If anyone knows of any open source projects to process ASN.1 data types, send me a note. I rolled my own code to process the common object types I encountered, working mostly from reverse engineering and the scarce documentation I could find.
A quick check of Lenovo’s management page reveals the company has no top security executive. Consider this a subtle warning sign. Security at Lenovo is one of the many responsibilities assigned to Chief Information Officer (CIO) Xiaoyan WANG. We can learn much about a company’s emphasis on security by reviewing its leadership structure on its web site or in its financial reports. If you review Lenovo’s management page, two things stand out: 1) security is not a primary role but instead one of many CIO responsibilities, and 2) other responsibilities of the CIO present a direct conflict of interest with security.
First, let’s look at security as a primary responsibility. Security is like other areas of an organization: the more resources you invest, the better results you can expect. I don’t mean to imply that blindly pumping cash into your security program is helpful, but understanding how to apply resources to the problem is where partnership between business and security executives is important. A poor security leader, or no leader at all, is the surest way to kill a security effort before it even begins. To be clear, no company says to do a bad job on security. The problem is that without proper security leadership and resource allocation, a good job is next to impossible. Companies with the best chance of success in their security programs place security on at least equal footing with other top business priorities. In a security-conscious company I expect to see at least one top security executive, such as a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). Ideally, I want to see others, like a Chief Privacy Officer (CPO), as well. This tells me the company really understands the impact of the digital age on its products and services. Of course, Lenovo may have a CSO that reports to the CIO, or to a leader that reports to the CIO, and many companies do, but in the end this is a conflict of interest because CIOs are focused on delivery. Ultimately, product delivery may trump security, but without an independent advocate to argue on the side of product quality, productivity will win every time, and this may not be best for the organization.
Next, the conflict of interest issue. It may not be obvious, but WANG’s many responsibilities include “information service delivery and security”. For years, IT organizations and software developers have been accustomed to the idea of a Test group that performs independent quality assessments of products and services before customer delivery. Independent assessment is an essential quality control measure for producing consistently high quality products and services. All too often, security is lumped into the same bucket as other technical product quality reviews. I believe this is a mistake. Placing application security responsibility in the same group responsible for product delivery is like placing the fox in charge of the hen house. Security product quality is a business concern, not a concern for a technology group. Few CEOs were ever fired over a software bug, but many more CEOs will be fired in the future over software vulnerabilities. Additionally, vulnerabilities are unique among bugs since they can shake the very foundations of your organization’s credibility with customers, which may take years to reestablish. In today’s highly optimized world of software development, leaders often don’t have the necessary resources to deliver products on time and on schedule. In such a climate, it’s too tempting to focus limited resources on tangible features customers can see. With security, however, it’s far too easy to make bold claims of a strong security posture. Without specialized tools and testing, security posture claims must be accepted at face value. I see security differently: security is a top business concern, not a technology concern. As a top business concern, security must answer through its own leadership, which ideally terminates at a security executive that is accountable to the board. This allows security to be considered on equal footing with other business priorities and risks.
A final note on security responsibility for C-level readers. The days of blaming breaches on the ingenuity of hackers are coming to an end. Overestimating hacker abilities to infiltrate systems is a convenient way of shifting public scrutiny away from poor leadership and security practices and back to attackers. Increasingly, the broader public and regulatory agencies are becoming less accepting of such excuses. If you don’t make security a top priority in your board room, with proper funding and with security leaders leveled like other leaders – you will be accountable on breach day. Leaders of America’s largest corporations are learning the painful lesson that security responsibility can be delegated but blame cannot; see Target CEO Fired – Can You Be Fired If Your Company Is Hacked?
For those interested, in a previous post, So You Want to be a Security Professional, I cover some background on security positions and ways to organize security duties. For full background on the Lenovo incident, I refer readers to Bruce Schneier’s article, Man-in-the-Middle Attacks on Lenovo Computers.
Superfish cover by Anelis, DeviantArt
The following URLs are security content from Oracle’s JavaOne 2014 software developers conference in San Francisco, California. My list is not entirely comprehensive; as more sessions become available, I will update it.
Security Testing for Developers using OWASP ZAP, Simon Bennetts
Put a Firewall in Your JVM: Securing Java Applications, Debbie Fuller
Understanding the New JDK 8 Security Features, Sean Mullan
Securing Against Cross-Site Request Forgery, Aaron Hurst
Java Secure Coding Guidelines, Andrew Gross
Building Secure Applications with Java EE, Patrycia Wegrzynowicz
Security Starts in the Head(er), Dominik Schadow
RESTing on Your Laurels Will Get You Pwned, Abraham Kang, Dinis Cruz, Alvaro Munoz Sanchez
Security with Java Deployment, Chris Bensen
Code-Level Security Games And Puzzles in Java, Brenton Phillips
Seven Security Tools and Libraries Every Developer Should Know About, Dominik Schadow
Applying Java’s Cryptography, Erik Costlow
High Security for the Internet of Things with Java and a Secure Element, Anne-Laure Sixou, Thierry Bousquet, Frederic Vaute
Retrofitting OAuth 2.0 Security into Existing REST Services, Irena Shaigorodsky
Anatomy of Another Java Zero-Day Exploit, David Svoboda, Yozo Toda
Securing JAX-RS Services with OAuth 2, Miroslav Fuksa
Securing RESTful Resources with OAuth2, Rodrigo Condido da Silva
Five Keys for Securing Java Web Apps, Frank Kim
The Anatomy of a Secure Web Application Using Java, John Field, Shawn McKinney
Securing Java: Track Opening Presentation, Milton Smith