tssci-securityhttp://www.tssci-security.com/feed.atom2013-05-30T04:17:52Ztop secret/secure computing informationWerkzeugDecoding and Tampering Protobuf Serialized Messages in Burphttp://www.tssci-security.com/archives/2013/05/30/decoding-and-tampering-protobuf-serialized-messages-in-burp2013-05-30T04:17:52ZMarcin Wielgoszewski<p>If you've ever assessed or poked at an application that uses <a class="reference external" href="https://code.google.com/p/protobuf/">Google
Protocol Buffers</a>, you know how painstaking the whole process can be. When
you're lucky enough to have a corresponding .proto, crafting messages
via <a class="reference external" href="https://developers.google.com/protocol-buffers/docs/reference/overview">generated API's</a> is tedious. When you don't, you have to resort to
<a class="reference external" href="http://www.segmentationfault.fr/publications/reversing-google-play-and-micro-protobuf-applications/">reversing the protocol format</a> by hand and/or <a class="reference external" href="http://www.sysdream.com/reverse-engineering-protobuf-apps">extracting the proto file
descriptor</a> out of the application. Otherwise, you're left dumb-fuzzing the
protocol and never diving into the application itself.</p>
<p>Out of necessity, I wrote a Burp Extension that would decode raw protobuf
messages even when a .proto was not available. After loading a .proto, the
extension features the ability to modify and tamper with protobuf messages.
In my extension, you can also manually specify what message type to
deserialize a given protobuf message as. You can download my extension at</p>
<ul class="simple">
<li><a class="reference external" href="https://github.com/mwielgoszewski/burp-protobuf-decoder">burp-protobuf-decoder</a></li>
</ul>
<p>The following set of screenshots should give you a quick overview of what
it's capable of:</p>
<p>We start off with a view of what a simple, raw protobuf message looks like
in Burp. If you've ever tried to tamper this right here, you'd probably
find yourself reading and re-reading <a class="reference external" href="https://developers.google.com/protocol-buffers/docs/encoding">protocol buffer encoding</a>.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf01.png"><img alt="A raw, serialized protobuf message" class="align-center" src="/static/img/archive/2013/05/30/protobuf01.png" style="width: 400px; height: 268px;" /></a>
<p>Here's what that message looks like when decoded using <tt class="docutils literal">protoc <span class="pre">--decode_raw</span></tt>:</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf02.png"><img alt="Example use of --raw_decode on a protobuf message" class="align-center" src="/static/img/archive/2013/05/30/protobuf02.png" style="width: 400px; height: 268px;" /></a>
<p>Another request that looks to be adding a serialized user object. <em>Note,
the burp-protobuf-decoder extension identifies protobuf messages by an HTTP
Content-Type request or response header equal to</em> <strong>application/x-protobuf</strong> <em>.
If the application you're looking at does things a bit differently, have
a look at modifying</em> <tt class="docutils literal">isEnabled()</tt> <em>,</em> <tt class="docutils literal">getMessage()</tt> <em>and</em>
<tt class="docutils literal">setMessage()</tt> <em>of</em> <a class="reference external" href="https://github.com/mwielgoszewski/burp-protobuf-decoder/blob/master/protoburp.py">protoburp.py</a>.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf03.png"><img alt="Adding a serialized Person protobuf" class="align-center" src="/static/img/archive/2013/05/30/protobuf03.png" style="width: 400px; height: 268px;" /></a>
<p>And again, what it looks like after <tt class="docutils literal">protoc <span class="pre">--decode_raw</span></tt>:</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf04.png"><img alt="Raw decoded Person protobuf" class="align-center" src="/static/img/archive/2013/05/30/protobuf04.png" style="width: 400px; height: 268px;" /></a>
<p>If we're lucky enough to have a .proto that defines what this message looks
like, we can load it from here:</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf05.png"><img alt="Load .proto right-click menu" class="align-center" src="/static/img/archive/2013/05/30/protobuf05.png" style="width: 400px; height: 268px;" /></a>
<p>Find our addressbook.proto (taken from the protobuf example applications):</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf06.png"><img alt="Load .proto file" class="align-center" src="/static/img/archive/2013/05/30/protobuf06.png" style="width: 400px; height: 268px;" /></a>
<p>We can then manually deserialize the message as a <tt class="docutils literal">Person</tt>. Next time a
request comes through, the extension will automatically deserialize the
message. <em>Note, an attempt will be made to deserialize as all types until one
is found to deserialize with all required fields initialized (this could
result in some false positives)</em>.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf07.png"><img alt="Deserialize as Person" class="align-center" src="/static/img/archive/2013/05/30/protobuf07.png" style="width: 400px; height: 268px;" /></a>
<p>That looks much better...</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf08.png"><img alt="Deserialized Person message" class="align-center" src="/static/img/archive/2013/05/30/protobuf08.png" style="width: 400px; height: 268px;" /></a>
<p>But wait, how about we tamper it?</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf09.png"><img alt="Tampered Person message" class="align-center" src="/static/img/archive/2013/05/30/protobuf09.png" style="width: 400px; height: 268px;" /></a>
<p>The extension will reserialize our message and we can send it on its way. If
any errors occur (such as required fields missing), an alert dialog will pop
up letting you know.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf10.png"><img alt="Tamper and reserialize as Person" class="align-center" src="/static/img/archive/2013/05/30/protobuf10.png" style="width: 400px; height: 268px;" /></a>
<p>And the response from the server confirms our message was tampered succesfully.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/05/30/protobuf11.png"><img alt="Confirm our tampered Person was added" class="align-center" src="/static/img/archive/2013/05/30/protobuf11.png" style="width: 400px; height: 268px;" /></a>
<p>Hopefully my extension will make testing protobuf based applications much
easier from now on.</p>
web2py: Key as Initialization Vectorhttp://www.tssci-security.com/archives/2013/02/21/web2py-key-as-initialization-vector2013-02-21T11:00:00ZMarcin Wielgoszewski<p>It's not uncommon for developers to accidentally (or purposefully) commit
passwords or other information supposed to remain secret into revision
control. It's also not uncommon to see <a class="reference external" href="https://www.google.com/search?q=intext:%22-----BEGIN+RSA+PRIVATE+KEY-----%22+filetype%3Apem">RSA private keys indexed by Google</a>,
and GitHub made it even easier to find <a class="reference external" href="https://github.com/blog/1390-secrets-in-the-code">secrets in the code</a> with their new
search features. These same search features make it easy to grep the web
for all kinds of insecure code patterns, especially insecure cryptographic
constructions. For example, a simple search for <tt class="docutils literal">AES.new(</tt> in Python code
repositories revealed to me the <a class="reference external" href="https://github.com/web2py/web2py">web2py</a> project was using the <a class="reference external" href="https://github.com/web2py/web2py/pull/58">encryption key
as the initialization vector (IV)</a>, which is the focus of this blog post.</p>
<p>Why is this bad? Well, in an email to the <a class="reference external" href="http://www.gnu.org/software/shishi/manual/html_node/Key-as-initialization-vector.html">sci.crypt mailing list</a> back
in 1996, David Wagner explains why you should never do this.</p>
<p>Let's take a look at the insecure construction in web2py's <tt class="docutils literal">gluon.utils</tt>
module prior to merging my pull request that fixed this issue.</p>
<div class="highlight"><pre><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
<span class="c">#..snip..</span>
<span class="n">AES_new</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">key</span><span class="p">:</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">IV</span><span class="o">=</span><span class="n">key</span><span class="p">[:</span><span class="mi">16</span><span class="p">])</span>
</pre></div>
