Thursday, March 5, 2015

Making Applications Secure


Developing applications that are secure is becoming an essential part of the toolkit of any programmer, and project managers are increasingly tasked to 'Make it more secure - we don't want to be the next headline...' In 2015, this has become a major priority for many people.

So if you want a week of immersive training in making mobile, web and other applications more secure, then I thoroughly recommend the annual SecAppDev conference. It's an intense program of background lectures where you learn the theory, and hands-on workshops where you get to try it out for real. Even better, it's set in a renovated 17th-century university location 25 kilometers east of Brussels, in the EU (European Union), and easy to get to by train or plane from many places worldwide. Leuven is a charming 'student city' venue, full of bikes and cobbled streets, where you can walk to just about anywhere inside the ring-road in less than half an hour. Cars on that outer ring aren't allowed far into the central area, so apart from a few buses, students and bikes rule! There's a very good overview of the history of Leuven here.

The SecAppDev conference is held in the Faculty Club, to the south of the centre of Leuven. It's a perfect mix of old exteriors and modern interiors, and whilst this is the Dutch/Flemish part of Belgium, the conference language is English. KU Leuven, the University of Leuven, founded in 1425, is the oldest Catholic University in the world.


Inside the conference, you step straight into the 21st century. The two-track program covers topics like post-Snowden, cryptography, TLS hands-on, SDL, Threat Modelling, and web/mobile hardening. I like following a topic and getting immersed, so I went to the sessions where the introductory lecture covered the theory and the double-length hands-on session that followed provided a detailed workshop with plenty of opportunity to dig deep into the material. Pre-prepared VMs are used for some of the workshops, so that everyone has an isolated and common starting point. I was particularly impressed with the TLS session, where you configured an Apache web server (on Fedora) from scratch so that HTTPS worked properly, using tools like mod_ssl and OpenSSL: generating a key-pair, creating a CSR, and replacing the default self-signed certificate with a trustable one issued by a CA... The Threat Modelling workshop was notable too, with teams competing to find flaws in a web system. The lecturers were all very familiar with their subject matter, and I learnt a lot.

If a day of intense learning wasn't enough, the local chapter of OWASP had an evening event on the Tuesday night, which was an opportunity for more learning and networking. With the Computer Security and Industrial Cryptography (COSIC) research group and the Department of Electrical Engineering nearby, and the meeting being held in the Department of Computer Science, there was a large and informed audience.

There is a wealth of information on the SecAppDev website (http://secappdev.org), with handouts going back to 2007 (the first SecAppDev was in 2005, so this was the 11th conference!), video recordings of lectures before 2013, a YouTube channel for more recent videos, and a blog which has an entry that describes the user/attendee experience in more detail.

Secappdev.org is a non-profit organisation whose aim is to broaden security awareness in the development community and advance secure software engineering practices. For me, the week at SecAppDev 2015 taught me a lot, provided consistently excellent interactive workshops, good networking and follow-up opportunities, and was totally worthwhile. If you develop, or manage developers, or just want to be 'security-savvy', then you should be considering attending SecAppDev 2016!

Tuesday, January 20, 2015

How real is it?


We're really bad in the software world at recognizing and taking action against real threats. We fail to see and fully grok the threats that are bearing down on us, and as a result, our software all too often contains security defects that are well understood by our adversaries. When that happens, things only get worse.

One of my passions is to show software developers the myriad ways in which software can fail under deliberate attack. I do that in my hands-on lab sessions. One of my biggest motivators is when I notice one or two software developers "get it". We talk about common problems like SQL injection or cross-site scripting (XSS) and they all nod, but when they actually see it work as they enter poisonous data into a real app, a light goes on. It's those "aha!" moments that keep me doing what I do.
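The SQL injection "light goes on" moment described above, as an added example written for this page (it is not the author's lab material): a string-concatenated query beside its parameterised equivalent, run against a constructed in-memory SQLite table so it can be executed offline. The table contents and the input strings are made up for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the untrusted value becomes part of the SQL grammar,
    so a value containing a quote can change what the statement means."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound separately from the statement text,
    so whatever it contains is compared as data and can never alter the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with the textbook tautology payload."""
    conn = build_db()
    benign = "bob"
    poisoned = "' OR '1'='1"  # the classic training-lab input; constructed here
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_poisoned": find_user_vulnerable(conn, poisoned),
        "safe_benign": find_user_safe(conn, benign),
        "safe_poisoned": find_user_safe(conn, poisoned),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign input both functions return the single matching row. With the poisoned input the concatenated version returns every user in the table, because the WHERE clause has become `name = '' OR '1'='1'`, while the parameterised version returns nothing, since no user is literally named `' OR '1'='1`. That contrast is the whole lesson: binding parameters removes the attacker's ability to change the statement at all, which is why it is the standard remediation.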

But even when we do that, I'm often asked by those same developers just how real the attacks are. How common are they? How much time and effort should they put into protecting their applications? It's one thing to understand a software security defect and even deeply grok how it works, but how does that translate into their world? How much testing is enough? How much code review is enough? What problems should they spend the most time on remediating?

Security folks want to tell those developers to fix all the problems. We want to tell them to scan every line of code and test their software rigorously. But when they hear that, they get overwhelmed and they realize that we're prescribing far too much for them to realistically accomplish.

How should those developers then budget their effort?

Of course, that's a hugely difficult question to answer in a general sense. There's no one size fits all solution. It depends... And so on.

Does that mean you should simply throw your hand up in the air and give up? Of course not.

One thing you might try to do is to seek out your company's security folks, especially the incident response team. If your company has one, you might well find that they hold a treasure trove of real world data on how your company's systems come under fire in their production environments every single day. You might well find out the kind of tools and techniques your attackers are using right now. I personally spent many years working incident response operations, and I can say with confidence that these are the folks who most closely get to see real attacks and real security failures first-hand.

That, in turn, might help you better understand where you need to spend time in your software security efforts.

Sounds simple, right? You might even call this "common sense". And yet, in my own experiences at hundreds of companies, I've all too often encountered software developers who fail to seek out their own companies' security personnel.

At one client, I was working with a group of software developers and I asked them if they knew their own computer security incident response team (CSIRT). They didn't. However, when I walked around their office a bit, I found their CSIRT security operations center (SOC) right down the hall from where the software developers were sitting. They were right down the hall and yet they'd never met each other!

Don't let this happen to you and your company. I'm speaking here of a concept that I like to refer to as "confluence". Software development simply must involve not just the software developers and business owners, but also the various security stakeholders in a company. Seek them out and talk to them.

I provide various actionable tips on how to do this in my latest book, "Software Security: A Confluence of Disciplines". But even if you're not inclined to buy a book, I hope some of you reading this will join me at SecAppDev and try some of these hands-on lessons first-hand.

Monday, January 19, 2015

Reflections on Software Security


Reflection on Secure Software

My name is Jim Manico. I'm a member of the software security research community. One of my greatest professional passions is understanding and investigating the creation of secure software. As a traveling software security educator, I have spent the last 4 years of my life teaching developers about software security in over 70 countries throughout the world.


Although I live in Kauai, Hawaii (one of the greatest islands in the world) I tend to only spend about 2 months there a year. The rest of the year is spent traveling, teaching or going to developer conferences. My wife is often on the road with me when the location is to her liking.


Looking left from my office chair at home on Kauai.



Here are my 2014 travel records for only one airline and one hotel chain. These are quite ridiculous for someone who is supposed to live in Hawaii!  


YTD premier qualifying miles with @united in 2014 : 180,493


Total days staying at a @starwood hotel in 2014: 78. Total cities visited via @starwood in 2014: 22.

I am also fortunate to have been elected to one of the global board positions at the OWASP Foundation. OWASP is the Open Web Application Security Project, a non-profit foundation dedicated to spreading application security awareness. Driving the strategic vision of a non-profit foundation full of web hackers is no easy task, but is something that brings me great joy. Like SecAppDev, I fully believe in the mission of the OWASP Foundation and similar organizations such as BSides.

From the left: Tom Brennan (OWASP), Jim Manico (OWASP), Jack Daniels (BSides), Eoin Keary (OWASP) and Michael Coates (OWASP) at an award ceremony where the OWASP Foundation was awarded for their charitable efforts.


I never would have thought that my favorite professional travel destination would be Leuven, Belgium in February where the week-long SecAppDev developer security training course takes place. SecAppDev is more dedicated to teaching developers to write secure code than any other conference or organization that I've been a part of. I'm proud to be one of the many educators who participate in this special week-long secure coding course. While I am a teacher, I am also a student when I attend SecAppDev. SecAppDev is where I go to enhance my skills around secure coding and prep for a new year of developer education. One of the highlights at SecAppDev for me is cryptography education because the professors who teach the crypto classes at SecAppDev are world class!

"SecAppDev courses are run by secappdev.org,
a non-profit organization that aims to broaden security
awareness in the development community and advance
secure software engineering practices." - SecAppDev.org

I always make a point to attend the sessions led by Dr. Bart Preneel (Prof. dr. ir. Bart Preneel heads COSIC, the renowned crypto lab), Professor Frank Piessens (Prof. dr. ir. Frank Piessens pioneered application security teaching at university level), Ken van Wyk (Ken van Wyk is co-founder of the CERT® Coordination Center and a widely acclaimed author and lecturer) and others.


One of the highlights at SecAppDev is our daily group lunch. Fine dining is almost unheard of on the conference circuit, but it's the standard at SecAppDev. 

The next SecAppDev course will be held at the Faculty Club in Leuven, Belgium this February 23rd through 27th 2015. I hope to see you there!

Aloha,
Jim Manico
jim@manico.net
@manicode