interesting when developers started creating dynamic websites using CGI an PERL.

Once websites were hooked up to company databases and were not just serving static content, the security people realized they needed a security architecture, and they sprung into action. What they came up was was model that divided the world into "good stuff" which was comprised of all their networks, systems, and data; and then there was everything else the "bad stuff" on the Internet. So job one of the early days Internet security architecture was to separate all your good stuff (i.e. your network) for the bad stuff (the Internet). To do this the security people used a sophisticated tool called Visio to draw a flaming brick wall on the network diagram, and this flaming brick wall was supposed to keep the good stuff and the bad stuff separate.

The security people also realized that the data and session tokens that they served up from their Web server would have to traverse the "bad" neighborhood called the Internet, so they added one more security mechanism to secure the last mile of the transaction - SSL between the browser and the Web server.

And this was the state of the art security architecture used circa 1995 to protect the earliest dynamic web applications.

What happened next was that the dotcom boom started to happen and businesses realized they could make some real money on the Web, the web apps started to get more sophisticated, more personalization, richer session experiences and so on. This led the Java people to create JSP and the Microsoft people to create ASP, and of course the PERL people to create even greasier PERL scripts, all of this in the effort to pooling resources and sessions on the Web server. The security people defended this new application programming model with network firewall and SSL.

Around 1998, developers began building out more distributed N tier or 3 tier applications that separated the business logic layer, the presentation layer and the data access layer. Among other things, your web application could seamlessly integrate data from multiple back ends systems. Let's say you have pricing data in Oracle, order data in SAP, and customer data in a Mainframe. You write separate data access objects, apply business logic in the middle tier and then you tie it all together in a friendly user interface. At this point the web applications are beginning to integrate across departments and geographic boundaries, huge critical chunks of the business are now connected to the web. How did the security people defend this part of the business? They applied the same 1995 security architecture - network firewall and SSL.

Around 1999-2000 timeframe businesses relied on web applications for major parts of the revenue, and the apps were built in different technologies like Java and Microsoft technologies, but the customer didn't care (still doesn't), the customer wanted (and still wants) data access and functionality. So to integrate the disparate technologies, SOAP and XML were deployed so that Microsoft could talk to Java and so Websphere could talk to Weblogic and so on. And, oh yes, SOAP and XML were used to connect B2B networks so partners in a supply chain and business process can exchange data and interoperate. SOAP and XML present a fundamentally new programming model based on a message document style integration, where XML is used to mesh together data and functionality across platforms. SOAP and XML have no security model by default for authentication, authorization, and confidentiality. How did the security people deal with this? They kept the security architecture the same as they had in 1995 - network firewalls and SSL.

The software world did not stop innovating in 2000 of course, in the last few years we have seen Web services and XML form the basis of baroque and powerful SOAs and simple REST applications. We have seen Web 2.0 come on the scene, and entirely new networked applications built on top of that.

What we have not seen, is a single meaningful change in security architecture in 13 years. Developers have evolved, businesses have increasingly bet their entire business models on the web and they have increased security budgets. But what has the security architecture as its deployed in the field got to show for all of this? More firewalls and more SSL connections.

Since Information Security has proven incapable of evolving, it is time to learn from a discipline that has mastered innovation - software development, and yes, I will step back in case the lightning bolts hits.

What does software development focus on these days? Well, let's look at Service Oriented Architecture (SOA), all hype aside I look at SOA as a set of technologies that delivers three things:

Virtualization: we want Beijing, Bangalore and Boston to communicate.

Interoperability: we want our .Net stuff to talk to our java stuff.

Reusability: how many order/claim/pricing/customer systems does one company need?

To build out their SOA, developers separated the application interface from its implementation. So you can host the interface in a variety of locations, but its separate from the application logic and data.

This is also a useful trick for putting services like SOAP through the firewall. SOAP was designed as a firewall friendly protocol. When SOAP first came out, Bruce Schneier said calling SOAP a firewall friendly protocol is like having a skull friendly bullet. Which is a great line and explains why his books fly off the shelves, it does not explain, why security people think an architecture designed in 1995 is the one we should be using today. Maybe the problem is not that the developers figured out how to go through the firewall to get the data their customers want, maybe the problem is that the firewall is the sum total of the security architecture, and it never adapted.

A big part of this problem is that we have left Newton's world behind and entered Einstein's universe. Mainframes are Newton’s world, we have THE computer, THE price, THE record and so on.

