Saturday, March 8, 2014

OWASP Wins SC Magazine 2014 Editor's Choice Award

On Tuesday, February 25th OWASP was awarded the 2014 SC Magazine Editor’s Choice award. This was the final award of the evening and presented directly from Illena Armstrong, VP, editorial, SC Magazine.

For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (OpenWeb Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals has greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project– ongoing since 2003 – which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent time. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, out reach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award
As a volunteer driven, non-profit organization our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!

Wednesday, January 15, 2014

RSA, NSA, OWASP Continued

Bruce Schneier, a well respected security expert has written an essay that has an opposing view of the NSA and why the NSA surveillance program is not good security. I don't always agree with Mr. Schneier but he does make some good points and as a very respected security expert I think its good the read his essay. I am not re-printing it here but here is the link.

You can subscribe to Mr.Schneier security newsletter here…on the web at <>. 

On another subject here is a podcast where I was interview about the project I am leading with OWASP concerning the Code Review Guide book.

Tuesday, January 14, 2014


Last week OWASP has had a vigorous debate on if OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. Debate surrounded the issue of RSA and its relationship with NSA. More specifically did RSA per request of NSA weaken its cryptology products to allow NSA better access to be able to unencrypted encrypted data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At present time I know of no organization or individual who has confirmed if the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.

I do know that OWASP’s main core value is to present unfretted security information to everyone.

What I don’t know is if OWASP had not cancelled its training would that have put a mark against OWASP as being able to continue its main core value of delivering unfretted security information to everyone and still be vendor impartial and have no ramifications to its brand name by co-marketing with RSA. I would have hoped the individuals attending the course could easily have made that distinction for themselves that OWASP and RSA are very different originations with each having its own values.

I think it’s sad that OWASP caved into media hype as to RSA and NSA relationship. I am also disappointed by RSA for not dealing the speaker cancellations in a positive way and for not being more open then they have been with their relationship with NSA. I do support OWASP and the speakers who cancelled their speaking engagements.

I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need by Law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle East, and Asian), and governments.

Current surveillance program being conducted by NSA is a direct response by Terrorist attack on 9/11 in New York. That attack 2,977 innocent people lost their lives. The mindset of this for need of surveillance was further embedded into American mindset by the Boston marathon attack where three spectators were killed and more than 200 people (men, women and children) were injured.

So this discussion needs to be kept in scope of what the NSA is doing is trying to do is prevent more deaths of our civilian population and reducing the fear of terrorism. Because of the secret nature of NSA we really will never know the results of these efforts to a large degree. That prevents us from having absolute confidence of the good and bad of organizations like NSA and its partners, governmental and others. This lack of confidence is not uncommon. We unfortunately we have a long history of individuals or groups within organizations abusing their power and we have just as long of uncovering the abuse. The difference here is our government has needs to keep part of its activities secret. While at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.

One last thing, encryption; does encryption equal privacy? I have written a blog post talking about this every issue. American courts have upheld law enforcement request for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files by terrorist, pedophiles, and other bad guys/governments, however I also realize this can be very slippery slope.

Unknowns… The benefits or fallout of OWASP doing or not doing secure code training at RSA conference is unknown. * The RSA and NSA relationship is largely unknown. We don’t know if RSA weaken its cryptology products per NSA request.

Facts… Secure training is very much needed. OWASP is a premier leader of making unfretted secure information open and available to anyone. With the Target data breach reaching over 70 million accounts the need for secure coding training needs to be at the forefront of all development teams.

  • I think OWASP if it has the bandwidth should offer free secure coding to any organizations that has had a large data breach. The organizations with the data breach will pay for trainers expense; travel cost and provides the venue for the training. That would be a win-win solution for everyone, OWASP, consumers, businesses.

  • I would also like to see OWASP bring together, politicians, law enforcement, legal experts (defense, prosecuting, judicial), legal scholars on all levels (community, state and federal), for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena giving everyone accurate information on privacy for individual’s, communities and discuss issues of NSA surveillance both positive and negative. This could be done here in America and in other countries. That would be very cool! Also it would be a win-win solution for everyone.


