Thursday, March 5, 2015

Making Applications Secure


Developing applications that are secure is becoming an essential part of the toolkit of any programmer, and project managers are increasingly tasked to 'Make it more secure - we don't want to be the next headline...' In 2015, this has become a major priority for many people.

So if you want a week of immersive training in making mobile, web and other applications more secure, then I thoroughly recommend the annual SecAppDev conference. It's an intense program of background lectures where you learn the theory, and hands-on workshops where you get to try it out for real. Even better, it's set in a renovated 17th century university location 25 kilometers east of Brussels, in the EU (European Union), and easy to get to by train or plane from many places worldwide. Leuven is a charming 'student city' venue, full of bikes and cobbled streets, and where you can walk to just about anywhere inside the ring-road in less than half an hour. And the cars on that outer ring aren't allowed far into the central area, so apart from a few buses: students and bikes rule! There's a very good overview of the history of Leuven here.

The SecAppDev conference is held in the Faculty Club, to the south of the centre of Leuven. It's a perfect mix of old exteriors and modern interiors, and whilst this is the Dutch/Flemish part of Belgium, the conference language is English. KU Leuven, the University of Leuven, founded in 1425, is the oldest Catholic University in the world.


Inside the conference, you step straight into the 21st century. The two-track program covers topics like post-Snowden cryptography, TLS hands-on, SDL, Threat Modelling, and web/mobile hardening. I like following a topic and getting immersed, so I went to the sessions where the introductory lecture covered the theory and the double-length hands-on session that followed provided a detailed workshop with plenty of opportunity to dig deep into the material. Pre-prepared VMs are used for some of the workshops, so that everyone starts from an identical, isolated environment. I was particularly impressed with the TLS session, where you configure an Apache web server (on Fedora) from scratch so that HTTPS works properly, using mod_ssl and OpenSSL: generating a key pair, producing a CSR, and replacing the default self-signed certificate with a trusted one issued by a CA. The Threat Modelling workshop was notable too, with teams competing to find flaws in a web system. The lecturers were all very familiar with their subject matter, and I learnt a lot.
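The key-pair and CSR steps that passage describes, as an added shell example (this is not material from the SecAppDev workshop or from secappdev.org): it generates the private key and a CSR with the openssl command-line tool, checks the request before it goes to a CA, confirms the request matches the host's key, and prints the mod_ssl virtual host that replaces the default self-signed certificate with the CA-issued one. The hostname www.example.test, the output directory and the certificate path are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not workshop material from SecAppDev: the key-pair and CSR
# steps of putting a CA-issued certificate on an Apache/mod_ssl host, done
# with the openssl CLI. Hostname and output directory are placeholders.
set -eu

# Generate an RSA key pair and a CSR naming HOST as CN and as a DNS SAN
# (clients validate the SAN, so the CN alone is not enough).
# Usage: make_csr HOST OUTDIR  -> OUTDIR/HOST.key, OUTDIR/HOST.csr
make_csr() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # The private key is created under umask 077 so it is owner-readable only.
    ( umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/$host.key" 2>/dev/null )
    # Minimal request config; portable across OpenSSL versions.
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr" 2>/dev/null
}

# Check a CSR before sending it to the CA: its self-signature must verify and
# the requested DNS name must be present. Returns non-zero on either failure.
check_csr() {
    csr="$1"; host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$host"
}

# Confirm the request belongs to the private key on this host by comparing
# public-key digests (the same check applies to the certificate the CA returns).
csr_matches_key() {
    csr="$1"; key="$2"
    a=$(openssl req -in "$csr" -pubkey -noout | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# mod_ssl virtual host pointing at the CA-issued certificate instead of the
# distribution's default self-signed one (paths are placeholders).
apache_vhost() {
    host="$1"; dir="$2"
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile $dir/$host.crt
    SSLCertificateKeyFile $dir/$host.key
</VirtualHost>
EOF
}

# Demo run: sh tls-csr.sh demo
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_csr www.example.test "$out"
    check_csr "$out/www.example.test.csr" www.example.test && echo "CSR OK"
    csr_matches_key "$out/www.example.test.csr" "$out/www.example.test.key" \
        && echo "CSR matches key"
    apache_vhost www.example.test "$out"
fi
```

The CA's reply goes in the `.crt` path the virtual host references; running `csr_matches_key` against that certificate's public key (`openssl x509 -pubkey -noout`) catches a reply issued for the wrong request before Apache is reloaded.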

If a day of intense learning wasn't enough, the local chapter of OWASP had an evening event on the Tuesday night, which was an opportunity for more learning and networking. With the Computer Security and Industrial Cryptography (COSIC) research group and the Department of Electrical Engineering nearby, and the meeting being held in the Department of Computer Science, there was a large and informed audience.

There is a wealth of information on the SecAppDev website ( http://secappdev.org ), with handouts going back to 2007 (the first SecAppDev was in 2005, so this was the 11th conference!), video recordings of lectures before 2013, a YouTube channel for more recent videos, and a blog which has an entry that describes the user/attendee experience in more detail.

Secappdev.org is a non-profit organisation whose aim is to broaden security awareness in the development community and advance secure software engineering practices. For me, the week at SecAppDev 2015 taught me a lot, provided consistently excellent interactive workshops, good networking and follow-up opportunities, and was totally worthwhile. If you develop, or manage developers, or just want to be 'security-savvy', then you should be considering attending SecAppDev 2016!

Tuesday, January 20, 2015

How real is it?


We're really bad in the software world at recognizing and taking action against real threats. We fail to see and fully grok the threats that are bearing down on us, and as a result, our software all too often contains security defects that are well understood by our adversaries. When that happens, things only get worse.

One of my passions is to show software developers the myriad ways in which software can fail to deliberate attacks. I do that in my hands-on lab sessions. One of my biggest motivators is when I notice one or two software developers "get it". We talk about common problems like SQL injection or cross-site scripting (XSS) and they all nod, but when they actually see it work when they enter poisonous data into a real app, a light goes on. It's those "ah ha!" moments that keep me doing what I do.

But even when we do that, I'm often asked by those same developers just how real the attacks are. How common are they? How much time and effort should they put into protecting their applications? It's one thing to understand a software security defect and even deeply grok how it works, but how does that translate into their world? How much testing is enough? How much code review is enough? What problems should they spend the most time on remediating?

Security folks want to tell those developers to fix all the problems. We want to tell them to scan every line of code and test their software rigorously. But when they hear that, they get overwhelmed and they realize that we're prescribing far too much for them to realistically accomplish.

How should those developers then budget their effort?

Of course, that's a hugely difficult question to answer in a general sense. There's no one size fits all solution. It depends... And so on.

Does that mean you should simply throw your hand up in the air and give up? Of course not.

One thing you might try to do is to seek out your own company's security folks, especially the incident response team. If your company has one, you might well find that they hold a treasure trove of real world data on how your company's systems come under fire in their production environments every single day. You might well find out the kind of tools and techniques your attackers are using right now. I personally spent many years working incident response operations myself, and I can say with confidence that these are the folks who most closely get to see real attacks and real security failures first-hand.

That, in turn, might help you better understand where you need to spend time in your software security efforts.

Sounds simple, right? You might even call this "common sense". And yet, in my own experiences at hundreds of companies, I've all too often encountered software developers who fail to seek out their own companies' security personnel.

At one client, I was working with a group of software developers and I asked them if they knew their own computer security incident response team (CSIRT). They didn't. However, when I walked around their office a bit, I found their CSIRT security operations center (SOC) right down the hall from where the software developers were sitting. They were right down the hall and yet they'd never met each other!

Don't let this happen to you and your company. I'm speaking here of a concept that I like to refer to as "confluence". Software development simply must involve not just the software developers and business owners, but also the various security stakeholders in a company. Seek them out and talk to them.

I provide various actionable tips on how to do this in my latest book, "Software Security: A Confluence of Disciplines". But even if you're not inclined to buy a book, I hope some of you reading this will join me at SecAppDev and try some of these hands-on lessons first hand.

Monday, January 19, 2015

Reflections on Software Security

Reflection on Secure Software

My name is Jim Manico. I'm a member of the software security research community. One of my greatest professional passions is understanding and investigating the creation of secure software. As a traveling software security educator, I have spent the last 4 years of my life teaching developers about software security in over 70 countries throughout the world.


Although I live in Kauai, Hawaii (one of the greatest islands in the world) I tend to only spend about 2 months there a year. The rest of year is spent traveling, teaching or going to developer conferences. My wife is often on the road with me when the location is to her liking.


Looking left from my office chair at home on Kauai.



Here are my 2014 travel records for only one airline and one hotel chain. These are quite ridiculous for someone who is supposed to live in Hawaii!  


YTD premier qualifying miles with @united in 2014 : 180,493


Total days staying at a @starwood hotel in 2014: 78. Total cities visited via @starwood in 2014: 22.

I am also fortunate to have been elected to one of the global board positions at the OWASP Foundation. OWASP is the Open Web Application Security Project, a non profit foundation dedicated to spreading application security awareness. Driving the strategic vision of a non profit foundation full of web hackers is no easy task, but is something that brings me great joy. Like SecAppDev, I fully believe in the mission of the OWASP foundation and similar organizations such as BSides.

From the left: Tom Brennan (OWASP), Jim Manico (OWASP), Jack Daniels (BSides), Eoin Keary (OWASP) and Michael Coates (OWASP) at an award ceremony where the OWASP Foundation was awarded for their charitable efforts.


I never would have thought that my favorite professional travel destination would be Leuven, Belgium in February where the week-long SecAppDev developer security training course takes place. SecAppDev is more dedicated to teaching developers to write secure code than any other conference or organization that I've been a part of. I'm proud to be one of the many educators who participate in this special week-long secure coding course. While I am a teacher, I am also a student when I attend SecAppDev. SecAppDev is where I go to enhance my skills around secure coding and prep for a new year of developer education. One of the highlights at SecAppDev for me is cryptography education because the professors who teach the crypto classes at SecAppDev are world class!

"SecAppDev courses are run by secappdev.org,
a non-profit organization that aims to broaden security
awareness in the development community and advance
secure software engineering practices." - SecAppDev.org

I always make a point to attend the sessions led by Dr. Bart Preneel (Prof. dr. ir. Bart Preneel heads COSIC, the renowned crypto lab), Professor Frank Piessens (Prof. dr. ir. Frank Piessens pioneered application security teaching at university level), Ken Van Wyk (Ken van Wyk is co-founder of the CERT® Coordination Center and a widely acclaimed author and lecturer) and others.


One of the highlights at SecAppDev is our daily group lunch. Fine dining is almost unheard of on the conference circuit, but it's the standard at SecAppDev. 

The next SecAppDev course will be held at the Faculty Club in Leuven, Belgium this February 23rd through 27th 2015. I hope to see you there!

Aloha,
Jim Manico
jim@manico.net
@manicode


Tuesday, February 18, 2014

SecAppDev 2014 Reflections from Ido Dubrawsky

Originally posted by Ido Dubrawsky. Reposted with permission.


I recently attended the SecAppDev conference in Leuven, Belgium from February 10th – 14th. The conference is hosted in February at the Faculty Club which is in the Groot Begijnhof van Leuven and organized by Johan Peeters. While I didn’t recognize many of the speakers I have to give special note to three speakers in particular: Ken Van Wyk, Jim Manico, Dr. Bart Preneel.

Ken van Wyk is currently an independent consultant and previously worked at the Software Engineering Institute at Carnegie Mellon. Ken is well known for authorship or contributing authorship to a couple of excellent books on security – most notably O’Reilly’s Secure Coding: Principles and Practices.

Jim Manico is an author and educator of developer security awareness trainings as well as one of the members of the Global Board of Directors for the OWASP foundation. He has a 17 year history building software as a developer and architect and is a frequent speaker on secure software practices. Jim’s energy when he talks is highly infectious and really draws you in to the presentation and discussion.

Dr. Bart Preneel is a professor at KU Leuven focusing primarily on cryptography as a point of his interest. His knowledge of cryptography is expansive and he has a very grounded perspective on what it really takes to provide confidentiality and integrity to data in this day and age of NSA snooping and monitoring. I found his lectures (and there were a fair number of them) very informative and insightful. I definitely learned an enormous amount from him (and from Ken and Jim as well).

The discussions below are not meant to be detailed reporting on the sessions I attended at SecAppDev but rather a general impression – a flavor – of those sessions.  The materials for those sessions are available on the SecAppDev website and recordings of the sessions are available on their YouTube channel.

Monday, February 10, 2014

Having arrived in Brussels at 07:30 I was stuck at the airport for a short while trying to find my luggage. My flight with Delta had me going through Amsterdam before arriving in Brussels and to my surprise my luggage did not go on the same flight. Rather, Delta, for reasons I cannot fathom, sent my bag down to Atlanta and from there on a direct flight to Brussels. So, I didn’t get out of the airport until approximately 08:00 (but hey, at least I had my luggage!). I took the train from the airport to Leuven and from there walked to The Leuven Institute for Ireland in Europe (also known as the Irish College). This was kindly arranged for me by Johan Peeters and I thoroughly enjoyed the stay. After dropping my bags there I got cleaned up and went straight to the conference. While I missed the first presentation of the day (Principles of Computer Security) I was able to attend three other talks that day: Low Level Exploits and Countermeasures, the SDLC Workshop, and Security Testing Fundamentals. Each was interesting although the topics were already well known to me.

Tuesday, February 11, 2014

All of the sessions on Tuesday were excellent! I attended Dr. Preneel’s talk on Cryptographic Algorithms first, followed by Dr. George Danezis‘ (of the University College London) presentation on Access Control. In the afternoon I attended Dr. Preneel’s Entity Authentication and Jim Manico’s Entity Authentication and Session Management presentations. All in all, excellent talks by all of the presenters, with Jim Manico’s Entity Authentication and Session Management being a real eye-opener with material I could immediately use on some projects within Itron and some personal side projects as well.

Wednesday, February 12, 2014

On Wednesday I decided to attend the Threat Modeling session led by Jim DelGrosso of Cigital, Inc in the morning.  I’ve been doing threat modeling on applications and product designs for several years now and I have to agree with Jim – it’s kind of an apprenticing learning curve – the more threat models you do, the better you get at them.  Jim presented a different approach to threat modeling than the one I’m used to but it gave me a lot of good food for thought in how to improve the approach I use.  I have some work ahead of me to make changes but I think it will definitely be for the better.

After the threat modeling session I attended the Advanced Cross-Site Scripting (XSS) Defense session given by Jim Manico.  I definitely learned quite a bit here.  While I can’t go into the details in such a short area I feel that I took away a lot of new insights on how to both test for XSS vulnerabilities in the products I deal with as well as how to defend against XSS exploits.  It may take a little while to integrate that into the development teams’ approach but I think it will definitely be worthwhile.

Finally, I sat in on the SSL/TLS hands-on session given by Thomas Herlea.  Thomas clearly knows his material and this session would have been best given as a two-hour workshop rather than an hour-and-a-half.  We spent quite a bit of time getting the VirtualBox VMs working properly and that tended to be a problem given the time constraints.  The material was good (although I already pretty much knew it) – but I felt that the session was hampered by the difficulties people were having just getting the VirtualBox setup.  It would have helped immensely if Thomas had provided the VMs prior to the session along with detailed setup instructions for those who haven’t worked with VirtualBox before.   The material is definitely good – but the presentation and execution of the session was weak.

Thursday, February 13, 2014

Thursday proved to be a fantastic day at the conference.  I spent the morning attending Ken van Wyk’s Hands-on Mobile Apps presentation.  This was an absolutely fun three hours!  Ken is the lead for OWASP’s iGoat project (similar to the OWASP’s WebGoat project) which provides an iPhone simulator to learn about some of the attacks against the Apple iPhone platform.  The current version of iGoat is 2.0 and requires Xcode 5.0 on the Mac platform to work – but it’s an amazing tool.  Not only do you learn how to hack the iPhone (albeit, yes, it’s iOS 6 based and iPhone 4 as well) but you also learn how to fix the very problems you’re hacking.  It’s an amazing tool and I highly recommend anyone who has any interest in gaining some level of understanding of the iPhone platform to go and get iGoat.

In the afternoon I attended Dr. Preneel’s Post-Snowden Cryptography session and Lieven Desmet‘s Recent Web Security Technology session afterwards.  I was somewhat disappointed that Dr. Preneel didn’t discuss the longer range impacts of the NSA’s actions on cryptography but I found it a very informative and useful discussion nonetheless.  The session on Recent Web Security Technologies provided a very nice window into additional efforts being made in standards groups and in the development of HTML5 to provide more security to websites and to provide additional defenses to current attacks.

Friday, February 14, 2014

In the morning I attended Ken van Wyk’s Hardening Mobile Apps session.  This follow-on (actually it could be done as a standalone presentation as well) to the Hands-on Mobile Apps workshop on Thursday was again, an excellent session.  Ken goes through (as much as is possible to go through in only an hour and a half) how to harden mobile apps on the iPhone and iPad platforms.   I would like to see him develop this into a longer workshop like the Hands-on Mobile Apps workshop the day before.  I think it would be immensely helpful to many developers and app architects.

After the Hardening Mobile Apps session I stayed around for the Authorization with OAuth 2.0 session provided by Jan Van den Bergh. While I haven’t followed OAuth development very much I am aware of some of what’s going on around it. OAuth started out as a small, independent project that was meant to solve specific problems with authentication on the web. The OAuth 1.0 specification which came out with RFC 5849 was simple and met the requirements specified by the community and the developers. As I understand it, and again I haven’t been following OAuth that much lately, as OAuth 2.0 was being developed it became bigger, more complex and much more unwieldy than the original OAuth 1.0. One of the biggest critics of the OAuth 2.0 specification (and of the standards process as a whole) was Eran Hammer who was the IETF working group editor for the OAuth 2.0 effort. After three years of work Eran left the IETF working group and disavowed the effort claiming a wide variety of issues – many of which seem quite valid. OAuth is interesting as it tries to address a very pernicious problem – but the current specification of OAuth 2.0 may be more complex and more unwieldy than is necessary. I can’t say – but I do understand that there was a lot of bad blood within the IETF working group in the end. It’s a shame because it’s something that the web needs very badly.

The final session I attended was Dr. Preneel’s Cryptography Best Practices talk.  As with his previous talks this one covered an immense amount of material and provided some good food for thought on how to correctly implement cryptography in products.

While the material presented at a fair amount of the talks I attended was already known to me I still walked away from the overall conference feeling like I had really learned something. If you have a chance to be in Europe next year and you’re interested in attending an excellent conference focusing on secure application development – I highly recommend you attend SecAppDev.

Friday, February 14, 2014

10 years of SecAppDev

Tonight we are celebrating the 10th anniversary of SecAppDev.

In the summer of 2004, Dirk Dussart, Georges Ataya and I, shocked by the software industry's cavalier attitude to software security, decided to set up a course for developers.
I had worked with Frank Piessens of the KU Leuven DistriNet research group and Bart Preneel from COSIC at previous client engagements and had learned an enormous amount about security from them in the process, so I talked to them. As they are both great teachers, when they said they were on board, I knew we could make this happen.

At the time, Gary McGraw was eloquently chastising the software industry for their bolt-on approach and urging us to, instead, build it in. So, I contacted Gary and asked him whether he could come over and teach a course in Belgium. He immediately said yes.

Dan Wallach, who had been part of the team at Princeton that exposed and then fixed the security holes in the Java 1.0 security model, couldn't make it in February/March 2005, but said he was keen to teach at future sessions.

With such eminent faculty supporting us, we were off to an excellent start. Unfortunately, just a few weeks before the course, Gary had to cancel. He apologised and recommended a friend with whom he had been developing course material to take his place. That is how I came to be introduced to Ken van Wyk.

So it was that, on February 28th 2005, the first SecAppDev course kicked off at the Domaine de Freins de Latour in Uccle, Brussels. The next year we moved to the Faculty Club in the Béguinage in Leuven, where we have been since, except for 2012, when we held the course in the Irish College, also in Leuven.

Frank, Bart and Ken have been teaching on every course. Gary McGraw came over several times, as did Dan Wallach. Other great teachers joined and the course became more widely known, which is why we are still here after 10 years.

Whereas in the early days, the course was mainly about building developer security awareness, we shifted our focus and started providing a platform for more leading-edge material on secure application development. This includes the timely confrontation of academic research with professional practice or pitching new, innovative course material by commercial trainers.

As a non-profit organisation, set up to raise the standard of secure software engineering, the best possible outcome would be that we would become obsolete. While we have traveled a long road in the last ten years, our mission has, sadly, not lost any relevance; while security awareness has certainly increased, we are not in a good place. Our society has come to depend on vulnerable IT systems for most of its critical infrastructure. This may well lead to increasingly spectacular failures.

But there is something else even more insidious. In essence, security is about how well you can control your own destiny. This ability to give direction and purpose to life increased significantly in the decades since WWII. But it looks like this trend is being reversed with IT systems that are being compromised to steal from us, invade our privacy or just randomly fail.

I believe that we can do better than this and that history will judge our generation on how well we rise to this challenge.

Every year I take heart from this course, because it is always an inspiration to spend a week with people who are passionate about this historic challenge. This community has come to mean a lot to me and I want to thank all of you for your dedication. Thank you Frank, Bart and Ken for your great contributions as teachers, and also as members of the non-profit board. Thank you, Lieven Desmet for joining the board, curating the course for the last couple of years and being a great organiser. Thank you, Jim Manico. You are a great teacher and lend us very vocal support, both on our board and in the wider community. Thanks to Gary McGraw for your contributions as a teacher and serving on our program committee. Thank you to all the other great teachers that have taught on this course in the past 10 years. And thank you to all participants over those 10 years. Your passion and enthusiasm inspired us to continue this activity. Last but not least, I want to thank my wife, Caroline Greenman, for all her support. Not only has she put up with me investing way more than a reasonable amount of time into this hobby, she actively helps to host the event.

Thank you all for the past 10 years. I thoroughly enjoyed it. I am looking forward to the next 10.

Wednesday, February 12, 2014

Welcome to the SecAppDev Blog!

SecAppDev courses are run by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. Katholieke Universiteit Leuven and Solvay Brussels School of Economics and Management are founding partners.

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

We do not target security experts or developers of security products, but rather developers whose main focus is not security, yet who nonetheless need to be sufficiently security-savvy to deliver reliable applications.

We believe that learning requires active engagement with the topic. We therefore promote interactivity, both in the classroom as well as outside - the courses are run in the inspiring surroundings of an outstanding béguinage in Leuven, and we have a well-attended social program.

Experiential learning sessions, including hands-on sessions and workshops, have been a much appreciated addition of the last couple of years.

Thank you and we hope to see you at the next SecAppDev!