Security has to be a intrinsic element of every system, or else it will be insecure. Penetration testing as a sole activity and piece of assurance evidence makes security appear on the fringes of the development, something that you pass or fail, something to be commodotized, a box to be ticked, and ultimately ignored. Penetration testing as is done by most in our industry is incredibly harmful. It’s a waste of investment to most organizations, and they know it so they try to minimize wastage by minimizing the scope, the time, and poo-pooing the outcomes.

Penetration testing should be a part of a wider set of security activities, a verification of all that came before. All too often, we come across clients who want to do a one or two day test the day before go-live. They’ve done nothing else, and when you completely pwn them, they’re terribly surprised and upset.

We need to move on to make penetration testing the same as unit testing – a core part of the overall software engineering of every application.

Penetration testing should never be ill informed (zero knowledge tests are harmful and a WAFTAM for all concerned), and it should have access to source, the project, and all documentation. Otherwise, you’re wasting the client’s money up against the wall and acting unethically in my view.

Tests should come from the risk register maintained by the project (you do have one of those, right?), as well as the use cases (the little cards on the wall) as well as from the OWASP ASVS / Testing Guides. More focus must be made on access control testing and business logic testing.

Penetration testing has become vulnerability assessment – run a tool, drool, re-write the tool’s results into a report, deliver. No! Write selenium tasks and automate it. If you’re not automating your pentests, how can your customers repeat your work? Test for it? They should be taught how to do it.

Folks at consultancies will shriek away in horror at my suggestion, but getting embedded is actually a good thing. Instead of hearing from a client once in a blue moon, you’re integrated into the birth and growth of software. This is a huge win for our clients and the overall security of software.

As much as I want to be comprehensive, there is a real risk that a 800 page book would never be read. There ARE easter eggs in the Guide that no one has found or bothered to e-mail me about yet, so I know it’s not being read widely.

I want to ensure the Guide is used, in a way that the OWASP Top 10 and ESAPI are used daily throughout our industry.

• What would you like to see IN the Guide? Why?
• What would you like to see OUT of the Guide? Why?

Let me know by June. I’ll be sure to share your thoughts with the Developer Guide mail list.

I finished PDFing 2.0 around 4.30 am and pushing it to the OWASP website. I was rush packing for BlackHat as my plane was due to depart at 11 am. I checked my mail as I was shutting down my home lab, and got a last minute set of edits from Michael Howard on the crypto chapter (which is definitely not my strong suit). So I fired up Word again, made the changes, and issued 2.0.1 in Word and PDF format pretty much just as I had to walk out the door to catch the plane.

That was the last time the Guide was formally issued.

It’s time to pick up the whip, and dip the pen in the inkwell (well, TextMate this time – we are working in Wiki format at Google Code).

I plan to write at least one blog entry a week to describe how we are going. I am determined this time to not write > 80% of the content. I simply don’t have the time, and honestly, if we’re going to do this before 2.0 can vote, I really need helpers.

The first steps have been put into place:

• Put out a mail to the Guide mail list asking if I can take over
• Got a bunch of public and private e-mails saying yes, plus most pleasing to me of all – offers of help!
• Got an e-mail from Vishal Garg, the previous leader – 1, saying that he had actually stood down last year (!)
• Got an e-mail from Abraham Kang, the previous leader, saying that he would be happy to co-lead with me (awesome!)
• Asked the Global Projects Committee to assign the project to me, along with a PM. I’ve not heard back from them, but at this stage, I’m happy to do first, apologise later.

Current status

I’ve been reading the current materials out of the SVN repo. Oh wow. So much work to do. My plan is to use a few hours each day to write a precis of what I have in mind for each section, and then farm out the work to all those who volunteered.

I have to make a few basic executive decisions. These help get the project re-oriented in the right way, so as to encourage lateral thinking about some of the hardest topics in our industry. I need the Guide to lead the charge against group think that XSS or SQL injection is insolvable, or that (weak) passwords will be with us forever. Other decisions are just necessary for logistical reasons. I will try to make as few unilateral decisions as possible.

First executive decision: We cannot possibly know what will be the new hotness.

Developers are a creative and fickle bunch. Business would love us to code everything in COBOL or VB … or Java, but that’s not how the game is played. Freaking awesome developers (the taste makers) choose new and interesting things to them at least once or twice a year or more. A pool of talent builds behind the cooler / better marketed languages / frameworks. Not knowing what will be the next new hotness is my only real assumption whilst we develop the new version of the Guide. 

During Guide 2.0 development, classic ASP was winning the battle over ASP.NET, PHP was very popular and very insecure, and J2EE was just starting the process of moving from Struts 1.x to Spring, modulo a dead end or two (JSR-168 comes to mind). Ruby on Rails was a brand new plaything with a few fervent supporters. How times have changed.

What hasn’t changed are the underlying principles of web application security. I don’t care if you are writing in technologies like Ajax, GWT, Ruby on Rails, Haskell, or you’ve moved to a web flow type model – we know what works and what doesn’t, and to a large extent, it’s in the existing Guide 2.0.

