Re: [SC-L] quick question - SXSW

2008-03-26 Thread Andrew van der Stock 
Hi all,

I have been specifically targeting developer conferences these last  
twelve months. I've had rejections from the likes of OSCON, and in  
fact, I was rejected from BlackHat, too. I have worked out the pattern  
to these conferences.

You gotta SEX IT UP.

Instead of submitting talks like Safe Ajax Coding Techniques or  
Securely using mainframe transactions in your web app, submit talks  
that are titled:

How we pillage your app, identity rape your users, steal all your  
money, and retire in the Caribbean with the loot

Then when you get there, start with a demo or three to end all demos.  
Totally scare them witless. Followed by a picture of a girly drink  
with an umbrella in it with a beach in the background, and take the  
girly drink to the talk, too. Once you've put the fear of god (or at  
least malicious attackers) into them, then you can:

* Do the talk you had in mind all along (Securely using  
mainframe ...), and they'll learn what they needed to learn by  
attending your talk.

This is not to say you should be a boring presenter, but we shouldn't  
shy away from saying to developers that they MUST do this stuff, or  
they'll be pwned.

Just before the folks fill in their presenter feedback forms, do an  
ASTONISHING demo. Something they will remember when they're filling in  
the feedback. When you're at the top of the feedback pile, you'll get  
invited back.

The program committees for these trendy conferences - with some very  
notable exceptions - are for the most part just as hostile /  
apathetic / know little about security as the attendees. Sometimes  
worse - many are truly hostile to security as it gets in the way of  
their fast and crappy beats correct every time mindset. So make your  
submission interesting to the program committee, so much so that they  
want to come see it, too. Once they start accepting the talks, sooner  
or later, after 10 years or so, we'll be able to submit the useful  
talks without any such cover. See the design pattern folks for proof.

Arian - ARGH! Tell Anurag to check out ESAPI - it has already hard  
core white list encoding, direct object reference maps, easy user  
object manipulation (logout that actually does the right thing with  
one call, etc), safe system(), encrypted property files, integrity  
protection and encryption for hidden fields and cookies, and so on and  
on and on.

Encoder::
canonicalize()   Simplifies percent-encoded and entity-encoded  
characters to their simplest form so that they can be properly  
validated.
decodeFromBase64()   Decode data encoded with BASE-64 encoding.
decodeFromURL()  Decode from URL.
encodeForBase64()Encode for base64.
encodeForDN()Encode data for use in an LDAP distinguished  
name.
encodeForHTML()  Encode data for use in HTML content.
encodeForHTMLAttribute() Encode data for use in HTML attributes.
encodeForJavascript()Encode for javascript.
encodeForLDAP()  Encode data for use in LDAP queries.
encodeForSQL()   This method is not recommended.
encodeForURL()   Encode for use in a URL.
encodeForVBScript()  Encode data for use in visual basic script.
encodeForXML()   Encode data for use in an XML element.
encodeForXMLAttribute()  Encode data for use in an XML attribute.
encodeForXPath() This implementation encodes almost everything  
and may overencode.
normalize()  Normalizes special characters down to ASCII  
using the Normalizer built into Java.

It's already done! However, there's more to do - let's work together  
on those gaps (client AJAX ESAPI) instead of re-inventing the wheel.

thanks,
Andrew

On Mar 13, 2008, at 4:11 AM, Arian J. Evans wrote:
 and Anurag will be releasing some APIs
 for java developers to actually do things like output encoding,
 where Java/J2EE is about 4 years behind the rest of the world.


thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10




___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-03-26 Thread Andrew van der Stock 
Gary,

Good interview.

The discussion on being unable to develop trust relationships with  
contractors who release exploits was interesting, and I wished that  
there was more discussion on that point. I would have thought signing  
a contract made it easier to sue for breach of contract than untested  
laws (or bad laws like the UK's RIPA), so much so you'd really think  
twice as well as the negative downside of being considered  
untrustworthy with confidential data - which is like a plague to any  
consultancy business.

I really wish Ms Davidson had gone into detail on their SDL, as to  
what is really in there, and where we could read it and review it.

Oracle's is an interesting turn around considering back in 2005 /  
2006, the research community and Oracle's relationship was at an all  
time low, essentially begging Oracle to put in an SDL and address the  
security defects properly without outside folks finding them first.

I have since read that fences have been somewhat mended between  
researchers, such as David Litchfield, and Oracle. I still wince at  
that episode - it was entirely unprofessional of Oracle to attack  
Litchfield, who was practicing responsible disclosure for up to  
600-800 days, when 30 is the norm. I personally was extremely  
unimpressed with Oracle's approach of shooting the messenger rather  
than fixing the product.

I must admit that episode led me to dismiss Oracle as the walking dead  
as they obviously couldn't be trusted with data of value, and so  
didn't follow news about Oracle ... until this interview.

I'm glad they're now using automated SCA tools and fuzzers, they're  
now finding most of the security issues themselves, have an internal  
review team, and my personal favorite - developer awareness /  
education. This is a 180 degree turnaround from the prior to 2005/2006  
era. I particularly like that she's going to the universities and ask  
them to teach coding security. This is what they SHOULD have been  
doing rather than attacking the research community.

I'm glad that Oracle is now drinking the kool aid and treating  
security as a fundamental software engineering requirement. It's about  
time.

thanks,
Andrew van der Stock
Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10




___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___