As Pat Helland explained [4,5], Mainframes are Newron's world, but Distributed computing is Einstein’s world. More specifically in the Einstein world of distributed computing - "Computers don’t make decisions, computers try to make decisions." Our computers don't really make a decision, they say you can buy this book from Amazon at this price, we have it in stock and will deliver on such and such a date. But the warehouse runs out, the pallet gets dropped in the warehouse, your boo is crushed, and the package is stolen off your front step. The computer confirmed your transaction, but the real world intervened.

So we don't have iron clad decisions, instead its all about Memories (last time I checked your book was in stock), Guesses (we should be able to ship on this date) and Apologies (sorry the forklift ran over your book)

Translating this into security, security mechanisms don’t make policy-based decisions, security mechanisms try to make policy-based decisions

Some examples of memories, guesses and apologies in security

Memories

Security Policies - for example Triple A policy

Triple A policies can memorize a map of subjects, objects, and roles. They can even replicate these memories and play them back at runtime to try to make policy enforcement decisions.

Guesses

Security Policy Enforcement Decision

Unfortunately, while the policy enforcement decisions can be based on memorized logic, the decision itself is still a guess, even in the case of Triple A. Any guesses why? Because, the authentication process itself is a guess. It happens to be a guess that you then bind to a principal so it looks very official once you bind your guess to a Kerberos ticket or SAML assertion, but it still a guess.

Apologies

Giant Global Bank is sorry your account was compromised!

And this leads to lots and lots of apologies by companies with poor access control models.

Some additional examples of information security memories, guesses and apologies.

Example Memories - Triple A Security Policies, Audit logs, User account information , Authorization Logic - concrete mapping Subject, Resource, Condition, Action

Example Guesses - Security Policy Enforcement Decision Points, Authentication Logic, Monitoring, detection, fraud response

Example Apologies - Identity Management tools - provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction - Giant Global Bank is still sorry your account was compromised!

The point of this is that security memories, guesses and apologies utilize different processes, different people, and different capabilities to be effective.

What trends can we identify to lead us toward better qualitative analysis based on the best practices of virtualization, interoperability and reusability.

Virtualization

Finding Vulnerabilities in a Virtualized World is a problem because applications are more configured than coded. Runtime behavior and structure not apparent due to weak typing and inversion of control.

Result - finding bugs becomes harder. Action - use screens to target finding time and resources

Fixing Vulnerabilities in a Virtualized World is a problem because how do I locate the controls when interfaces run in Beijing, Bangalore and Boston?

Result - synchronization and/or replication of security policy is problematic. Action - decentralized policy enforcement points and policy decision points.

Interoperability

Finding interoperable vulnerabilities

XSS - Javascript is an equal opportunity offender - interoperability for developers and attackers alike.

Fixing interoperable vulnerabilities

App servers, ESBs, and services are the attacker’s red carpet to your enterprise, right into your book of business. Interoperable access control can be leveraged across the enterprise.

Use XML signature for authentication and integrity

…

Use XML encryption to protect sensitive data, don't pass sensitive data in the clear

My Credit Card Number

Encrypt the data

…

XNQ0a4legiie5mWFxO6CQkk2hhldYNnKroObue/LXS/VYtvaTgMbCujhGExDi+vlkU//Qc2/T6mx0WVTmBMT3z8rogha8jD+nS9Zr2Bc3CwoTh2lh8wL3D0DEu91iwJT9JByLGXvt7v9lyuxK0ooDOYEClsH974CPmTs3tBC+GQ=

To ensure that these controls are applied use automated tools like static analysis to scan for security mechanism use and coverage.

In terms of reusability findings and fixes consider two bug findings

Session management bug: session state is passed around to every component, service and user. Makes for many high priority findings in audit report, also the fix is required on virtually every program

Data validation bug: Data access object (DAO) has a SQL injection hole. One major high priority finding in report. DAO used by many business logic classes, one fix location serves many classes

To bring these factors together, I generally use a scorecard index [6], so you can measure such things as transport security, message security, threat protection and so on. The hard work in developing the index is developing a useful scale. A scale for XML tokens could use the following

0: no token

1: hashed token

2: hashed and signed token

3: hashed and signed token from standard authoritative source

An example scale for XML validation could use:

0: no validation

1: schema validation

2: schema validation against hardened schema

3: schema validation against standard, hardened schema

These indexed scales are used to show maturity across the factors in the scorecard. The first part of the talk described value, the value assessment is used to focus time and effort on high value assets. The value assessment can be determined quantitatively. There is hard analytical work to qualitatively determine the scorecard, index, and scales, the quantitative value assessment is used to screen out high value targets for these endeavors. The scoring index is used to track progress and improve quality over time. In the best case scenario, automated tools are used to perform the checks described in the index, and once security is automated just like software developers we may see security innovation make progress in years not decades.