<p>From an attacker's perspective (in short), if we can control the ciphertext
being fed to this function, and see the output of this function (the decrypted)
text, we can easily deduce the key used to perform the encryption. The
following code demonstrates this:</p>
<div class="highlight"><pre><span class="n">KEY</span> <span class="o">=</span> <span class="s">'testtesttesttest'</span>
<span class="n">PTEXT</span> <span class="o">=</span> <span class="s">'The quick brown fox jumped over the lazy dog.The quick brown fox'</span>
<span class="k">def</span> <span class="nf">xor</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span>
<span class="k">return</span> <span class="nb">bytearray</span><span class="p">(</span><span class="n">x</span> <span class="o">^</span> <span class="n">y</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">))</span>
<span class="k">def</span> <span class="nf">exploit</span><span class="p">():</span>
<span class="c"># ciphertext produced by web2py</span>
<span class="n">ctext</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="n">AES_new</span><span class="p">(</span><span class="n">KEY</span><span class="p">)</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">PTEXT</span><span class="p">))</span>
<span class="c"># our (malformed) ciphertext we plan to feed to web2py</span>
<span class="n">mtext</span> <span class="o">=</span> <span class="n">ctext</span><span class="p">[:</span><span class="mi">16</span><span class="p">]</span> <span class="o">*</span> <span class="mi">4</span>
<span class="n">mtext</span><span class="p">[</span><span class="mi">16</span><span class="p">:</span><span class="mi">32</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">16</span>
<span class="c"># if at any point we identify what the decrypted data is</span>
<span class="n">ptext</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="n">AES_new</span><span class="p">(</span><span class="n">KEY</span><span class="p">)</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">mtext</span><span class="p">)))</span>
<span class="c"># we can easily recover the secret key used:</span>
<span class="k">print</span><span class="p">(</span><span class="s">'KEY: </span><span class="si">%r</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">xor</span><span class="p">(</span><span class="n">ptext</span><span class="p">[:</span><span class="mi">16</span><span class="p">],</span> <span class="n">ptext</span><span class="p">[</span><span class="mi">32</span><span class="p">:</span><span class="mi">48</span><span class="p">])),</span> <span class="p">))</span>
</pre></div>
<p>Running this exploit returns the following (I've included hexdumps at each
step of the way):</p>
<pre class="literal-block">
>>> exploit()
ctext: b9561dc60a622f09f8cb49f47a30719a19ef66aa2ea6f7772a15e81b722830fbea38af2c1fdbbf6340e9707592aadfd4ce57b982597eb1e93cc311f25ea73b5d
0x00: b9 56 1d c6 0a 62 2f 09 f8 cb 49 f4 7a 30 71 9a .V...b....I.z0q.
0x10: 19 ef 66 aa 2e a6 f7 77 2a 15 e8 1b 72 28 30 fb ..f....w....r.0.
0x20: ea 38 af 2c 1f db bf 63 40 e9 70 75 92 aa df d4 .8.....c..pu....
0x30: ce 57 b9 82 59 7e b1 e9 3c c3 11 f2 5e a7 3b 5d .W..Y...........
mtext: b9561dc60a622f09f8cb49f47a30719a00000000000000000000000000000000b9561dc60a622f09f8cb49f47a30719ab9561dc60a622f09f8cb49f47a30719a
0x00: b9 56 1d c6 0a 62 2f 09 f8 cb 49 f4 7a 30 71 9a .V...b....I.z0q.
0x10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x20: b9 56 1d c6 0a 62 2f 09 f8 cb 49 f4 7a 30 71 9a .V...b....I.z0q.
0x30: b9 56 1d c6 0a 62 2f 09 f8 cb 49 f4 7a 30 71 9a .V...b....I.z0q.
ptext: 54686520717569636b2062726f776e20520b27652be2f4a1c978b57c0967a34c200d165405101a171f4511061b121d54995b0b920f72351ee78e58f261226cce
0x00: 54 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20 The.quick.brown.
0x10: 52 0b 27 65 2b e2 f4 a1 c9 78 b5 7c 09 67 a3 4c R..e.....x...g.L
0x20: 20 0d 16 54 05 10 1a 17 1f 45 11 06 1b 12 1d 54 ...T.....E.....T
0x30: 99 5b 0b 92 0f 72 35 1e e7 8e 58 f2 61 22 6c ce .....r5...X.a.l.
KEY: testtesttesttest
</pre>
<div class="section" id="is-web2py-vulnerable">
<h2>Is web2py vulnerable?</h2>
<p>In short, no. The manner in which <tt class="docutils literal">AES_new</tt> was used across web2py's
codebase did not appear to be exploitable. web2py was using this to encrypt
pickled session data in a cookie in <tt class="docutils literal">secure_dumps</tt>, and authenticated with
an HMAC (which coincidentally was also vulnerable to a <a class="reference external" href="http://codahale.com/a-lesson-in-timing-attacks/">timing attack</a>).
However, applications that use <tt class="docutils literal">AES_new</tt> as a convenience function for
decrypting data provided by the user are most likely vulnerable, amongst
other vulnerabilities that tend to crop up when rolling your own crypto.</p>
<p>If you've been keeping up with web2py's master, my <a class="reference external" href="https://github.com/web2py/web2py/pull/58">merged pull request</a>
patches the <tt class="docutils literal">AES_new</tt> function to return a random IV anytime it is invoked
and utilizes the more secure, constant-time <tt class="docutils literal">compare</tt> function to validate
HMAC's.</p>
</div>
Projectshttp://www.tssci-security.com/projects2013-02-18T10:08:00ZMarcin Wielgoszewski<div class="section" id="jython-burp-api">
<h2>Jython Burp API</h2>
<p>Jython Burp API is a framework for developing Burp extensions in Jython.</p>
<ul class="simple">
<li><a class="reference external" href="https://github.com/mwielgoszewski/jython-burp-api">Jython Burp API on GitHub</a></li>
<li><a class="reference external" href="/archives/2013/02/14/extending-burp-with-jython-burp-api/">Extending Burp with Jython Burp API</a></li>
</ul>
</div>
<div class="section" id="python-paddingoracle">
<h2>python-paddingoracle</h2>
<p>python-paddingoracle is an API that provides pentesters an extendable
alternative to other padding oracle exploit tools that can't easily be
applied to more unique, non off the shelf, per-app scenarios (think non-HTTP,
raw sockets, thick clients, unique encodings/compression, etc).</p>
<ul class="simple">
<li><a class="reference external" href="https://github.com/mwielgoszewski/python-paddingoracle">python-paddingoracle on GitHub</a></li>
<li><a class="reference external" href="http://mwielgoszewski.github.com/python-paddingoracle">python-paddingoracle Documentation</a></li>
</ul>
</div>
<div class="section" id="burp-protobuf-decoder">
<h2>burp-protobuf-decoder</h2>
<p>burp-protobuf-decoder is a Burp Extension that supports encoding and
decoding of messages serialized using Google Protocol Buffers.</p>
<ul class="simple">
<li><a class="reference external" href="https://github.com/mwielgoszewski/burp-protobuf-decoder">burp-protobuf-decoder on GitHub</a></li>
<li><a class="reference external" href="/archives/2013/05/30/decoding-and-tampering-protobuf-serialized-messages-in-burp/">Decoding and Tampering Protobuf Serialized Messages in Burp</a></li>
</ul>
</div>
Extending Burp with Jython Burp APIhttp://www.tssci-security.com/archives/2013/02/14/extending-burp-with-jython-burp-api2013-02-14T10:00:00ZMarcin Wielgoszewski<p>Last year, I released the <a class="reference external" href="https://github.com/mwielgoszewski/jython-burp-api">Jython Burp API</a>,
a plugin framework to Burp that allows running multiple plugins simultaneously,
exposes an interactive Jython console, provides <a class="reference external" href="http://www.oracle.com/technetwork/java/filters-137243.html">Filter</a>-like
functionality, and eases developing plugins at runtime by providing more
Pythonic APIs and automatic code reloading for when code or configurations
are updated. I presented an overview of my framework at an <a class="reference external" href="/research/#a-breath-of-fresh-burp-extending-burp-the-python-way">iSec Partners Forum</a>
in NYC last year. Others have released similar frameworks that also provide the
ability to write Burp extensions in Jython.</p>
<p>Since then, PortSwigger released a new <a class="reference external" href="http://portswigger.net/burp/extender/api/index.html">Burp Extender API</a>, allowing users
to develop all sorts of plugins and extend Burp's various tools in a myriad
of ways. Regardless, I still find my framework and others like <a class="reference external" href="https://github.com/tduehr/buby">Buby</a> still
have their place. I'd like to take the next few paragraphs to guide users
on setting up the Jython Burp API in their environment.</p>
<div class="section" id="getting-jython">
<h2>Getting Jython</h2>
<p>First, we'll need to get the latest 2.7+ standalone version of Jython.
