Saturday, 6 February 2016

Is Google a geopolitical threat to the UK? (i.e. what would happen if it pulled the plug on UK's traffic)

During one of the recent Application Security training courses I delivered recently, one interesting example I gave during a section on "Our dependencies on Technologies and Frameworks that we don't fully understand" was the concept of how much of a threat to the UK economy is Google?

For example if Twitter or Facebook were not available from the UK, I don't think the impact would be significant.

But if Google and all its services (search, mail, calendar, maps, geolocation, docs, spreadsheets,  contacts, Google ID) was suddenly not available, I bet that there would be a significant disruption to a LOT of individuals, business and government agencies.

There is a lot of talk in the UK about the Geopolitical threat of Russia (and its control on natural resources used by the UK), but I'm pretty sure Google can do more damage.

Of course that it would be economical/business suicidal for Google to do such a thing, but that doesn't make it less real or dangerous.

Friday, 5 February 2016

Speaking at Codemotion Rome on "New Era of Software with modern Application Security"

Next march I'm going to be delivering the "New Era of Software with modern Application Security" keynote at Rome's Codemotion (17-19 March),

This is very exciting, since Codemotion is a developer focused conference, which is exactly the audience that we (AppSec) need to be talking to (and learning from).

The speaker line up is also pretty impressive (see more details here), so if you are around, this is a good conference to go to this year.

I still have quite a bit of work to do on my presentation and slides, but the key idea is to cover how a new generation of application security thinking (using TDD, Docker, Test Automation, Static Analysis, Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, ELK) not only makes apps more secure/resilient but it allows them to be developed in a much more efficient and productive way

Thursday, 4 February 2016

Job post on "Application Security Manager" for The Hut Group (in Northwich, UK)

Here is a real cool opportunity to work for a company that is focused on Application Security and developing innovative solutions to embed Application Security into the SDL (disclamer: I'm currently contracting for them as interim 'Head of Application Security')

You can see full details at https://www.linkedin.com/jobs2/view/102336625 and here is the main description
We are looking for an individual to who can take a hands-on approach to build and run an industry leading application security team. The Application Security Manager will develop, implement and run a secure application development program, with supporting standards and processes, and formal methodologies where relevant. 
Securing our applications and customer data is critical to the success of our business. The Application Security Manager will be a security evangelist who can translate security concepts to technical and non-technical audiences, and will approach application security from the perspective of business risk. This person will be the leading authority for Application Security within the group.
In addition to being an AppSec expert, the key for this role is to have significant development experience/knowledge.

A large part of the work is in supporting the existing network of Security Champions and working with devs/architects on figuring out how to secure the wide variety of apps they are developing (see here and here for more details on what these Security Champions do)

You can apply for the job at that LinkedIn page, and let them know that you saw this on my blog :)

Wednesday, 3 February 2016

First-Party-Only Cookies - nice solution to mitigate CSRF

Just saw https://tools.ietf.org/html/draft-west-first-party-cookies-01 which proposes

   This document updates RFC6265 by defining a "First-Party-Only"
   attribute which allows servers to assert that a cookie ought to be
   sent only in a "first-party" context.  This assertion allows user
   agents to mitigate the risk of cross-site request forgery attacks,
   and other related paths to cross-origin information leakage.

It looks really good, and it seems that Chrome 50 is going to support it https://www.chromestatus.com/features/4672634709082112

The current solution seems to be inspired by the SameDomain Cookie attribute as described at http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt

I actually prefer the SameDomain name to First-Party-Cookies :)

Reverse engineering recently patched Wordpress

On the topic of the recent Wordpress update (see https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release) I was asked an interesting question which was ‘how to test/exploit’ the patched vulnerabilities? (namely the SSRF one)

Since this seems to be an scenario where Wordpress has not released the details, one way to do it is to diff the current release with the previous one

Depending on the technology, this can be really hard (C++ patches requiring IDA Pro foo) or doable (.NET, Java, PHP)

Assuming that Wordpress is not distributed in compiled PHP (http://stackoverflow.com/questions/1408417/can-you-compile-php-code) this could be as simple as doing a file diff (it will depend on how many changes where made in the current release)

And how to perform this diff?

