Thursday, June 12, 2014

Privacy

Here is a good definition of privacy...

An individuals’ ability to determine how much, to whom, and when / for how long Information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little quicker with a more simple and accessible definition.  


Tuesday, June 10, 2014

Privacy and the internet

A lot has been in the media recently about encrypting emails using gmail. But email isn't the only thing being looked at concerning your privacy. I decided for this blog post two show two inforgraphics. I have already talked about this subject in several blog post but showing the same information again on an important subject can't hurt.


Internet Privacy Tips Statistics 2014This Infographic was published on AnsonAlex.com

Here is the last Inforgraphic on Privacy I have for this blog post.

Sunday, May 11, 2014

Tulsa School of Dev



Don't forget May 16. OUS downtown campus free training. An all day event. For more information go to ...http://tulsaschoolofdev.com

Client Side Coding - JavaScript

JavaScript has several known security vulnerabilities. Now with HTML5 and JavaScript becoming more prevalent in web sites today and with more web sites moving to responsive web design with its dependence on JavaScript the developer needs to understand what vulnerabilities to look for.

The most significant vulnerabilities in JavaScript is cross-site scripting (XSS) and Document Object Model, DOM-based XSS.

Detection of DOM-based XSS can be challenging. This is cause by the following reasons.

• JavaScript is often obfuscated to protect intellectual property.
• JavaScript is often compressed out of concerned for bandwidth.

In both of these cases it is strongly recommended the code reviewer, and QA be able to review the JavaScript before it has been obfuscated and or compressed.

Another aspect that makes code review of JavaScript challenging is its reliance of large frameworks such as Microsoft .Net and Java Server Faces and the use of JavaScript frameworks, such as JQuery, Knockout, Angular, Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself. These frameworks are usually several orders of magnitude larger then the code the code reviewer needs to review. Because of time and money most companies simple accept that these frameworks are secure or the risks are low and acceptable to the organization.

Because of these challenges we recommend a hybrid analysis for JavaScript. Manual source to sink validation when necessary, static analysis with black-box testing and taint testing.

First use a static analysis. Developers, Code Reviewers and the organization needs to understand that because of event-driven behaviors, complex dependencies between HTML DOM and JavaScript code, and asynchronous communication with the server side static analysis will always fall short and may show both positive, false, false–positive, and positive-false findings.

Black-box traditional methods detection of reflected or stored XSS needs to be preformed. However this approach will not work for DOM-based XSS vulnerabilities.

Taint analysis needs to be incorporated into static analysis engine. Taint Analysis attempts to identify variables that have been ‘tainted’ with user controllable input and traces them to possible vulnerable functions also known as a ‘sink’. If the tainted variable gets passed to a sink without first being sanitized it is flagged as vulnerability.

Second the developers, QA needs to be certain the code was tested with JavaScript was turned off to make sure all client sided data validation was also validated on the server side.

Code examples of JavaScript vulnerabilities.

<html>
<script type=”text/javascript”>
var pos=document.URL.indexOf(“name=”)+5;
document.write(
document.URL.substring(pos,document.URL.length));
</script>
<html>

Explanation: An attacker can send a link such as “http://hostname/welcome.html#name=<script>bad code here</script>" to the victim resulting in the victim’s browser executing the injected client-side code.

Another example:

  1. var url = document.location.url;
  2. var loginIdx = url.indexOf(‘login’);
  3. var loginSuffix = url.substring(loginIdx);
  4. url = ‘http://mySite/html/sso/’ + loginSuffix;
  5. document.location.url = url;
Line 5 may be a false-positive and prove to be safe code or it may be open to “Open redirect attack” with taint analysis the static analysis should be able to correctly identified if this vulnerability exists.

If static analysis relies only on black-box component this code will have flagged as vulnerable requiring the code reviewer to do a complete source to sink review.

References:



  • http://docstore.mik.ua/orelly/web/jscript/ch20_04.html 
  • https://www.owasp.org/index.php/CRV2_SourceSinkRev
  • https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll
  • https://www.owasp.org/index.php/Static_Code_Analysis
  • http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf
  • http://www.jshint.com/about/ https://github.com/mozilla/doctorjs

Saturday, March 8, 2014

OWASP Wins SC Magazine 2014 Editor's Choice Award


On Tuesday, February 25th OWASP was awarded the 2014 SC Magazine Editor’s Choice award. This was the final award of the evening and presented directly from Illena Armstrong, VP, editorial, SC Magazine.

