Tuesday 31 May 2011

Let's Hack Google :)

Google just took another step in improving the state of their web applications: Rewarding Web Application Security Research. Kudos to them, and I hope this program is a great success.

This is a great development for WebAppSec (following on the footsteps of others like Mozilla)

Unfortunately this page also show how weak the OWASP brand is, since there is NO mention of OWASP on that page.

For the ones that keep worrying about 'abuses of the OWASP brand' , I am much more worried about the cases where it IS not used (like this one).And every-time we kick a fuzz about 'somebody XYZ is abusing the OWASP brand' is another sign we send to the outside world that we are a mess to deal with.

The way OWASP should measure success is by the opportunities that we are able to materialize. And our failures are the opportunities we miss. This was a good opportunity missed.

But we are not too late to join the party, so the interesting question is "What can we do, so that Google (and others) point to OWASP resources in pages like this?". We have good/amazing quality materials at owasp.org that could be referenced, and ideally we should also take the opportunity to add the 'how to fix it' angle (this would highlight the power that OWASP has since we can cover the: attack, detect, mitigate, fix and defend angles)

And if a new 'clean' website with only a couple owasp references is needed (with more details being provided via links to the main owasp.org website), then why don't we just do that!

Another interesting angle would be to use this type of public initiative as a sign of 'Security SDL maturity' by companies. So far, the data points to the fact that only companies that have a very solid SDL and security teams are confident enough to make this type of public statement (for example why isn't Sony doing the same thing :) ) . The Firefox crowd actually has good metrics on this (as presented at the Summit) and it would be great to explore more this concept/idea.

Tuesday 24 May 2011

We need to give our clients 'scripts' not pdfs

At the end of our security engagements our 'Findings should be delivered as 'scripts', not as a big list in a pdf' (with links and screenshots). These scripts need to cover the entire spectrum of our analysis (i.e. from BlackBox to WhiteBox, from Browser Automation to Source-Code, etc...)

The scripts should allow the client (and the developers) to initially validate the findings, and then validate the fixes (or mitigations). Ideally these 'scripts' should be delivered as 'Unit Tests' and should cover a large number of exploit variations (for example for SQLi/XSS vulns, run through the respective FuzzDB payloads)

Monday 23 May 2011

Mono team fired from Novell and Miguel starts a new company

With my O2 work focus of the last months I missed this big event (see details here http://tirania.org/blog/archive/2011/May-16.html)

There are a lot of interesting angles here (which I need to find the time to write about), and since O2 is an active used of the Mono Project, this is also a great opportunity to work together with them.

The other interesting angle is the funding and how even Mono who is a very popular and widely used project, still doesn't have a clear and easy to execute business model (which (in my view) is one of the current failings of Open Source at the moment)

Should the NHS IT Project go Open Source and what about its security?

As expected by many, the UK's NHS IT program is going downhill: http://www.computerweekly.com/blogs/public-sector/2011/05/nhs-it-system-condemned.html

I am on thread that asked the question 'should NHS be buying FOSS Code' and my initial reaction is YES!!

Here are my thoughts:

I think the FOSS (Free and Open Source Software) angle should be explored here, since if the source code of what was developed was released under a Free license the buyer (UK Gov and NHS) would have a lot more control over the technology developed.

And in a case like the NHS where one needs global standards implemented from the bottom up (i.e. adopted by each NHS practice), a core technology stack that is Free would give a LOT of independence to the local NHS practices (they could accept the 'mothership' packages or develop their own). Yes their might be some fragmentation but we would probably be much better than where we are today.

Note that the requirements of delivering such technology in such Open/Free way, would force the main/code developers to have strong engineering practices (namely in the areas of application interdependencies and deployment).

But I guess the first question is: How much FOSS is already included in this project? What technologies are they using?

I have to admit that I don't know a lot of details about this project, but it would be very weird it was all 'proprietary' technology.

Also, since my specially is Application Security, are you guys aware of any published information about the security reviews done to these applications? (my experience is that systems that 'struggle' to work as they were supposed to, are usually full of serious security vulnerabilities (since there is a moment where the mandate is '...just get it to work...' which usually means that 'application security' is moved even down on the priority scale))