Wednesday, November 13, 2013

Mozilla Firefox Lightbeam

Lightbeam is a new add-on for Firefox. It provides a light (pun intended) on what third party companies you interact with when visiting web sites. Lightbeam works by recording all tracking cookies saved on your computer through the Firefox browser to see which advertisers or other third parties are connected to which cookies. Amazedly it can differentiate between “behavioral” tracking cookies (those which record specific actions on a site) and other tracking cookies. The data can be viewed visually and in text format.

I visited one the large brick-and-mortar companies that also has a decent e-commerce web site. Below is what I found out. I tried to organization the cookie data the best I could. Some of the companies are familiar to all of us like DoubleClick. But al lot of these companies I had no clue about most of these companies until I looked them up.

I would recommend that your turn on Lightbeam for a day and use Firefox exclusively. At the end of the day you will be amazed by how many companies are tracking you. Of course don’t be too surprise, the top companies in the tracking space bring in over 39 billion in revenue. This is big business. Don’t get me wrong I depend of these companies to profit by seeing what I do online. I don’t want to pay to use Google, Yahoo, or Bing to search the web. I like having services like Hotmail, Gmail for free. I want to have Amazon recommend books to me based on prior buys and searches. 

I also want to have a say into who is tracking me, what I do, how the information can be used and by who. The issue now is how big and powerful these business has gotten without anyone really realizing it. Now add that with powerful behavioral software and we are facing a monster. Like Pogo said, “we have met the enemy and he is us”. Privacy and the need for it are still valid in our connected world. How much of our privacy we keep is going to be decided on how much we are willing to get involved and learn what and who are behind the curtain. I would say right now we are facing an uphill battle.

Tag Management: 

Brand Management/Protection 

Ad content providers: 
* Tribal Fusion is a global online advertising provider. 
* Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end-users with low latency; high data transfer speeds, and no commitments. 
* apad’s proprietary technologies, advertisers can now employ consistent ads across multiple platforms: home computers, tablets, smartphones, and now even smart televisions

Tracking Management. (Technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web.) 
* is a domain used by Doubleclick. 
* is a domain used by AOL Advertising. 
* is a domain used by MediaMath. 
* s a domain used by Lotame. 
* is a domain used by Google Adsense. 
* s a domain used by ValueClick Media. 
* is a domain used by SpecificClick. 
* ATDMT is a tracking cookie served by Microsoft subsidiary Atlas Solutions. 
* A Google Company.

SEO Services. 
* GoogleLeadServices (not connected with Google Inc.) provides SEO services.

Big Data/Market analytics. 
* Ecommerce connecting customers to sales. 
* big data marketing platform. 
* is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising. 
* market analytics.

Consumer profiling/preference/psychology software. 
* Liveclicker is there to provide all the tools necessary to create one-of-kind interactive shopping experiences. 
* Inventory check based on buying preferences on web site visitor. 
* Tumri, an interactive ad platform. With their new technology, ads dynamically change based on geography, demographics, psychographics, media type, sites, etc.

Saturday, November 2, 2013

Secure SDLC Processes

 I was reading about the differences between weak and strong typed computer languages and I came across the following sentence in Wikipedia “Programming languages are often colloquially referred to as strongly typed or weakly typed. In general, these terms do not have a precise definition”. This got me to thinking about a recent conversation I had about Software Development Life Cycle (SDLC) and mentoring. 

The terms SDLC and mentoring are used often in conversations but like strongly typed or weakly typed languages both terms do not have a precise definitions, worse is the definitions between organizations both commercial and academia can differ vastly. 

Mentoring is more than just answering occasional questions or providing ad hoc help. It is about an ongoing relationship of learning, dialogue, and challenge. Often it is the senior person given the responsibility to mentor the junior person. To begin this conversation lets settle on a broad definition of mentoring…. A relationship in which a more experienced person helps to guide a less experienced. However, true mentoring is more than just answering occasional questions or providing ad hoc help. It is about an ongoing relationship of learning, dialogue, and challenge.

How do we mentor secure coding/development to an organization? Who do we need to mentor? Upper management to add development time and cost to make sure the delivered product is secure for the organization, users both internal and external. With upper management we certainty need to use formal and informal transmission of knowledge and social capital. But we are hardly in a true mentoring relationship.