At the time of this writing, the latest version is <a class="reference external" href="http://fwierzbicki.blogspot.com/2013/02/jython-27-beta1-released.html">Jython 2.7beta1</a>.
Once you download Jython, configure Burp's <a class="reference external" href="http://portswigger.net/burp/help/extender.html#options_pythonenv">Python Environment</a>.</p>
</div>
<div class="section" id="loading-the-jython-burp-api">
<h2>Loading the Jython Burp API</h2>
<p>If you haven't already done so, download the <a class="reference external" href="https://github.com/mwielgoszewski/jython-burp-api">Jython Burp API</a>. Then, all
you need to do (provided you're running Burp 1.5.04 or later), is add
<tt class="docutils literal"><span class="pre">jython-burp-api/Lib/burp_extender.py</span></tt> as a Python extension to Burp:</p>
<a class="reference external image-reference" href="/static/img/archive/2013/02/14/load_burp_extension.png"><img alt="Load Burp Extension" class="align-center" src="/static/img/archive/2013/02/14/load_burp_extension.png" style="width: 407px; height: 302px;" /></a>
<p>After you've clicked next, you should see the extension among the list of other
currently loaded extensions (if any).</p>
<a class="reference external image-reference" href="/static/img/archive/2013/02/14/burp_extensions.png"><img alt="Burp Extensions" class="align-center" src="/static/img/archive/2013/02/14/burp_extensions.png" style="width: 557px; height: 464px;" /></a>
<p>An additional feature you may find useful is an interactive Jython console
tab, that allows you to interact with the Burp Extender object and any other
variables in the local namespace. I find it useful to iterate over requests in
Burp's Proxy History, collecting various information or highlighting/commenting
requests that may contain a specific header or string in the response body.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/02/14/jython_console.png"><img alt="Jython Console" class="align-center" src="/static/img/archive/2013/02/14/jython_console.png" style="width: 557px; height: 464px;" /></a>
<p>I added a right-click context menu item so you could select specific requests
and send them to the <tt class="docutils literal">items</tt> variable, accessible from the console.</p>
<a class="reference external image-reference" href="/static/img/archive/2013/02/14/console_menu.png"><img alt="assign to local variable `items` in console" class="align-center" src="/static/img/archive/2013/02/14/console_menu.png" style="width: 557px; height: 464px;" /></a>
<a class="reference external image-reference" href="/static/img/archive/2013/02/14/console_items.png"><img alt="working with requests set to the `items` local variable" class="align-center" src="/static/img/archive/2013/02/14/console_items.png" style="width: 557px; height: 464px;" /></a>
<p>In a future blog post, I may dive into using some of the other features of
the framework. In the mean time, please feel free to fork and contribute to
the <a class="reference external" href="https://github.com/mwielgoszewski/jython-burp-api">Jython Burp API</a>!</p>
</div>
Pentesting Flexhttp://www.tssci-security.com/archives/2010/03/18/pentesting-flex2010-03-18T09:57:23ZMarcin Wielgoszewski<p>I've posted an entry over on my employer's blog on <a class="reference external" href="http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/">Penetrating
Intranets through Adobe Flex
Applications</a>.
I've also released a new tool along with it, called Blazentoo. This tool
exploits insecurely configured BlazeDS Proxy Services, potentially
allowing you to browse internal web sites. You can download Blazentoo
from <a class="reference external" href="http://www.gdssecurity.com/l/t.php">GDS' tools page</a>.</p>
<p>Also, be sure to check out my other post from a while back, <a class="reference external" href="http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/">Pentesting
Adobe Flex Applications with a Custom AMF
Client</a>.
This post goes into how to write a client using Python to make remoting
calls with a remote Flex server.</p>
What makes a solid security program?http://www.tssci-security.com/archives/2009/07/28/what-makes-a-solid-security-program2009-07-28T17:26:28ZMarcin Wielgoszewski<p>In my most recent post, I identified the direction and state-of-the-art
in application security. We all know of the importance of application
security in today's environments. However, finding out where to fit
application security policies and programs into an overall security
program (or organizational security plan) is as difficult (or more
difficult) than integrating mandatory regulations, compliance standards,
secure enterprise architectures, and many other risk management
activities.</p>
<p>Building a continually improving security program is an important and
common topic. For many CISOs and other directors of security programs --
this has been their day job since they earned their titles. There still
exists huge gaps between IT/Operations, Application Development, and
Information Security Management organizations and how they work
together. There are gaps in communication between departments, and even
within departments. The challenges of finding and retaining talent are
not unique only to appsec, as suggested in my last post.</p>
<p>I've only spoken about <a class="reference external" href="http://www.tssci-security.com/archives/2007/12/10/building-a-security-plan/">building a security
plan</a>
once before on this blog, but it's a popular conversation making the
rounds. <a class="reference external" href="http://securitymetrics.org">securitymetrics.org</a> (the blog,
mailing-list, Metricon conferences, and book) resurfaced a lot of my
interest, as well as the work that <a class="reference external" href="http://securityincite.com">Mike
Rothman</a> did with the <a class="reference external" href="http://pragmaticcso.com">Pragmatic
CSO</a>, Michael Santarchangelo with <a class="reference external" href="http://www.securitycatalyst.org">his book
and the SecurityCatalyst
blog/podcast/forums</a>, and numerous
others.</p>
<p>Not all security programs and bloggers have picked up on these
resources. Take <a class="reference external" href="http://insight.accuvant.com/strategy/creating-a-solid-security-program/">Creating a Solid Security
Program</a>
from Accuvant's new blog called <a class="reference external" href="http://insight.accuvant.com">Insight</a>
from Kirk Greene. He appears to be familiar with some of the above
resources, but I think there is a lot more out there. After you read my
comment (which never got "approved"), be sure to check out the new
material I've been reading on the state-of-art in information security
management, especially including the human element.</p>
<p><strong>Comment gone wrong #2</strong></p>
<p><em>I think what you wrote here is a great example of a vulnerability
management program, but not a security program. Even then, it's actually
more operational (like a compliance initiative) because it gives little
strategic or tactical advice.</em></p>
<p><em>Starting with awareness is probably the worst way to build a
vulnerability management or security program. Maybe we just disagree,
but I'd like to see some evidence or metrics demonstrating that this
technique has any value, if you can point me to the literature.</em></p>
<p><em>Capital planning based on current or mock Strategy Maps and
Scorecards/Dashboards is really the first step for building a security
program. It is often best to first work with risk management (an
operational activity) that can feed metrics up to the strategy, although
this should be done along with compliance, regulatory requirements, and
potential liability factors. Risk assessments, especially ones done with
data classifications, can be the tactical metrics to pull into a risk
management report. Simple risk assessments can be done using business
tools such as 5 Forces, PESTEL, and/or SWOT anlaysis -- although in
security we have various others including FAIR, FMEA, and PRA.</em></p>
<p><em>I also like the concept of drilling down another strategic metric
platform via Enterprise Architecture, in particular an Enterprise
Architecture Blueprint (such as the one from Gunnar Peterson).
