August 2007 - Posts

Remember Goofus and Gallant, the kids in the Highlights magazine, that dentist's office staple? Goofus always made the mistakes, Gallant was always perfect. Teaching kids right from wrong.

While trying to explain a simple security problem in a web application, I realized a picture book approach might help get the point across.

This diagram demonstrates a "right way" and a "wrong way" to identify users in a web application.

Sometimes we get caught up in details – it's nice to turn a thousand words into a picture.

Posted by Alex | 1 comment(s)

I'm going to be presenting at SD Best Practices 2007 in Boston in September.

I will be expanding upon the talk I gave at SD West 2007, "Securing the MVC Architecture". This time, I'll dive into some code and show some examples from the Hacme series of applications.

The gist of the talk is to address application security as an architecture issue. The Model-View-Controller architecture shows up in a lot of web frameworks, and in the talk I discuss common security patterns that make sense, both for people who develop MVC frameworks and people who develop applications using MVC frameworks.

This diagram, which I thought of over breakfast one morning, was the "A-Ha!" moment for this topic. I wondered, what are the ideal places to fit security code into MVC? In my presentation, I talk about why each piece goes where it does. I also dig into some real world examples (Ruby on Rails, Struts, ASP.NET) that do and don't implement these security patterns.

My colleague from Foundstone, Rudolph Araujo, is also presenting there. I have no doubt that his talk on Security Code Reviews will be filled with insight and real-world experience.

Send me an email if you're going to be at the show or at TechMash and want to meet up.

Posted by Alex | with no comments

Welcome to KeepItLocked.net, where you'll find my writing on application security, my solutions to tricky tech problems, and general news about me.

To start off this blog, I thought in the name of "reusability" I'd put here a short essay/abstract/piece that I wrote in 2004 and was proud of, but that never went anywhere (I think it got lost in the marketing department somewhere).

Anyways, without further ado...

Bacteria Versus Viruses

by Alex Smolen

The human body is extraordinarily capable of defending itself from the antagonistic micro-organisms that permeate our environment. With viruses and bacteria covering every surface, hidden in every crevice, waiting for the opportunity to use our body as their own personal recreation area, we rely on our natural defenses and the medical community to protect us from this unseen but well-known threat.

Software applications must defend themselves as well; they too are subjected to a hostile environment of wide-ranging threats from invisible sources. Indeed, a computer "virus" closely parallels its organic namesake in the way it infects and replicates, causing destruction and leaving weakness in its wake.

Recently, I reflected on the observation that computer virus attacks occur less frequently and cause less damage today than in the past. There could be several reasons for this, including more common and stringent anti-virus protection, and more user awareness. However, what is becoming more common, and often more destructive, is the increasing number of software "errors" which allow attackers to conquer servers using well-known techniques that exploit these "unsanitary" conditions. The day of the computer "virus" may be fading, but we are beginning to see the rise of computer "bacteria".

Every year, the common cold causes millions, if not billions, of dollars in terms of lost productivity. What mighty force behind this phenomenon has led science on a wild goose chase for decades? The cold virus is able to mutate to fool our immune system. It is the best hacker in the ecosystem – it can r00t us year after year. Computer virus writers keep anti-virus vendors in business through the subscription model. Vendors take every new, bizarre mutation of code that shows up on the networks of the world and analyze it into submission.

However, the majority of security problems we hear about these days are the application-level exploits: the buffer overflows, the browser vulnerabilities, the SQL injection in web applications. These problems, for the most part, are well understood. There are applications which are immune to these problems, and most application-level vulnerabilities are found in a few "dirty" lines of code. This is the perfect environment for a computer bacterial infection.

When penicillin was discovered, the deaths caused by bacterial diseases dropped sharply. Bacteria don't evolve and mutate like viruses; they can in almost all cases be defeated with reusable techniques (antibiotics, sterilization, etc.). Likewise, application security is a fairly well understood process. Validate inputs, check credentials, don't give up too much information, load resources sparingly, and a few more strategies can, when followed consistently, significantly reduce the attack surface. Yet we consistently see people make the same mistake, time and time again, and the infection spreads from a SQL injection to remote arbitrary code execution to a full-blown case of an owned server.

It seems like in this day and age, some vendors are only worried about threats from old attack vectors, when systems are highly susceptible to a nasty case of SQL Infection or a Buffer overflu. Can we stay healthy?

Posted by Alex | with no comments