Security in Apps Becoming Mainstream

Interesting article in DarkReading the other day about app security becoming part of the enterprise for software development.

It appears that folks are getting the first part of the solution, which is a nice start. Well, ok, we'll say the second part. The first part is really listening. Many of us aren't even there yet. The next step is to realize it needs to be part of your development process.

So here is what happens: you are in the dark, you hear about the issues for the first time and think "oh crap", you then panic and make all your developers get trained and stop 100 different things, they burn out and argue with you and it falls apart a bit. Take a quote from the article:

Sima also argues that too many firms ramp up their secure development programs too quickly. While training developers to write more secure code is a good thing, project managers should not go overboard, he says. Rather than try to tackle the top 10 or top 25 software issues, companies should instead take a small bite.

This is GREAT advice. As I have mentioned in previous posts, just learn about XSS and SQL Injection. Learn about them -- what they are, how they work, how to stop them. And then act on what you know. Taking care of those two alone will stop about 70% of all web attacks on your site.

Don't even tackle the top 10. Read up on them. Then tackle XSS and SQL Injection. Get your feet wet while you stop 70% of the attacks. Then move from there to CSRF, Authentication issues, Session issues and lots and lots of other things.

---

Just so you know, I can help you too. I am happy to work with you to train your .NET developers, or do code reviews or just consult with you on next steps. Drop me a note at greg@bangordevelopers.com and I will be happy to show you how easy it can all be.

Lots Going On

I'm back after a month hiatus or so. Figures I'd get too busy to blog right as so many juicy "write about me" sort of things happen. To be honest, I hope you've wondered what my take is. Not that I'm some security guru, or the man in the know, but because it means you are interested in this stuff and realize I am too, wanting to hear more about what I am seeing from the trenches.

Either way, here is my take on the last month, plus a peek at what is coming down the pike/pipe.

ASP.NET Oracle Thingy

So this was a biggie for .NET developers, ASP.NET developers in particular. As you likely know by now, it had nothing to do with Oracle Corporation or any of their technology. I won't explain what it was, since others have done better than I ever could. The vulnerability hit the internet blog posts mid-September and a fix was in place soon after. Microsoft ranked it as a big deal, though my first glance at it was no big deal. I still think they made it a bigger deal than it needed to be, but honestly it was refreshing to see such movement and activity on it. So why didn't I think it was a big deal? It was something that would take some time to exploit. Sure, the payloads of web.config files and all that would be worth it, but it takes quite a bit of exploit attempts to get the thing to work.

Now, to play the other side of things, which I enjoy doing as well, I REALLY hope you have applied the patch Microsoft gave you for your servers! My lack of whizbang about the issue doesn't mean I find it something to ignore. In fact in this case it is the opposite. The noise and commotion over this vulnerability makes hackers go "ooooh, pretty lights..." and head TOWARDS the issue. If they weren't trying it before, they sure are now. I have no formal study-borne proof of my assertion, but I know human nature. Didn't it cross your mind just a little as to whether YOU could execute it? I did mine. I thought it would be cool to write a routine that ran through some stuff and tried it over and over, even if only on my localhost. The truly bad guys/gals are too. And for some reason this exploit seems accessible to novices...it isn't all complicated I guess.

Anyway, PATCH YOUR SERVERS if you haven't already.

Lots Of Us In The News

Ok. So not me and likely not you. But we have to understand that though it was "them", "thems is us". How close are you or me from being a negative headline? In the last month news broke about healthcare data compromised, bank accounts broken into, Twitter hacked using onMouseOver javascript to send you to your favorite porn site faster, Twitter had a password-stealing phishing scam hit many people including CNN anchor Rick Sanchez (though it was a rather amusing hack), Facebook had at least one notable issue, and the SCADA attack showed us how subtle, intense and intelligent pockets of the hacker community are. The SCADA one in particular causes me anxiety. Facebook, Twitter, etc...close your holes already and adjust with the zillions of people who are on your systems. Not that these were avoidable in every case, but keep being diligent on closing holes. If you are popular then you are a huge target.

The SCADA one, however is different. Getting people to download a piece of software silently by just visiting a website, having your machine attack a single system in a concentrated effort, knocking that system down and still not being sure who attacked it...that to me is scary. Now, granted, where did it all start? Getting people to download software. They can either be silly enough to just surf to random sites where the software sits, or it is a good site that they go to that is silly enough to not close its holes. Again, Cross-Site Scripting and SQL Injection can really put the hurt on and allow lots of other attacks get the foothold they need to go forward.

Looking Forward

I don't like to look too far forward in this field. It is a lot harder to predict than general technology or programming. But this is so clear and getting clearer every day. What is happening is that hackers are looking more at the application layer and developers are lagging more than ever. As we educate the good guys, we point out our flaws to the bad guys. And frankly, they have more to gain in attacking than we do in defending. Defense costs money and if you do it right you have nothing to show for it. "Hey boss! I need a raise! Nothing has hit us for a year!" Uh, yeah. Unfortunately, if nothing has hit you, it could be you are really good at defending or that hackers just haven't given you the time of day yet.

