Matt and I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!
Archive for the Application Security Category
XAB Presentation @ USF Whitehatters Club
Posted in Application Security, Events on January 27, 2010 by Tony FlickIntroducing AppTrust
Posted in Application Security on November 12, 2009 by Matthew FlickFYRM Associates is proud to announce our new AppTrust offering that enables organizations to produce secure applications in a timely and cost-cutting manner. The typical, flawed approach to application security is based on the network security model of “when we find a vulnerability, we patch it.” This forces your organization into a never-ending game of catch-up with attackers that is nothing more than a costly and time-consuming strategic failure.
The AppTrust Assessment, Training, and Certification solutions break this mold with a strategy that enables your organization to implement applications that are secure as soon as they enter production.
You can read more about FYRM Associates’ new AppTrust offering at our Web site, http://apptrust.fyrmassociates.com, or contact FYRM Associates at http://scr.im/fyrmsales or (877) 752-7170 for more information.
XAB – Cross Site Scripting Anonymous Browser updated and seeking help
Posted in Application Security on November 10, 2009 by Matthew FlickA new release of XAB, the framework that allows one to browse the web via XSS has been updated. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at sourceforge: xab.sourceforge.net.
We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.
XAB Presentation @ OWASP DC Chapter Meeting on 9/2
Posted in Application Security, Conferences, Events, OWASP with tags DC, OWASP, XAB on August 25, 2009 by Matthew FlickI will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found here. See you there!
OWASP AppSec DC 2009 Sponsor
Posted in Application Security, Conferences on August 20, 2009 by Matthew FlickOWASP just launched the official AppSec DC 2009 site @ http://appsecdc.org. We’ll be out in force and will most definitely have some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!
LAN Party anyone? Let’s volunteer to hack Government websites…
Posted in Application Security, Government, Penetration Testing on June 21, 2009 by Matthew FlickWould I volunteer my time? Sure, why not. Is it really a good or realistic idea to have our Military and Government solicit an army of volunteers to test their web sites? Probably not. Jeremiah Grossman, CTO and founder of WhiteHat Security, this past week voiced his opinion on a topic that isn’t entirely new, but hasn’t been brought up by an industry pundit for a while. He estimates “fewer than ten percent of United Stats .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities” and suggests getting vulnerability researchers to volunteer to test those web sites. I honestly didn’t see his blog entry until late Thursday and up til now sort of waited to see all the comments to his thoughts. It seems feedback is back and forth with the more detailed responses are on the “not so good” idea side of the fence. Jack Mannino had a good response, which Jeremiah is planning to respond to.
Here are my thoughts: Have you ever worked directly for/with the government? Not a rhetorical question or being a smart a$$, but seriously. It’s a given that the US Federal government doesn’t spend enough money or resources on cybersecurity [see previous blogs]. I cannot imagine how difficult it would be to attempt to coordinate these “volunteer tests” with the Federal Agency, the government security teams that protect the site, the network and system folks responsible for the site, and then all the contractors involved in monitoring and supporting the site… that’s just a fraction of the folks on the government site. We’ve done contract work with the Federal Government and doing a simple scan of a small environment from a single source address took a tremendous amount of coordination and planning. It would be insanity to try to coordinate dozens of volunteers. And that is just one of a couple pre-planning obstacles I can see.
What about from a slightly tangent ethics view; is it volunteers or freebies? The Federal Government from what I’ve experienced has pushed procurement and purchasing folks through different types of ethics training to prevent inappropriate kickbacks to individuals and organizations. Could a big corporate entity like “Big Yellow” for example be allowed to volunteer a team of young staffers to “pen-test”? Wouldn’t it then be ironic if that same company down the line got a chance to bid on projects or even technologies to be implemented? You got to expect someone out there to try to take advantage of it.
The one point that Jack made mention that I’m not going to rehash too much but agree with is regarding incident response. Could you imagine being the contractor or GS-10 sitting in the SOC during “volunteer pen-test day”? If the government doesn’t have the tools to assess their own web sites, I wonder if they would have the technologies or resources in place to review the logs generated to figure out what is considered “normal” vs. “bad” traffic.
I’m not entirely sure if Jeremiah really thinks it’s a good idea or is throwing it out there for media fodder (I see SC Magazine already picked it up). It does bring up some interesting early debate but the more I think about it, it just doesn’t seem reasonable.
However one thought I did come up with and please pardon me if there is already an organization like this, is taking a page from the National Guard. It would still require some money, background checks, a tremendous amount of coordination and volunteering. How about a “Cybersecurity National Guard” unit, where people can volunteer X hours a month and have one of the core responsibilities testing government and military web sites. I’m deeply familiar with the military and intelligence community programs and teams that do this, but this “volunteer” group could be staffed with vulnerability researchers who have extra time or want to do something more valuable for ISC^2 CPEs ;)
Cross Site Scripting Anonymous Browser (XAB) Proof-of-Concept Released
Posted in Application Security, Black Hat with tags Application Security, Black Hat, XAB on May 19, 2009 by Matthew FlickToday I finally found the time to release the XAB Proof-of-Concept code. An apology to those of you who have been emailing us wondering when we would publish it.