Thank you for your time.

1 "Risk Management is where the Money Is" by Dan Geer, http://catless.ncl.ac.uk/Risks/20.06.html

2 Berkshire Hathaway 2007 Shareholder Letter by Warren Buffett, http://www.berkshirehathaway.com/letters/2007ltr.pdf

3 "Software [In]security: Software Security Demand Rising, by Gary McGraw

http://www.informit.com/articles/article.aspx?p=1237978

4 "SOA and Newton's Universe" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/20/soa-and-newton-s-universe.aspx

5 "Memories, Guesses and Apologies" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/15/memories-guesses-and-apologies.aspx

6 "Web Servicres Security Checklist" by Gunnar Peterson, http://arctecgroup.net/pdf/WebServicesSecurityChecklist.pdf

After Election: Files Stolen In Obama And McCain Campaigns Cyberattack, Obama-themed Malware Makes Rounds

Wed, 05 Nov 2008 21:49:21 +0000

According to an article published Wednesday by Newsweek, hackers broke into computer systems of both the Barack Obama and John McCain campaigns and stole a large amount of data Officials with the FBI and the Secret Service notified Obama staffers in August of the breach after tech consultants for the campaign detected what they thought at [...]

Applying SDL Principles to Legacy Code

Mon, 27 Oct 2008 14:24:00 +0000

Hello, this is Scott Stender from iSEC Partners, one of the SDL Pro Network partners. As security consultants, we at iSEC work with a variety of companies to drive security throughout their development cycle. Clients with mature security processes ask that we help carry out parts of their process, from requirements analysis to penetration testing. Other clients need help defining their security processes, and we help define and kickoff a program based on the Microsoft SDL, other defined processes, or variations thereof, depending on the client’s needs and abilities. Whether participating in an existing process or helping define one, I personally have been lucky enough to have seen my fair share of successes and failures, and it is this perspective that I hope to share in this guest post.

I find that legacy code poses a unique challenge for organizations rolling out a new security process. Often, the resources dedicated to maintaining older code are a small fraction of those devoted to new features or products. Furthermore, the original developers for such features have often moved on, leaving no subject matter experts to drive reviews. The astute reader will ask “How do I apply the principles of the Microsoft SDL to legacy code when I have no development resources and nobody knows how it works?”

The answer is “Start small, and build expertise over time.”

A Rising Tide Lifts All Boats

The best thing a security engineering team can do to improve security in the short term is to drive code quality, and the first step in this process is to define and enforce a secure coding standard. This helps on two fronts:

1. It will improve code quality and reduce implementation flaws across the entire code base. Unlike other security processes, driving a secure coding standard is relatively easy to accomplish across an entire code base, regardless of the code’s age, by a focused security team. That is not to say that it is easy without qualification – a large batch of spaghetti code will require a lot of work to untangle! Such an effort can only be called “easy” when compared to, say, comprehensive identification and remediation of design flaws across legacy features. Even so, improving code quality through the use of secure coding standards offers a unique combination of high impact, applicability to features, and ability to be carried out by a core team that makes it a sensible first step.

2. The security team might notice that some sections of code have more standards violations or outright flaws than others. This is an instance of vulnerability clustering, a concept that has been used to predict vulnerability rates and improve quality in the functional realm. The evidence is anecdotal, but it stands to reason that portions of code that consistently violate secure coding standards are good places to start looking for other classes of security flaw. These are security hotspots, and should be high on the prioritized list for further review.

Security testing may also be applied to legacy code, but initial activities should be considered on a case-by-case basis based on the expected return on investment. Such testing ranges from using inexpensive off-the-shelf tools to exercise common interfaces to rather expensive custom testing and formal analysis. It is worthwhile to begin with off-the-shelf tools, such as those that target file parsers or web applications, and tools created as part of your greater secure development efforts. These can help identify easily-found flaws and suggest improvements to the coding standards. Comprehensive security testing, on the other hand, is best tackled after the Legacy Security Push.

The Legacy Security Push

Coding standards and basic testing provide bang for the buck, but formal security processes seek to provide security assurance. The challenge for legacy code is that it needs to play catch-up. Security processes that occur early in the development cycle, such as requirements analysis, design review, and threat modeling, are particularly difficult to achieve years after the fact. The main goal of the Legacy Security Push is to create the deliverables from these efforts, the most important of which are security requirements and a full risk analysis.

