Archive for December, 2008

2009 – The Year of WebAppSec Solutions

“He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984

Looking back at the last few years, we’ve made some huge leaps at swatting at issues that bit us in the past, but still have not made a huge fundamental leap to controlling the future, and in particular controlling the risk from VALUE attacks, such as phishing, crimeware, and process issues (aka business logic issues).

I’ve been interested in process issues for a long time as it’s the easiest way to get VALUE out of a system. One of the earliest web app sec attacks was against CDNOW back in the mid-90s. They preceded and were bigger than Amazon for a long time. Ultimately, Amazon acquired CDNOW. Why? Apparently, they had a cool front end shopping cart, a payment system and a shipping system. Sure enough, the shipping system took a bunch of hidden fields and accepted a “paid=yes” type of flag. So essentially, you could fill in the hidden fields with the CDs you wanted and skip ahead to the ship bit, and get free stuff. End of story, they’re part of Amazon today instead of the other way around. The opportunity cost of being insecure for CDNOW can be measured in billions and will continue to rise as the years go on. That one attack wasn’t the end of the business, but it set them along the path.

So why in 2009 do we allow 1995 era attacks to succeed? Why is this stuff not taught at University? Why are the business folks who make really bad decisions allowed to continue on doing the same old, same old, when they should know – do know – that it’s going to cost them a lot more in the long run?

So let’s look at the lows and highs of 2008:

Highlights of 2008:

  • PCI compliance starts to hit merchants. They still suck, but unlike before, they’re now going to have to fix their stuff or go out of business
  • PCI 1.2 updated to OWASP Top 10 2007. Awesome.
  • OWASP has a huge security summit in Portugal, deciding on future directions, and an awesome set of security conferences around the world. I think we have hit critical mass
  • OWASP Application Security Verification Standard Released

Low lights of 2008:

  • Phishing and malware links as tracked by APWG rose to their highest level ever.
  • Massive compromise of credit cards continues – vendors continue to flout PCI regulations and common sense.
  • SQL injection attacks launch a million malware infestations

This basically means that attackers have been noted by the mainstream media and others as attacking VALUE through web apps, and not assets, like pwnage. They don’t care about the mechanism so much as the money. This has been my view for at least five years. I don’t care if you control a 100,000 bot fleet – your just deserts are coming soon in your very own dawn raid. I do care if you can steal from 95,000,000 folks or defraud thousands with one e-mail.

“How’s that working out for you?” – Dr Phil McGraw

When we do something that is clearly not working, it is beyond time to do something different.

Back in 2002, I was doing security architecture in web apps for some of my more forward thinking clients. I have a draft book in my OWASP folder on Web App Security Architecture I started in 2003. When I moved to the USA in 2006, security architecture was completely off the average US enterprise architect’s radar. Only today are we seeing some traction in this space, and not everywhere.

Success stories elsewhere

With air safety, various safety bureaus review crashes and make binding resolutions on pilots, manufacturers and airlines to remediate design issues and human factors. For example, in many cultures, a strong hierarchical society is the norm. More than a few co-pilots have sat meekly by, refusing to override their captain as they plowed straight into the ground. So the airlines were forced to change the human element in the cockpit, forcing subordinates to take control when the situation warranted it.

Air safety is a poster child for what can and should be done. From the early days when cowboys ruled the roost and many died, to today when only rail is safer per million passenger miles, air travel is one of the safest transport forms, despite being so inherently dangerous from a physics point of view (speed, height, traffic density, weather conditions, etc). We need to emulate air safety. Web application security is at the point where enforceable regulations are in their early days, like seat belts in cars were 50 years ago. 

We can and must skip 50 years. I’m not a huge fan of heavy handed regulation as I feel it will stifle the next big thing if done wrong, but I think many languages and frameworks are settling around a few major paradigms. We can help them, and they must help their users. 

We KNOW how to secure those meta-issues. We MUST secure those meta-issues. So here’s my 2009 Wish List:

Education

We have to educate those who come after us. This means getting into every CS and Software Engineering course worldwide, and ensuring they have at least one mandatory security architecture / software security subject.

All applications share exactly one feature: security. I don’t think you can be a sound practitioner unless you have at least heard about this most fundamental of issues. It’s like graduating accountants who have not completed Audit 101. It’s completely ridiculous that there’s no equivalent in most CS and software engineering degrees today. 

I am also only going to speak at developer and architecture conferences. Speaking at security conferences is awesome and I usually get married or drunk or both, but it really doesn’t advance the state of the art. Architects and developers must get on board, and to do so requires their buy-in.

Eliminate XSS and SQL injection

We really need to get some basic technical things off the radar, so in 2010 and beyond we can deal with VALUE attacks. To that end, 2009 should be spent encouraging open source and vendors to fix XSS and SQL injection. We know how to fix these things. OWASP’s ESAPI has the canonicalization, input validation, and output encoding features that every application can use. Every modern framework has prepared statements or a safe(r) mechanism than dynamic statements.

I encourage the OWASP leadership and those in leadership positions to take a stand on these two items. I call on all framework providers to make the simplest possible output mechanism XSS safe. I call on framework providers to deprecate and eliminate dynamic SQL queries, or at least make serious warnings pop up so that folks know that they should not be using those interfaces. I call on open software repositories to stop downloads of packages that have open CVE entries. It’s important to bubble up the importance of safe software, and we can’t do this by wishful thinking.

We can do this. It’s not a pipe dream. 

Security Architecture Is a First Class Citizen

It’s important to start putting security architecture in its place – which is every bit as important as the shiny buttons folks click or the processes businesses use to get stuff done. We cannot hope to eliminate design issues that allow VALUE attacks unless security architecture fu is strong within every organization writing software today. 

Although history is written by the victors, we’re a long way from victory. Let’s get cracking!

Santy Paws Came To Town

Well, that was a blast. 

On Wednesday afternoon, I took Baby Girl to see Santy Paws (Satan Claws or Santa Claus, depending on if you believe in Ceiling Cat, Basement Cat, or are just a plain pagan). We stood in line for close to three hours. There was one Santa’s helper on duty, and for obvious reasons (being ridiculously old), he kept on taking breaks. You’d think Columbia Mall would work out…

Thousands of parents x $13.95 (at least) per sitting == they can afford more than one Santa, and possibly a few hundred Santas.

But no. Oh well.

Baby Girl was awesome. She hung out in line with me even though she had little to do, and couldn’t go crawling or exploring – which as every parent knows is a recipe for Total Munchkiness. However, she was happy for the most part – including the first bit when we shuffled past Santa’s Grotto on the way to the entrance some hour or so ahead. She liked what she saw – kids sitting on this old man’s knee and stuff going on. However, looking back now, I think it may have been the computer and the cameras. She’s an awesome geek grrl and loves her gadgets.

The line went on and on. When she got too antsy, I gave her some puffs and water. After about two hours, she started getting really antsy, trying to stand up and get out of the stroller. So I fed her one of the last pre-made bottles. Awesome baby girl returned. I didn’t know how much longer she’d last as it was well past nap time, but I persevered. She let the slightly older girls just in front of us touch her face and play with her toys on the front of the stroller. Things were looking good, even though I really wished she had taken a nap.

She was ultra good right until the end. Santa took a break just before me, and as he walked past, Baby Girl started to show the five early signs of being tired, which is being a bit crotchety and rubbing her eyes and being a bit of a munchkin. Oh well, only a few more minutes. 

So Santa came back, and I quickly put her on his lap thinking this could be a one shot deal, all the while making sure she could see me. I didn’t even let go of her hand before…

WAAAAAAAAAAHHHHHH!

Tears started flowing, tears of real fear. She stared at Santa, pulled away towards me, and started gulping air. Not good. Although I secretly (okay, not so secretly) wanted a photo of her crying as that makes an awesome 21st birthday picture, I didn’t want what came next…

BAAAAAAAAAAARRRRRRRRF!  WAAAAAAAH!

Santa got it good, and so did baby girl’s costume and the floor. Suffice to say, as she’s growing up fast she doesn’t do inoffensive and small up chucks any more. She did a veritable projectile exorcism of toddler barf. It stunk of mostly digested puffs, milk, lunch and formula. Poor baby girl!

I took her to the men’s bathroom, which thankfully had a change area, and got her cleaned up and changed into emergency civilian clothes.

She looked at me so sadly that I couldn’t take her back to go sit on the old man’s lap again. I’m reasonably certain Santa was relieved as well.

So no Christmas photo with Santa this year. Of course, from the Silver Lining in Every Bad Cloud Situation Department: I have an awesome story for her 21st birthday! Yay!

A review of 2008

Last year, I made the following observations / resolutions. Let’s check out how well I did:

  • Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. 

I think I succeeded at this one.

  • Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?

Although I am lighter (149 kg down from probably ~ 155 to 160 kg), I’m not significantly lighter. I could have been close to 100 kg if I had stuck to an appropriate diabetic friendly diet and exercised more. I blame baby girl. JOKING. I’m a member of the cult again, and I have diary entries for walks and gym, so hopefully this time next year, maybe I could be closer to 100 kg than I am today.

  • Finish at least one piece of first class research in the web app sec field

Nope. Not even close. Started a few though. And that’s the subject of my next post – what to look forward to in 2009.

IE exploit spreading via SQL injection

It’s no news that the latest 0day for IE is spreading via SQL injection attacks. What is news is why are we still suffering from SQL injection? We’ve known for over eight years how to utterly end SQL injection. I’m sick of writing about it. We should not be talking about SQL injection any more. 

This is a call to arms – SQL injection is a done deal. It stops today!

I call on:

  • Acquirers of software to inspect nvd.nist.gov and determine if the software you’re about to acquire has ever had SQL injection. If so, make sure it does not use dynamic queries today. If it does, do not acquire or use it.
  • Managers of software libraries to investigate all software in their possession in the same way. If it has had SQL injection in the past, it’s likely that it still has dynamic queries today. Write to the project and demand a version that has no dynamic queries. Make transition plans to get off faulty software if they do not respond or cannot respond in a reasonable time frame. We did this for the Y2K effort, it’s not that hard
  • Open source project houses such as Google Code, Microsoft’s CodePlex and SourceForge should put projects on notice that have dynamic queries that their downloads page will be disabled by Dec 31, 2009 if they have any dynamic SQL queries in them. I know this is a lot of work, but I can’t think of an easier way to provide outreach to so many projects simultaneously.
  • CISO and CIOs and lead architects to outlaw the use of dynamic and concatenated queries in your policies and coding standards and to mandate the use of un-injectable alternatives
  • Developers to stop using dynamic queries and concatenated strings in prepared statements. With all haste, migrate all your code to prepared statements, stored procedures (noting that these still may have issues), or an alternative data storage mechanism, such as Hibernate or Active Record 
  • Frameworks to deprecate and eliminate dynamic SQL query interfaces (Java’s Statement, PHP’s mysql interface, etc) with extreme urgency. Today, they should emit warnings in DEBUG mode, and in six months to a year, they should cease to exist
  • Frameworks should inspect prepared queries in DEBUG mode, and if there’s a WHERE clause without a placeholder, the query should raise a warning during compilation or runtime depending on how your language operates. Of course, there are SQL queries that have where clauses that are static, but these are the exception not the rule. We need to help developers pinpoint weak statements, so a pragma or comment mechanism to shut the warning down would be helpful too
  • If you audit or review source code, you should mark all dynamic SQL queries critical. Because they are critical risks. Without understatement or hyperbole, dynamic queries are an obvious clear and present danger to the world’s IT infrastructure and they simply do not need to exist.  
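As an added illustration of the framework asks above (warn in DEBUG mode on a WHERE clause with no placeholder, with a pragma to silence the rare static predicate) and of the developer move from concatenated strings to prepared statements called for here and in the “Eliminate XSS and SQL injection” post, the following Python is example code written for this page, not code from any framework or OWASP project. The `LintingCursor` wrapper and the `-- static-where` pragma comment are hypothetical, and the sqlite3 table and rows are constructed sample data.

```python
import re
import sqlite3
import warnings

# Bind-parameter styles the lint accepts: JDBC/sqlite "?", named ":id",
# DB-API "%s" / "%(name)s", PostgreSQL "$1".
PLACEHOLDER = re.compile(r"\?|:\w+|%s|%\(\w+\)s|\$\d+")
# Hypothetical opt-out pragma for the rare genuinely static WHERE clause.
ALLOW_STATIC = re.compile(r"--\s*static-where|/\*\s*static-where\s*\*/", re.I)
# Text of the WHERE clause up to the next major clause or the end of the statement.
WHERE = re.compile(r"\bWHERE\b(.*?)(?=\bGROUP\s+BY\b|\bORDER\s+BY\b|\bLIMIT\b|;|$)", re.I | re.S)


def lint_where(sql):
    """Return lint messages for one statement; an empty list means it passed."""
    if ALLOW_STATIC.search(sql):
        return []
    m = WHERE.search(sql)
    if m is None or PLACEHOLDER.search(m.group(1)):
        return []
    return ["WHERE clause has no bind placeholder: %r" % m.group(1).strip()]


class LintingCursor:
    """Wraps a sqlite3 cursor and lints each statement before running it (the DEBUG-mode idea)."""

    def __init__(self, cursor, debug=True):
        self._cur = cursor
        self.debug = debug
        self.findings = []

    def execute(self, sql, params=()):
        if self.debug:
            for msg in lint_where(sql):
                self.findings.append(msg)
                warnings.warn(msg)
        return self._cur.execute(sql, params)


def demo():
    """Constructed sample: one concatenated query, one bound query, one static query with opt-out."""
    cur = LintingCursor(sqlite3.connect(":memory:").cursor())
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT, active INTEGER)")
    cur.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "alice", 1))
    user_input = "alice"
    # The pattern the post wants outlawed: caller data spliced into the statement text.
    cur.execute("SELECT id FROM users WHERE name = '" + user_input + "'")
    # The replacement: a bound parameter, so the statement text never carries the value.
    cur.execute("SELECT id FROM users WHERE name = ?", (user_input,))
    # A legitimately static predicate, silenced with the pragma comment.
    cur.execute("SELECT id FROM users WHERE active = 1 -- static-where")
    return cur.findings  # one finding, for the concatenated query only
```

Run `demo()` with `debug=False` on the wrapper to see the production behaviour the post asks for once the warnings have been worked through: the same statements execute, nothing is reported.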

SQL injection stops today! There’s an awful lot of code that needs fixing, so let’s get cracking.

Wordpress 2.7 released with easter egg

As I noted a few weeks ago, WordPress has had an obfuscated easter egg in it for some time.

Despite reporting this security defect / software engineering malpractice to two different WordPress folks (the author of the excellent WP development blog, and the security team’s e-mail), 2.7 was released with the easter egg. 

Hopefully, this will be resolved in a future release.

I fear mitochondria

I was having lunch today at a nearby Chinese restaurant. I was seated next to some young folks who were loudly having a biology discussion. I tuned in because I’m a geek, but I kept my mouth shut after I heard one bad science moment after another.

Unfortunately, the discussion quite quickly changed from being a biology discussion to a metaphysical discussion about whether mitochondria see us as the parasite or vice versa. Whilst I am not a biologist, I do receive “Nature” and therefore have the right to blog mindlessly on this topic and any other science related topic.

From what limited understanding I scraped from the Wikipedia article, mitochondria and us are at best symbiotes, but the reality is that without mitochondria we would be nothing and without us, our specific types of mitochondria would not exist. Therefore, I doubt the mitochondria fear me any more than I fear the trillions of them running around my body right now.

In the next few minutes, the discussion on the next table did not get any closer to making any sense. In the end, I realized that they were design students (I am lunching near Madison Ave). Nothing wrong with design and fashion per se beyond its obvious superficiality and banality, but it’s obvious that science is not a part of their education.

I wonder about this country’s long term future. The USA needs folks who at the very least understand science and do not fear it.


Say no to censorship - No Clean Feed!

This page is now black to protest the Australian Government's decision to censor the Internet. Censorship is possibly the most un-Australian act of all. Please write or call your local member and senators immediately to express your displeasure. Go to rallies. Twitter #nocleanfeed regularly. Blog. Facebook. Support the EFA. Vote for anyone but Labor. We must defeat this evil bill for our children's sake. Most of all - mass civil disobedience is vital.