Enterprise Architecture can bring metrics down to the operational level
with security policy and certification standards. These can be turned
into server and application hardening standards at the tactical level.</em></p>
<p><em>Finally, asset/inventory management is another strategic activity that
can be conducted to build a proper security program. When combined with
the risk analysis data, asset management will provide guidance on where
to scan & patch, pen-test, and perform exploit development activities at
the tactical level. These tactical procedures can then provide more
metrics up to risk management, and back again up to more strategic
activities.</em></p>
<p><em>On second or further iteration, a balanced scorecard can easily be
created to include compliance metrics (operational) along with a
strategic direction (suggested as a strategy map). The balanced
scorecard could then include metrics from incident management, which in
turn could feed back into risk management and liability factors. SABSA
could be used to build a governance program to keep the capital planning
and security program alive and running with the rest of the business.
Additional qualitative metrics based on organizational development and
organizational behavior could be included in a hybrid platform such as
business scorecards very easily, including Six Sigma metrics such as
Voice of the Customer, et al. Simple, isn't it?</em></p>
<p><em>Your notion of using Application Security Scanners in a vulnerability
management program disturbs me -- especially in the way you have
suggested it. Maybe you're not familiar with these tools or how an
application assessment is best performed to today's standards.</em></p>
<p><em>First of all, the surface coverage for even the best app scanners is
94%, with many getting less than 1% surface coverage. Even IBM/Rational
AppScan was only showing 74% surface coverage using modern link
extraction application drivers.</em></p>
<p><em>Secondly, the false negative rate of app scanners is approaching 92%,
often more. The false positive rate varies between tools, testers and
apps, but I've seen figures as high as 40%. App scanners must be
properly configured and utilized by an expert in order to be effective
at all. Even then, black-box app scanners need to be combined with
static analysis and manual expert review for a significant majority of
applications falling under "most-risky" data classifications such as PII
(PCI-DSS, HIPAA, state performance auditing, etc) or financial data
(SOX, GLB, et al). Even middle-of-the-road risky data classifications
(e.g. proprietary information that has yet to be patented) should
probably have more done to them than a simple black-box app scanner.</em></p>
<p><em>When I say manual review + static analysis, I really mean it. The
automated tools pay for themselves by the amount of time saved -- but
can never be used alone. Security review tools that implement static
analysis techniques, such as Fortify, Ounce, Checkmarx, Parasoft,
Grammatech, DevInspect, AppScan DE, Coverity, Klocwork, and SciTools
have better false negative rates than black-box scanners, but much worse
false positive error rates. FN is usually between 65-85% (the tool FAILS
to find vulnerabilities this often); FP is 85-99%, you'll often see more
"vulnerabilities found" than lines of code averaged across apps. This is
why manual expert review with full-knowledge remains the best
application assessment technique.</em></p>
<p><em>I don't mean to harsh on you too hard, but it does appear that you need
to do more homework before making prescriptions for building a security
program -- let alone a vulnerability management program. You seem to be
capable of providing this information accurately (based on your last
blog post and the great blogroll you've setup so far), so I expect
better out of future blog posts.</em></p>
<p><strong>Aftermath and reasoning</strong></p>
<p>The consulting companies that I work with (and other colleagues, often
consultants from other consulting companies that have been on the same
or similar engagements with me) have all taken a strong interest in
building trusted advisory adjuncts to the "too busy IT manager" or
Mascot CISO/CSO. We have to in order to remain relevant and respected.
However, I've always viewed consultants as "the colostomy bag of a very
ill organization". Fix the organization and the technology advancements
(or whatever else is needed) become agile and sustainable.</p>
<p>Rafal Los recently had me on his <a class="reference external" href="http://preachsecurity.blogspot.com/2009/07/31337-spotlight-andre-gironda.html">31337 Spotlight: Andre
Gironda</a>
for his <a class="reference external" href="http://preachsecurity.blogspot.com/">Digital Soapbox blog</a>.
BTW - Thanks Rafal -- hope you and nearly everyone else are having fun
in Vegas right now! There are a few links which may have got lost in my
nonsensical chatter, so I wanted to specifically point them out. I said:</p>
<blockquote>
<em>I like the idea that I can use my hacking skills for good and cause
organizational change through discovery of `organizational
management and
behavior <http://en.wikipedia.org/wiki/Category:Organizational_theory>`_.
