Thursday, August 5, 2010

Quiz #1 - SQLi

OK...it has been a while since I've posted...been busy! One good thing out of this time away is my passing the GSSP-.NET certification earlier this week. Yay me! Honestly, though, if you are a .NET developer for Windows or Web you need to take this exam. 100 questions that cover everything from SQLi (SQL Injection) and other web attacks to how to put appropriate Code Access Security (CAS) on your DLLs and EXEs to how .NET security policies are set up for proper permissions to be granted on your apps.

Since I am in test-taker mode, I decided the best things to post right now are some questions based on what you should know. If you get the questions wrong, don't worry but instead dig in a little and learn why. Find out what the hackers already know!

So, quiz #1 will be on SQLi. Feel free to post your answers and I will let you know what the answers are in a few days or so. I will not post your answers until I have enough there to post them. No fair having some smarty pants get the right answer before you've even read the question, and then you see her/his answer in the comments, right?

Q1. Parameterized queries are 100% effective against SQL Injection. True or False. (Nothing like starting off with a holy war sort of question, huh?)

Q2. If you can't do parameterized queries, then you can do stored procedures in the database. They offer you the same level of protection. True or False. (hee, another holy war sort of question)

Q3. Neither is perfect, but which is better for validation: black-listing or white-listing? (Black-listing is looking for malicious characters/strings and removing them. White-listing is telling the app what you expect and denying everything else.)

Q4. If you thoroughly validate your input then you should be fine. True or False.

Q5. Removing single-quotes from input data is an effective means of preventing SQLi. True or False.

and last one:

Q6. SQLi defense is like chasing a wind: by the time you figure out what to do it shifts and you have to do something else to protect your apps. True or False.

Good luck! I am very interested in your answers! Those that answer all six correctly will win a free round of applause from me.
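As an added illustration of the mechanics behind Q1, Q3 and Q5 (example code written here, not the author's, using a constructed SQLite table), the same lookup done by string concatenation, by parameter binding, with single-quote stripping in a numeric context, and with a whitelisted sort column:

```python
import sqlite3

# Constructed sample schema and rows for this demonstration (an assumption, not
# anything from the quiz post).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_concat(conn, name):
    # String context built by concatenation: the input becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Parameterized: the driver binds the value, so it is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def strip_quotes(text):
    # The "remove single quotes" mitigation from Q5.
    return text.replace("'", "")

def lookup_by_id_concat(conn, id_text):
    # Numeric context: the literal needs no quotes, so quote stripping has
    # nothing to remove from an input such as "0 OR 1=1".
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(id_text)
    return [row[0] for row in conn.execute(sql)]

ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_sorted(conn, column):
    # Identifiers (column names) cannot be bound as parameters, so a whitelist
    # (Q3) is the check that applies here.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % (column,))
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]

if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print("concatenated:", lookup_concat(db, payload))   # all three users
    print("parameterized:", lookup_param(db, payload))   # []
    print("quotes stripped, numeric:", lookup_by_id_concat(db, "0 OR 1=1"))
    print("whitelisted sort:", list_sorted(db, "name"))
```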

Friday, July 16, 2010

"Why Can't Johnny Develop Secure Software?"

What a great article from darkreading.com. It points out what I've been saying all along and has some nice insight too. Not that I need or want validation -- I know the truth about developers and the lack of secure programming -- it is just nice to see bigger names and bigger press about the issue. The more we see about this, the more likely things are to change.

Best quote of the article:
But nearly all experts agree that no matter how strong the training effort, the average developer will never be very security-savvy. "They're always going to be more focused on code quality and trying to meet their deadlines," Sima says. "If I'm a developer, as soon as I've been assigned a project, I'm already behind. If there's a faster way to do something, they're going to take it, because for them speed is more important than security."

Wednesday, June 16, 2010

XSS/CSRF Webcast

Just to help keep you learning about this stuff, here is what sounds to be a really great SANS webcast on XSS and CSRF "taking over the world". Seriously, you have to hear stuff like this one. If it is anything like what it sounds like it will be, it will be worth it to have the pants scared off you. Yeah, sure, watch it nowhere near coworkers then...it is rough to pick up your pants around them and have to explain your being scared.

But seriously, the whole battle is to keep yourself educated and acting on what you learn. I am telling people "CSRF is scary and should be taken seriously". It is #5 on the OWASP Top 10 Risks for 2010, but for me it is #3, behind XSS then SQLi. And I know, I switched XSS to #1. Injection is a huge risk, but XSS is the foundation behind all these crazy attacks. Stop XSS and a boatload of attacks are stopped.

In a New England GiveCamp talk I gave to developers and non-profits over the weekend, one attendee asked about how to stop the attack where they drop off mini VNC on your machine. I have to reiterate here -- I don't care what they drop off and I don't stay on top of what the flavors of attack are. It is irrelevant, frankly. The question was a good one, and I'm not in any way knocking his train of thought. But step back for a sec and see that these dangerous things are being left on our sites through an open door. Stop XSS and they can't do that anymore. We have to stop looking at who is knocking on the door and trying to figure out if they are a good guy or bad guy. Stop XSS and deny whatever isn't whitelisted on your site. Be a good maitre d' and only allow in those folks on the list, whether during input validation or some other function of input.

Speaking of GiveCamp (#negc2010 on Twitter), it was a very rewarding and satisfying experience as a web developer. But I have to admit I was disappointed in the turnout to my talk. Granted, people were cranking on Saturday morning at 9 am...but take 30-40 min to hear about web security, right? Out of the 150 or so people there, I think I had 10. I didn't count but it was around that. Security just isn't given the nod it needs to have, and we will continue to code crappy software. That being said, I know the folks on one team and they are security-conscious and really didn't need to go. But how many others built sites that fall short?

All I know is I better not hear excuses...

Saturday, June 5, 2010

Devs Should Be Primary Security Contact

Great article on DarkReading.com -- http://bit.ly/90vL9Y

The core of it is to have devs be in charge of security for a web app. Horrors!! Well, given today's developers, that is one scary and risky thing. But I am all for it. Find the right person, full of energy and willingness to stay on top of web app security trends and you have probably the BEST ally for your security conscious needs.

Here's why -- a) no one knows application development like a dev. Your security analyst can't read all your code and know where a hole might be. b) A good dev can talk to security guys and find a way to meet their needs from a development perspective. c) A dev will always get the ear of the other devs. It might take pulling teeth to get the other devs to code securely, but it is sure a better chance than some security analyst or CISO coming in and dictating how they should code! (It's bad enough our project mgt, marketing and PR folks already think they can dictate site design and code to us, as well as the deadlines to meet their needs.)

Companies serious about web application security need to train their developers, pick the best of the bunch and make them security analysts for web projects. It is one of the best ways to ensure secure apps.

Wednesday, June 2, 2010

Lightning in Your Cloud Tag Widget

There is a crafty little XSS hole in the tag cloud widgets of several big-name content management systems. It takes advantage of Flash files that allow arbitrary HTML tags to be injected...sigh.

Affected platforms: WordPress, Joomulus, JVClouds3D, Joomla and Blogumus, as well as BlogEngine.NET and Kasseler CMS.

Read the article on it

So be careful what you put out there...encode it before you just slap it into your handy-dandy cool cloud tag thingy.