So I want to move the Guide up a level to be a hybrid architecture / detailed design guide, rather than an implementation guide, a set of repeatable architectural / design patterns that are easily adaptable and applicable cross-language, cross-framework, and be aware of new fads that come and go without knowing exactly what they are.

Second Executive Decision: Diagrams must not suck

The Guide has always needed a lot more diagrams than it has. The diagrams I drew back in 2004 and 2005 … suck. I have the originals here, but honestly, I don’t feel we should re-use them.

I will be approaching the Projects committee to find us a good graphic designer to give a cohesive design language for us to do the diagrams in, or simply farm out our hand drawn diagrams to someone who can do them all in the one style in a way that looks good in the Wiki, Word, iPad and PDF versions of the Guide.

In the meantime, I will hand draw and photograph the diagrams I have in mind and include them in the wiki as markup. That way, we’re not spending hours in a diagramming tool when we really need to be writing at this stage.

Third executive decision: Distributed computing

In 2005, the problem of race conditions in web apps was only really in J2EE web apps that did the very wrong but very arcane things. I had planned for 2.0 (and then 2.1) to include a distributed computing chapter that discussed race conditions, but it’s time to include a detailed discussion on asynchronous, distributed computing: i.e. cloud computing.

Not only do we need to take into account the many threads / cores of a typical processor today, thus meaning that any server worth its salt will have multi-threading issues, there are parallel languages (F# with the parallel extensions to .NET, and Go for two), and there is Ajax and all the multitude of frameworks that support asynchrony. I don’t want to forget the oldest of them all – batch and background processes that can still produce surprising results.

So its time to bring this bunch of issues to the forefront, because the cloud genie is out of the bottle, Ajax is well and truly plastered all over the Internet, and if there’s ever a new single core CPU running a new single threaded OS ever again, I’d be immensely surprised.

Where to from here?

It’s time to gather the offers for support and start to build a road map, and build consensus on where we should be going. In my view, we need to and indeed must lead the industry by at least two-three years to be relevant on day one of our launch. 2.0 was ahead of its time, but only just, and in the last seven years, my lack of foresight / bravery in targeting the absolutely crazy bleeding edge meant irrelevance by 2008 at the latest.

If you want to help, please join the mail list and please offer your services. It’s time to get OWASP Developer Guide 2013 going again.

• Eliminate the risk. In this case, if you see a risk and it has a known solution, that should be done. For example, with SQL injection and XSS, we know the solution. There simply is no excuse. If you don’t know about SQL injection, XSS, or even input validation, then you shouldn’t be writing software. It really is that simple.
• Engineer the risk. If the risk is too hard to eliminate, then workarounds should be created to reduce the risk to acceptable levels. To do this means you are aware of the risk, and that you know how to address the risks in at least one way. If you cannot do this, you should not be in our industry.
• Operating procedures. Systems languages do useful things, and useful things include shooting yourself in the foot with the safety off. Learning how to write safe useful code is vital (i.e. don’t create a system that has “Okay” for “Destroy data”. All useful systems must be operated safely, and this means skilled and trained system administrators and highly practiced procedures. You cannot legally outsource responsibility for your risk (otherwise contract killings would be acceptable), and thus you cannot expect low skill, low cost operators to do manage something that is vital to your business.
• Involve the everyone in safety. If it’s going to happen to you, at least let folks participate in the process. In this case, consider a security@example.com, risk register, and so on
• Wear protective equipment (hard hats, etc). All I know is that we let folks with no experience use computers. If we want to continue doing this, then …

The problem isn’t the little flutters that most of us have from time to time, it’s the problem gamblers who form much of the industry’s profits. The for-profit firms have shown no mercy in their campaign to get rid of gambling reform. They succeeded.

The problem is the ALP now sways in the wind to the tune of vested interests rather than the public good. Whitlam didn’t give up on creating Medicare just because the AMA was against it. Hawke and Keating didn’t give up on monetary reform, such as floating the dollar or removing trade barriers that have made us far richer, just because the unions were against it.

The ALP will be in the wilderness for a very long time after the next election. They can’t rule by themselves for many years because they have given up on traditional ALP values, and abandoned and cast off a good percentage of their party support base to the Greens.

If the ALP wants to govern again, it needs to get some vision aligned with its core values, and do it. Kicking refugees, dropping gambling reform, and working against gay marriage are none of these things. Once Craig Thompson has gone (and although I reckon he will hang on until convicted, he surely will be forced to go), the ALP will feel the full wrath of its core voters.