A real "hack" to me is to take a `disfunctional
organization <http://blogs.bnet.com/ceo/?p=1462>`_ and turn it into
something awesome.</em></blockquote>
<p>There are very few state-of-the-art resources on organizational theory
combined with information security management. Allow me to point you to
the few that I'm familiar with and highly recommend. After you check
them out, you may find yourself coming to similar or related conclusions
as I did with the above comment.</p>
<ul class="simple">
<li>David Lacey, author of <a class="reference external" href="http://isbn.nu/9780470721995/">Managing the Human Factor in Information
Security: How to Win over Staff and Influence Business
Managers</a></li>
<li>Krag Brotby, author of <a class="reference external" href="http://isbn.nu/9781420052855/">Information Security Metrics: A Definitive
Guide to Effective Security Monitoring and
Measurement</a> and <a class="reference external" href="http://isbn.nu/9780470131183/">Information
Security Governance</a></li>
<li>Ron Person, author of <a class="reference external" href="http://isbn.nu/9780470386811/">Balanced Scorecards & Operational Dashboards
With Microsoft Excel</a> -- one of many
books on Balanced Scorecards, but very recently written and caught my
attention.</li>
<li>Ian Gorrie, blogger of Bad Penny, with posts such as the most recent
<a class="reference external" href="http://gorrie.org/2009/07/16/toorcamp/#more-509">The Trials of
Toorcamp</a> where he
kindly provided the slides to his talk entitled "Hacking HR". He has
even posted earlier on information security management (or as he
calls it <a class="reference external" href="http://gorrie.org/tag/sim/">security information
management</a>, an interesting but perhaps
confusing twist there). My favorite was a presentation he did at
<a class="reference external" href="http://gorrie.org/2007/11/12/itci-2007/">ITCi 2007</a> that is a must
read.</li>
<li>Kevin Nassery, (<a class="reference external" href="http://twitter.com/knassery">@knassery</a>, who spoke
at LayerOne 2009 on <a class="reference external" href="http://layerone.info/?page_id=27#knassery">Diplomatic Security
Consulting</a>, with
<a class="reference external" href="http://www.youtube.com/watch?v=Q3YdY0qYEuk">video</a> and
<a class="reference external" href="http://www.layerone.info/archives/2009/Kevin%20Nassery%20-%20Diplomatic%20Consulting%20-%20L1%202009.pdf">slides</a>
available.</li>
</ul>
<p>I have at least one more of these "comments gone X" posts, but the next
ones should both begin and end on more positive notes. If you have any
suggestions of comments you've seen from me that you would like to see
turned into a blog post, let me know!</p>
Blackhat USA 2009 / Defcon 17http://www.tssci-security.com/archives/2009/07/27/blackhat-usa-2009-defcon-172009-07-27T23:26:28ZMarcin Wielgoszewski<p>It's that time of year again, where we all come out of hiding and meet
in Sin City to cause nothing but trouble. The brave venture out into the
scorching hot sun during the day and some even dare tempt the waters at
Rehab. The rest of us wait until dark, with the neon lights flickering
in our eyes, with nothing on our mind but money and skin. As we wander
like zombies from club to club, night becomes day and day becomes night,
we keep going -- amazingly, ready, for the next round of mental
exploitation. Now... where did these baseball cards come from?</p>
<p>See you all in Vegas!</p>
Appsec industry trends - looking forwardhttp://www.tssci-security.com/archives/2009/07/25/appsec-industry-trends-looking-forward2009-07-25T20:18:16ZMarcin Wielgoszewski<p>Recently, it has come to my attention that industry people I respect
(and vice versa) have desired me to re-post some comments I've made on
other blogs.</p>
<p>It's also high-time that we at TS-SCI/Security begin writing again. I
can tell you that since March (our last post), Marcin and I have been
involved heavily in our day-to-day work at client-sites and other
community efforts/projects.</p>
<p>A lot of new research is going to begin to become available from
BlackHat/Defcon. It's just that time of year where everyone starts to
share their work with others. While we can't exactly reveal everything
that we're working on quite yet, be sure to check in for updates. I have
been begging Marcin to post something on an HTTP-related argument we got
into about the Post/Redirect/Get pattern, as one example.</p>
<p><strong>Comment gone wrong #1</strong></p>
<p>There was some interesting discussion lately on the <a class="reference external" href="http://www.owasp.org/index.php/OWASP_Podcast">OWASP News
Podcast</a>, in particular,
<a class="reference external" href="http://www.owasp.org/index.php/Podcast_32">Podcast 32</a>. This is the
first News Podcast that I missed (I was on a plane at the time we
recorded), and having just listened to it -- I certainly think it's
worth your time to listen to.</p>
<p>This particular News Podcast set off a blog post from Jeremiah Grossman
where he says <a class="reference external" href="http://jeremiahgrossman.blogspot.com/2009/07/owasp-podcast-32-pulls-no-punches.html">OWASP Podcast #32 pulls no
punches</a>.
I attempted to comment, but the comment eventually disappeared --
perhaps Jeremiah didn't appreciate my insights. Others did, so here it
is:</p>
<p><em>on the appsec market maturity and potentiality prediction -- i rate
[discount black-box appsec SaaS] as low-value, and in the future, will
continue to be low-value.</em></p>
<p><em>selling discount app pen-tests hurts infosec management as a whole
because you're trying to tell ciso's that they can buy some freedom for
$25k/yr (or whatever it is). in reality, they need to spend millions of
dollars over several years.</em></p>
<p><em>discount app pen-tests need to go out of style. here's why: because the
middle-ground and potential high-value comes from partnering with a
trusted adviser (i.e. an appsec consulting company), or attempting to
retain this talent in-house (which most companies -- including Microsoft
who built lists of individual talent to target -- have pretty much
failed).</em></p>
<p><em>every BPO (business process outsourcing) expert knows that the ideal is
to avoid "discount" shops and focus on real partnerships, but don't give
any single one partnership everything.</em></p>
<p><em>for example, attempt to retain 20% of your appsec program internally
ASAP (this does take time -- don't expect it to happen overnight), while
outsourcing initially 20% to one minor company (e.g. Gotham Digital
Science, Aspect Security, Denim Group, Matasano, Independent Security
Evaluators), then adding a bigger company (e.g.
Accenture/McAfee/Verisign) for another 20% to take over the smaller
company's 20% if [expectations are not met -- or major changes occur,
such as buyouts]. The next step is to figure out a balance of adding
more consulting companies somewhere in the 40-80% range, while growing
your internal talent.</em></p>
<p><em>investing in this model is extremely expensive and extremely difficult
to manage. ciso's are having problems finding/retaining talent, drafting
RFI's, reading RFP's, following up on references, and deciding who is
really talented and how that talent applies to the applications in their
appsec programs. most can't or won't even draft an appsec policy.</em></p>
<p><em>[low-bid/low-value app pen-test houses, especially SaaS-based ones]
convolute and diminish the returns that are necessary to build or even
start an efficient appsec program. that's EXACTLY what Andrew van der
Stock was trying to say.</em></p>
<p><em>if you want software security ROI, go read Sadbury, Soo Hoo, and
Jacquith's "Tangible ROI through secure software engineering" or follow
any of the work that Steve McConnell has done, which this referenced
paper was based on.</em></p>
<p><em>if you want to keep selling the idea that your McDonalds solution is
the bread-and-butter of modern appsec innovation... best of luck to you.
there's plenty of analysts, whole appsec consulting businesses,
bloggers, and podcasters that are all saying that a) you're wrong, b)
you sell a one-size-fits-all solution to companies that "don't get it"
which almost forces them to stay in the "don't get it" mode
near-permanently, and c) the jury is out and the case is closed: appsec
consulting is the correct path and one-stop-shops that do one-off, cheap
app pen-tests are so 2008.</em></p>
<p><strong>Aftermath and reasoning</strong></p>
<p>My comments were due in part to actual recent industry analyst research,
so they were not unfounded or inappropriate. More to the point, they
were factual and unbiased.</p>
<p>Chenxi Wang, Ph.D., Robert Whiteley, and Margaret Ryan of Forrester
Research published a report entitled <a class="reference external" href="http://www.forrester.com/Research/Document/Excerpt/0,7211,48394,00.html">TechRadar For SRM Professionals:
Application Security, Q3 2009 Application
Security Comes Of Age Despite A Slowdown In Security
Spend</a>.