It may sound trivial, but security requirements are essential. Not only do they define proper operation for the system in question, they also define assumptions that are suitable for relying systems. It is very common to find security flaws in legacy systems that arise from well-intentioned but incorrect assumptions such as “I assume that the Foo authenticates server Bar when initiating a bank transfer.” It stands to reason that Foo would do so for such an important activity, but this assumption must be validated. It is very common for older features to have been deployed in and written for different environments where the security assumptions that are "obvious" today just didn't apply at the time.

When reviewing legacy systems, the first step is to identify such requirements. If the original architects, developers or managers are available, they can provide valuable insight at this stage. More often than not this is not the case, and analysis must instead rely on what documentation is present and interaction between the software and its consumers. The goal is the same as in requirements analysis during project inception, except that in this case one must turn the process on its head and reverse engineer requirements from system behavior. At the conclusion of this effort, requirements can be theorized – “Foo must authenticate its server Bar before initiating a bank transfer.”

Risk analysis can be performed once a plausible set of requirements have been identified. Threat modeling is a more structured means of performing such an analysis, with the eventual goal of identifying means by which requirements can be violated by an attacker.

As with requirements analysis, original developers would be a valuable resource to consult. With or without such help, the first step is to identify how the software works. In many cases, help is not available and performing this task requires a great deal of effort. For features of moderate size, this author has spent upwards of a month reading code, using process profiling tools, and walking through the software with a debugger to identify program flow and security-sensitive functionality.

Once completed, actual system behavior should be documented and compared against the requirements theorized. It might be that the requirements should be re-evaluated (New requirement: Do not assume that Foo requires server authentication) or the system may need to be changed (New bug: Foo does not verify the CN for Bar). At the end, this information should be sufficient to support a comprehensive threat modeling exercise where security requirements, risks, and their mitigations can be documented.

Next Steps

Bringing a legacy feature up to par with its newer kin requires a relatively small number of items: improved code quality, clear security requirements, and a thorough threat model. As we have seen, performing even these tasks is quite the effort! I am sure that it is little comfort to be reminded that accomplishing these tasks has simply laid the foundation, and that the true benefit is that the newly-reviewed legacy feature is able to participate fully in the security processes that remain: reviewing cross-component security requirements and assumptions, comprehensive testing, and incident planning, to name a few.

Unfortunately, there is no silver bullet in security assurance. The soundness of the design and implementation of legacy software is just as important as in newer software, which is why any complete secure software development process will look backwards as well as forwards. Feature by feature, from higher priority to lower, the overall security of the software improves as legacy code receives the full security treatment it deserves.

Did you find the silver bullet? Might you think that defining security requirements is unnecessary? Perhaps “It is old and has not been attacked yet.” is a valid security strategy! Please comment below or email me directly at scott@isecpartners.com and share your thoughts.

Corporate fraud, in-flight Wi-Fi, R&D tax credit, more

Wed, 22 Oct 2008 20:00:00 +0000

Mergers and acquisitions are not usually quick affairs. Just the due diligence process of examining a company's enterprise IT systems--the infrastructure, applications, outsourcing deals and vendor contracts--can take up to a week, according to industry consultants.

McAfee bolsters network access security

Sun, 19 Oct 2008 20:00:00 +0000

McAfee is making it possible for customers to enforce network access policies on unmanaged devices such as laptops owned by visitors or consultants.

Mark Curphey On Builders and Breakers

Fri, 19 Sep 2008 08:02:10 +0000

Superb post by Mark on what I think is the biggest problem we have in security. One thing you learn in consulting is that no matter what anyone tells you when you start a project about what problem you are trying to solve, it is always a people problem. The single biggest problem in security is too many breakers not enough builders. Please understand I am not saying that breakers are not useful, we need them, and we need them to continue to get better so we can build more resilient systems. But the industry is about 90% breaking and 10% building and thats plain bad.

It’s still predominantly made up of an army of skilled hackers focused on better ways to break systems apart and find new ways to exploit vulnerabilities than “security architects” who are designing secure components, protocols and ultimately secure systems. If you don’t believe me go have a conversation with a so called application security consultant about SAML or security issues in Enterprise Message Buses and you’ll almost definitely draw blank stares. Ask application security consultants if they know about the latest HTTP or HTML spec and they’ll likely say yes (and want to demonstrate the latest issues) but if you ask them about the latest WS-x spec you’ll likely draw more blank stares. When was the last time you saw an attack drawn out as a UML sequence diagram? This is worrying and somewhat sad. I don’t think we are culturing, encouraging and nurturing people with the right skills to make a positive difference.