  [14:41] <@rkl> shit.
  [14:41] <@rkl> whoever broke into blackops.org
  [14:41] <@rkl> when we caught them
  [14:41] <@rkl> they began rm filesystems
  [14:41] <@rkl> and removed my only copy of some photos i had of me and my
          fiance'
  [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS
  [14:42] <@rkl> she's going to be sad about that
  [14:44] <@nobody> ur shitting me
  [14:44] <@nobody> who broke in?
  [14:44] <@rkl> we know.
  [14:44] <@rkl> luckily they were incompetent
  [14:44] <@rkl> however
  [14:44] <@nobody> bunch of savages in this town
  [14:44] <@rkl> because they tried to use blackops as a platform to launch
          attacks against a few corporations
  [14:44] <@rkl> now the FBI is involved
  [14:45] <@nobody> wonderful
  [14:45] <@rkl> me and murray couldnt' give a rat's ass
  [14:45] <@rkl> we back up blackops 1 time a month
  [14:45] <@rkl> to cd, now dvd
  [14:45] <@rkl> they got in through a weak user passwd
  [14:45] <@rkl> cause there were near 100 users
  [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds
  [14:45] <@nobody> typical
  [14:46] <@rkl> we've had to turn over everything to the FBI
  [14:46] <@nobody> a system is only as secure as its users

In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes? That revolution starts today.

Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use > 20 character passwords, STOP USING IT. There’s something very dumb, wrong and insecure with that service.

I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.

Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. p.s. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.

Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor that many sites insist upon who should (and most likely do) know better. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.

CALL TO ACTION!

If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.

If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”

Just Do it. Do It Now. I’m deadly serious.

[...Asus should...] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although I stand behind every word I said above, I’m begrudgingly glad I spent the extra 2.5 hours creating those DVDs as I’m restoring her computer to factory default after she killed the previous HD by cooking it in the bedding. Obviously, not Asus’ fault, but what happens after replacing the HD is most certainly Asus’ fault. This Asus will be our last PC – my life is just too precious to donate to absurd and evil corporate practices.

When I bought the Asus, it took me about three days to get the PC to a default-ish Windows installation, Office 2010, and iTunes with just enough drivers to run “advanced” technical devices like the display or the wireless network. Don’t get me started on the number of reboots or gigabytes of patches required. Copying Tanya’s data, migrating her PST and recovering her calendar was simple by comparison.

I am dreading wasting yet another two to most likely three days of my personal life YET AGAIN to weed out all the circusware from the factory default build. Asus must start providing a fast circusware free method of complete restoration like Apple do. The time I’m going to spend over the next few nights, and probably the next weekend, is like a working week away from my family. Completely unacceptable.

I tried restoring the repair partition I dd’d off, but due to the new 750 GB drive having different sized clusters and alignment than the old 500 GB drive, I struggled to create a bootable recovery partition without spending yet more time than it would take to restore using the DVDs. So I’m using the restore DVDs.

I still don’t have a Time Machine work-a-like that can back up Tanya’s data. This is a serious issue as hers is the most likely computer to die. [...]

And die it did. I tried Windows 7 Backup for months on and off after buying a new 2TB external HD, but as per usual being a Microsoft product, it doesn’t actually work. So too late, I found Rebit, which is just like Time Machine … but expensive. I’ll be trying that after restoring Tanya’s data. Luckily, I was able to get her most if not all of her data off under Linux all the while the HD was making very high pitched death screams. It’s dead now – all the sparing sectors are spared and the computer wedges hard if you try to do anything with it in read / write mode.

My newish MacBook Air 11.6″ is significantly faster and cheaper than this Asus, and more so every time I have to fix it up. Once I had recovered Tanya’s data to my 2TB dumping ground on my Mac, she was up and running with one of our AppleTV’s in about two minutes.

Tanya’s next computer will be a Mac when this one dies. I will not tolerate the loss of any more of my life to Asus insistence on circusware in the default build, and cheapening out by not providing real installation media, or Microsoft’s insistence on a recovery CD and crappy end user experience.

I stand by my recommendation:

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don’t get it.

 

I’m going to reduce the rating to 1/5, and the 1 is only due to the surprisingly resilient Seagate 500 GB drive that survived just long enough to get nearly all of Tanya’s data off it.

A few weeks back, one of the panelists revealed that there are two fundamental ways to sell things – fear, as in:

Late 1980\’s Anti-AIDS advert 

and hope, as in:

Durex condom ad

The panellist’s comments are revealing – fear sells well for a short while and then stops working. This is true of the AIDS campaign. The campaign reduced HIV / AIDS infection rates to a low that hasn’t been repeated anywhere else on the planet since that time. Then the ad stopped, and there’s been no replacement campaign for nigh on 25 years. You can guess that the HIV / AIDS infection rates are back up.

We need to change the security industry from selling fear to selling (and delivering) hope. The results will last longer, and have better long term outcomes.

Meebles is no more. In the end, it was peaceful, but his last days must have been hell. At least he had chicken (and lots of it) last night.

I first met Meebles in early 1998 when I was looking for a companion to Greebo. I went to the Lost Dog’s Home, and picked the most feisty cat there. After 14 years, I know now why his original slaves put him up for adoption again, but I didn’t mind the random attacks, the aloof distance he preferred, and his general bat craziness. It was part of his charm, and it’s the reason I picked him. He had 3 days to go before what I had to do today would have been done to a six month young cat back then.

All in all, I got the best of the bargain for all 14 years. He was steadfast in his loyalty. You had to earn that loyalty, something dog owners will never and don’t understand, but once you had it, he was a part of your life.

I miss him already. Catchya round buddy.