Peers, Peers have their eyes set on the goal of getting their projects into production. Most project incentives are based of development cost, meeting timelines, getting thru QA and getting user acceptance, not on being secure. Add all those pressures together and trying to throw secure coding into the mix except a few points about sql injections usually falls of to the floor while more pressing issues to ship the product take front stage. 

Let’s move off mentoring for a moment and move to SDLC. With SDLC, we have XP, Agile, JAD, RAD to mention a few. But now with Secure Software Development Life Cycle we can add OWASP’s OpenSAMM, Microsofts SDL, CIGITAL BSIMM just to name a few. To make matters worse every organization I have every been associated with takes various pieces of each SDLC and uses the methods they like best and even within those methods they not fully use the entire method as it was defined. To further muddy the waters most development organizations add their own brand of project management to their SDLC processes.

So how do we have a meaningful conversation on these? Maybe we don’t. Do we have each party give out a fully disclosed document on their definitions? Are our definitions only related to each other past experience or a combination of experience and professional research and training? Or at best muddle thru hoping each person understands the other.

I know I really don’t have an answer but the conversations are always fun. Maybe that is part of the answer instead of looking for the right answers lets talk about what strategies have work for us and what in the past did not work and where we want to go. 

What strategies do you use in your organization? Do mentoring and SDLC and security come together or is each item separate? Can you write down what your organization definition of the SDLC is? The steps it follows and where it defers from the published guidelines for that SDLC? If not is your organization using an ingrown ad-hoc SDLC that is documented and does your organization follow that document to the tee or a partial implementation? Remember seat of the pants is not really the way to go. No matter what S-SDLC you use, a plan is better than no plan at all. 

Tim Rains of Microsoft just release a blog post on developers using secure SDLC. Microsoft’s survey showed “security wasn’t considered a “top priority” when building software by 42% of developers worldwide.” His blog post goes on to say “While security development processes have been shown to reduce the number and severity of vulnerabilities found in software, almost half of all developers (44%) don’t use a secure application program/process today.”

I am speaking at APPSECUSA 2013. Nov 18-2013.

Sunday, October 6, 2013

Sql Injection, OWASP AppSec 2013, Free Training, Published Bad Code

Since 2003, SQL injections have remained in the top 10 list of CVE (Common Vulnerabilities and Exposures dictionary) vulnerabilities. Injection vulnerabilities is the OWASP (Open Web Application Security Project) number one vulnerability. 

The Verizon Business Data Breach Investigations Report 2013, SQL Injection was identified as the single largest attack vector responsible for data theft. The Verizon Business Data Breach reported, “60% of SQL injection attacks in the 2011 dataset were single-event incidents, meaning they exfiltrated data (or otherwise caused an incident) in the initial compromise and didn’t continue beyond that. Single-event incidents are often over and done in a matter of seconds or even milliseconds.”

Yet remarkable SQL injection is one of the low hanging fruits that can be resolved without much effort by any organization. So how is it that we still have SQL injection as a top ten vulnerability after 14 years; developer training, need to evangelize IT management, IT tools, code reviews? All of these can help in reducing the SQL injection. This blog I am going over some great resources for developer training.

Invest in your developers training. The payback is worth it. 

**APPSEC USA 2013** is a great place for developers to get together to learn how to defend their applications. This year APPSEC USA 2013 is in New York, November 18-21.

Jim Manico , VP of Security Architecture at WhiteHat Security and Board member of OWASP, gave a shout out to SafeCode is a very well funded non-profit secure coding organization. They are in the process of releasing a large inventory of secure coding training that is fairly high quality.
Check it out.

**Published example demo code**
But please be aware not everything out there is of the quality that it should be. Code Magazine – A leading independent developer publication that has a good emphasis on .Net development had two articles in its May/June 2013 issue, which showed examples of how SQL injection creeps into applications. Both authors should know better even for a demo article not to use dynamic SQL.

The first article “Creating Collections of Entity Objects” show sql statement. 

   1:  da = New SqlDataAdapter(“SELECT * FROM Product”, _
   2:      “Server=Localhost;Database=Sandbox; Integrated Security=Yes”)

Not good at all. I can just see someone reading this article downloading the code and making it work for his or her needs and adding a software vulnerability that a cyber criminal can exploit. The average data breach cost any organization about $300.00 per record. TJ Max’s data breach cost exceeded over $250 million in 2007. 