The date on the report was July 18th, 2009.</p>
<p>In the report, several technologies were evaluated, including:</p>
<ol class="arabic simple">
<li><strong>Application scanning</strong></li>
<li><strong>Application security consulting</strong></li>
<li><strong>Application security SaaS</strong></li>
<li><strong>Penetration testing</strong></li>
<li><strong>Protocol testing</strong></li>
<li><strong>Software protection</strong></li>
<li><strong>Source code analysis</strong></li>
<li><strong>Web application firewall</strong></li>
</ol>
<p>These topics and research are not new to our blog, where we have
discussed many of them. Take these examples:</p>
<ul class="simple">
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/05/29/software-security-a-retrospective/">Software Security: a
retrospective</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/03/24/security-in-the-sdlc-is-not-just-code-review/">Security in the SDLC is not just code
review</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/02/28/owasp-hartford-tomorrow/">OWASP Hartford
tomorrow</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2007/12/02/why-pen-testing-doesnt-matter/">Why pen-testing doesn't
matter</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2007/12/02/why-crawling-doesnt-matter/">Why crawling doesn't
matter</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/01/21/baby-steps-with-web-application-security-scanners/">Baby steps with web application security
scanners</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2009/02/12/post-to-webappsec-mailing-list-on-waf-and-pen-test-dead-again/">Post to webappsec mailing-list on WAF and pen-test: dead
again</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2009/02/05/guests-on-owasp-podcast-6/">Guests on OWASP Podcast
#6</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/09/11/web-application-security-tomorrow/">Web Application Security
Tomorrow</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is/">What web application security really
is</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/">Week of War on WAF's: Day 1 -- Top ten reasons to wait on
WAF's</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/25/week-of-war-on-wafs-day-2-a-look-at-the-past/">Week of War on WAF's: Day 2 -- A look at the
past</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-3-language-specific/">Week of War on WAF's: Day 3 -- Language
specific</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-4-closer-to-the-code/">Week of War on WAF's: Day 4 -- Closer to the
code</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/">Week of War on WAF's: Day 5 -- Final
thoughts</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/06/23/web-application-firewalls-a-slight-change-of-heart/">Web application firewalls: A slight change of
heart</a></li>
<li><a class="reference external" href="http://www.tssci-security.com/archives/2008/03/11/short-term-defenses-for-web-applications/">Short-term defenses for web
applications</a></li>
</ul>
Virtual appliances for the security professionalhttp://www.tssci-security.com/archives/2009/03/18/virtual-appliances-for-the-security-professional2009-03-18T18:35:56ZMarcin Wielgoszewski<p><strong>Virtual Infrastructure Security Facts</strong></p>
<ul class="simple">
<li>The number of virtual servers will rise to more than 1.7 million
physical servers by 2010, resulting in 7.9 million logical servers.
Virtualized servers will represent 14.6% of all physical servers in
2010 compared to just 4.5% in 2005 (IDC)</li>
<li><strong>60% of production virtual machines will be less secure</strong> than their
physical counterparts through to 2009 (Gartner)</li>
<li>More than 75% of respondents cited reducing infrastructure hardware
and software costs as the critical driver in data center planning
(Ziff Davis)</li>
<li>Overall virtualization market has grown from approximately $560
million in 2005 to a forecasted $2.7 billion in 2009 (IDC)</li>
<li>10% of servers will be virtual by 2009, 60% by 2013 (Gartner)</li>
<li><strong>Fewer than 10%</strong> of organizations <strong>are doing anything</strong> special
<strong>for virtualization security</strong> (Ziff Davis)</li>
</ul>
<p>Virtual Appliances (VAs) have several advantages over Live CD
distributions. They are easier to enable persistence and customize
(especially for real performance in a VM, instead of via a bootable
ISO). It's easier to take snapshots that represent a "point-in-time" to
rollback configurations -- or prevent security scanners from running
into loop or crash conditions. Cloning and templating can have
significant advantages in terms of agility for testing and scaling
architectures, in addition to aiding changes and repair processes.</p>
<p>Microsoft (including the <strong>free</strong>Hyper-V Server) and VMware (including
the <strong>free</strong> ESXi) are the major players for hardware-VMM server
virtualization, with the FOSS project, Xen, being prominent in some
other product implementations.</p>
<p>Both VMware and Microsoft have their own disk formats for importing VMs
(aka "Guests") on to their Hosts (aka Hypervisor or Virtual Machine
Monitor -- VMM). There is also a third, open format called OVF (or <a class="reference external" href="http://en.wikipedia.org/wiki/Open_Virtualization_Format">Open
Virtualization
Format</a>).</p>
<ol class="arabic simple">
<li>Microsoft: VHD (Virtual Hard Disk)</li>
<li>VMware: vmdk (virtual machine disk)</li>
<li>Open Virtualization Format: ovf</li>
</ol>
<p>Sometimes, one-off scenarios will utilize tar, zip, or rar files to
distribute VMs or encapsulated VMs, but this is becoming more and more
rare.</p>
<p><strong>Virtual Appliances</strong></p>
<p>A Virtual Appliances is a pre-packaged VM. Normally, a VM is just like a
new machine -- no OS, no nothing. Virtual Appliances come with stuff,
and usually only require booting into a DHCP-enabled network, where they
self-configure themselves and become available via a web interface for
further interaction.</p>
<p>You can find VAs at the following sources:</p>
<ul class="simple">
<li>VMware --
<a class="reference external" href="http://www.vmware.com/appliances/">http://www.vmware.com/appliances/</a>
<a class="reference external" href="http://www.vmware.com/appliances/partner/">http://www.vmware.com/appliances/partner/</a></li>
<li>Microsoft -- <a class="reference external" href="http://technet.microsoft.com/en-us/bb738373.aspx">VHD Test Drive
Program</a>, <a class="reference external" href="http://www.microsoft.com/windowsserversystem/virtualserver/partners/vhdpartners.mspx">VHD
Partners</a>,
<a class="reference external" href="http://technet.microsoft.com/en-us/bb738372.aspx">VHDs by Product</a></li>
</ul>
<p>For those of you still using the outdated OSI model (i.e. you stupid
network security geeks, j/k ;> ), here is a general layout of what is
available for you:</p>
<ul class="simple">
<li>Layer 7 --<a class="reference external" href="http://www.vmware.com/appliances/directory/1320">Stonegate Virtual
IPS</a></li>
<li>Layers 5&6 -- <a class="reference external" href="http://www.checkpoint.com/products/vpn-1_ve/index.html">Checkpoint VPN-1 Virtual
Edition</a></li>
<li>Layer 4 --
<a class="reference external" href="http://www.vmware.com/appliances/directory/150">X-m0n0wall</a></li>
<li>Layer 3 -- <a class="reference external" href="http://www.vyatta.org/documentation/">Vyatta Community Edition
5</a></li>
<li>Layer 2 --
<a class="reference external" href="http://www.honeynet.org.pt/index.php/HoneyMole">HoneyMole</a></li>
</ul>
<p>Certainly, if you haven't read or seen Chris Hoff's various recent
presentations, then you're going to screw this up. However, anyone with
even a few weeks of virtual infrastructure experience will understand
the application of the above VAs in a virtual infrastructure
environment.</p>
<p>VMware is very useful for fuzz testing (as seen with
<a class="reference external" href="http://www.fuzzing.org/category/sulley/">Sulley</a> and other frameworks
which include interfaces to VMware monitors), and full-state or kernel
debugging (as seen with <a class="reference external" href="http://www.sysersoft.com">Syser</a>, the
replacement to the classic SoftICE), but this is more often for the
VMware Server/Workstation products, not their Virtual Infrastructure
products (i.e. ESX, ESXi, Virtual Center, <a class="reference external" href="http://www.vmware.com/download/download.do?downloadGroup=VCVA-BETA">vCenter
Server</a>,
and vSphere).</p>
<p>Many ISOs are moving to VAs.</p>
<p>Many demo-ware and software evaluations are moving from standalone
installs directly to VAs (i.e. demo the new app on the new OS at the
same time!).</p>
<p>Take these examples outlined in the next sections for a test drive.</p>
<p><strong>Pen-test VAs</strong></p>
<p>Would it be nice if you could setup a perfect pen-test environment, save
it, and then clone it a bunch of times in order to tweak one specific
thing and then run all your tests in parallel (say, with different
credentials). Well this is exactly what Pen-test VAs are going to allow
you to do. One machine: 4 web application security scanners.</p>
<p>Or better -- run DRS (VMware's Distributed Resource Schedule), which
will automatically move VMs around contended Host resources. Say you
have four physical machines, all with a dual-core 2.2GHz proc and 3GB of
memory. Now say that you're scanning some client machines in far away
places (with constant ISP bandwidth churn on both ends -- and in
between). Let's pretend you have this setup:</p>
<ul class="simple">
<li>IBM AppScan running default-mode with regular user credentials</li>
<li>Acunetix WVS with AcuSensor tweaked specifically to the app using (at
the very least) the web configuration files and structural layout.