We’ve decided on Sourceforge and you can download the code from the XAB project page located at:
We’ve submitted talks to Black Hat and Defcon for the updates we’re working on, so hopefully we’ll have the chance to catch everyone up…solicit some more feedback…and grab a brew. Or two…
Black Hat DC 2009 Presentation
Posted in Application Security, Conferences on January 28, 2009 by Matthew FlickMy abstract for this year’s Black Hat DC was picked up. I’ll be presenting the XSS Anonymous Browser tool, or XAB for short. I’m currently hammering out some of the more technical aspects of the tool, but I’ll have a working proof of concept ready for the conference. Plus if there’s time (who am I kidding?), I’ll release a second tool that is a great defense against the attack vectors that XAB utilizes. You can read more about the XAB tool presentation at the Black Hat DC 2009 Speakers Briefings page,
http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Flick
For those of you in the Tampa area, I will be presenting the same tool at the OWASP Tampa meeting on February 18. You can check out the Tampa Chapter’s page here,
https://www.owasp.org/index.php/Tampa
I hope to see you at either or both presentations and SafeSurfing…
The New PCI 6.6
Posted in Application Security, PCI with tags 6.6, Application Security, PCI, risk assessment, waf on November 20, 2008 by Matthew FlickAll Your Public facing Web Apps Are Relevant To Us
I’m going to start off this post with the moral of the story: Good intentions often have bad, unintended consequences. The following is the ‘Testing Procedures’ text of requirement 6.6 from the new PCI DSS v1.2 (source: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html):
For public-facing web applications, ensure that either one of the following methods are in place as follows:
• Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
– At least annually
– After any changes
– By an organization that specializes in application security
– That all vulnerabilities are corrected
– That the application is re-evaluated after the corrections
• Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.
Note that for ease of reading I’m going to shorten “PCI DSS v1.2 Requirement 6.6” to just “PCI 6.6” since nearly everyone already refers to it as such.
Without further clarification, this requirement now compels an organization that stores, processes, or transmits cardholder data (“CHD”) to apply PCI 6.6 to all of their “web applications” that are publicly accessible, regardless of whether the applications participate in the storage, processing, or transmission of CHD. We must assume also that this requirement will be applicable regardless of other security controls as well, such as network segmentation. Disregarding all other changes to the PCI DSS, this one requirement could significantly increase the level of effort and cost of PCI assessments.
Before I get into advice for dealing with the new requirement, let’s examine the two options in relation to the change. First option is to have an application security organization perform security testing on the applications, correct identified vulnerabilities, re-test and repeat if necessary. Furthermore, such testing must occur “at least annually”, which should not be a huge problem…and “after any changes”, which could very easily force an organization to simply stop making any changes to its web applications. Unintended consequences.
The second option seems rather simple, straightforward, and innocuous unless you have actual experience with web application firewalls (“WAFs”). At a high level, WAFs have two basic modes of defense: 1. Blacklisting attack strings, typically pushed down by the vendor like anti-virus signature updates, and 2. Custom rule checking, which requires training the WAF to understand more of the application it is protecting. Both modes can often lead to false positives; the second and more effective mode requires a lot of human interaction throughout the system’s lifecycle. Add to the mix the large price tag for commercial WAFs and the new requirement that requires protection for all public facing web applications, and what you likely end up with is an organization implementing an easily defeated blacklist of your standard attack strings (XSS, SQL injection, etc). Unintended consequences
I do not want to be accused of PCI hate speech. In fact, I would like to sincerely applaud their efforts in helping to drive application security education and strongly encouraging organizations to address the problems. My concern, though, is that the more stringent the requirements become, the more likely organizations will continue (or begin) to do only the bare minimum in order to “check the box” instead of fixing the root cause of the problem. This is similar to the problem of progressively raising taxes: the higher the tax rate climbs, the more people will invest to identify loopholes, legal or otherwise. Or, in Star Wars terms, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” –Princess Leia
With this information in mind, we now come to the issue of how to approach PCI 6.6. I’m going to suggest the most pragmatic approach that should work for most or all organizations, or at least those organizations that must endure PCI DSS assessments. In step-by-step format, naturally:
- Classify applications – Separate all public facing web applications into a grid by user type (e.g. internal users only, external users only, mixed) and data sensitivity (e.g. CHD, public, internal/corporate, internal/sensitive).
