Month: December 2009

  • Howard Schmidt appointed US cyber czar

    Howard Schmidt has been appointed as the US’s cyber czar. The position has been open for months, which is … interesting … considering how vital IT is to the world’s economy and safety.

    Mr Schmidt, if you read this blog entry, please consider the following:

    • Web Application Security is the most pressing need for change. It’s the key to nearly all attacks today, and the least well funded. Help OWASP and others to improve developer education, get the message out to CIOs to apportion their training budgets and remediation efforts accordingly.
    • Be positive not negative. The attackers really don’t care if you “keep your computer up to date”. Let’s work mostly on things that can stop the issue in the first place. The horses have already bolted. Let’s make a better stable and fences so they can’t get out again.
    • Push for real security, not security theatre. Listen to Bruce Schneier, and not the prophets of doom who want to sell you useless widgets for billions that do nothing but annoy folks.
    • If you can make any change, the first one has to be the removal of indemnity for negligence in software development from licenses and sales. If an ISV doesn’t have a security development lifecycle, doesn’t include secure business requirements, and doesn’t require its developers to be trained in secure coding practices, it IS negligent, and must be open to lawsuits. What we have today is not working and must be changed.
  • Web App Sec Predictions for 2010

    Normally at this time of the year, I would talk about the industry’s achievements over the last year.

    None. Zilch. Nada.

    We’re seeing more SQL injection used in real world attacks than ever before. XSS is still with us, and one of the biggest offenders – PHP – has made zero moves to include proper encoding or encoding by default for echo and print, or including a safe by default generic SQL layer that is enabled by default and works with the three or four most common databases (e.g. MySQL). The adoption of PCI seems to have made little difference in the amount or severity of breaches.
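The two missing defaults called out above, output encoding and a parameterised SQL layer, are easy to show side by side. This is an added example and not code from the original post: a vulnerable `echo`/string-concatenated query next to the same lookup done with `htmlspecialchars()` and a PDO prepared statement. The `e()` helper, the `users` table and the input string are constructed for the example.

```php
<?php
// Added example (not from the original post): contextual output encoding
// and a parameterised query, the two "safe by default" behaviours the post
// says PHP's echo/print and ad-hoc SQL string building lack.

declare(strict_types=1);

// Encode a string for insertion into HTML element content or a quoted
// attribute. ENT_QUOTES escapes both quote styles; the charset argument must
// match the page's declared encoding, otherwise the encoding can be bypassed.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (shown for contrast, not called below): the request
// value is interpolated straight into the SQL text and echoed straight into
// the HTML, so a quote in $name changes the query and a tag in $name becomes
// markup in the page.
function render_profile_unsafe(PDO $db, string $name): string
{
    $rows  = $db->query("SELECT email FROM users WHERE name = '$name'")
                ->fetchAll(PDO::FETCH_ASSOC);
    $email = $rows[0]['email'] ?? '(none)';
    return "<p>User: $name, e-mail: $email</p>";
}

// Hardened pattern: the value is bound as a parameter, so it can only ever be
// data to the database, and every value that reaches the response goes
// through e(), so it can only ever be text to the browser.
function render_profile_safe(PDO $db, string $name): string
{
    $stmt = $db->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $rows  = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $email = $rows[0]['email'] ?? '(none)';
    return '<p>User: ' . e($name) . ', e-mail: ' . e($email) . '</p>';
}

// Constructed in-memory fixture so the example runs stand-alone (needs the
// pdo_sqlite extension, which ships with most PHP builds).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");

// Constructed input containing both markup and a single quote.
$input = "<b>alice</b>'";

// Prints the input as literal, encoded text (&lt;b&gt;alice&lt;/b&gt;&#039;)
// and finds no such user; the quote never reaches the SQL parser.
echo render_profile_safe($db, $input), PHP_EOL;
```

The point of the `e()` wrapper is that it is shorter to type than `echo $x`, which is the only way a safe default wins in practice: if the encoded path is the convenient one, developers use it without being reminded. The same applies to the query layer; once the prepared statement is the obvious call, string-built SQL stands out in code review.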

    Things like ESAPI, App Sensor and ESAPI WAF are the only true breakthroughs in 2009. But outside of OWASP DC, there’s no love for defences. Hats off to Jeff Williams and the entire ESAPI for * team, Michael Coates, and Arshan for the only true web app security efforts this year.

    So let’s forget about 2009 and move on to 2010.

    • Full disclosure / responsible disclosure / etc. has failed (again) to improve security, as it always has. We should stop doing it. Nearly every app has at least one or more of the OWASP Top 10 2007 / 2010 issues. It’s like shooting fish in a barrel or using dynamite to fish. Stop wasting time on it and come research how to put in safety by default in every language and framework, starting with woefully insecure frameworks and languages like PHP.
    • Conference presentations about attacks are still getting all the sexy girls and media! Conferences and the media have to stop promoting attacks – it’s irresponsible and wasteful. Let’s start talking about defences instead.
    • No more penetration tests! We have to stop doing penetration tests. They suck at predicting the safety of a system, particularly insider risks. Pen tests have value at mature clients who have done the hard work – an SDLC, secure requirements, secure development, peer reviews, code reviews, and extensive testing. They are a validation of that other security work, not a “my X is bigger than yours” exercise and certainly not absolute proof of security.
    • SDLCs are still rare in the clients I visit. We need to encourage the adoption of SDLCs, and require secure requirements.
    • Agile still needs a lot of security work. User Stories still have no space for a security outcome in most environments. It’s hard to code review every milestone, let alone every sprint. We as a security community need to do a lot more work here to fit in with the modern development methods in use.
    • Developer training is still in the nascent stage and is the only workable method of producing secure apps by default. I donated my full two day deck to OWASP at the beginning of 2009, but as far as I can tell, it hasn’t been updated or given any love. I hope that can change over the year. Please go here and help make this deck the de facto developer training deck!
    • We have to encourage or even mandate folks who outsource / out task / buy off the shelf software to only allow the acquisition of secure software, with the burden of insecurity firmly on the developer. Laws and licenses that prevent this must be changed as insecure software is not fit for purpose and thus defective. Obviously, there’s a huge difference between accidentally insecure and deliberately insecure software. If you don’t have an SDLC and a security program, an ISV is deliberately insecure and must face the costs of their negligence.
    • Over-reliance on silver bullets (WAFs and so on) is harming the effort to fix the problem. Silver bullets don’t always work, and eventually, you’ll have to do the right thing. I don’t know what we can do here but yell at the sky as the marketing dollars for these things overwhelm that simple message.

    Let’s not waste another year. Let’s get moving on secure defenses, SDLC, R&D in agile technologies, and developer education.

  • Inbox Zero

    It’s Inbox Zero time again. Every year, I do the Inbox Zero thing and archive all my mail (read and unread) on January 1 from the year just gone. I also tell myself it’s time to start following the IZ rules, but … they somehow always fall to the wayside.

    I get a lot more personally addressed e-mail than most folks do, and I don’t have a chance to action every item that needs it. I know I have missed replying to at least 20% of my mail – my bad. To make amends, I will work on replying to the last three months of outstanding mail by the end of the year. But I bet there will be mail that still needs actioning that will be archived.

    Action Required: If you e-mailed me, and not had a reply from me by January 1, please re-send your mail to me after January 1, and mark it REPLY NEEDED in the subject. I have an e-mail rule that flags such messages and I will reply to you.

  • Black Day For Australia

    Today, the Labor Government, pandering to a tiny minority of voters who will NEVER vote for them, will proceed with censoring our Internet.

    Many of these hard right wing “Christian” (who obviously missed the entire point of the New Testament) “voters” (Exclusive Brethren, etc) do not have computers, let alone TVs or newspapers, to be offended by the Internet. Worse still, the Brethren are some of the only people in Australia who are allowed not to vote. And for their vital electoral “support”, we all get censored. WTF!?!

    FUCK NO!

    Today, I start censoring the Internet for Australian Government departments. If your DNS name ends in “.gov.au”, there’s a pretty good chance you’ll not be able to see this site and the other sites I run. E-Mail from .gov.au sites will be delivered to /dev/null. In future works I create, I will make an explicit disallowance preventing Australian Government public servants and contractors from using my materials until the censorship mechanism comes down. I will encourage everyone I know to put up mandatory “.gov.au” filtering. See how you like it when the Internet is useless to you and you have to use personal Internet connections to get anything done.

    I will fight this censorship scheme in every way I can. I will publish mechanisms on how to bypass it. I will encourage people to defeat it, even if they don’t have to. I will campaign against my local ALP member. You’ve made a political activist out of someone who used to just rant about politics around the water cooler. I am not the only one. Labor is doomed for a generation or more by this one heinous act.

    Labor – shame shame shame. I’ve voted for you – stupidly it turns out – for my entire adult life. I’m sorry, but I’ll vote for Donald Duck before I grace your lice ridden corpse with the “1” mark ever again.

    Conroy – he who shall not be named from here on – you are the Internet’s Public Enemy #1. You have cost Labor the next election, even with the Liberals in complete disarray. Labor cannot ever be trusted to govern again.

  • Be careful for what you wish for

    Well, the Emissions Trading Scheme is dead – for now. Yay! I do a little dance on its grave. We’ll have to fight it when the double dissolution election comes up sooner than later.

    However, I wasn’t expecting the mad monk, Tony Abbott, to gain the Liberal leadership. That was a surprise, as I bet it was to the majority of the Liberal party MPs.

    With such a right wing, homophobic, anti-abortion, anti-pretty much anything we’ve achieved over the last forty years to several centuries, and on top of that a truly hard core Catholic, elected leader by the thinnest of margins (1 vote – a donkey vote *), the Libs will be in the electoral wasteland for at least one and probably two more elections. Either the Libs will have to split into the electable bit and the unelectables, or they will have to try again in a few years after they get rid of Abbott.

    Abbott is simply unelectable – even my wife, who leans in the Libs’ direction, doesn’t like him. Sure, Abbott will make the hard core religious and climate deniers happy, but they’re a tiny minority here – and they already vote Liberal. All the moderate swinging voters – they who elect our governments – will abandon ship once they realize just how backward Abbott is on so many things.

    With Abbott being the mental giant that he is, he’s going to oppose pretty much all Government bills. I bet he opposes a really stupid little bill and that’ll be the trigger. KRudd could phone it in and win.

    Bring it on – maybe enough of the disaffected voters will move to the Greens and we can get some real carbon reduction instead of the reward-the-polluters ETS.

    * I bet the idiot ^H^H^H^H^H Member of Parliament who cast the deciding donkey vote (‘no’) is regretting their ineptitude tonight. The silly thing is that the vote was almost certainly cast by a moderate Liberal. That moron has ensured they stay unelected for at least another four and most likely seven years.