I am predicting a higher use of CSRF and that is coming to pass. I am also predicting that we are just seeing the tip of the iceberg on successful, intelligent attacks. SCADA, though somewhat complicated and highly organized, wasn't all that difficult. We still have the easy holes to plug. Once we plug those, and I don't know that we ever will completely, they will be a few steps ahead of us, ready and waiting with more complex attacks. I'm a glass half full guy, really I am, but the state of software security has me wondering WHEN not IF a large full-scale attack will wipe out the internet for an extended period. The bad guys are already taking our money from our accounts, stealing data from our companies, attacking our systems and they already are doing it rather silently. They are growing in understanding and savvy. We aren't. We aren't. We aren't.

Our bosses still expect us to make our sites 100% secure (impossible), and they are not training the rank and file developer on security. "You are the security folks. I count on YOU." But we can't follow every developer and do code reviews...it isn't feasible. We are still building crappy software and sites full of holes. And if you aren't even sure what the holes are in your code, shame on you but you aren't alone. Let me know if I can help. I am willing to educate you, point you to awesome training materials and sites, look at your code, build something for you. It really is time to get off the sidelines.

CSRF On The Rise

If you have heard any of my talks in 2010 you know how scary CSRF (Cross-Site Request Forgery) is and how I think it will be taking off and going from #5 in the OWASP Top 10 to #3 (hard to top SQL Injection and XSS at #1 and #2). It hasn't gotten a lot of press, and there hasn't been a ton of action on that front by the bad guys...yet.

But this week an article in DarkReading about CSRF came out that shows it is starting to increase. My comment at the bottom of the article should sound familiar to those of you watching this blog (I think there are 4 or 5 of you out there, right? ) -- the press and the noise is still about patching and server-side, network-facing solutions. They are band-aids and stitches fixing holes that will continue and continue until developers learn to code more securely.

"Blah blah blah" some of you may be saying. "Same old same old. Show us something more, Greg." Well, if you thought that, or said it out loud, I have to ask "Are you actively coding against SQL Injection and Cross-site Scripting?" If you are, and my spiel sounds old, then it is time to move on away from here. And CONGRATULATIONS, Grasshopper! You have become a better developer and that is a success for us both in my book!

For the rest of you, please dig in. Read my previous posts and go to sites like OWASP and ha.ckers.org and see how to code against SQL Injection and Cross-site scripting. These two things alone will help us all.

So what about CSRF? What can I do about it? The short answer is that the hole is plugged at the destination of the attack, and that is by validating all actionable requests thoroughly. Huh? I will do more posts about CSRF, what it is, how it works, but in general it is that you have to make sure requests come from someone you know already, that has logged in and has a specific signature or footprint so you know every request that comes from that person. Analogy time -- if someone came to your door, 6 ft and blonde, and hands you their username and password, then you can generate a ticket and session for them. If someone 5' and brunette comes to the door with the first person's ticket, is it the first person? Obviously not, but our web servers only look at the ticket! If you have the ticket you MUST be the right person. Ouch! This is what makes CSRF work, executing an action on someone else's behalf. So the solution is to look for the 6ft blonde on each request using that ticket. For you .NET folks that solution is via the ViewStateUserKey. ViewStateUserKey can be set to the session id of the current user and that will be enough to show the server it really is the right person. The hacker won't have viewstate in a link, and if they try to create a whole form to do the work it won't have the current session in it. Ahhh...much better! (Side note about it not being perfect found in this article.)

So now maybe I will have to harp on proper CSRF coding as well as SQLi and XSS...

XSS/CSRF Webcast

Just to help keep you learning about this stuff, here is what sounds to be a really great SANS webcast on XSS and CSRF "taking over the world". Seriously, you have to hear stuff like this one. If it is anything like what it sounds like it will be, it will be worth it to have the pants scared off you. Yeah, sure, watch it nowhere near coworkers then...it is rough to pick up your pants around them and have to explain your being scared.

But seriously, the whole battle is to keep yourself educated and acting on what you learn. I am telling people "CSRF is scary and should be taken seriously". It is #5 on the OWASP Top 10 Risks for 2010, but for me it is #3, behind XSS then SQLi. And I know, I switched XSS to #1. Injection is a huge risk, but XSS is the foundation behind all these crazy attacks. Stop XSS and a boatload of attacks are stopped.

In a New England GiveCamp talk I gave to developers and non-profits over the weekend, one attendee asked about how to stop the attack where they drop off mini VNC on your machine. I have to reiterate here -- I don't care what they drop off and I don't stay on top of what the flavors of attack are. It is irrelevant, frankly. The question was a good one, and I'm not in any way knocking his train of thought. But step back for a sec and see that these dangerous things are being left on our sites through an open door. Stop XSS and they can't do that anymore. We have to stop looking at who is knocking on the door and trying to figure out if they are a good guy or bad guy. Stop XSS and deny whatever isn't whitelisted on your site. Be a good maitre d' and only allow in those folks on the list, whether during input validation or some other function of input.

