About a year ago I helped some friends on a security book project, Iron-Clad Java: Building Secure Web Applications (Amazon).  As we were winding down the project we received some early printed copies of the book from the publisher.  I remembered the feeling of seeing the project in printed form.  However, when I began flipping through the pages I noticed the Foreword was missing.  A missing foreword is not a big deal.  Still, security is a really tough job for many of us.  I thought the foreword helped to call out some of the industry challenges while still keeping an encouraging message.  Following is the missing book foreword and our blooper.

***

The greatest challenge in product security today is the fact that security quality is difficult for consumers to evaluate.  A product with little security design consideration and a weak security posture discloses few, if any, outward signs of being insecure.  Software security, like performance and scalability, cannot be effectively evaluated visually and requires specialized tools and training.  In a vacuum, consumers often mistakenly assume strong positive product safety unless news surfaces to shake that confidence.  As a result, with ever increasing pressure on business leaders to be more competitive, deliver more value to customers, security is frequently marginalized in favor of delivering more direct features with tangible business value.  There’s little incentive to pursue security excellence when consumers assume it already exists.  All too often, businesses roll the dice and short product security, explaining away incidents when they occur with excuses like: “hackers are becoming more sophisticated”, “security is too difficult a problem to solve”, or “everyone has bugs”.  As the number and severity of security incidents increases, the public’s patience for excuses grows weary.   Consumers are demanding more secure information systems and more accountability from business leaders and governments.  Product security claims are no longer accepted at face value.  As we transition from an era of plausible deniability to accountability, leaders are increasingly motivated to deepen their security investments.  In the end, strong security is a choice, and it always has been.  Security excellence is no accident.  It’s purposeful, requires dedication, and role appropriate education is essential to success.

In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers.  A significant amount of thought was given to include the most useful and relevant security content for designers to defend their applications.  This is not a book about security theories, it’s the hard lessons learned from those who have been exploited, turned into actionable items for application designers, and condensed into print.

One of the best things I enjoy about the field of security is that it’s small and still possible to reach out and touch your heroes.  Jim and August are my heroes and it’s an honor and privilege to be their technical editor on this project.  The hallmarks of true experts and expert teams are: confident but soft-spoken, good listeners, secure in their abilities and not afraid to explore the ideas of others.   Teams imbuing such qualities produce results like no other and working in this environment is educational for everyone.  Working on this project with Jim and August was a tremendous privilege.  It’s my sincerest hope you enjoy this book as much as we enjoyed bringing it to you. 

Milton Smith

***
I happened to think of posting the book blooper since I noticed the Kindle Edition of the book includes the foreword and it’s the book’s one-year anniversary – Happy Birthday!  Congratulations Jim, August, Kevin, and crew.
I think it’s great that LinkedIn prompts members using LinkedIn API enabled applications about the type of information requested.  This is the minimum amount of transparency all cloud applications should present to their users, but what information is included in a connection?  Sure, “1st and 2nd degree connections”, but what does that mean?  Only a member’s relationship to another member?  Or the connection relationship along with other profile information?  Asking a LinkedIn member to share profile information for another is like asking my Mom if it’s ok for me to come out and play.  It should be each member’s choice what they want to share about their profile.  I’m open with my information but some are very private and connect only to their closest colleagues.  An easy area of future improvement is to clean up the connection sharing description shown to users.  A future suggestion: if the type of information can’t be clearly communicated to members, don’t do it.
Another area of improvement in this message dialog is to provide members some options about the type of information they are willing to share.  Today the choice is all or nothing.  Members can choose to “Allow access” or not use the application.  Essentially many applications hold you hostage on this screen.  You either hand over all your member data or you don’t get access to the application.  My concern is that applications often request much more information than they require.  I’m not against software developers asking but the user should have some choices.  If LinkedIn is concerned about their members’ privacy they should provide a checkbox next to each type of information requested.  This allows members to turn off information they don’t want to share (like personal connections) while sharing other types of information.
Today Tom Brennan (Twitter: @brennantom), Tobias Gondrum (Twitter: @tgondrom), and I (Twitter: @spoofzu) were all interviewed as candidates for OWASP’s Global Board of Directors.  I’m not planning to write an interview spoiler before the podcast is published but I want to follow up with the points I introduced in the interview that make me unique as an OWASP board candidate.

Reduce gap between security practitioners and developers

For the past 3 years I have been leading security for the Java platform at Oracle.  Like many security leadership positions, my role was one of influence.  One of the improvements I made was to include a full security track at Oracle’s JavaOne conference.  Today security and development are largely considered two different disciplines, each with its own type of conference.  The challenge with the approach is that developers with limited budgets are not likely to attend a security conference.  After some thought, I considered the best way to close the gap was to bring the security conference to the developers – the security track at JavaOne was born.  The first year of the security track I asked OWASP leaders Jim Manico (Twitter: @manicode) and Michael Coates (Twitter: @_mwc) for assistance which they graciously provided.  I didn’t have high expectations for the first year since it takes time to build some momentum.  To my surprise, the security track did reasonably well in its 1st year with attendees and today it’s the 3rd most popular track at the conference.  According to Frank Kim (Twitter: @thinksec) at SANS Institute, JavaOne is the first software developers conference to have a full security track.  I’m proud of the security focus at JavaOne but it’s my strongest desire we start a trend and continue across industry.  I’m not so sure moving a security track into every developer conference is the right way to go but I would like to explore different ideas to bring security closer to developers.  For instance, today B-Sides hosts smaller security conferences in the vicinity of larger security conferences.  Attendees at flagship security conferences can take in a B-Side conference by extending their stay slightly.  Fitting two conferences into one is a lot easier on the budget.
Based upon the reception of security within the development community at JavaOne, OWASP can host smaller conferences alongside key developer events like JavaOne US, Brazil, JavaZone, Devoxx, FOSDEM, and perhaps other venues where .NET folks hang.   These are the types of ideas I would like to explore with the board.

New directions for OWASP

OWASP must evolve in new directions.  I contend that if we educated all developers on security, provided many more helpful projects, it would not be enough to impact the quality of security throughout industry many of us desire.  Security is a business quality problem and it can’t be solved with more code or even better code.  At the moment, industry is positioned at a fragile juncture in its security journey.  Many security experts see increased government regulations on the horizon.  Others think cyber insurance will increase in popularity and the desire for the lowest rates will drive security improvements.  Still others anticipate future legislative changes imposing product liability on the technology industry.  One thing is certain, if industry fails to take action on security then they will also lose some control over their destiny.  As a trusted partner, OWASP is in a unique position to assist by forging new alliances with industry and governments.  OWASP will leverage its expertise to develop a voluntary industry wide security program.  The program will have means to encourage systemic improvement while remaining sensitive to industry concerns.  My initial plan is a security program emphasizing a practical amount of transparency with a focus on security quality or results.  Transparency is important to ensure industry maintains confidence in its software supply chain risk profiles.  Next, a results based approach to security provides OWASP the opportunity to influence industry while providing member companies business agility and flexibility to achieve their security objectives.  Throughout the course of the program OWASP will measure the effectiveness of this new security program against progress of its members on security.  Based on the program effectiveness and industry security trends, the program will be improved as necessary.  Why will industry submit to a voluntary security program?
Industry must demonstrate leadership in security with remarkable improvements or industry will be led.  Every day the cadence around exploitation increases.  Customers are demanding more visibility into development and delivery of software products and services.  In response, businesses are demanding more insight to their supply chain security.  “Trust us it’s secure”, is no longer acceptable.  There are also significant benefits for OWASP individual members like improved emphasis on security throughout member companies, more visibility in the board room, etc.  At first, the notion of any transparency seems unnatural but I have been working on this for 3 years with the Java platform team.  Java is largely open source, and we provide the public with a significant amount of information around the platform’s vulnerability management.  The program fits well with OWASP’s approach for transparency in all it does but can be applied to industry’s benefit more broadly.  I shared some of my thoughts but I welcome your ideas as well.
If you vote for me in the OWASP global board elections this fall you will be voting for someone who wants to bring security closer to developers and who desires to take OWASP in some new directions. It’s an ambitious effort for both myself and OWASP, certainly I will need some assistance, but the potential benefits for members and industry are large.

DEFCON 23 was an outstanding event this year.  I was not originally planning to attend Black Hat or DEFCON this year.  As it usually happens, the event begins to draw near, I start receiving the vendor invites.  Then my friends start making arrangements to meet.  At the last minute, I cave in, make reservations, book a flight, and I’m on my way.  I should know better by now and plan on attending Black Hat, DEFCON, and RSA every year.

This is the first time I purchased tickets directly at DEFCON as opposed to purchasing them at Black Hat electronically.  When you purchase tickets at the event you must wait in line and it’s cash only.  The line took me about 1.5 hours or so.  I was surprised the line went so efficiently since there were about 14,000 attendees.  I also made a few friends in line.  Always love to talk to people and learn what interests them, listen to their security war stories.

Photo 1: DEFCON Mosh Pit

The start of the conference was chaotic.  The halls were super crowded.  Goons (crowd control) were screaming at the top of their lungs to establish rules of the road for the hallways: stay to the right, pass to the left.  Within a short amount of time, though, order was established and the crowds moved efficiently between sessions.  In previous years the event was held at the Rio.  This year DEFCON was held at Bally’s and Paris.  I expected some confusion but the event was very efficient given the changes and number of people.   The Caesars venue would be better but it would be tough to keep the prices of the tickets down.  A DEFCON 23 ticket this year sets you back $230 US, a bargain for a technology conference these days.

Most of the value of the conference to me is spending time with my friends.  I follow the news and current events pretty closely so there’s not a lot that surprises me at conferences these days.  However, I’m always learning new things from my colleagues.  If you ever think you’re an expert, and you may be, you will be humbled when you meet other experts in their field at these events.  This was the case for me when I got to meet Renderman this year.  Renderman presented on ADS-B, an air traffic telemetry protocol, in a DEFCON 20 session entitled, “DEFCON 20: Hacker + Airplanes = No Good Can Come Of This”.  His work was particularly interesting to me since I did a similar project on the Raspberry PI platform, “Tracking Aircraft on the Raspberry PI”.  At the time I did my project I didn’t know about Renderman’s project.  Anyway, I got to meet Renderman and he introduced me to his friends.  It was shit tons of fun to hang at his table for a few mins and meet his friends.  That’s what DEFCON’s all about to me.  Meeting old friends, making new friends, and learning some new stuff.  I made another new friend purely by chance, Adam Shostack, Photo 2.

Photo 2: Adam Shostack

Adam was meeting one of my friends from Oracle’s Java Platform team I happened to be having lunch with, Erik Costlow.  Adam has an incredible book on threat modeling, “Threat Modeling: Designing for Security”.  This is the go-to resource for threat modeling and reference.  I have a copy on my shelf.  Adam was working for Microsoft at the time when he wrote his book but he’s now striking off on his own business venture.

Photo 3: Robert Hansen

I also met several vendors like Whitehat, Denim, Cigital, and more.  Robert Hansen, Photo 3, works for Whitehat these days but I’ve known him for years.  Interesting to learn about the projects and challenges everyone’s working on.  In a conversation with another unnamed researcher, I mentioned how I didn’t appreciate the US government using security conferences as a platform to push their political security agendas.  The researcher mentioned that he understood but said that many of the researchers are working or have worked for the government.  In fact, darktangent, the conference founder, works for DARPA, a government group.  Also that the government is comprised of many different agencies, each with different viewpoints and moral compasses.  There really is no single point of view.  He makes a good point but I’m not sure I subscribe.  Still we can’t give up on our government and we can’t acquiesce.  Security and privacy is one of the largest unrecognized social concerns of today.

As I mentioned I did not attend Black Hat this year but I did find the keynote online.  Interesting listening to darktangent and Jennifer Granick talk about the larger social issues around security and privacy.

There is also a DEFCON documentary you may want to see.  Next, is probably the world’s shittiest horror movie ever.  After returning from the conference I turned on the TV.  Purely by chance my TV was tuned to Chiller TV and Feast 3: The Happy Finish (jump to 26:00mins) was playing.  How do you unwatch something?  Please tell me.  ;o)

DEFCON 23 Online Receipts

I end this post with a few funny or interesting photos from the event.  Incidentally, an artist by the name of Mar Williams does most of the artwork for DEFCON.  Check out his web site, sudux.com.

Photo 1: exploded thumbnail

Today I was using LinkedIn and noticed a message was posted about the upcoming Black Hat and DEFCON security conferences in Las Vegas.  At the bottom of the person’s post there are a bunch of thumbnail images of contacts we both have in common.  If you have browsed a few articles on LinkedIn you probably have seen these thumbnails before.

Photo 1 is the result of hovering my mouse over one of the contacts at the bottom of the author’s post.  These are the contacts we have in common.  Again, nothing new here, you have probably seen this before.  I noticed in the exploded view, the HTML entity tag for ampersand, circled in red, looked out of place.  At first, I was thinking perhaps this person entered the entity tag directly.  Some people online enter some strange stuff to get your attention, especially security people.

When I opened the person’s profile, Photo 2, I noticed the ampersand was shown, not the entity tag.  What can we do with this knowledge?  Well probably not much, at least just yet.  The point is there is a bug in LinkedIn application code that is screwing up escaping of entity references.  The code is getting confused between HTML code and characters the user types from the keyboard.

Photo 2: profile view

Why is the confusion between the characters we type and HTML code important?  It’s precisely in the area of escaping and character encoding where we find Cross-site Script Injection (XSS) vulnerabilities.  XSS is not anything new, and it’s listed as A1 on the OWASP Top 10 for good reason: it’s pervasive.

In this LinkedIn example, the ampersand is likely a programming bug and nothing more.  We can’t do much with an ampersand that’s changed to an entity reference.  However, if it were possible to include code within our tag lines, it may not be properly escaped and could be improperly rendered.  Of course, the code would have to be short since there are limitations to the number of characters that can be stored in a tag line.  If a vulnerability could be found here, the benefit to an attacker is that they can hijack the browsers of LinkedIn users who view the exploded thumbnails, Photo 1.  On a site like LinkedIn this is probably a lot of users.
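
One way the symptom above arises is text being escaped twice on one code path and once on another; the sketch below is an added example, not LinkedIn code, and shows that case next to the opposite mistake (no escaping) with a check that tells them apart.  The function names and sample tag lines are constructed for illustration.

```javascript
// Added illustration, not LinkedIn code. Function names and the sample
// tag lines are constructed for this example.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };

// Escape untrusted text for HTML element content or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Stand-in for the browser's parser: decodes exactly one level of the
// entity references produced by escapeHtml.
function browserDecode(html) {
  return html.replace(/&(amp|lt|gt|quot|#x27);/g, (_, name) => DECODE[name]);
}

// Profile view: raw text is stored and escaped once, at output.
function renderProfile(tagline) {
  return `<p class="tagline">${escapeHtml(tagline)}</p>`;
}

// Hover view, bug A: text was already escaped when stored, then escaped again.
function renderHoverDoubleEscaped(tagline) {
  const stored = escapeHtml(tagline);
  return `<div class="hover">${escapeHtml(stored)}</div>`;
}

// Hover view, bug B: the opposite mistake, no escaping at all.
function renderHoverUnescaped(tagline) {
  return `<div class="hover">${tagline}</div>`;
}

// Strip the single wrapper element the renderers above emit.
function innerHtml(html) {
  return html.replace(/^<[^>]+>/, '').replace(/<\/[a-z]+>$/, '');
}

// What a reader would see on screen (only meaningful when no markup leaked).
function visibleText(html) {
  return browserDecode(innerHtml(html));
}

// Regression check: render a canary and report how the view treated it.
function classify(render, canary) {
  const inner = innerHtml(render(canary));
  if (inner.includes('<')) return 'markup-injected';   // user text parsed as HTML
  const once = browserDecode(inner);
  if (once === canary) return 'ok';                     // escaped exactly once
  if (browserDecode(once) === canary) return 'double-escaped';
  return 'unknown';
}

const CANARY = 'Security & Java <b>fan</b>'; // constructed, harmless markup
for (const view of [renderProfile, renderHoverDoubleEscaped, renderHoverUnescaped]) {
  console.log(view.name, '->', classify(view, CANARY));
}
```

A tag line in which the member really typed the entity reference still classifies as `ok` on the profile path, which is how the two explanations considered in the post can be told apart.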

In closing, I am not showing you LinkedIn vulnerabilities.  I have no idea if there is a vulnerability in this code.  In fact, I don’t want to know.  I have conducted no testing against these interfaces or used any tools.  All I have proven is that there’s a program bug and we can write blog posts about bugs safely online.  Security begins by noticing what’s around you.

See you at DEFCON next week!

First things first, what the hell is Internet of Things (IoT)?  Very simply, the IoT movement intends to connect a wide variety of electronics, embedded devices, and sensors to the Internet.  As a practical example, some makers of city street lights have Internet enabled their bulbs.  On the surface, Internet lightbulbs appear as useful as Internet connected refrigerators but a distinct advantage is that these bulbs will alert a central office when replacement is necessary.  In a city with hundreds, or thousands of street lights, a proactive message of an inoperable light eliminates significant effort driving around to check bulbs.  Even in the mundane case of the refrigerator, if Internet enabled, new water filters could be ordered before needed, saving homeowners some trouble.