Use Git :)

Just:

  1. install previous version
  2. commit all files
  3. install upgrade (which in Wordpress can be done via the web interface)
  4. review changed files (it might be useful to commit files that clearly are not related to the issue)

Monday, 1 February 2016

Come on Amazon, its time for 100% TLS (aka https)

On a thread about moving a site to 100% TLS (ie. SSL), which btw, is the right thing to do in 2016 if one wants to protect users from Man-in-the-middle attacks, I was asked this question:
I notice Amazon is not secure until you authenticate, then all pages become secure. This is an interesting approach. What do you think Dinis?
This really sucks!

Lots of eCommerce companies look at Amazon as the benchmark on what to do (and what risks to accept), so the fact that they don't support 100% TLS (as can see by googling amazon) is not helpful at all.

Here was my reply:
Well shame on Amazon for not also not doing 100% SSL 
That said, amazon has an amazing application security team (with https://firebounty.com/bug-bounty-program/16/amazon) and they have quite a lot of visibility into what is going on in their platform (namely on fraud and account hijack/abuses) 
Also, Amazon is getting there, for example note how if you start your amazon journey on https:// (in most cases) you still stay in SSL if you do some actions and go to checkout
Yes there are users that don't support TLS and in some cases there are a couple performance tweaks that will need to be done. But we shouldn't be downgrading the security of 99% of users due to a couple user's locations or browsers.

The ones to follow on this topic are ETSY (see https://codeascraft.com/2012/10/09/scaling-user-security) who did this change in Oct 2012

Wednesday, 20 January 2016

Published update to my Practical Git and GitHub book

You can get the latest version from https://leanpub.com/Practical_Git for FREE (by choosing the $0 minimum price).

Here is the email I send to my readers:
    Hi, thanks for being reader of my Practical Git and GitHub book. I just released a new version which contains a large number of content and images fixes.

    This version is very similar to the previous release, but I'm planning to make big changes in the next months.

    I'm going to add a number of new chapters and remove content that might be better in a different book.

    I really would like your feedback, so please don't hesitate to contact me at dinis.cruz@owasp.org or directly at the GitHub repo that contains all content and current Issues: https://github.com/DinisCruz/Book_Practical_Git/issues

Saturday, 16 January 2016

Published update to my Practical AngularJS book

You can get the latest version from https://leanpub.com/Practical_AngularJS  for FREE by choosing the $0 minimum price.

Here is the email I send to my readers:

Friday, 4 December 2015

JIRA Workflows for handing AppSec RISKS

Recently I have been acting as 'head of Application Security' for a couple UK companies, and one of my most effective actions has been to setup the JIRA workflow that you can see below.

The key to this workflow (and the secret of its success) is the action to get the business owners to click on the 'Accept Risk' button. 

That simple action makes the whole difference, since that is the moment that a particular RISK become REAL.

Now, the responsibility/decision/liability of NOT fixing an issue, is clearly mapped to an individual (which in some cases can even be the CTO).

Note that the definition of 'not fixing' should be 'will not be fixed in the next couple weeks'

Paying OWASP Leaders and some ideas on how OWASP should be supporting its projects

(based on an email to the owasp-leaders list)

The reasons why I believe OWASP  should not be allowed to pay owasp leaders are listed here http://blog.diniscruz.com/2012/04/why-owasp-cant-pay-owasp-leaders.html

And since I have not been on the OWASP board for about 5 years, I think we need to realise that IF it was possible to pay owasp leaders to work on OWASP projects, THAT (paying owasp leaders) would have happened by now (after all, there has been enough budget to make that happen)

The problem is that there is still this 'idea' that "IF ONLY we could do that (pay owasp leaders) amazing stuff would happen". 

Request for OWASP board to approve 100K for a project Summit in 2016

(sent to the OWASP leaders list in early Dec 2015, following the original request made in June 2015)

Bumping this thread, since I believe not much has happened since.

I would like to request again for "OWASP board to approve 100K for a project Summit in 2016. And then ask for a team or OWASP leaders to lead that effort"

Proposed new strategy for OWASP projects - They are Research Projects

(variation of an email send to the owasp leaders list)

I think a key problem is the expectation that OWASP should ever be able to develop professional, best in class and 'secure' apps.

These conversations always tend to have a base on the idea that OWASP 'should not have a lot of projects' and 'only focus on a couple high-value/high-quality ones'. This never gains traction because that goes completely the model and culture of OWASP projects.

The reality is that really good a solid projects at OWASP are the exception and the outliers.