For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (OpenWeb Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals has greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project– ongoing since 2003 – which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent time. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, out reach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award
As a volunteer driven, non-profit organization our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!



http://owasp.blogspot.com/2014/03/owasp-wins-sc-magazine-2014-editors.html

Wednesday, January 15, 2014

RSA, NSA, OWASP Continued


Bruce Schneier, a well respected security expert has written an essay that has an opposing view of the NSA and why the NSA surveillance program is not good security. I don't always agree with Mr. Schneier but he does make some good points and as a very respected security expert I think its good the read his essay. I am not re-printing it here but here is the link.

http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/

You can subscribe to Mr.Schneier security newsletter here…on the web at <http://www.schneier.com/crypto-gram.html>. 


On another subject here is a podcast where I was interview about the project I am leading with OWASP concerning the Code Review Guide book.

http://trustedsoftwarealliance.com/2014/01/13/appsec-usa-2013-larry-conklin-and-the-code-review-book-project/



Tuesday, January 14, 2014

RSA, NSA, OWASP

Last week OWASP has had a vigorous debate on if OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. Debate surrounded the issue of RSA and its relationship with NSA. More specifically did RSA per request of NSA weaken its cryptology products to allow NSA better access to be able to unencrypted encrypted data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At present time I know of no organization or individual who has confirmed if the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.

I do know that OWASP’s main core value is to present unfretted security information to everyone.

What I don’t know is if OWASP had not cancelled its training would that have put a mark against OWASP as being able to continue its main core value of delivering unfretted security information to everyone and still be vendor impartial and have no ramifications to its brand name by co-marketing with RSA. I would have hoped the individuals attending the course could easily have made that distinction for themselves that OWASP and RSA are very different originations with each having its own values.

I think it’s sad that OWASP caved into media hype as to RSA and NSA relationship. I am also disappointed by RSA for not dealing the speaker cancellations in a positive way and for not being more open then they have been with their relationship with NSA. I do support OWASP and the speakers who cancelled their speaking engagements.

I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need by Law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle East, and Asian), and governments.

Current surveillance program being conducted by NSA is a direct response by Terrorist attack on 9/11 in New York. That attack 2,977 innocent people lost their lives. The mindset of this for need of surveillance was further embedded into American mindset by the Boston marathon attack where three spectators were killed and more than 200 people (men, women and children) were injured.

So this discussion needs to be kept in scope of what the NSA is doing is trying to do is prevent more deaths of our civilian population and reducing the fear of terrorism. Because of the secret nature of NSA we really will never know the results of these efforts to a large degree. That prevents us from having absolute confidence of the good and bad of organizations like NSA and its partners, governmental and others. This lack of confidence is not uncommon. We unfortunately we have a long history of individuals or groups within organizations abusing their power and we have just as long of uncovering the abuse. The difference here is our government has needs to keep part of its activities secret. While at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.

One last thing, encryption; does encryption equal privacy? I have written a blog post talking about this every issue. American courts have upheld law enforcement request for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files by terrorist, pedophiles, and other bad guys/governments, however I also realize this can be very slippery slope.

Recap:
Unknowns… The benefits or fallout of OWASP doing or not doing secure code training at RSA conference is unknown. * The RSA and NSA relationship is largely unknown. We don’t know if RSA weaken its cryptology products per NSA request.

Facts… Secure training is very much needed. OWASP is a premier leader of making unfretted secure information open and available to anyone. With the Target data breach reaching over 70 million accounts the need for secure coding training needs to be at the forefront of all development teams.

Hopes… 
  • I think OWASP if it has the bandwidth should offer free secure coding to any organizations that has had a large data breach. The organizations with the data breach will pay for trainers expense; travel cost and provides the venue for the training. That would be a win-win solution for everyone, OWASP, consumers, businesses.

  • I would also like to see OWASP bring together, politicians, law enforcement, legal experts (defense, prosecuting, judicial), legal scholars on all levels (community, state and federal), for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena giving everyone accurate information on privacy for individual’s, communities and discuss issues of NSA surveillance both positive and negative. This could be done here in America and in other countries. That would be very cool! Also it would be a win-win solution for everyone.

Resources: