blogging from owasp security meetup

The NYC Cyber Security meetup had Jeff Williams as a speaker.  He’s really good so I decided to go and blog about it.  All three sessions were really good!  Which sets good expectations for the Appsec USA conference which I’m thinking about attending in November.

Before we move on to security – a bit of humor.  I asked where the ladies room was and an employee pointed at what appeared to be the elevator bank.  On the end was a door with the word “womens” on it.  It looked just like the wall.  Camouflage!
Jeff Williams from Aspect – Is OWASP the New Rainbow Series?
Jeff is a very dynamic speaker so this was fun.
Rainbow series and security models
  • The Rainbow Series is colored pamphlets/thin docs.   Stopped printing due to internet.  Community evaporated and group folded. Info still holds – access control, encryption, etc. nobody shepherded knowledge over tech gap.
  • Security IMPLIES a model –  what does security mean?  Possibilities include: policy, no high exploitable vulnerabilities, standards, compliance , your tool’s ruleset, what pen tester interested in, whatever just got hacked (reactive). Need a model to say secure. Compliance is what others care about.  It’s like delegating your security model to someone else.
  • Rainbow had positive view – assurance world.  said controls must be analyzable – must know if good. Completeness, patterns, policy, etc.
  • OWASP uses a negative model. Top 10 is what thou shalt not do. Negative model is harder, but ok.   Current world is negative and risk based. Assume ok until prrove otherwise.
  • Goal – rational, defensible, confidence that our apps are “secure” – id important threats, strong defense for each, implement correctly and evidence defenses are working
Coverage
  • Code coverage – Static analysis tools only look at your custom code. They don’t look at libraries, frameworks, app server and runtime.  Only a small percent covered.  On the dynamic side we hit all te layers but only part of the app. 25-30% is typical.
  • Weakness coverage – NSA has a test suite called Juliet. You run static analysis against it to see how good the tool is. Found 80% failing test and more than 60% false alarms.   And Juliet is less complex than code real apps would have.
  • Portfolio coverage- most apps unreviewed because not critical. A small percent are scanned/penetration test.  And an even smaller portion get manual code review
Aspect Top 10 
  • Jeff hates top ten lists  Negative, incomplete (for example: clickjacking not in top 10), abstract (all of session management in one item), arbitrary, retrospective. Not a good model.   [This is sort of in jest as he does find them better not thing; it’s more frustration that we haven’t moved on]
  • Was needed in 2002.  Goal was to set a bar so can keep raising bar.   That didn’t happen. First top 10 was forward looking. Then started relying more on data and people doing reviews.  This is a problem. Because auditors behind casual hackers and way behind organized chrime and espionage. Compare to the crypto community who looks at what the threat will be in 10 years.  Better capability,better tools.
  • Owasp top 10 is most widely used project at owasp.  Failure because nothing has changed.  Also biggest success because raised awareness.
  • Security efforts and tools focused on apps of 2005. Not ajax, sockets, gwt, html 5, inversion of control, aop
A9 in top 10 – using components with known vulnerabilities  
  • New to the top 10.  (In case you are wondering, nothing got removed.  Insecure cryptography and insecure transport layer got merged.)
  • Reddit quote:  “One of the vulnerabilities is having known vulnerabilities”
  • The amount of custom code in our apps hasn’t changed much in 10 years. Amount of library code growing quickly. Now 80% library code. Hudson core has 103 open source library.  You are trusting ALL that code on your machine.   Dependency resolution brings in other dependencies so don’t know what using.
  • One single vulnerability (cve-2010-1622) on spring beans tainted 1447 projects!
  • Developers don’t update libraries in general. Sometimes not using that part of project. Some bad like spring EL injection policies
  • 2313 organizations using esapi and it is built into cold fusion
  • Rougly 26% libraries are vulnerable.
  • Maven can list what libraries using
 What to do
  • Focus on soeed and scale. If need an expert for technique or tool, introduces feedback lag and cant scale. Looks good for one app.  Which causes pressur to compromise on scope and accuracy to increase throughout.   Better to use experts to id threats, build automated tests, create rules, strategy, etc.   security HAS to work in parallel.
  • See if can embed sensors in app and report back data about security. Instrument code and organization so it feeds you info. Think big data.
  Panel – from Morgan Stanley – the hosts (I confirmed with the moderator from Morgan Stanley that it is ok to blog)
Securing the enterprise – what means to you
  • Protect developers from selves. Not have to think too much about what take off shelf and put in app
  • The enterprise used to be a building when gates, guards and guns were data security because thats where the data was.
  • Now have to worry about employees sending stuff out ,  not just attackers coming in.   Threat landscape changes, tech advances quickly. If rush and hurry, can roll out globally in 12-18 months
 What would you do if owasp releases new findings?
  • New data – threat intelligence – can mitigate, detect or respond with technologies in house. Big enough to have a team of people will full time jobs focused on this.
  • Financial industry grouos to share info. Move in a pack. Exchange info.
  • In small company with 20-30 apps can have one guy look at it. hTis doesnt scale to 20,000. Need to know what apps and people permitted on network
Thoughts on mailing plaintext passwords
  • Finanical sector means saving for 7 years in an archive.  Authentication and sso – have internal docs for developers so get this right so doesn’t happen.
  • Importance of keeping your personal email account secure.
  • Different passwords for all sites, password management system. Beyond what the average person will do. Need to hold system accountable. Shouldnt be able to email password to user.  [I’m surprised nobody mentioned two factor for email – I use that for gmail.
  • Need to give vendors feedback so can improve
  • Discussion on standard self declaration of password handling practice.   Another panelist refuted because additional intelligence – “if they know that, they wouldn’t be emailing you your password”. Don’t want it to be a hitlist when a vulnerability comes out.
  • Jeff Williams from audience said likes idea of making model public.  Morgan Stanley folks cringed. View as challenge or a boast. Jeff said make public internally.   Financial sector – you know what minimum standards are. For internet sites, don’t know threshold. Only held to FTC 15 years of supervision after breech.
Is data the thing that enables us to move into the future?
  • Data has always been at the core. After a breech, one of the first questions is what did they get.
  • Libraries should have an end of life or expiration date so doesn’t last with vulnerabilities forever.
  • Ability to process the data is catching up.  Easier to find the holes. And what went thru that hole
  • From vendors – need better metrics and inteligence. Currently get more graphics not intelligence
  • Can get badge saying ran automated scanning tool against site
Standards
  • New perimeter – bring your own device (BYOD) – access corporate intranet from whatever device
  • No such thing as a perimeter any more.   Or more perimeters on the inside. Not dead. Can’t just trust the inside. Contain breech. Compartmentalize.
  • Bring your own tech – bringing network connections too – Starbucks is in your enterprise
  • What enterprise thinks it can control will shrink – byod, cloud, paas, saas
  • If 20 person company, have a lot more control
  • On the AP Twitter hack (white house bomb false story.)  It affected the market because some high frequency trading was keyed into twitter.  This is the danger of being first and fastest.  Corners cut.  Want to know about twitter but not automated based on it.  Is Twitter in your security perimeter?
  • Cant just have tech. Need policies to back up. So can enforce and prosecute. Need management support
  • Wouldn’t consider having just 1 isp. If all 5 isps under siege, trading is the least of your problems. Extreme resiliency
  • Wouldn’t care if password policy published. Not a surprise because know vague idea in finance. Thousands of people. Every year. Assume info is out there. And give info to suppliers for confidence
 Tom Brennan -Trustware global security report
The report contains a collection of interesting stats.  You can read the report online (or at least last year’s version; see the resources section below for the link).
  • They focus on monetary loss.
  • Top victims – us, australia, canada, uk, brazil
  • Top attackers – romania, us, unknown, ukraine, china
  • Websites and email most utilized vector
  • Mobile malware on the rise
  • Breach quadrilateral – propagation, aggregation, exfiltraton, (how get data out of environment) and infiltration. – much emphasis on perimeter but not propagation. Once gets in, need to be able to stop. If can stop any phases, you beat the bad guy
  • 82% of apps they looked at have xss and 72% csrf. Wow. I shouldn’t be surprised.  CodeRanch only fixed CSRF (read about how) this year.
  • What  to do: Train developers, Review code, Test a lot, Protect in real time and patch

Mobile

  • Mobile malware up 400% last year. Top findings are insufficient cache controls, replay attacks on sensitive transactions, sensitive info in server response.
  • Use case: Malicious game sends hidden sms messages. Similarly can use receiving hidden sms to launch botnet
  • Apple did better job than android.  Android kitered with malware
  • Can’t patch. With byod, phone not owned by company
Spam
  • Spam down to 2007 levels but nearly 7% of spam links to a malicious website.
  • Still 75% ompanies email is spam

Passwords

  • Weakest links are employees and users
  • Password1 is 38% of top 25 password
  • Lot of passwords are top child and dog names for reset questions
  • Peak password length is 8 characters because default active directory minimum length
Six security pursuits
  • visualize events
  • unify activity logs
  • register assets
  • educate employees
  • identify users
  • protect data
Problem: Businesses focus on making money in version 1 and security in version 2. And then forget about version 2
Resources
I learned about the following at the event:

intro to web accessibility

Someone asked me what someone should know/read as a crash course on web accessibility.  This seemed like too good a question not to blog about so he can read the answer here!

There are three main areas of web accessibility:

  1. W3C’s WAI (web accessibility initiative) has WCAG 2 (Web content accessibility guidelines) which are summarized on one page.  There’s a lot more to it than the one page, but it does represent the spirit.
  2. WAI also has ARIA (accessibility rich internet applications).  This is my favorite description.  Mozilla also has a good guide as does Opera.  In a nutshell, ARIA solves the problem of “how does a blind user know something on the page has changed.”  With AJAX and even DHTML, just because you made something available isn’t enough.  Be forewarned that older browsers have lousy ARIA support if any at all.
  3. Section 508 is in the same space as WAI except for government website.  It is part of the American with Disabilities Act.  It is more specific in some ways than WAI.  If you aren’t working on a government website, I’d focus on WAI.  Note that Section 508 is an OLD law and in theory they are working on a refresh.  I say in theory because I haven’t seen updates in a while.  There is a mapping in section 1194.22 between Section 5098 and the WCAG 1.0 guidelines.  Yes, 1.0.  Did I mention that Section 508 is old?  The government has free training.

The least you need to know for testing:

  • Make sure your application works without using a mouse.  Seriously, actually navigate your application without a mouse.  (Remember tab changes fields and space selects a checkbox.)  If it isn’t possible to use the application without the mouse, you have failed accessibility miserably.
  • Make sure you aren’t using color alone to convey information. Blind people will be using a screenreader and need alternate textual ways to derive this info. Colorblind can’t see the difference between red and green and won’t be using a screenreader so won’t see your alternate text.
  • Until you are REALLY familiar with how text only navigation works, use a screenreader emulator like the Fangs Firefox plugin and/or turn off stylesheets to see what your page looks like.
  • If you can afford a license for Jaws, it is helpful in testing that your application is accessible in practice and not just theory.

The least you need to know for coding:

  • For any image that conveys information, have an alt attribute.
  • Use form labels for all form elements so a screenreader can read what the form element is all about.
  • Use row and or column headers for all data tables so a screenreader can provide assistive text on where the user is in the table.  (And for the love pete, don’t complicate things with the navigation tables of the 90s)
  • I recommend automation to ensure you KEEP compliant.  It’s a pain to test this all once manually.  You don’t want to have to make sure the new person on your team remembered his/her alts.
  • Watch how you use JavaScript: Remember we need to work without a mouse.  That means an onchange handler in a pull down is the path to madness.  I want the fifth element so I tab to the field, choose the second, watch the page refresh, tab to the field again, choose the third, watch the page refresh and then decide never to do business with you again.
  • Some JavaScript libraries have accessible widgets.

blogging from reza rahman’s jee 7 talk

This month’s NY JavaSig was chock full of information about JEE 7.  It was nice seeing it before Oracle’s launch webcast.  And at a more convenient time as well!  Given that Reza Rahman works for Oracle, we got the standard Oracle disclaimer that anything can change in the next two weeks.  But we all know they don’t have time to change much so 99.9% of this should be true.  [comments in brackets are my opinions; not Reza’s or Oracle’s]
High level JEE 7 changes
  • JMS 2. Batch. Transactions. Concurrency, interceptor, web socket java api, json java api
  • El 3, jms 2′ jax-rs 2.
  • Rest like EJB are minor releases. Ejb 3.2 (interestingly CMP is from J2EE 1.3)
  • Add to web profile: jax-rs 2
  • Deprecate jax rpc, cmp, cmp, jsr 88 – no known tools to get off bmp/cmp
  • Themes are productivity and html 5, core foundational apis
Jms 2
  • 8 year old api. Needed an overhall
  • Change api to use  DI
  • Delivery delay, async send, delivery count, now standard rather than optional, mdb alignment
  • Now you just inject JMSContext and Queue – a  new Object. Reduces code from a slide to a few lines.
  • Uses default JMSContext connection factory unless specify otherwise
  • Context has createProducer() and createConsumer(). Uses builder pattern so can chain/use one liners to configure
  • New API uses runtime exceptions
  • Added JMSConnectionFactoryDefinition and JMSDestinationDefinition annotations so can configure in code instead of vendor specific descriptor. Can still use xml instead of annotations
  • MDBs have new @ActivationConfigProperty
  • Spring will be supporting JMS 2 in their apis. Will need new JMS apis as well from third party libraries.
Websockets
  • Stateful protocol. Bidirectional async communication. Good for gaming, online stock tickers, etc
  • Uses HTTO as handshake between client and server
  • Part of HTML 5. Hope people will be using within 3-5 years.
  • Very high level API
  • Supports both declarative and progamatic programming. Most people should be dealiling with declarative api.  The programmatic one is meant for third party api developers
  • Abstracts keep alive setting
  • Weakness in websocket spec: can use up all sockets on a machine
  • Keep alive packets sent about every 5 minutes (vs 30 seconds normally). If your router times out after a minute, you’ll need to reconfigure. No session replication yet. If server goes down, you lose it
  • Server side code – POJO with annotaton for serverendpoint(url)’ onopen and onclose. Onopen and onclose callbacks get passed a session. Also callbacks for onmessage and onerror.  Use session.getRemote.  To get handle to remote endpoint and call sendXXX. It is NOT an HttpSession  because you are not in http level of abstraction
  • Client – JavaScript has an api for websocket.  Use this 90 peercent of the time
Json
[feels like java util logging.  late to the party and not as good as open source libraries]
  • Have jsonp – Like xmlp?
  • Will have jsonb in future –  Like xmlb. Eclipselink has two implementations now. Moxi and eclipse link json binding. The later one is likely to be closest to the standard.
  • No safe bet. Use what exists now and change later
To use
  • JsonArray  array = Json.createArrayBuilder(). Can add primatives and objects
  • To read: parser().iterator and parser,getString()
  • iterator,nextO will return START_OBJECT, KEY_NA ME, etc in addition to the real values.  [ugly – reminds me of the early days of DOM]
JAX-RS 2
[Lost what i typed because after deleting text undo deleted still more text. I think i remembered it all to retype]
  • Jersey is an implementation as is RESTEasy
  • Jax-rs was was introduced in jee 6
  • Hypermedia support – using hyperlinks in rest, like for lazy loading
  • Cient api, message filter, entity interceptor, asnc processing for high throughput, content negotiation (queues used to apply weight to client)
  • Client api: ClientBuilder.newClient() and client.target(url, params, …  )
  • For filter implement ContainerRequestFilter
JPA 2.1
  • Schema generation – every provider supports already.  This adds a standard format. Can create database and/or ddl,   Showed examole with index names in Java and said “no other way to do it” [yuck – this is why you should separate your DDL and not store it in only in Java.  You are going to need that standalone DDL later anyway for laters so why not put the index there.]
  • Stored procedure support – people want it, all providers have it already so gave in and put it in in ORM spec.  Looks like namedqueries. @NamedStoredProcedureQuery
  • Unsynchronized persistence contexts – can join when  ready to rejoin context
  • Entity convertors – edge case solution for odd format in database field but dont want in java objects
  • Fixes/enhancement
Jta 1.2
  • Old api that needed an update. Lots of fixes and two new features
  • Declarative transactions outside EJB – any CDI object supported now. @Transactional. Default is rollback for runtime exception and ignore checked exception
  • @TransactionScoped – new CDI scope. JMSContext uses this scope
Jsf 2.2
  • Html 5 support – pass thru html 5 components. Use normal inout type=color and then jsf:value and el expression as attribute. That way not limited to jsf component libraries. Similary jsf:id, jsf:validate, jsf:renderer
  • @Flowscoped – alternative to conversation scope. Conversation was suited to wizards. Flow scoped keeps certain objects active for different parts of the app. [Code looks like a state diagram in java code – long]
  • @ViewScoped for CDI
  • Deprecated JSF managed beans. Use CDI instead
  • File upload component – couldn’t add until now because JSF was being backward compatible with 2 versions of servlet apis
  • View actions – can trigger an action when land on page rather than wait for user to click on something
  • Multi templating – templates can have parents
  • Security
Batch applications
  • Concepts. JobRepository, Job,JobOperator, Step, ItemReader, ItemProcessor, ItemWriter ( map reduce pattern with readerprocess, write)
  • The java community doesnt generally get into batch processing. Financial community is different. Hadoop and analytics starting to bring batch to wider audience
  • To code use named annotation and implement Itemreader, ItemProcessor, ItemWriter
  • Write XML for step to chunk it and send to reader, processor and writer. Methods. ReadItem, processItems, writeitems
  • IBM websphere compute grid  called out for batch multi threading on different machines.
  • IBM most active and spring second most active contributor to batch spec. Presumably that means Spring is interesting in supporting
Bean validation 1.1
  • Added method level constraints.  Useful in REST. Method param and return type constraints.  Used to only have property level
  • Bean validation artifacts injectable
Concurrency utilities for JEE
  • Builds on JSE Executor Service
  • Thread pool aware
  • Relatively low level API
  • Don’t expect a lot of people to use.  Meant for third parties running on JEE so can share app server thread pool
  • Inject ManagedExecutorService annotation. Submit your task to executor
El. 3
  • Lambda expressions, collections support, operator support
  • EJB 3.2 truncating BMP/CMP
  • Servlet api – non blocking IO
  • Ordering of interceptors
Jee 8 
  • jsonB. – probably before JEE 8
  • Jcache – available as drop in jar before. Just missed JEE 7 cutoff
  • Lots more stuff
Tomcat
  • Base Tomcat planning on supporting JSR 356 (web sockets), maybe concurrency utilities
  • TomEE – apache project taking plain tomcat and brining up to JEE web profile level. It is certified against web profile