This is exactly my experience as well. Not only that, we have too much destruction and not enough construction, this is a big enough problem all by itself. I would go one step further and say we need creative destruction, breakers breaking things that lead to better systems over time. Maybe we need an OWASP Builders project?

In any case, for my small part I am builder. I teach a class (and will at OWASP) that is 100% focused on building secure Web services, identity management, distribut authN, authZ, message security and so on. I can tell you first hand there are not a lot of people approaching the problem from a builder mindset.

Software Security May Live in Interesting Times

Wed, 17 Sep 2008 02:57:27 +0000

Next week is the OWASP App Sec conference in New York, I am doing Web Services security training and talking on Web services security and the OWAPS Top 10; and it should be "interesting" to be there in the middle of Hurricane Subprime as the MBAs scramble to restructure the global financial system. On the plus side, the Yankees are not going to make the playoffs.

The financial industry has driven a lot of things in technology and with all of the massive changes there I would expect it to have a major impact ons software security. Financial services were set to spend $568 billion on technology this year, and for one example, Merrill Lynch spent $566 million last quarter alone.

I think that software security for better or worse has been driven by financial services to this point. In my podcast with Gary McGraw, I talked about software security "what got us here, won't get us there" syndrome. Where some vendors and consultants have success with a certain technology or process in a big bank, then they bless it as "hey this works!" and try and roll it out at an insurer, healthcare company, or manufacturer; and are surprised when it doesn't work. A lot of times they assume that the client just doesn't get it, but they do, they just have a different business model. Most of the other industries have far fewer hard edges and more integration to deal with.

Software security should benefit from opening up to dealing with other business models. I guess now we're going to find out.

Golf Driven Security

Tue, 26 Aug 2008 13:00:50 +0000

I don't have anything against the sport, in fact I think that if the software security people want to get in the enterprise security game they have to get a lot better at golf. I blogged about how the network security sector is about fifteen times larger than software security sector, prompting one person to write saying that we have invested wisely in network security, eliminated the problems and will address the software security problem with internal processes and tools.

The problem is that compared to software security we are clearly overspending on network security, the hardware/software is unchanged for a decade - in any other area of computing the cost would be falling like a rock (how much would 1995 version of Oracle or Windows cost now? 5 cents on the dollar, yet CISOs still cut $900M worth of checks to Checkpoint each year). The problem is there is no market effect because the CISO's budget keeps increasing and they have no idea what/where/how to spend so they just play golf with their Checkpoint rep and send in the renewal.

Internal processes and tools are necessary yet nowhere near sufficient to "solve" software security. One reason we "have gotten rid of" network attacks is that no one cares. its a 1990s 31337 attacker goal, not a mafia enterprise goal (botnets aside). business, be they legit or criminal, wants data and functionality. so its all about apps and data. we are just at the very begining crawl stage of even understanding how to solve these problems. That's why when i hear security consultants harsh on something like static analysis I just laugh. are they better than a top 1% resource in the world? no way. do we have a multi billion dollar gap to close? ya sure, ya betcha. We need things that scale.

People dont write their own virus protection, but for some reason attempt to do their own input validation, it is the same exact problem. people routinely write their own authentication, authorization and audit. i could go on.

I have rarely seen an industry so ripe for disruptive innovation as software security.

Thoughts on Token Security

Tue, 26 Aug 2008 12:35:23 +0000

RSnake has a piece up on Token Security which raises some good points, but also misses some perspective. Firstly any article that makes a serious attempt at mitigating FUD is most welcome, especially in a space that is as overloaded as identity. That said, I think RSnake is taking too narrow of a view, specifically B2C, on federation and tokens. It is true that works on the web eventually filters into the enterprise, but it is also true that sometimes that things that start out as enterprise technologies later become cost effective on the web. So I would not assume that the current status quo on the web will hold. I don't think it will, the identity problems are too big and there is too much money at stake.

I encourage you to read his article, here are some of my thoughts

"consumers hate tokens."

Except that people use atm cards every day. Consumers will absolutely be inconvenienced, if there is some value created. The problem today is not the token, its the lack of a value proposition to the person you are inconveniencing.

"Everyone wants to be the single federation platform for everyone else."

This will never work. and that's a good thing. i think most companies already realize this though. I think the walled garden model has gone the way of the dodo.

