Friday, 26 February 2010

Security Digest #6

February Rollup

Finally, some late breaking items of News...

USA To Lose War

Mike McConnell, the USA's national intelligence director from 2007 to 2009 under the Bush Administration, claimed on Tuesday that if the US became involved in a cyber war today, it could not win. Testifying before the US Senate Commerce, Science, and Transportation Committee, he stated "We're the most vulnerable. We're the most connected. We have the most to lose."

According to a report from InfoWorld, he thinks that nothing will spur the government into action short of an attack with catastrophic consequences. "We will not mitigate this risk," he says. "We will talk about it, we will wave our hands, we'll have a bill, but we will not mitigate this risk."

McConnell was speaking five days after a simulated cyber attack, an extensive scenario designed by Former CIA Director Michael Hayden, was staged with the ballroom of Washington's Mandarin Oriental Hotel in the role of Situation Room. The attack started with a free March Madness smartphone app, activating malware to incapacitate cell networks, landlines, and the Internet, finally bringing down the entire East Coast electrical power grid. Commerce ground to a halt. Air traffic was thrown into chaos.

The verdict, when the dust cleared: the attack was "...neither deflected, nor mitigated to an extent that would avoid considerable impact on the everyday life of citizens."

Meanwhile, Ryan Singel at Wired has, unsurprisingly, a rather different viewpoint from McConnell; in the interests of balance, be sure to read his "Cyberwar Hype Intended to Destroy the Open Internet" here.

SDL Coverage Note

A cool footnote to the CWE/SANS list of the 25 most dangerous coding errors: Michael Howard, one of the principal security program managers on Microsoft's Trustworthy Computing (TwC) team, reports here on how fully these errors map onto the processes and tasks prescribed in the SDL.

Just as it was last year, once again the coverage is exemplary:
  • Every error on the list is covered by at least one SDL requirement.
  • Almost every error is also covered by either (1) an automated SDL verification tool, or (2) a secure coding library.
This evaluation exercise is becoming a tradition both at Microsoft and elsewhere, and security professionals have certainly begun to treat this list as one de facto standard for comparison of vulnerabilities and mitigations, though neither unanimously nor exclusively.

For Microsoft, Bryan Sullivan in May 2008 analysed the OWASP Top 10 most important web application security issues, finding the SDL already equipped with: XSS detection and prevention tools; guidance for preventing SQL Injection attacks; cryptography requirements, including mandated cryptographic algorithms and key sizes; and other resources directly addressing these issues. Then last year he did the same for the SDL and the CWE/SANS Top 25, that time finding all 25 "Most Dangerous Programming Errors" covered by SDL requirements in the areas of education, threat modelling, tools and/or manual processes - and all but two covered by multiple areas.

Michael's 2010 update contains the interesting observation that even such a programming error as CWE-98, "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", receives SDL coverage in "our required security training classes, which is especially remarkable when you consider that virtually no PHP code is written at Microsoft!"

That's what you get for structuring the SDL to provide basically sound, secure programming practices, rather than just adding rushed mitigations to security processes when a new vulnerability taxonomy appears. You get protection against vulnerabilities not yet on the list.

Watcher Of The Web

IE8 Security Program Manager Eric Lawrence's Fiddler is an increasingly popular freeware Web Debugging Proxy, extensible via any .NET language. It logs and inspects all HTTP/S traffic passing through it, and its event-based scripting subsystem supports breakpoint-assisted debugging and custom handling of individual requests and responses.

Within its community of support tools, Casaba Security's Watcher plugin, a passive vulnerability scanner, is perhaps unique in the extent to which it integrates and keeps pace with the SDL. In fact at the time of writing, there are still multiple SDL requirements and recommendations for which Watcher provides the only automated tool support available (link goes to an SDL guest article about Watcher's features - by Casaba's Chris Weber).

Well, Watcher has just been improved again. Version 1.3.0 adds integration with the SDL and MSF-A+SDL templates, optionally including result exports to TFS, and can show you which of its tests map to which SDL requirements and/or recommendations. Several new XSS tampering checks have been incorporated. Cross-domain analysis is also improved: every domain seen in a response is now treated as an origin in its own right.

Most impressive is the early inclusion of new checks for the insecure ViewState issues recently reported by Trustwave's SpiderLabs, covering JavaServer Faces (Apache MyFaces) ViewState and even the latest .NET 4.0 ViewState MAC implementation changes.
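To make the passive-scanning idea of the last two paragraphs concrete, here is an added example of how Watcher-style checks can be expressed over already-captured responses. It is not Watcher's or Fiddler's own code. It treats every response host in the capture as a known origin (flagging scripts pulled from anywhere else), flags a wildcard Access-Control-Allow-Origin header, and flags an ASP.NET __VIEWSTATE that base64-decodes to the ObjectStateFormatter marker bytes 0xFF 0x01, meaning it is serialised in the clear rather than encrypted. The sample responses, hostnames and the `scan` function are constructed for the example; the plaintext check is a heuristic and says nothing about whether a MAC is present.

```python
"""Passive, Watcher-style checks over captured HTTP responses (added example)."""
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


class _RefCollector(HTMLParser):
    """Collects <script src=...> references and the hidden __VIEWSTATE value."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.viewstate = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if tag == "input" and a.get("name") == "__VIEWSTATE":
            self.viewstate = a.get("value", "")


def origin_of(url):
    """scheme://host[:port], the unit the same-origin policy works in."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def viewstate_is_plaintext(value):
    """True if the value base64-decodes to ASP.NET's serialisation marker FF 01.

    Heuristic: encrypted ViewState will not start with the marker; a value
    that is not valid base64 is treated as not-plaintext rather than an error.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    return raw[:2] == b"\xff\x01"


def scan(responses):
    """responses: list of (url, headers_dict, body). Returns a list of findings."""
    # Every domain that answered in the capture is treated as an origin.
    known = {origin_of(url) for url, _, _ in responses}
    findings = []
    for url, headers, body in responses:
        hdrs = {k.lower(): v for k, v in headers.items()}
        if hdrs.get("access-control-allow-origin", "").strip() == "*":
            findings.append(f"{url}: wildcard Access-Control-Allow-Origin")
        p = _RefCollector()
        p.feed(body)
        for src in p.scripts:
            o = origin_of(urljoin(url, src))   # resolves relative and //host paths
            if o not in known:
                findings.append(f"{url}: script loaded from foreign origin {o}")
        if p.viewstate is not None and viewstate_is_plaintext(p.viewstate):
            findings.append(f"{url}: __VIEWSTATE is unencrypted (serialised in the clear)")
    return findings


# Constructed sample capture (hostnames and bodies are made up for the example).
PLAIN_VS = base64.b64encode(b"\xff\x01\x0f\x05\x01\x02\x03").decode()  # starts with FF 01
ENC_VS = base64.b64encode(b"\x8a\x21\x7c" * 8).decode()               # stands in for ciphertext

SAMPLE_RESPONSES = [
    ("https://app.example.com/Default.aspx",
     {"Content-Type": "text/html"},
     '<html><head><script src="/js/site.js"></script>'
     '<script src="//cdn.third-party.net/lib.js"></script></head>'
     f'<body><form><input type="hidden" name="__VIEWSTATE" value="{PLAIN_VS}"></form>'
     '</body></html>'),
    ("https://api.example.com/data",
     {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"},
     '{"ok": true}'),
    ("https://static.example.com/page.aspx",
     {"Content-Type": "text/html"},
     '<html><script src="https://api.example.com/sdk.js"></script>'
     f'<input type="hidden" name="__VIEWSTATE" value="{ENC_VS}"></html>'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding)
```

Run as a script it prints three findings: the foreign CDN script and the plaintext ViewState on Default.aspx, and the wildcard CORS header on the API response; the script on page.aspx comes from api.example.com, which answered in the same capture and so counts as a known origin.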

Watcher is available as a free download at Codeplex. Meanwhile SDL's Katie Moussouris, MSVR founder, will demonstrate Watcher during an RSA co-presentation with Bryan Sullivan next week (AND-202: Microsoft SDL Tools: Automating the Security Development Lifecycle). Update: podcast preview available here.

Are All Bugs Shallow?

Linus's Law, formulated by Eric Steven Raymond, states that given enough eyeballs, all bugs are shallow. An odd formulation certainly, and subject to at least one deliberate comedic misconstruction!

An unusual article by Microsoft's Shawn Hernan (highly commented on Slashdot) begins by accepting the validity of this law, but attacks one of its minor premises, the supposed platitude that open source software is reviewed more than proprietary software. This he finds to be false, based on the available data. Read his succinct coverage of the DARPA-sponsored Sardonix project and its outcome, his insights into Microsoft's Shared Source Initiative, the success of Coverity, and inevitably his support of the SDL, here.

And that's where I hand you back over to the Faculty of Mathematics, for the latest Weather Report. Good night.