Monday, 9 November 2015

Do you deserialize Java objects? Jenkins zero day and vunls in WebLogic, WebSphere, JBoss, OpenNMS and Appache commons

Security Champions, last week the What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? vulnerability research was published and it included a number of quite worrying exploits on Java apps, more specifically on apps that use the Apache commons library (update: it looks like this is not a vuln in Apache commons, but in how it is used).

This is following up the Java Deserialization research published earlier this year on Marshalling Pickles and Exploiting Deserialization Vulnerabilities in Java (which is a variation of the XStream/XMLDecoder vulns/research I was involved in 2013)

It also looks like the Jenkins issue mentioned in the latest research doc is a zero-day on Jenkins: Mitigating unauthenticated remote code execution 0-day in Jenkins CLI

Since this is a vulnerability that allows RCE (Remote Code Execution), it is really important to understand your internal/external exposure to java deserialization, Jenkins and apache commons usage.

Monday, 2 November 2015

Four amazing years and good luck TM 4.0

After working very hard on multiple versions of TeamMentor (TM 2.0, 3.0, 3.5 and 4.0), the time has finally come for me to let TM go, and move my Application Security efforts in other directions.

The last 4 years at SI have been an amazing experience and I've learned a lot.

Not only I increased my development skills (.NET, Java, Eclipse, Node, Javascript), I finally understood what TDD is all about and where security fits within the SDLC.

I really want to thank Ed and Jason for the opportunity, and the amazing worldwide TM development team (Serge, Michael, Lucy, Roman, Salle) for making TM 4.0 a reality.

I'm sure mine and SI paths will meet again. In fact I'm still contributing a couple bug fixes to TM, so I'm still around :)

Good luck to SI and all the team

PS: In case you are curious, I'm now helping UK companies to set up their Application Security Programmes (i.e. I'm a part-time 'Head of Application Security')

Thursday, 29 October 2015

How to detect SQL Injection at SQL Server level (via SQL Errors)

Question: how to detect SQL injection on an high-volume SQL Server just by looking at SQL Queries errors?

I know some guys (like ETSY) are doing this, but when I was talking with some MS SQL Server DBAs today, they couldn't find an easy way to do it at the SQL server.

The logic is that there should be no SQL compilation errors in an Production SQL server, so any errors that occur, must be:

Monday, 19 October 2015

What are Security Champions and what do they do?

Security Champions are a key element of an AppSec team, since they create an cross-functional team focused on Application Security 

Here is an good definition for you to customise to your culture and workflows:

What is an Security Champion?
  • Security Champions are active members of a team that may help to make decisions about when to engage the Security Team
  • Act as the "voice" of security for the given product or team
  • Assist in the triage of security bugs for their team or area
What do they do?
  • Actively participate in the AppSec JIRA and WIKI
  • Collaborate with other security champions
    • Review impact of 'breaking changes' made in other projects
  • Attend weekly meetings
  • Are the single point of contact for their assigned team
  • Ensure that security is not a blocker on active development or reviews
  • Assist in making security decisions for their team
    • Low-Moderate security impact
      • Empowered to make decisions
      • Document decisions made in bugs or wiki
    • High-Critical security impact
      • Work with AppSec team on mitigations strategies
  • Help with QA and Testing
    • Write Tests (from Unit Tests to Integration tests)
    • Help with development of CI (Continuous Integration) environments
Further reading

Wednesday, 14 October 2015

Mapping the attack surface for client side code (i.e. JS code)

Although at first it might look that on a browser the concept of attack surface doesn’t matter, unless you are building a pure html website with NO Javascript, you will also need to consider the attack surface of your code.

The attack surface is basically the ways the code execution can be affected/influenced by an attacker’s data/actions 

For Javascript code that is running on browser there are three main sources of malicious data

Saturday, 25 July 2015

500 USD budget available for Google Cloud use by OWASP Projects

(below is an email I just sent to the owasp-leaders list about the 500 USD budget I requested from the 'OWASP budget available for OWASP projects')

OWASP leaders, FYI we now have a 500 USD budget approved to spend on Google Cloud (some more details on the thread below).

This is basically open to any OWASP leader to use on OWASP projects. 

Part of the idea is to figure out good use cases of using cloud resources (like the ones provided by Google Cloud) on OWASP projects

I've setup an Slack channel to talk about this and to manage its use: https://owasp.slack.com/archives/projects-in-cloud

If you want access to the admin console (for example to setup your linux/docker/windows VM) drop me, Fabio or Matt (ideally via Slack) a simple email and we'll add you to the cloud users ground.

