Updated on July 4, 2016

For a copy of the slide deck for this presentation see my follow-up post, OWASP Security Logging Project Presentation – Slide Deck.

Thursday June 30, 2016 at 4:15pm I am presenting a Lightning Training Session, How to Use OWASP Security Logging, with August Detlefsen and Sytze van Koningsveld.  The training session will be a mixed format of presentation and hands-on lab exercises.

Attendees will learn about the OWASP Security Logging Project: the background and why we need security logging, its benefits, how to include it in new projects, how to upgrade your legacy projects, and much more.  In the session we cover each feature and answer audience questions.  Bring your laptop and participate in our exercises.  Learn first-hand how to apply security logging to your projects.

So why would you be interested in our logging project?  A brief rundown of the benefits:

Diagnostics/Forensics, for problem determination it is often useful to have a history of system state recorded in logs that you can refer to when there are problems.  Security logging provides features that log command line arguments, system environment variables, and Java system properties on startup.  Security logging also provides an interval logging feature that logs key system and user-specified metrics every 15 seconds.  SIEM tools can be integrated to alert on memory problems, etc.  One caveat: startup logging of environment variables and system properties can capture secrets (passwords or tokens passed through the environment), so review what is logged and who can read the logs.

Security Focus, door open/closed events, user logged in/out, resource allocation, and information classification of log messages, a desirable feature for government agencies or government contractors.

Compliance, sign log messages, log messages remotely, and discourage tampering.

Automation Across Several Use-Cases, the project provides automation benefits for standalone or desktop applications as well as further up the application stack, e.g., Servlets/J2EE.  For example, in the web tier it provides facilities to pull the user id from the HttpSession and insert it into the log4j/logback Mapped Diagnostic Context (MDC), so that every log message can be correlated with the user currently logged into the system.

Support for Popular Platforms, are you using Java logging, log4j, log4j 2, or logback?  If so, you're ready to go, since security logging is written to the SLF4J logging interface.

Large Base of Developer Knowledge, security logging is compatible with popular loggers, so you can get running quickly.

Legacy Support, security logging includes support to capture streams from your old console logging applications (e.g., System.out/System.err).  Alternatively, you may have old commercial code that logs to the console and for which you don't have the source.  In these cases there is benefit in intercepting those streams and redirecting them to security logging.  You will not realize the full benefits of native logging (e.g., logger inheritance); however, you still receive some ancillary benefits like remote logging, the ability to mark messages with an information classification, etc.
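As an added example (written for this post, not code from the OWASP Security Logging project), the MDC correlation described under Automation above can be done with a servlet filter.  It uses the SLF4J MDC API directly.  The MDC key names are this example's own choice, and the SecurityMarkers constants are the names documented in the project's README; check both against the version you depend on.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.UUID;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.owasp.security.logging.SecurityMarkers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/**
 * Servlet filter that places the authenticated user id and a per-request id
 * into the SLF4J Mapped Diagnostic Context (MDC) for the duration of the
 * request. Any log line written on this thread can then include them through
 * the backend's pattern, e.g. logback: %X{userid} %X{reqid} %marker %msg%n
 */
public class UserContextFilter implements Filter {

    // Key names are this example's choice (assumption), not project constants.
    static final String USER_KEY = "userid";
    static final String REQUEST_KEY = "reqid";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        MDC.put(USER_KEY, userIdFrom(req));
        MDC.put(REQUEST_KEY, UUID.randomUUID().toString());
        try {
            chain.doFilter(req, resp);
        } finally {
            // Containers reuse threads: remove the entries, or the next request
            // handled on this thread is attributed to the previous user.
            MDC.remove(USER_KEY);
            MDC.remove(REQUEST_KEY);
        }
    }

    /** Authenticated principal name, or "anonymous"; CR/LF stripped so a crafted name cannot forge log lines. */
    static String userIdFrom(ServletRequest req) {
        if (req instanceof HttpServletRequest) {
            Principal p = ((HttpServletRequest) req).getUserPrincipal();
            if (p != null && p.getName() != null) {
                return p.getName().replaceAll("[\\r\\n]", "_");
            }
        }
        return "anonymous";
    }
}

/**
 * Example application code (same file for brevity): the marker classifies the
 * event and the MDC, set by the filter, attributes it to the user, without
 * passing the user through every method signature. The SecurityMarkers names
 * are taken from the project README; verify them against your release.
 */
class TransferService {
    private static final Logger LOG = LoggerFactory.getLogger(TransferService.class);

    void transfer(long amountCents, boolean permitted) {
        if (!permitted) {
            LOG.warn(SecurityMarkers.SECURITY_FAILURE,
                     "transfer of {} cents denied: insufficient privileges", amountCents);
            return;
        }
        LOG.info(SecurityMarkers.SECURITY_SUCCESS, "transfer of {} cents completed", amountCents);
    }
}
```

Register the filter for every URL pattern that requires authentication so the MDC is populated before application code logs anything.  The finally block matters more than it looks: MDC is thread-local, and a container thread pool will happily stamp a stale user id on the next request's log lines if it is not cleared.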
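Also added here (not project code): one way to capture System.out/System.err into SLF4J for the legacy case described above, using a line-buffering OutputStream so each console line becomes one log event.  The logger names are this example's own choice.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.nio.charset.Charset;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Redirects System.out and System.err into SLF4J so console output from
 * legacy or closed-source code reaches the configured logging backend.
 * Each completed line becomes one log event: INFO for stdout, ERROR for stderr.
 */
public final class ConsoleCapture {

    /** Line-buffering OutputStream that forwards each finished line to a logger. */
    static final class LoggingOutputStream extends OutputStream {
        private final ByteArrayOutputStream line = new ByteArrayOutputStream();
        private final Logger logger;
        private final boolean asError;

        LoggingOutputStream(Logger logger, boolean asError) {
            this.logger = logger;
            this.asError = asError;
        }

        @Override
        public synchronized void write(int b) {
            if (b == '\n') {
                emit();
            } else if (b != '\r') {
                line.write(b);
            }
        }

        /** Emit any partial line on close so trailing output is not lost. */
        @Override
        public synchronized void close() {
            emit();
        }

        private void emit() {
            if (line.size() == 0) return;
            String text = new String(line.toByteArray(), Charset.defaultCharset());
            line.reset();
            if (asError) logger.error(text); else logger.info(text);
        }
    }

    /** Holds the original streams so a caller can restore them. */
    public static final class Original {
        public final PrintStream out, err;
        Original(PrintStream out, PrintStream err) { this.out = out; this.err = err; }
        public void restore() { System.setOut(out); System.setErr(err); }
    }

    /** Install the redirection. Logger names "console.stdout"/"console.stderr" are this example's choice. */
    public static Original install() {
        Original orig = new Original(System.out, System.err);
        System.setOut(new PrintStream(
                new LoggingOutputStream(LoggerFactory.getLogger("console.stdout"), false), true));
        System.setErr(new PrintStream(
                new LoggingOutputStream(LoggerFactory.getLogger("console.stderr"), true), true));
        return orig;
    }

    private ConsoleCapture() { }

    public static void main(String[] args) {
        Original orig = install();
        try {
            System.out.println("legacy component started");   // logged as INFO on console.stdout
            System.err.println("legacy component warning");   // logged as ERROR on console.stderr
        } finally {
            orig.restore();
        }
    }
}
```

Two caveats.  If the backend's console appender itself writes to System.out, the captured output feeds straight back into the capture; send the backend to a file or remote appender instead.  And as the post notes, lines captured this way carry no logger name of their own, so you lose per-logger levels and inheritance; what you gain is that the console output now travels through the same signed, classified, and remotely shipped channel as everything else.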

There is a lot to cover with the platform.  Hope to see you in Rome at our session; seats are filling up fast, so register quickly.  OWASP usually provides the session content after the conference, so if you can't attend you still have an opportunity to learn more about the platform.

Additional Resources
Wiki, OWASP Security Logging Project
Lightning Training Presentation, How to Use Security Logging Presentation
GitHub Project Site, OWASP Security Logging code

UPDATE, March 10, 2018: computing technology update, Google’s Bristlecone Quantum Processor.

Throughout the week of April 11th, 2016 Stanford held its annual affiliates Computer Forum on the campus.  Participation in the forum is available to affiliate members.  If you're interested in becoming an affiliate send a note to me, see the About page.  The Stanford security forum is a great place to unplug from the day-to-day business and consider broader security challenges.  The campus is beautiful and the projects are interesting.  Attending the forum is always uplifting; I usually meet leaders from industry I know and university staff, and I always learn something new from their research.

The forum is a week long but attendees can sign up for individual days depending upon their interests.  I attended 2 days of the week-long forum.  Monday was dedicated to security.  Thursday was dedicated to IoT.  Research projects and themes change from year to year.  This year cryptography and IoT were the broad themes.  Full media from the week-long forum trails the post.

A Few Thoughts or Impressions
Following are some of the more important points I learned or points that captured my interests, not in any particular order of importance.

Why are quantum computers fast?
Traditional computers process information in bits.  A bit is either “on” or “off”, a 1 or a 0 respectively, but a quantum bit also carries an amplitude.  Remember Schrödinger’s Cat?  The cat was in a superposition of states, both alive and dead at once.  The amplitude describes that superposition; its squared magnitude is the probability of finding the cat in one state or the other when you look.  A point of some utility is that the amplitude is not a simple percentage but a complex number.  The value combined with its amplitude forms the quantum computational unit known as the qubit.  In a traditional computer, increasing the number of bits increases the word size and address space, and processing power grows polynomially.  In a quantum computer, the number of amplitudes needed to describe the machine's state doubles with every added qubit, so the state space grows exponentially.  Unlike a traditional computer, doubling the size of a quantum computer more than doubles its computational power.  The increase in computational power is due to two major factors: 1) the superposition properties of the qubit, and 2) algorithms that exploit that higher-dimensional state space for specific problems.  Quantum computers provide a different operational computing model than a traditional computer.  Rather than a serialized approach built from logic gates, control signals (lasers and radio waves) drive operations that act across many qubits simultaneously, and the qubits' amplitudes interfere with each other.  For some outcomes the interference is constructive and for others destructive.  The design of the quantum computer and its algorithms seeks to reinforce the constructive interference patterns that produce the desired results.  I realize this answer is not satisfactory for everyone.  Take a look at the presentation materials in the links at the end of the post.  Also take a look at the article, The Limits of Quantum.
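As an added note (not from the forum materials), the amplitude and probability relationship above can be written precisely.  A register of $n$ qubits is in a state

$$|\psi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x\,|x\rangle, \qquad \alpha_x \in \mathbb{C}, \qquad \sum_{x} |\alpha_x|^2 = 1,$$

so describing the state takes $2^n$ complex amplitudes, and measuring the register returns the bit string $x$ with probability $|\alpha_x|^2$ (the Born rule).  The amplitude itself is not a probability; its squared magnitude is.  Because amplitudes carry a sign and a phase, contributions to the same outcome can cancel (destructive interference) or reinforce (constructive interference), which is what a quantum algorithm arranges.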

Quantum computers not likely to replace traditional computer
Quantum computers are fast at solving specific problems for which a quantum algorithm exists.  They are not necessarily fast at solving all problems.  It’s unlikely a quantum computer will replace your desktop; however, if a quantum computer could be made small enough it could become an addition to your desktop for specialized functions (e.g., 3D graphics).

Implications for web browser security
A quantum algorithm exists for factoring large integers, Shor’s algorithm.  Web browser security (RSA, as used in TLS) is predicated on the fact that the product of two large primes is difficult to factor.  A quantum computer running Shor’s algorithm can factor such a product fast.  The same algorithm also solves the discrete logarithm problem, so Diffie-Hellman and elliptic-curve key exchange fall with it.  However, the state of the art in quantum computers today is about 9 qubits.  According to Professor Dan Boneh, we don’t need to be concerned about quantum computers cracking browser security until quantum computers reach around 100 qubits.
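To make the dependency concrete, here is an added example in Java (not from the talk or the forum materials): a toy RSA key built from two small primes, and an attacker who recovers the private exponent after factoring the modulus.  Trial division stands in for Shor's period finding; the point is only that whoever factors n = pq obtains φ(n) and therefore d.  The key sizes are deliberately tiny so the factoring step finishes instantly.

```java
import java.math.BigInteger;

/**
 * Toy RSA key pair from two small primes, then broken by factoring the
 * modulus. Trial division plays the role of Shor's algorithm here; with a
 * real 2048-bit modulus trial division is hopeless, which is exactly the
 * assumption a large quantum computer removes.
 */
public final class FactoringBreaksRsa {
    private static final BigInteger ONE = BigInteger.ONE;

    /** Recovers the private exponent d from the public key (n, e) and one factor p of n. */
    static BigInteger privateExponentFromFactor(BigInteger n, BigInteger e, BigInteger p) {
        BigInteger q = n.divide(p);
        BigInteger phi = p.subtract(ONE).multiply(q.subtract(ONE));  // phi(n) = (p-1)(q-1)
        return e.modInverse(phi);                                     // d = e^-1 mod phi(n)
    }

    /** Smallest prime factor by trial division; feasible only for toy moduli. */
    static BigInteger smallestFactor(BigInteger n) {
        BigInteger d = BigInteger.valueOf(2);
        while (d.multiply(d).compareTo(n) <= 0) {
            if (n.mod(d).signum() == 0) return d;
            d = d.add(ONE);
        }
        return n;  // n itself is prime
    }

    public static void main(String[] args) {
        // Toy primes chosen for this example; real keys use primes of ~1024 bits each.
        BigInteger p = BigInteger.valueOf(61);
        BigInteger q = BigInteger.valueOf(53);
        BigInteger n = p.multiply(q);                                   // 3233
        BigInteger e = BigInteger.valueOf(17);
        BigInteger d = e.modInverse(p.subtract(ONE).multiply(q.subtract(ONE)));  // 2753

        BigInteger m = BigInteger.valueOf(65);
        BigInteger c = m.modPow(e, n);                                  // ciphertext 2790

        // The attacker sees only (n, e) and c.
        BigInteger pRecovered = smallestFactor(n);                      // 53
        BigInteger dRecovered = privateExponentFromFactor(n, e, pRecovered);
        BigInteger mRecovered = c.modPow(dRecovered, n);

        System.out.println("private exponent recovered: " + d.equals(dRecovered));  // true
        System.out.println("plaintext recovered: " + mRecovered);                    // 65
    }
}
```

Note that the attacker never needs the key holder's p and q in the original order; either factor gives the same φ(n), and from there the private exponent follows by a single modular inverse.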

Browser security in a post-quantum computing world
Professor Boneh elaborated that post-quantum encryption algorithms remain an area of interest.  Algorithms useful in a post-quantum world favor a small prime modulus within a high-dimensional number space (dimension 1024 and up; New Hope works in dimension 1024).  The research paper Post-Quantum Key Exchange – A New Hope provides details.

TLS-RAR for auditing/monitoring SSL/TLS connections
A new protocol has been developed to audit and monitor SSL/TLS traffic.  TLS-RAR does not require terminating the SSL/TLS connection at a middlebox and establishing a new connection to the end-point.  Instead, TLS-RAR divides a TLS connection into multiple epochs.  As each new epoch is established between client and server, a new TLS session key is negotiated, while the session key for the previous epoch is released to the observer, which may be an auditor or a monitoring tool.  In this way the observer can view traffic from old epochs but cannot view or alter traffic in the current epoch.  Data integrity and confidentiality between client and server are maintained.  Among the advantages: no changes to the client are required (no new root certificates to add), and existing TLS/SSL libraries are supported.  This means TLS-RAR is compatible with a host of IoT technologies and components already deployed.

Session Media from the Forum
The following links provide access to session materials from throughout the forum.



Rob Joyce, Chief of Tailored Access Operations at the National Security Agency (NSA), presented on defending against nation states and criminals.  Joyce provided a number of tips useful for defending against adversaries.  Some points from his presentation:

  • “0-days not necessary”: persistence and exploration will get you in, so continuous defensive work is required
  • Top intrusion vectors: email, web sites, removable media
  • Use software improvements: automatic/rapid patching and anti-exploitation features
  • Use secure host [and software] baselines
  • Training: NSA trains and teaches exploitation.  Are you actively teaching defense?
  • Monitoring: if you were hacked, how would you know?  You can’t fix a problem you don’t know exists.  Incident response plans are necessary.
  • Trust: don’t allow untrusted devices within the trusted perimeter.  Example: a home computer with Steam installed brought into the corporate [trusted] environment.
  • Discriminate between nation state and criminal intruders.  Nation states select targets and are persistent in their efforts.  Criminals are opportunistic and catch the weak gazelle.
  • Specific tips: 2FA makes stealing credentials challenging; limit account privileges and super-user access; grant privileges dynamically based on location; segment the network; no passwords in scripts; defend against pass-the-hash; block sites with neutral or bad reputation.

The talk provided few surprises and was more a reaffirmation of keeping tidy systems, an incredible challenge in practical application.  While simple, Joyce’s advice is difficult to apply at scale.  Other advice creates a computing environment some users consider unfriendly.  In the end there are no silver bullets or quick fixes.  Be vigilant, keep tidy systems, and invest in your staff through education.

Did you know Oracle’s JavaOne Java developers conference has a full security track?  In “JavaOne Track Highlights: Java and Security” Yolande Poirier and David Lopez describe some of the track sessions and provide various links.  Disclosure: I lead the security track.  If you see any links on the track feel free to share and I will post them.  See you at JavaOne.

Today Tom Brennan (Twitter: @brennantom), Tobias Gondrum (Twitter: @tgondrom), and I (Twitter: @spoofzu) were all interviewed as candidates for OWASP’s Global Board of Directors.  I’m not planning to write an interview spoiler before the podcast is published but I want to follow-up with the points I introduced in the interview that make me unique as an OWASP board candidate.

Reduce gap between security practitioners and developers

For the past 3 years I have been leading security for the Java platform at Oracle.  Like many security leadership positions, my role was one of influence.  One of the improvements I made was to include a full security track at Oracle’s JavaOne conference.  Today security and development are largely considered two different disciplines, each with its own type of conference.  The challenge with the approach is that developers with limited budgets are not likely to attend a security conference.  After some thought, I considered the best way to close the gap was to bring the security conference to the developers, and the security track at JavaOne was born.  The first year of the security track I asked OWASP leaders Jim Manico (Twitter: @manicode) and Michael Coates (Twitter: @_mwc) for assistance, which they graciously provided.  I didn’t have high expectations for the first year since it takes time to build some momentum.  To my surprise, the security track did reasonably well in its first year with attendees, and today it’s the 3rd most popular track at the conference.  According to Frank Kim (Twitter: @thinksec) at SANS Institute, JavaOne is the first software developers conference to have a full security track.  I’m proud of the security focus at JavaOne but it’s my strongest desire that we start a trend and continue across industry.  I’m not so sure moving a security track into every developer conference is the right way to go, but I would like to explore different ideas to bring security closer to developers.  For instance, today B-Sides hosts smaller security conferences in the vicinity of larger security conferences.  Attendees at flagship security conferences can take in a B-Sides conference by extending their stay slightly.  Fitting two conferences into one trip is a lot easier on the budget.
Based upon the reception of security within the development community at JavaOne, OWASP can host smaller conferences alongside key developer events like JavaOne US and Brazil, JavaZone, Devoxx, FOSDEM, and perhaps other venues where .NET folks hang out.  These are the types of ideas I would like to explore with the board.
New directions for OWASP
OWASP must evolve in new directions.  I contend that even if we educated all developers on security and provided many more helpful projects, it would not be enough to impact the quality of security throughout industry that many of us desire.  Security is a business quality problem and it can’t be solved with more code or even better code.  At the moment, industry is positioned at a fragile juncture in its security journey.  Many security experts see increased government regulations on the horizon.  Others think cyber insurance will increase in popularity and the desire for the lowest rates will drive security improvements.  Still others anticipate future legislative changes imposing product liability on the technology industry.  One thing is certain: if industry fails to take action on security then it will also lose some control over its destiny.  As a trusted partner, OWASP is in a unique position to assist by forging new alliances with industry and governments.  OWASP will leverage its expertise to develop a voluntary industry-wide security program.  The program will have means to encourage systemic improvement while remaining sensitive to industry concerns.  My initial plan is a security program emphasizing a practical amount of transparency with a focus on security quality or results.  Transparency is important to ensure industry maintains confidence in its software supply chain risk profiles.  Next, a results-based approach to security provides OWASP the opportunity to influence industry while providing member companies business agility and flexibility to achieve their security objectives.  Throughout the course of the program OWASP will measure the effectiveness of this new security program against the progress of its members on security.  Based on the program's effectiveness and industry security trends, the program will be improved as necessary.  Why will industry submit to a voluntary security program?
Industry must demonstrate leadership in security with remarkable improvements or industry will be led.  Every day the cadence around exploitation increases.  Customers are demanding more visibility into the development and delivery of software products and services.  In response, businesses are demanding more insight into their supply chain security.  “Trust us, it’s secure” is no longer acceptable.  There are also significant benefits for OWASP individual members, like improved emphasis on security throughout member companies, more visibility in the board room, etc.  At first, the notion of any transparency seems unnatural, but I have been working on this for 3 years with the Java platform team.  Java is largely open source, and we provide the public with a significant amount of information around the platform’s vulnerability management.  The program fits well with OWASP’s approach of transparency in all it does, but can be applied more broadly to industry’s benefit.  I have shared some of my thoughts, but I welcome your ideas as well.
If you vote for me in the OWASP global board elections this fall you will be voting for someone who wants to bring security closer to developers and who desires to take OWASP in some new directions.  It’s an ambitious effort for both me and OWASP, and certainly I will need some assistance, but the potential benefits for members and industry are large.