A quick fix, 

   1:  SqlDataAdapter myCommand = new SqlDataAdapter("GetProductsStoredProcedure”,
   2:  myConnection);

The next article “Creating a Robust Web Application with PHP and CodeIgniter” in this example we read things like…

   1:  strQuery = “INSERT INTO logs “& _
   2:  “(custername, cevent, computer) “ _
   3:  Values (‘” & strUserName & “’,’” _
   4:  & strEvent & “’, ‘” & _
   5:  strComputerName & “’)”

However we should have read code like this from the author.

   1:  $name = $_GET['username'];
   2:  $event = $_GET['event'];
   3:  $computerName = $_GET['ComputerName'];
   6:  if ($stmt = $mysqli->prepare("INSERT INTO logs (custername,cevent,computer) VALUES (?, ?,?)")) {
   7:  $stmt->bind_param("ss", $name, $event, $computerName); // Bind the variables to the parameter as strings.
   8:  $stmt->execute(); // Execute the statement.
   9:  $stmt->close(); // Close the prepared statement.}

Don’t forget about another great resource OWASP has Cheat Sheets.

SQL-injection Infographic
 SQL Injection Tutorial Infographic


Saturday, August 3, 2013

How unique are you? Your Zip code knows.

When I am out shopping and ready to checkout the clerk asks me for my Zip code. My family readily gives out such information and often apologizes to the clerk when I refuse to give out my Zip code. When I respond with that is personal information my reply is just eyes rolling with your just being grumpy. Of couse there is some truth in that. But still we have the question is how much information can they(retail store) get by knowing my Zip code? The answer is a lot.

Famed Harvard Professor Latanya Sweeney who has done pioneering work on data privacy has a web site where you can now test your uniqueness. Her site asks for your gender, birthdate and Zip Code. Remember the retail store has an advantage because they have your name and Zip code. Give it a try. You might find that you not as unique as you think you are and using your Zip code really can help identify you and in most cases with 100% accuracy.

Dr. Sweeney explains that “365 days in a year x 100 years x 2 genders = 73,000 unique combinations, and because most postal code have fewer people, the surprise fades”.

Here is a sample output using a made up person…
74012 (pop. 57526) Male Birthdate 12/13/1987 Easily identifiable by birthdate (about 1) Birth Year 1987 Lots with your birth year (about 378) Range 1987 to 1991 Wow! There are lots of people in your age range (about 1894)

A lot of retailers today use services like GeoCapture. This service produced by Harte-Hanks ( simply captures your name from your credit card and with the clerk entering your Zip code into the POS during the transaction. Using the GeoCapture service your store matches the collected information to a comprehensive consumer database to return an address.

Beside your address GeoCapture can…

  • Identify customers, understand purchase behavior, and follow up with dynamic, personalized marketing.
  • Provides customer contact information and purchase history.
  • Extensive, proprietary matching logic and nickname tables identify customers easily with accuracy rates close to 100%.
  • Can be used in conjunction with Reverse E-mail Append for customer identification.

Here is the PDF from Harte-Hanks that describes services offered to retail stores. Of course if you shop in your own Zip code and the clerk enters the store Zip code. They got you.

Ok here are some simple proven ways to help protect your privacy.

  • 1. Sign out of online accounts when not using them, Hotmail, Facebook, etc. (This is becoming more difficult with always on mobile apps).
  • 2. Don’t give out personal information when shopping.
  • 3. Encrypt your hard drive on your computer.
  • 4. Turn on 2-step authencation for all app that provide this. Gmail does.
  • 5. Pay cash for embarrassing things.
  • 6. Change your Facebook settings to Friends Only.
  • 7. Clear your browser history and cookies on a regular basis.
  • 8. Use an IP masker.
  • 9. Set and use your passcode on all of your wireless devices.
  • 10. Remember everyone now carries a phone with a camera. If you do some something stupid it is very likely someone took a picture of it and posted it on the Internet.

I thought this was a cool site and I wanted to share it with you. Smile your on camera, maybe.