"Federation will never work. It won’t work because the single most important consumer Web applications in the world are scared of it. Banks hate the concept because it becomes a weakest link in the chain problem."

Federation works quite well. have a look at google for one example. The reason banks hate federation is that their infosec people have a mainframe mindset, they are focused only on resource protection. the problem is they dont run mainframes on closed networks, they went and connected it to the web and so now they need to think about subject and claim security not just resource security. its not hatred its a lack of understanding stemming from a legacy mindset.

Linking up identity providers and relying parties into a federation has been a solved problem for quite some time.

"Tokens don’t actually solve most security problems, like man-in-the-middle, phishing, and keystroke-logging malware."

Rule 1. there are no silver bullets in security

Rule 2. dont forget rule 1

but...

...there is a rule 3

rule 3. just because a security mechanism doesnt solve all of our problems doesnt mean its worthless.

I see this with security consultants all the time, they playa hate on static analysis or some scanning tool where they can find hundreds of things the tool doesn't. Fair point except 99.9999% of IT can't and won't find them. Engineering is about solving one incremental problem at a time.

"Oh yes, and finally, consumers are going to have to carry around 13 of them just to make sure they can log into whatever they need to log into since no one will federate."

This misses the point of federation. i carry around one atm card its up to banks, Visa, Cirrus and so on to make sure i get my cash. the funny thing about banks not understanding federation is that they have the bet example right in front of their noses, the problem is its in a different department so they never see it.

"Global federation is nowhere near a solid concept in the consumer space, despite what the vendors will try to sell you."

rule 4. do your own due diligence

Tokens and federation are important building blocks for our digital future. I will leave you with a story that Robert Morris Sr. told at Defcon several years ago:

"This is a long term problem. If you work on it and make any progress against it, you'll find yourself much smarter at the far end, than you were at the near end.

When I was in Norway about 5 years ago, I was there very close to the summer solstice. I was wandering around town at 2 o'clock in the morning and there was plenty of light out. You come to a sign that says New Minsk about 60 km and it points south.

And I ask the lady "what country is this?"

She scratched her head for a bit, and said "well I think its Norway"

I said "well who plows the roads?"

"well Norway does, but he have to pay them."

There is a triple boundary in this town that I was in between Norway, Finland and Russia.

But what I did there, was, I had a card about wallet size, I stuck it into a machine, I punched in four digits, and it gave me about 2,000 krone, whatever the hell that is.

Now there are a lot of participants in that transaction. When I put a card into that machine, punch in a pin, and it gurgles for awhile, and finally gives me, a fairly large amount of money. There are a lot of participants in that transaction. The bank that owned the machine that gave me the money, it gave some money away -- that bank wants it back. The pin is necessary to convince my own bank that I'm me. But I don't want my pin to be broadcast all over the world. My bank in the us, it hasn't really given out or taken in any money, really. But there is a lot of credits involved here. Somebody needs to charge somebody else for having more money available. Even though there was actually no cash transfer.

And the problem that I have in mind is
- who are all the participants in an ATM transaction?
- what do those participants need to satisfy their problems?
- how is that in fact done?

In a general way, does the atm system actually work in some reasonable sense? To which the answer is by the way: yes. The atm system damn well works. With extremely high reliability and accuracy. It surprises me. Its quite a bit different than voting machines.

People said China was safe, but danger still lurks in the so-called "safe" places.

Tue, 12 Aug 2008 12:06:00 +0000

The unfortunate stabbing death of an american who travelled with the Olympians showed that we should not take safety for granted.

Without being there, it is difficult to know, but one wonders if the press got it right when they reported that the killer did not know that the people he attacked were from America. It is highly probable that most American tourists would stand out on the streets of Beijing. If they followed the advice of security consultants who advise about trying to "blend in", there is a chance that they would be less obvious, but due to the fact that many were there to support the atheletes,I think it is very likley that the killer was able to identify them as being American.

The attacker did commit suicide after the attack, so there is a good chance that he was mentally disturbed. When we travel abroad, or even within our own countries for that matter, we should not only be looking for potential terrorists. There are a lot of other categories that can cause harm; burglars, robbers, purse snatchers, street con artists, kidnappers, people under the influence of alcohol/drugs and so on.

For many people, it is difficult to switch from relaxed tourist one minute to a defensive positon the next. Remember that it is alright to be cautous and suspicious. You don't have to make friends with everyone you meet on the street. It is much more important to be able to come home safe and sound to your family at the end of your trip.