One of your co-workers is changing the configuration as he/she learns
more about the app from the client and working with the Acunetix
support team</li>
<li>WebInspect running in four more VMs, two with admin rights -- two
others with user rights. They're setup to do parameter tampering and
see if they can pollute access controls from admin to admin, user to
user, or any combination</li>
</ul>
<p>If any of you know what CloudAV is... think what CloudWASS would look
like. I call it "WhiteRockSec", which is... "like WhiteHatSec, but on
Crack".</p>
<p>Of course nobody has built these VAs yet. In the meantime, you can use
these two VAs to accomplish something similar:</p>
<ol class="arabic simple">
<li><a class="reference external" href="http://www.vmware.com/appliances/directory/73789/">OWASP Live CD</a>
VA</li>
<li>InGuardians <a class="reference external" href="http://www.vmware.com/appliances/directory/node/73043/">Samurai Web Testing
Framework</a></li>
</ol>
<p><strong>WAF VAs or as I like to call them: VA+WAF</strong></p>
<p>VA+WAF is a Virtual Appliance that includes a WAF. To those of you who
don't love my humor, you're bound to definitely hate me for flipping the
script on this marketing terminology.</p>
<p>Because network vendors (F5, Citrix, Breach, Cisco, Barracuda, Imperva,
et al) really like to sell expensive appliances, it's likely that they
aren't too keen on the idea of selling a software-based VA that is
equivalent to their mind like an ISO (anyone remember the presentation
on how to reverse-ISO a Netscreen IDP onto cheap PC hardware?). So you
don't see too many of these around yet.</p>
<p>I did happen to find these two though:</p>
<ol class="arabic simple">
<li>Microsoft <a class="reference external" href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=558b262b-f953-435c-a255-53e9d450527d">IAG 2007 Virtual Machine
Trial</a></li>
<li><a class="reference external" href="http://www.vmware.com/appliances/directory/393/">Security Enhanced Web Application
Server</a> with
mod-security</li>
</ol>
<p><strong>AppDev/AppSec VAs</strong></p>
<p>Again, there really isn't much here yet.</p>
<p>Microsoft has:</p>
<ol class="arabic simple">
<li><a class="reference external" href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9eb65c97-29c9-4d05-ae45-73d22ad4b86e">Visual Studio Team System 2008 VSTS Hyper-V Image
(Trial)</a></li>
<li><a class="reference external" href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=39644cdd-db4d-445e-b087-dd3e3cdf03fb">Visual Studio Team System 2008 TFS Hyper-V Image
(Trial)</a></li>
<li><a class="reference external" href="http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=922b4655-93d0-4476-bda4-94cf5f8d4814&displaylang=en">Microsoft Pre-release Software Visual Studio 2010 and .NET Framework
4.0 Community Technology Preview
(CTP)</a></li>
</ol>
<p>Note well that the last link above, for the VSTS 2010 pre-release, has
the VA in "vmc" format. "vmc format" was from Microsoft's older product.
Searching the Microsoft Download Center for vmc or vhd both have great
results, but hopefully Microsoft will standardize on VHD or OVF. For
now, you can convert in many ways -- including the latest tool from
Microsoft, the <a class="reference external" href="http://technet.microsoft.com/en-us/magazine/2009.03.utilityspotlight.aspx">VMC to Hyper-V Import
Tool</a>.</p>
<p>Integrating AppSec with the above VSTS and TFS tools is relatively easy.
For those not familiar with FxCop, StyleCop, and CAT.NET -- you
certainly should be. TFS has some great built-ins for Governance that
apply equally well between quality and security. The <a class="reference external" href="http://blogs.msdn.com/teams_wit_tools/">TFS Team
Blog</a> has some decent postings
on topic, not directly to security yet (but probably in the future). I'm
working on additional ideas, heavily borrowed from the <a class="reference external" href="http://msdn.microsoft.com/en-us/teamsystem/aa718795.aspx">Microsoft
Process Templates and
Tools</a>
development center -- and from watching <a class="reference external" href="http://blogs.infragistics.com/blogs/ed_blankenship/archive/2009/02/27/microsoft-process-template.aspx">how Microsoft uses
TFS</a>
with their new <a class="reference external" href="http://mpt.codeplex.com/">MPT toolkit</a>.</p>
<p>Security folk such as myself might want to just load Source Insight (or
the Microsoft Express Editions) along with using the command-line
CAT.NET or possibly SharpDevelop until Ounce O2 is widely available.</p>
<p>For Java, you can search the VMware Appliance Directory, but I found
nothing useful. Currently, the easiest and cheapest way to get JEE
AppDev/AppSec going is to use
<a class="reference external" href="http://www.easyeclipse.org/site/plugins/">EasyEclipse</a>. There is a
commercial equivalent called Yoxos that also sounds very promising. I
think most of us would be flying blind without a few Eclipse plugins
such as Classlocator, Jupiter, Flow4J, IvyDE, FindBugs, and PMD. Build
server ISOs such as <a class="reference external" href="http://buildix.thoughtworks.com/">Buildix</a> would
be wonderful to turn into a VA.</p>
<p>Again, us security folk would probably stick to Source Insight and/or
SciTE along with the command-line versions of FindBugs and PMD. Static
analysis tools are slowly turning to be out of vogue these days... so
YMMV.</p>
<p><strong>Summary</strong></p>
<p>Learning Virtual Infrastructure is going to take some time, but the
payoff is worth it. In no time, you'll be turning your
minimally-equipped Security Operations Center or appsec group into a
real infrastructure to fear.</p>
<p>Download the hardware-VMMs to "whitebox supported" hardware (note: this
doesn't always have to be on an "official list" from the vendor). Try
both the evaluation versions (Microsoft Windows Server 2008 R2 Beta with
Hyper-V Role enabled ; VMware ESX and vCenter Server VA) and the free
ones (Microsoft Hyper-V Server 2008 R2 Beta ; VMware ESXi). Download a
few VAs in various formats and learn how to import and start them.
You're on your way!</p>
Web application security incident handlinghttp://www.tssci-security.com/archives/2009/02/23/web-application-security-incident-handling2009-02-23T20:32:44ZMarcin Wielgoszewski<p>I thought I'd take a moment to post about some web security tools I use
pretty often, which help as a security consultant when responding to
various web hacking related incidents. These tools have helped me write
my own scripts whenever I'm in a jam and need something good and quick
to do the job.</p>
<p><strong>Application Log File Forensics: The Hard Way</strong></p>
<p>The first thing a security professional or administrator usually think
of when handling an application security incident is to check the logs
for the applications, databases, and other application-tiers involved.
