About vanderaj

Just another security geek

On APT

Recently, RSA was attacked by adversaries who targeted their two factor authentication fobs.

These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way.

RSA chose not to discuss the details of the attack, using the old furphy that disclosure will damage their customers (reality: it would damage RSA’s brand). RSA’s silence allowed

Advanced

Persistent

Threats

to execute the boldest cryptographic information warfare attack since Enigma.

RSA’s (IMHO) cowardly silence has actually damaged their customers in highly spectacular fashion. RSA told us nothing, so we couldn’t ask our clients to change vendors in a staged way, or to disable access, or put in other controls. We could guess, but business decisions are not made that way.

Now the brand damage to RSA will truly begin. This is the end of the simple RSA fob. Even if a better algorithm or fob is used, RSA are toast as no one will trust them any more, particularly in the sort of organizations that buy fobs by the pallet.

APT boosters have said vociferously – “see, it was APT!”. Yep, I agree. It’s one of the few times that truly worthy attacks are out in the open enough for us to get a small glimpse into what’s really going on.

Unfortunately, due to widespread abuse of the term, APT is the laughing stock of the information security world. The folks who routinely use it with knowledge can’t discuss why APT is any different to the other threats out there today. Everyone else has no clue.

I’ve seen CSOs give up, thinking that since these attackers are so advanced, surely we can’t protect against them, or they buy stuff marked “Solves APT TODAY!1!” when in fact, hard work is required. Nothing very hard, just simple stuff like input validating every field and not tolerating insecure software any more.

But for your average CSO, finding out if an application was developed in a secure fashion and that every parameter is validated is impossible. It shouldn’t be. But that’s not the main point of today’s post.

It’s moderately clear in the fog of active disinformation that the weaknesses used in the RSA, Sony, and PBS hacks are well known and easily exploitable. The solution is like losing weight. There is a simple solution that works – albeit slowly. It’s called eating the right amounts of good food for a year or two and exercising hard every day. Anyone who has tried to lose weight, including myself, knows that we really just want an APT strength diet pill.

I think most of us in our industry will acknowledge that penetration testing has become “different” over the last few years, from literally shooting fish in a barrel with the most rudimentary or no tools, to requiring a fair bit of work, and moving up the value chain to find interesting and exploitable issues the business cares about.

In terms of results, I think we’re still finding 10-20 things wrong in every app. Attackers need one. This is the attacker’s advantage. The number of weaknesses, the type of weaknesses, and the severity of the weaknesses are NOT “advanced” in any way shape or form in 95%+ of the code reviews and penetration tests I perform. The other 5% have been working with me for a while, are mature risk managers, and they’re hard to attack as a result.

But because of the hard core mystique surrounding the use of the term “APT”, we’re seeing completely inappropriate uses of the term everywhere from anti-virus scanners through to security appliances that promise data loss protection but forget that the information security triangle is people-process-technology. Putting one in place doesn’t solve the other two, nor negate your responsibilities to put in appropriate controls that PEOPLE can live with to do their JOBS and make the business MONEY.

My twitter icon is the famous drive around control image:

Access controls are only for those with easy access

This is where folks promoting APT fail. I am not denying that the attackers who have found an end run around a widely known security control are

Advanced

Persistent

Threats

Anyone who targeted a particular firm, utterly broke a long standing crypto system, and did everything else required to obviate the hardened controls of at least two military industrial giants is worthy of the term APT.

Unfortunately, APT as a term is so brand damaged in the info sec community (try saying it at a public event without being openly laughed at), that we have to choose a better one, one that marketers would never dream of using inappropriately. I don’t know what it is, but surely

Enemy Combatant

or

Soon To Be A Small Pile Of Glowing Ash (STBASPOGA, or the more friendly sounding Strasbourg)

are right up there.

Worse still, the fact that these Strasbourgs really are APTs doesn’t mean that we should forget to do the hard work, but instead demonstrates the paucity of protective information security research. Some of you might remember me saying a year or two ago that too much attention is paid to those who hack, and not enough on those who defend. Strasbourgs should mean more dollars in pro-active research. We need to make it difficult to develop insecure software. We should make it easy to determine if Acme’s latest release of their widgets is insecure. We should have metrics that easily demonstrate insecure software costs more. We should make it legally untenable to ship insecure software, and give redress to consumers when their investments, privacy and intellectual property are violated due to stupid, simple weaknesses that we knew about in 1965.

Time for something new

As many of you have probably noticed by now, my larger than life frame is not at AusCERT 2011. This is a shame as it sounds like one of the best AusCERTs in the history of AusCERT. There’s a couple of reasons for my absence - flu and the strange case of the disappearing job.

My services at Pure Hacking are no longer required, and so I need to get on with the job of getting on with the next phase of my life – and that means finding a great job that allows everyone to win.

There are a couple of options on the table as I write this. But the most intriguing to me right now is to be the advanced gun for hire for consultancies with schedule overload. If you think your consultancy could use me in that fashion even a few times a year, I definitely want to hear from you. If I can make alliances with even a few of you, this could work for us all. This would allow me to work for anyone in the world from my lab here, and would allow consultancies all over the world to plug their scheduling nightmare with one of the best web app sec minds* out there period.

I have a strong preference for remote telecommuting jobs as I live in a regional city. This doesn’t mean that a full time job in Melbourne is out of the question, but I will be upfront about my need for flexibility (i.e. allow me to work on the train and a day a week at home), or full time remote working from Geelong. Being 2011, full time or partial telecommuting should not be a difficult decision today.

I know I have a small but loyal readership in this blog, so if you know someone who knows someone, I’m available. I only have a short window before I have to make a decision, so if you’re able to pick me up, I definitely want to hear from you – vanderaj @ greebo . net.

* Just in case you didn’t know, I was the Project Leader and primary author of the OWASP Developer Guide 2.0, OWASP Top 10 2007 (the one in PCI DSS), and ESAPI for PHP, and I helped set the exam for the SANS GSSP (Java).

Upcoming speaking engagements – AusCERT and iTSMF

I am scheduled to talk or give tutorials at a couple of places so far this year.

AusCERT

I am giving a two day Secure Coding tutorial using OWASP’s Application Security Verification Standard.

This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design and code in a positive fashion. You’ll learn about 80 controls over the two days, and complete four hands on labs and a bunch of demos. Of course, you’ll see me demonstrate ninja levels of breaking crappy applications, but my primary goal is for you to build secure software.

Now that you want to come, you should bring your laptop with the ability to run a 64 bit VMware VM. As the VM is Linux, it could be converted to KVM, Xen, Parallels, or Virtual Box. You can take the VM home along with the slides and learn even more later.

This is the cheapest method of getting instructor led training by me. Registration here. There’s about 10 spots left as far as I’m aware.

itSMF

Later in the year, I am giving my well received talk at itSMF, an ITIL aligned operations conference, on how to make your security dollars work harder for you. This talk is aimed at CIOs, CISOs, and those who are tasked with securing their stuff with ever less budget, or ever more capability (or both).

OWASP Podcast 82 – Authorship of OWASP Top 10 2007

Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money have been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be a far poorer place.

But…. the problem starts when he goes through attribution for the OWASP Top 10, starting around the 17 minute mark. Dave says “Jeff Williams and I basically wrote it” (17:10 onwards), and had various people in OWASP review it such as Dinis Cruz and myself. This is exactly what happened for the 2004 version. But the way it was said implies that the OWASP Top 10 2007 was Dave and Jeff’s and I reviewed that too. I’m sure Dave didn’t mean to miss out on appropriate attributions (he’s a straight up and down sort of guy), but just in case anyone thinks like I did when listening to the podcast, I’d like to set the story straight:

The OWASP Top 10 2004 was Jeff and Dave’s. Absolutely agree with this. I’m pretty sure I reviewed it as I was working on the Developer Guide 2.0 at the time.

The OWASP Top 10 2010 is primarily Jeff and Dave’s effort. No problems. I gave up leadership of the project sometime in 2008 when I had to concentrate on personal matters. At that time, I had no draft and had made no effort to update the text. Dave’s effort to restart the project didn’t start until after I’d left Aspect. After the draft PPTX was complete, I reviewed drafts of the release candidates, along with about another 30 or so folks.

The OWASP Top 10 2007 is primarily mine in methodology (strict adherence to MITRE statistics in 2006), research and development, authorship, editing and leadership. For example, I sat down with Raoul Endres in a pho restaurant on a wintry day in Melbourne, Australia, well before I moved to the USA, and worked out the methodology. I delivered a draft to about 30 folks in early January of 2007. Jeff Williams and Dave re-wrote and included a few items that I disagreed with (effectively two crypto sections that were not representative in the statistics), and dropped important issues that I felt strongly about. You don’t win them all, but I would have loved for these findings to have made it.

Some of the sections I wrote up in the draft that missed out in the final version:

  • A7 – Malformed input (dropped – a bad call in my opinion as nearly all flaws are due to insufficient input validation and output encoding)
  • A8 – Broken authorization (dropped – a bad call in my opinion, as most of the easily discovered business logic flaws are authorization related)
  • A9 – Insecure cryptography and communications (became A8 – A9 in the final version)
  • A10 – Privilege escalation (dropped – a bad call in my opinion, as attackers try to do this all the time)

You can see an early draft here. DO NOT USE THIS VERSION – IT’S NOT OFFICIAL!

I strongly disagreed with the dropping of RFI as it’s one of the biggest reasons that PHP sites are taken over, and PHP is by far the most prevalent server platform. RFI belongs in the OWASP Top 10 probably as the #1 item in the Security Configuration section. There are still millions of sites with this particular flaw.

Call me hypersensitive to the way Dave phrased just one sentence in 45 minutes, but I want folks to realize that I didn’t dedicate many nights and weekends to the OWASP Top 10 2007 to have that taken away from me by a glossing over of efforts. I also want to make sure that folks understand that I consider Jeff and Dave friends and utterly respect their long time efforts with OWASP.

* Full disclosure – I worked for Aspect Security between December 2006 and January 2009. Dave and Jeff are founders of Aspect Security and thus my employer during the latter stages of Top 10 2007 gestation. I had a great time at Aspect, worked with amazing customers on cool projects, and have very fond memories of the USA.

Need a secure code review? We have slots available

I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. :-)

We have open slots in our schedule for secure code reviews starting from mid March 2011.

We perform our code reviews against the OWASP Application Security Verification Standard:

  • Level 2B – Automated Review using Fortify 360 coupled with a manual verification of 83 items (Architecture, Authentication, Authorization, Session Management, Data Protection, Cryptography, etc)
  • Level 3 – Includes all of the above, but 110 inspection points. The sweet spot of our reviews in my personal opinion.
  • Level 4 – Includes all of the above, plus manual inspection for trojans, backdoors, etc.

These reviews help folks wishing to comply with PCI DSS or PCI PA DSS, or just wish to know that their websites are safe and secure.

If you’d like to discuss things further, please e-mail avanderstock (at) purehacking.com.

Take Two on Top 10 2010 Security Defenses

A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses.

Epic fail.

Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting out a fire that costs a million bucks to put right than to be the materials engineer who designs cheap fireproof cladding. I’m burying the hatchet as I burnt a fair bit of goodwill in my original announcement, which was not my intention at all. We still need folks to break stuff and disprove snake oil, so there’s a place for the dark side whether I agree with the focus on the dark side or not.

Just two nominations made Andrew sad despite the worthiness of the submissions.

  1. Rob Lewis nominated Trustifier http://trustifier.com/ryu/features.html
  2. I nominated Josh Zlatin, a colleague for the work he has done on PureWAF, extensions for the OWASP Core Rule Set + Mod Security. You can see the results of PureWAF on Pure Hacking’s website, which is behind our WAF in the cloud service. That’s not an invitation to attack us, just sayin’

Please discuss or vote in the comments section for who you think should get the non-existent gong.

The Sorta Inaugural 2011 Pure Hacking Top Web App Sec Defenses Competition

There’s a couple of changes. Pure Hacking will be sponsoring the competition in 2011. There will be categories, such as Life Time Achievement, Best Security Architecture, Best Left Field Idea, Best Secure Business Idea, Best Quick and Dirty Defense, Best Educator, and of course Best Defense. I will detail more about the categories as time goes on. I will be getting inappropriate statuettes made with engraving and everything. If you feel like you can donate something to boost the booty, contact me.

As for nominations, I will keep a running tally of awesomeness from my RSS feeds and other sources. You can nominate your favorite folks and defenses by e-mailing me – vanderaj ( at ) owasp.org. Come December 1, 2011, I’ll put them up for voting at which time I will disclose the prizes.

So far:

1. OWASP’s XSS roundtable at the OWASP Summit in Portugal is a worthy nominee. Let’s stamp out XSS.

2. I think Gunnar Peterson should get a Lifetime Prize just for being Gunnar. If more of us thought like Gunnar, the world would be a safer place and folks would be making a LOT more money than they do today.

Please keep this competition in mind throughout 2011.

Security checklists are not bad, it’s how they’re used

There’s a meme that’s been running around the anti-PCI DSS crowd for a while, that’s starting to get good traction in otherwise sane infosec folks:

  • (Paraphrasing) Checklists don’t work

Actually, PCI DSS is making in-roads in containing data breaches. See for yourself.

So what’s the big deal?

Those who know me, know several things:

  • I wrote the OWASP Developer Guide 2.0, the grand daddy of security advice.
  • I was primary author of OWASP Top 10 2007, which is in PCI DSS 1.1 and later.

Thus you’d expect me to defend checklists. And I will, but not in the way you’d expect.

I rail against checkbox / “pass a test” thinking. If you’ve taken a training course by me, you’ll know that I’ll tell you don’t collect ANY logs unless you’re going to do something useful with them. I tell you to use security as a competitive advantage – e.g. raise transaction limits by reducing your risk exposure. I tell you to align application security with enabling secure business. Security is not a speed hump. Security is not brakes on a car. Security is the mind set, knowledge and activities that allows you to do things you can NEVER do without security.

So where do I think checkboxes have a place? For trained professionals. Pilots have extensive checklists. They work – flying is THE safest form of transport, despite working against a few very ouchy laws of physics.

We (and in particular, I) have created checklists that work. We know that SQL injection is a problem. Don’t include it – it’s negligence to do so. It’s #1 job in the Top 10 2010. We know that XSS and input validation / output encoding is a problem. Don’t include it – it’s negligence. It’s #2 on the Top 10 2010.

My mind was made up a few years ago, shortly after I finished the Developer Guide that it’s insufficient to engage with info sec teams. We must fix the frameworks. Make it hard to do SQL injection or XSS by default.

We must engage with the business and raise their expectations from “okay, I gotta set fire to $10k for a review, where do I sign?” to being a trusted business partner, enabling them to do amazing things that are simply unimaginable a few years ago, but safely. Security enables secure business. Any consultant, any info sec person who forgets this, forgets who pays their bills.

This is not to say that I want you to do ONLY the things in whatever checklist you decide on. I included this text in the Top 10 2007, and it stands true today:

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.
Security is not a one-time event. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application’s code, you may be vulnerable. Please review the advice in Where to go from here for more information.
A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the OWASP Guide, which is essential reading for anyone developing web applications today.
This document is first and foremost an education piece, not a standard. Please do not adopt this document as a policy or standard without talking to us first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.

Think outside of the box. Create high technology business enablers that your competitors think are indistinguishable from magic. But whatever you do, don’t give the checklist to an unqualified person. That’s simply not their point.

p.s Stop bitching about PCI DSS. It’s an unqualified success at what it set out to do.

Passwords are neither free nor cheap

I don’t know how many clients over the last decade I’ve been trying to get this basic fact through their very thick business skulls, but here goes again:

PASSWORDS ARE NOT FREE
PASSWORDS ARE NOT CHEAP
PASSWORDS ARE NOT SAFE
PASSWORDS ARE NOT ACCEPTABLE FOR HIGH VALUE DATA / APPLICATIONS. EVER.

Vodafone has found this out to their immense cost and on going public relations disaster.

By changing the faulty business decision (passwords) every 24 hours, VHA are sticking their finger in the leaky dyke. They sell mobile phones. They could step up to two factor / transaction signing with mobiles for CHEAPER than passwords. Especially for them. This is an opportunity for VHA to say – look we’re leveraging our unique selling point (mobile phone operator) to provide world class security. Instead, they choose passwords.

Stop using passwords. Their time was done more than 10 years ago, if ever.

New laptop – Asus K52DR-EX143V

Much earlier this year, the Minister of War and Finance’s (hi Tanya!) old Dell augured in and bought the farm. First, Tanya spilt Milo (granulated malt) grains on the keyboard and this got under the key caps, causing the keys to stick. I tried cleaning it a couple of times, but many keys were never very good after even a solid cleaning. Then I spilt soup into the keyboard. In trying to take it apart and wash off the soup, I managed to break the little ribbon connector holder to the trackpad, and the keyboard didn’t appreciate being taken apart again, and I couldn’t get about six or so keys back on. Despite this, the laptop “worked” with an external keyboard for months. Finally, Mackenzie stomped all over our bed and the laptop, breaking the power cord connector near the screen. This last one did it – couldn’t get any more charge into it.

So I gave Tanya my maxxed out late 2006 17″ MacBook Pro. We were free of the evil, monstrous Windows beast and I was happy even though I was down a computer. Unfortunately, Tanya doesn’t like MacOS, not even after six months. Color me shocked, but there you go.

So for Christmas, I bought her a new Asus K52DR-EX143V from MSY. This unit has a 4 core AMD processor, 4 GB of RAM, 1 GB of dedicated VRAM and ATI HD5470M display chipset, 500 GB of disk, and BluRay / DVD-RW combo drive. Sounds sweet.

Opening the packaging wasn’t too bad (there are videos all over YouTube if you’re an unboxing freak), but then the stark differences between Mac and PC packaging start to set in.

  • There’s quite a lot of papers and odds and ends in the box. With the Mac, you get a simple, small Getting Started booklet and a sticker.
  • The Asus power brick is fairly large, but the cables are pretty short – about 1 m in total length. The end is a traditional plug that is of similar design that caused the demise of the previous Dell. You may need to take an extension cord with you on site if you travel with this model as the cable is pretty short. The Mac has a small power brick with integrated cable organizer, with long cords (about 2 m total) with a MagSafe connector. There’s no doubt in my mind that Tanya’s Dell would have survived if it had a Magsafe connector.
  • However, there’s no recovery DVD (urgh) or installation media. With the Mac, you get a single MacOS X DVD that allows you unlimited re-installs.
  • Stickers randomly cover about 45% of the Asus palm rest. Luckily, they came off fairly easily in about five minutes and a sharp knife. There was some residual stickiness from one of the stickers which I’m still yet to get completely off. There’s no stickers on a Mac.
  • There are a lot of shipping protective stickers on the Asus, such as around the bezel, on the web cam, and so on. Some of it is actually quite hard to remove, such as on the hinges. There’s only a small piece of soft foam between the keyboard and the screen in the last two Macs I had.

Turning on the Asus requires installing the battery, and plugging the power cord in. Immediately, differences between Windows 7 OEM and MacOS X start to stand out. For a start, the Asus is by any standards a fast computer, but it took over a minute to get to the first registration screen asking for personalization and registration details. I was working and online in two minutes out of the box on my Macbook Pro 13″ in 2009.

Windows 7 starts in about a minute, but there’s so much circusware and trial software installed that I spent the next fourteen hours:

  • Decoding and removing all unnecessary crap off the machine. This is still not complete, but I’m much happier now. The Asus now boots in about 45 seconds
  • Removing the stupid “data” disk partition – for some reason there’s a 116 GB system partition (far too big), and a 329 GB data partition (far too small). Removing the data partition solves both issues. To fix it on yours, assuming there’s no data on the data partition, start the disk partitioner (diskpart.exe) from an elevated command prompt and run:

    select disk 0
    list partition
    select partition 3      <-- see note below
    delete partition
    select partition 2
    extend
    exit

* The data partition was 3 on my system - YMMV, and do not delete your system partition!

  • Upgrading Adobe Reader 9 to X
  • Upgrading Flash to be as secure as it'll ever be (which is not very)
  • Installing the 78 patches for Windows, requiring just over a gigabyte of bandwidth, several attempts and reboots
  • Installing decent firewall, anti-virus and anti-spyware - not needed on a Mac (yet)
  • Installing Microsoft Office 2010. There's a trial copy of Office 2010 Starter edition already installed, but that also has all the installation bits for all editions. So I bought the Product Key Card of Home and Business edition and chose "Activate key" to turn Starter edition into Home and Business. However, it failed to install the first time, so I tried again after a reboot and that worked. On the Mac, you just drag MS Office from the install DVD to your Applications folder. The Mac install is far faster and just works. Of course, once installed, there were Office 2010 patches to install.
  • There's no installation media or recovery DVDs, so I broke out my DVD-R supply, and after 2.5 hours (seriously!) it burnt five recovery DVDs with hilarious Chinglish prompts such as "Predictably, burning will take five DVDs to create a recovery DVD". You can't make that crap up. Of course, using the recovery DVDs will blow away all Tanya's data and return the circus ware, but ... it had to be done. The Mac has a full OS DVD and thus doesn't lose any user data, and in many cases keeps your applications and settings working too.
  • I'm currently installing iTunes and migrating data across. This would take time no matter if it's a PC or a Mac, so I'm going to give it a free pass at the moment.
  • I'm still trying to set up Outlook 2010 and her Windows Mobile 6.1 phone. This should be a no brainer, but ... Windows 7 doesn't seem to like Windows Mobile 6.1.
  • I still don't have a Time Machine work-a-like that can back up Tanya's data. This is a serious issue as hers is the most likely computer to die. Suggestions welcome.
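The diskpart step above, redone with the Storage module’s PowerShell cmdlets so that the checks the footnote warns about (wrong partition number, deleting the system partition, deleting data) are enforced before anything destructive runs. This is an added example, not from the original post; it assumes Windows 8 / Server 2012 or later (these cmdlets are not in Windows 7), an elevated session, and the author’s numbering (data = partition 3, system = partition 2) as defaults.

```powershell
# Added example (not from the original post): remove an empty "data" partition and
# grow the Windows partition into the freed space, refusing to proceed if the
# numbering looks wrong. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DiskNumber            = 0,
    [int]$DataPartitionNumber   = 3,   # 3 on the author's machine - YMMV
    [int]$SystemPartitionNumber = 2
)

$data   = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $DataPartitionNumber
$system = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $SystemPartitionNumber

# 1. Never delete the partition Windows boots from or the boot-loader partition.
if ($data.IsBoot -or $data.IsSystem) {
    throw "Partition $DataPartitionNumber is a boot/system partition - refusing to delete it."
}

# 2. The partition we extend must be the one Windows actually runs from (C:).
if (-not $system.IsBoot) {
    throw "Partition $SystemPartitionNumber is not the Windows boot partition - re-check 'Get-Partition -DiskNumber $DiskNumber'."
}

# 3. The post assumes the data partition is empty; verify rather than trust.
#    DriveLetter is [char]0 when no letter is assigned.
if ([int]$data.DriveLetter -ne 0) {
    $leftovers = Get-ChildItem -Path "$($data.DriveLetter):\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin @('System Volume Information', '$RECYCLE.BIN') }
    if ($leftovers) {
        throw "Partition $DataPartitionNumber ($($data.DriveLetter):) still holds files - move them off first."
    }
}

# 4. 'extend' only works into free space directly after the partition, so the
#    data partition must sit immediately behind the system partition (allow a
#    small alignment gap).
$gap = [long]$data.Offset - ([long]$system.Offset + [long]$system.Size)
if ($gap -lt 0 -or $gap -gt 1MB) {
    throw "Partition $DataPartitionNumber does not directly follow partition $SystemPartitionNumber - cannot extend into it."
}

# Destructive steps; both cmdlets honour -WhatIf from the script's CmdletBinding.
Remove-Partition -DiskNumber $DiskNumber -PartitionNumber $DataPartitionNumber -Confirm:$false

$max = (Get-PartitionSupportedSize -DiskNumber $DiskNumber -PartitionNumber $SystemPartitionNumber).SizeMax
Resize-Partition -DiskNumber $DiskNumber -PartitionNumber $SystemPartitionNumber -Size $max

# Show the resulting layout so the change can be eyeballed.
Get-Partition -DiskNumber $DiskNumber |
    Format-Table PartitionNumber, DriveLetter, IsBoot, IsSystem,
                 @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
```

Run it once with -WhatIf first; the checks still execute and any numbering mistake surfaces before a partition is touched.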

Using the laptop

As it's only the second day of having the laptop, I've not done any real work on it yet. PCs are unproductive like that. I'm still yet to find out if it can run videos in iTunes full screen on our TVs, which the Macs do in their sleep. Tanya's previous Dell used to have serious lag time between video and sound and the fans were on full time, requiring extra volume. I'm hoping that this computer is at least as able as a four year old Macbook Pro.

Problems so far

I don't know if this is just me, or known problems with Asus laptops, but I've found that connecting the VGA adapter to a 24" screen at 1920x1080 @ 32 bpp produces a wobbly and shimmering display that flickers a great deal. I would get eye strain after a few minutes if I had to use this as my primary display. So I tried a HDMI cable, but that produced a pink / purple display centered in the middle of the screen. I don't know if this means I have a broken laptop yet, or if this is how crappy all PCs are. I hope it's not broken, as I've invested so much time in getting to where I am at the moment.

Conclusion

In short, the machine is very fast at some things, but booting and running Office seem a bit tardy. The external display connectors don't seem to be working properly. At least it found my Bluetooth mouse and used it without any additional issues.

As a Mac user, I cannot understand why PC manufacturers don't take that little bit of extra time and make sure their product works out of the box with minimal fussing. The circusware was very annoying. That should go, as should the sticker vandalism. The patching was annoying but necessary. It shouldn't require multiple reboots. Someone should test the installation of Office 2010 with a product key card before creating the image. A slightly longer power cable would really help and is not that expensive. And supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although in terms of raw speed, the equivalent Mac is about twice as expensive as what I've spent on the Asus, the reality is that my two year old Mac boots up faster, starts Office 2010 faster in emulation than this thing, and has a better screen and a longer battery life. The price of a Mac with my Mac's performance is $1499, only a few hundred more. If the display ports are broken, I'll have to do all of this again with a replacement unit next week. Argh!

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don't get it.

Top 2010 Defenses

I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me)

Defenses change the world. Defenses make software more secure – permanently, and not just for the week or two until the latest sexy attack is patched. But defenses aren’t sexy and don’t get invites to all the cool conferences, so there’s no prizes beyond a grateful planet.

Yet.

I’m not very surprised to see that attacks are getting all the pretty girls and invites to sexy parties.

Researching attacks as a priority MUST stop. It’s wasting incredible talent. We KNOW that input validation and output encoding is the answer to nearly all the attacks in this year’s Top 2010 attacks (seriously – go look). Input validation and output encoding is unfortunately not sexy. It’s hard work.

Building is far, far, far harder than breaking. If you have elite security researcher skills, you should show your stuff by putting your research time and resources into making the planet safer for everyone. Not everyone can do it. Building a solid defense is at least two to three orders of magnitude harder than finding a new form of XSS or a defect in some poor Gawker PHP script. Just one novel concept can take thousands of hours of hard graft. You still need to know how to break – a defense is useless unless you’ve tested it. But on top of that, you need to know how to code and know HTML/JavaScript backwards. Building defenses takes a lot of effort and in my view is why we have so few serious defence researchers.

Nominations

As I’m starting so late, let’s make it serious by allowing all of 2010 to pass. Nominations can be sent in until Australia Day (January 26, 2011). I’ll put up a vote for folks to say which is their favorite. The winner of our eternal gratitude will be announced on Valentine’s Day.

Please e-mail me – vanderaj (a.t.) owasp.org with your nominations. I’ll update this post continuously until the cut off date.

I’d like to start with:

I know it’s heresy in some ivory tower circles that I nominated WAF modules written by a colleague, but honestly, we need defense in depth measures until coders and frameworks make WAFs somewhat obsolete.

Please send ‘em in.