Speaking of GiveCamp (#negc2010 on Twitter), it was a very rewarding and satisfying experience as a web developer. But I have to admit I was disappointed in the turnout to my talk. Granted, people were cranking on Saturday morning at 9 am...but take 30-40 min to hear about web security, right? Out of the 150 or so people there, I had I think 10. I didn't count but it was around that. Security just isn't given the nod it needs to have, and we will continue to code crappy software. That being said, I know the folks on one team and they are security-conscious and really didn't need to go. But how many others built sites that fall short?

All I know is I better not hear excuses...

Facebook (in)security, Heartland settlement with MC, more SQLi woes

Ok ok...facebook and privacy are not related words these days, except in headlines. I feel bad for facebook as they have a good service that truly is connecting people together. But come on. You are this hot service, you gotta have an idea that the target on your back is pretty freaking huge. Every big name gets a big target...it's a law somewhere I think. Yeah, you snicker, but when you get big I hope your doors are locked too ;-).

So a CSRF flaw in facebook is allowing hackers to delete your friends. (Cool if they could silently delete those we hid for being annoying, overwhelming or just plain whacked.) They knew this flaw existed. It took them a while to fix I guess. The same flaw exposes user's birthdays and other private data...even if marked as private. Oh joy! As if their own exposing of your info to third parties by default wasn't bad enough. I'm going to add a poll to see if anyone of you is going to leave facebook for privacy reasons. Note, though, that they came out this week with news about a slew of new privacy options to make it easier to do big ticket privacy items. Now if they close the security holes to make sure what they intend is actually what happens...

Heartland, having already been whacked with over $60 million in settlement fees (that is just the fees to Visa and Amex...never mind lawyers fees from lawsuits, PR fees, etc etc etc) was just hit with the Mastercard settlement...another $41.4 mill. So over $100 million in settlement fees. Anyone want to figure out if you have that in your bank accounts just waiting to be thrown away? Gone. $100 MILLION. Due to mistakes in coding. Due to devs LIKE YOU AND ME not closing XSS and SQL Injection holes. Do you really want to be part of the team causing a headline like that? Close the holes! Need help? Send me an email (greg@bangordevelopers.com) and I will help you get to where you need to be.

Need more web security problems in the headlines? profiles.fring.com has some CSRF holes. Some SQL injection: "A Dutch transit website has been shut down after authorities were presented with evidence of a demonstration that allowed an attacker access to the personal information of 168,000 passengers." read the article

Shoddy passwords, data stolen, sites wiped out, hacking is becoming child's play. This is no one's fault but us as developers. There is no excuse for leaving a site open to XSS, SQL Injection or CSRF.

Not sure how to plug those holes in ASP.NET? See previous posts about it or read up on it at http://www.owasp.org or call me and I'll be happy to come in to do a training or have informal brown bag discussions with your developers to get them on the right track. We have to be in this together! Close those holes and make no more excuses!!

OWASP Top10 Final Copy Released

OWASP (www.owasp.org) just released the final version of their Top Ten Risks for 2010 document. For those of you that have seen my talks on web app security, I was working off the Release Candidate so you will want to read up on this final version.

http://www.owasp.org/index.php/Top_10

CSRF Big Deal or Not?

Great blog post about CSRF and whether it is a big deal or not.

http://ha.ckers.org/blog/20100414/csrf-isnt-a-big-deal-duh/

You have to read this and then read all the comments. Great feedback plus back and forth by folks in the field. The important thing is to keep this topic and others in our minds, and share the knowledge with other developers. Only you can prevent forest fires...wait, I mean, web attacks.

About eBay Vulnerabilities

So mid-February it was announced that eBay had some exploitable parts. Not cool! Guess what they involved? One had cross-site scripting (XSS) and another had SQL Injection. A third, that may still be unpatched, is a cross-site request forgery (CSRF) hole. Huh. Surprise surprise! These are the top holes, and have been railed about for years, literally. And here is another example of a big company with lots of developers with those old holes in place. Granted CSRF is tricky and sorta new, at least newly being exploited. But XSS and SQL Injection? Wow. The holes were in rather non-standard pages, but doesn't the mini basement window at the back of your house still get you in, where you can unlock the front door from the inside?

No more excuses! Patch those holes BEFORE you become a news headline! Oh, speaking of which: http://www.esecurityplanet.com/headlines/article.php/3866011/eBay-Vulnerabilities-Found.htm

Here is a good paper on what the top holes are and how to fix 'em: http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf. And in the coming weeks I'll give a full explanation of SQL Injection and CSRF to help you if you need it.