Often, these logs are either on the servers that run the applications
themselves, or possibly in a central logging location. If a certain
attacker tool can be identified from the log files (or other sources
such as full packet-capture), then it may be of interest to run that
exact same tool against your own application-under-target (preferably in
a mocked-up lab or test environment, if it mirrors production well
enough).</p>
<p>The most popular web servers, Apache httpd and Microsoft IIS, do create
local log files by default. According to most compliance regulations and
standards (e.g. COBIT, HIPAA, GLB, PCI-DSS, FISMA, EU Directive on
Privacy and Electronic Communications, ISO 17799/27002, CA SB1386 and
similar), logging must be centrally located, or may have other required
provisions. This may include application-layer information, such as the
log information from Apache and IIS. It may be very likely that your
organization already has centralized logging where this information is
available.</p>
<p>If centralized logging does not exist, it may be a good time to start up
a project to enable it. <a class="reference external" href="http://isbn.nu/0596529945">The Apache Cookbook,
2E</a>, is the best place to go in order to
configure httpd to start sending syslog information. It's about as
simple to add "ErrorLog syslog:user" into the httpd.conf file, but this
only logs error messages, not authentication/access_log messages. The
book gives two prescriptions, one using "AccessLog "|/usr/bin/logger"
combined" if your OS supports the logger command properly. The other is
to run a custom log message through a Perl script, as seen below:</p>
<pre class="literal-block">
CustomLog |/usr/local/apache/bin/apache_syslog combined
</pre>
<div class="highlight"><pre><span class="c1">#!/usr/bin/perl</span>
<span class="k">use</span> <span class="nn">Sys::</span><span class="n">Syslog</span>
<span class="sx">qw( :DEFAULT setlogsock )</span><span class="p">;</span>
<span class="n">setlogsock</span><span class="p">(</span><span class="s">'unix'</span><span class="p">);</span>
<span class="n">openlog</span><span class="p">(</span><span class="s">'apache'</span><span class="p">,</span> <span class="s">'cons'</span><span class="p">,</span> <span class="s">'pid'</span><span class="p">,</span> <span class="s">'user'</span><span class="p">);</span>
<span class="k">while</span> <span class="p">(</span><span class="nv">$log</span> <span class="o">=</span> <span class="sr"><STDIN></span><span class="p">)</span> <span class="p">{</span>
<span class="n">syslog</span><span class="p">(</span><span class="s">'notice'</span><span class="p">,</span> <span class="nv">$log</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">closelog</span><span class="p">;</span>
</pre></div>
<p>Microsoft IIS will need to go through the Event Log, which can be
converted to syslog messages using a third-party software package such
as <a class="reference external" href="http://www.intersectalliance.com/projects/SnareWindows/">Snare</a> or
<a class="reference external" href="http://www.mwagent.com/">MonitorWare Agent</a>. If IIS logs can also be
converted to w3c standard log format, then Apache log analyzer tools
such as <a class="reference external" href="http://awstats.org/">AWStats</a> could also be used. W3C also
has their own log analysis tool that also does HTML validation, called
the <a class="reference external" href="http://www.w3.org/QA/Tools/LogValidator/">Log Validator</a>. These
may be useful to run following your own scan of the application using
the same or <a class="reference external" href="http://blog.tenablesecurity.com/2008/01/looking-for-web.html">similar attacker
tool</a>,
as they will not only point out where in your application the scan/tool
covered, but also where you may have the most errors or lack of
quality/security controls.</p>
<p>The book <a class="reference external" href="http://isbn.nu/9780596518165">Practical Information Security
Monitoring</a> also makes some suggestions
for log collections, including the use of
<a class="reference external" href="http://sawmill.net">Sawmill</a> or <a class="reference external" href="http://www.splunk.com/">Splunk</a> to
sort/search log messages and gain further information and detail. There
may also be further adjustments you will want to do at the application
(or other tier) layer, such as logging POST data. We discussed logging
HTTP referrers on our old post: <a class="reference external" href="http://www.tssci-security.com/archives/2007/09/12/using-google-analytics-to-subvert-privacy/">Using Google Analytics to Subvert
Privacy</a>.
<em>Practical Information Security Monitoring</em> talks about Oracle audit
logging, but there is also a detailed article on Pete Finnigan's blog on
<a class="reference external" href="http://www.petefinnigan.com/weblog/archives/00001021.htm">Oracle forensics and
UKOUG</a>. At
the recent BlackHat DC conference, David Litchfield gave a talk on <a class="reference external" href="http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Litchfield">The
Forensic Investigation of a Compromised Oracle Database
Server</a>,
which may also be of interest (once the slides are available). There are
also some new books coming out on the topic of Oracle Forensics in the
next few months / year.</p>
<p><strong>Web Application Incident Handling: The Easy Way</strong></p>
<p>Most of the logfile "digging" takes time, even when consolidated and
using expert tools and analysis. There are some very easy approaches
that we've come up with, or seen others using and talking about. These
tools integrate well at the HTML and Script layers.</p>
<p>Over a year ago, Mario Heiderich started the <a class="reference external" href="http://php-ids.org/">PHP-IDS
project</a>, as a way to build protection and
monitoring capabilities into PHP applications. Several side projects
spurred up as a direct result of the incredible work that was put into
PHP-IDS, mainly its <a class="reference external" href="https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml">default_filter.xml regular
expressions</a>.
This XML file of regular expressions provides capabilities to detect a
vast range of attacks, including XSS, CSRF, SQL Injection, Directory
Traversal, Local/Remote File Execution, DoS, and Information Disclosure.
Part of the success behind the PHP-IDS project, was the constant testing
and attacking of PHP-IDS regex filters, which can be reviewed
extensively in this <a class="reference external" href="http://sla.ckers.org/forum/read.php?12,8085">sla.ckers.org
thread</a>. More info on
PHP-IDS can be found in the <a class="reference external" href="http://php-ids.org/faq/">PHP-IDS FAQ</a>.</p>
<p>Romain Gaucher, wrote
<a class="reference external" href="http://rgaucher.info/post/2008/07/18/Scalp%3A-apache-log-based-attack-analyzer-using">Scalp</a>,
an Apache log analyzer in Python, which leverages PHP-IDS'
default_filter.xml to detect attack strings in logs. I've used Scalp on
numerous occasions, including a recent attack attempt on
tssci-security.com. By nature, Scalp cannot examine POST content because
Apache logs do not contain POST data. (See PHP-IDS or mod_security for
those purposes)</p>
<p>Simply use Scalp by running it as follows (keep in mind there may be
false positives with regards to the attack type, though it is very good
at pulling attack queries from the log):</p>
<pre class="literal-block">
./scalp.py --log access_log --filters ./default_filter.xml \
--html --tough --exhaustive
</pre>
<p><a class="reference external" href="http://i8jesus.com/?p=33">Arshan Dabirsiaghi</a> recently released
<a class="reference external" href="https://www.owasp.org/index.php/Category:OWASP_Scrubbr">OWASP
Scrubbr</a>.
Scrubbr works by detecting input data in a specified database that does
not match up with a specified AntiSamy policy file. Because Scrubbr uses
an AntiSamy policy to validate data, does not mean it necessarily
detects XSS in your database. Note, one does not require AntiSamy to be
implemented in an application to use Scrubbr. Using Scrubbr, you have
the capability of validating each and every column capable of holding
strings of every row of every table in a database.</p>
<p>Together, Scalp and Scrubbr make for excellent web application security
forensic tools. Scalp can help detect attacks in Apache logs, and
Scrubbr can help you clean your database of content that does not match
your site's policy.</p>