- Shorten list – If possible, move all web applications with internal users only to the internal network and provide external access via VPN. This should be an obvious move and something that should have been done well before PCI 6.6, but you might be surprised how often I see this situation.
- Create assessment plan – First determine the budget for performing automated runtime vulnerability scans (the “cheap” option) against all remaining public facing web applications. Then the remaining budget—if any—can be reserved to add more effective assessment tasks to the most relevant applications, obviously starting with those that store, process, or transmit CHD.
As a general rule, I suggest using the results of a vulnerability scan/assessment against one application to identify and remediate potential weaknesses in other applications that either use the same codebase or were developed in similar fashion. This approach should lessen the number of findings in subsequent tests.
If all the advice in this post seemed familiar or common sense, then congratulations…you’ve been paying attention! The security industry has been evangelizing a risk-based approach for a long time now. Or at least some of us in the industry have been.
Application Security Industry: 2008 Report Card
Posted in Application Security with tags Application Security, vendors on November 6, 2008 by Matthew FlickI have had many discussions this year regarding the future of the application security industry and even more about its current state. It’s interesting how people of such varying backgrounds will have similarly varying views; this short article is designed to capture those views and hopefully drive some productive discussion as a result.
Where are we now? Should be a simple question, right? Let me summarize in three main categories:
Maturity – Purists aside, “Application Security” today means the security of web applications and related things, such as web services. Application Security started to grow up as older information security areas–like network security and vulnerability management–matured quite well. I am quite sure it seemed at the time a great idea to port the mature security ideas and technologies over to the application security world. However, as usual we have learned the hard way that the proverbial square peg does not fit into a round hole. Result? Application Security is in the early stages of being adopted into organization’s information security programs. **Golf Clap**
Technology – I remember from childhood riding long distances (>1000 miles) with my family of five in a compact car to visit the in-laws. Of the many shortcuts we tried using our trusted 10-year old map, I remember one that ended with a missing bridge over the Mississippi River. The recent development of app sec tools eerily reminds me of this trip: choosing the wrong path and driving insistently down that path until you end up with very wet socks. Luckily for my family the car brakes worked…unfortunately I don’t see anyone trying to even find the app sec technology brakes.
So who is driving us down the wrong path, and why is it the wrong path? The typical response would be the vendors, but I disagree. Runtime scanners, source code scanners, application layer firewalls–they all perform as designed (in most circumstances). The problem lies in how these tools are sold and used as a method to secure the vulnerable applications. To a slightly lesser degree is the nearly insurmountable problem of these security tools keeping pace with the fast growing arena of application technology and subsequent vulnerabilities. Both of these problems illustrate why organizations needs to focus more on the root cause of the vulnerabilities rather than on the detection and prevention of attack vectors. The unfortunate fact is that application security technologies can not—and may never be able to—keep pace with vulnerability and attack research. This is the wrong path. This is why we need to hit the brakes and find a better route.
Approach – Is that light? Are we in a tunnel? Yes and no. The application security world has witnessed several of its citizens make wonderful presentations on why we need to…**drumroll**…incorporate security into the SDLC! Or at least it was witnessed by the five of us not watching the more exciting and entertaining presentations on the latest and greatest XSS and CSRF attacks. Whereas this statement of incorporating security into the world of development is theoretically valid, when put into practice the wheels tend to fall off (or in worse cases, explode). After assessing so many different environments and working with clients to build practical and effective application security programs, I’ve all but killed the nerdy theorist inside of me. The old “one size fits all” adage really starts to become annoying!
I am not arguing the approach nor will I espouse a new theory of my own–remember I said it is valid. Instead I will just note that we are, as an industry, still at the theoretical stage. At least I can cross off “job security” from my list of worries.
Where are we going? If the first half of this post was not depressing enough for you, go back and read it again more thoroughly. Then read on. Here is a sampling of quotes I collected this past year on the question of where the application security industry will be in 3-5 years:
“More of the same. New technology maybe, same attacks against both the new and old technology.” –security consultant
“I don’t think much will change. With Flash and AJAX growing there will be new opportunities there, but not much else will be different.” –application security manager
“SaaS is the future of app sec. The tools are quickly getting smart enough to attack application business logic and will revolutionize the industry.” –vendor marketing guru (shocker)
“More companies will realize application security is something they have to deal with.” –security guy
Job security…oh right, I already crossed that off. Is this the best we can do? Inch our way further down the wrong path? Marginally better tools, more of the same attacks against current technology, and bigger budgets for the same insufficient solutions? I cannot be the only one thinking that this is a problem. Sadly, I have to somewhat agree with the comments above. In dealing with people from all sides of the aisle, it does appear that the application security community is settled comfortably with the status quo. With the massive increase in application security spending over the last few years, can anyone blame them? That being said, maybe I am the only one plotting and scheming of a better way…and maybe that’s not such a bad thing.
