Wednesday, May 11, 2011

Protecting Web.config Files

Just a heads up that you want to be careful when changing web.config files around. Like you, I like to put .old or .bak or something on the end of files sometimes so it won’t be used by the system and so I have a backup in case I want to revert back to that version. One nice thing ASP.NET does for you is not allow .config files to be pulled up directly in a browser. It blocks requests for files ending in ".config". However, IIS/ASP.NET does not protect .old and .bak the same way. It will be served up unless you turn that extension off in other config files and IIS. There are your sql connection strings in plain sight (most of us don’t encrypt the connection string section in all cases like we should). Better to just make a local copy and make sure you don’t have any remnants, test files or backups in Production.

The first step in hacking a site is getting the layout and landscape. They will find your .txt files with code segments, your .old and .bak files, etc. Don't make it easy for them...keep that stuff off of your production servers, internet and intranet.

Thursday, February 17, 2011

BBC Sites Injected with Nasty IFRAME

An article in Dark Reading today tells about a nasty attack on two BBC sites that has an IFRAME injected onto the site that downloads nastiness to your computer, and only 20% of the anti-virus software packages catch it. OW!

Read the article

Key thing is injected. It almost makes it sound like BBC is a victim, doesn't it? "Hey did you read how the bad guys injected this nasty code into two BBC sites?" Folks, in a sense they ARE a victim, with an unwanted set of code put there by some 3rd party. But um, hello??!! YOU LEFT THE DOOR OPEN!!

When you read the word "injected", think "unwitting developer leaving a wide open door for hacker to put stuff on their site". BBC...surely lots of developers, a few development managers, must have some infosec and compliance people. And a hole like that is left open?

Maybe it was a tricky hole or something really brilliant that got around the standard defenses. But I have a hard time thinking that is the case.

In any case, the developers left a hole open.

So my question to you is:

How many headlines will it take before you change your code?

Don't wait until you ARE the headline...

Sunday, February 13, 2011

Developers don't know $#!t about security

"'Developers don't know shit about security'. That may very well have been the most retweeted quote from the 2011 #OWASP Summit." That is a quote from a blog from a big name at the OWASP Summit.

It is an interesting read for sure. I am not sure how to take it. I guess at first I was a little shocked and humbled that InfoSec folks make fun of devs like me. I do realize we know so little about security and they know so much. And I appreciate the blog's point that InfoSec folks should learn more about software development and our unique challenges to get product out the door. But to hear that I am part of a running joke (outside of the ones I know about in my own office)...that stung. And it reminds me how much work we have to do.

I still insist it is all about educating the developers. I didn't know what I didn't know, until I decided to study up on it. 95% of the devs won't study up on security when LINQ, HTML 5.0, and lots of new and sexy technologies are there to learn. We are good at learning the tools of our trade. Security? Isn't that what InfoSec is FOR?

We aren't bad people, or lazy...well for the most part. We put our best foot forward and want to make a good, sellable product. We want the glory. Show me a negative headline with my name in it and suddenly I will pay attention. Show us how the dev down the street, from our own user group, got bitten and now their company is under fire in the press and by customers or shareholders. Whoops! Wake-up call!

It is going to have to come from the developers since we won't listen to InfoSec folks (they don't get us, they just want to box us in, etc). I can't do this alone. Are you willing to step into the gap and point out the elephant in the room?