This is early days of this experiment and we still need to create a couple Rules of Engagement and scripts to manage the environment, so if you want to be involved in that part of the action it would help to make this resource available to a wider community.

As a example of the kind of usage that OWASP projects can have of these Google Cloud resources, based on a recent thread on the O2 Platform mailing list (How-To Request: Running Real Time feedback inside Visual Studio with C# REPL) we are setting up a Windows VM with VisualStudio 2010


Wednesday, 1 July 2015

UnitTest to auto reload a compiled jade template (with angularJS written in CoffeeScript)

Here is a jade template that is being autocompiled into html (using gulp) which uses coffee-script to create the AngularJS app/controller.

Monday, 29 June 2015

Some comments on jQuery security and our current development stack (based on Node, CoffeeScript, Jade and AngularJS)

Following from Why we are going to use AngularJs 1.3 on TM ...

On jQuery, my experience (in both developing and reviewing jQuery apps) is that it tends to promote an 'lets just hack it to make it work' kind of development workflow. In jQuert code, there are always tons of DOM manipulations, which will always include (browser specific and other) hacks, and create code with quite a lot of dependencies and lack-of-isolation between components. Basically you shown me an large jQuery app (like the one we developed) and It most likely be an app hard to refactor, hard to maintain and hard to understand what really is going on (ironically the power of jQuery tends to create this stuff, since it is always possible to 'fix something' by adding a bit of jQuery somewhere).

And of course jQuery is also a nightmare from a security point of view, since there are quite a lot of sinks that will transform strings into code.

In order to make TeamMentor secure and easy to code we are using the following stack/technologies:

Sunday, 28 June 2015

Why we are going to use AngularJs 1.3 on TM (vs ReactJs)

(As posted on the  Angular JS vs React in Flare issue)

For reference I just had another look at ReactJS vs AngularJS and here are the reasons why I think we should keep on the current path and use Angular on TM 4.0

  • Angular 1.3 is an MVC framework with really good support for: Controllers, Services and Views (React on its own admission is mainly focused on the 'View' component)
  • Angular 2.0 seems to contain most of the big advantages currently mapped to React, so although the jump from Angular 1.3 to 2.0 seems to be quite steep, it will allow us to have access (if needed) to the current perceived React advantages
  • It seems that one of the big advantages of React is it speed, and I don't think we will need that kind of DOM manipulation speed anytime soon (since we will be using the server-side graphdb for that)
  • Most comparisons on Angular vs React seem to:
    • a) conclude that React is better
    • b) be written by users that did not had a lot of experience with AngularJS, and I would say with a lot of experience of jQuery (note that If I get my way we will NOT be using jQuery on TM 4.0 (i.e. it is a banned API :) ))
    • c) focus on simple scenarios (where Angular might be overkill)
    • d) complain about Angular 'complexity' (which again implies not very deep Angular knowledge)
    • e) don't cover how to test Angular/React
  • There are not a lot of published books about React (with the first ones coming out at the end of 2015). Compare this with the dozen books written about Angular
  • The current TM dev team already has good knowledge of Angular (specially since we use it on TM 3.5)
  • AngularJS security seems more mature than React (note for example the use of CSP) and documentation about it
  • I quite like how AngularJS Javascript looks like (specially when written in CoffeeScript) vs ReactJS Javascript which does seem to contain a lot more DOM manipulation (ie. just like jQuery). Of course that on this one I'm bias for Angular because I know more Angular than React :)

Saturday, 23 May 2015

Looking at ElasticSearch, Kibana and LogStash

Which look like a really powerful way to capture and visualise data. Here are the best links I found on the topic (i.e. tabs that I had open)

Thursday, 21 May 2015

Thoughts on Security Authentication and on adding security into an SDL

Here is an (slightly edited) 'brain dump' I just wrote on the topic of Authorisation and SDL.

Let me know what are your views on the ideas presented below:

---------------------------------------------------------------------

The need for a strong Auth strategy

Knowing 'who is talking to whom' is a key pillar of security. Since there is going to be a number of parties and players involved, it will not be possible to have a one-size-fits-all Authentication technology/workflow (specially when dealing with the partner's systems and existing SSO technology).