[SC-L] Evolution of OWASP
*ALERT* OWASP 4.0 evolution is underway.

http://www.owasp.org/index.php/Membership/2011Election

We are looking for industry leaders to help us continue to grow and evolve as a global professional association.

If you missed the 2011 Summit in Portugal, see results @ http://www.owasp.org/images/2/27/OWASP_Summit_2011_Results.pdf

Semper Fi,

Tom Brennan
Global Board Directors & NY/NJ Chapter Leader
OWASP Foundation
973-202-0122

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] informIT: Modern Malware
Hi everyone,

Assuming that "are we missing DEP and assorted userland exploit mitigations" for the web is not a rhetorical question, indeed assorted technologies based on randomized instruction sets have been researched and I have seen PoC solutions circa 2004 (SQLi) and more recently for XSS. [1] is a nice starting point, as I am in somewhat of a hurry to locate the papers/PoCs now.

Obviously, if that was a rhetorical question, :)

[1] http://www.cs.columbia.edu/~angelos/cv.html

On 03/26/2011 09:12 PM, Arian J. Evans wrote:
> [SNIP]
> And why is that? Are we missing DEP and SEHOP and such for the web?
>
> Or is the web, the browser, and userland malware just where the easy
> money is, so the attackers focus there?
>
> ---
> Arian Evans
> Software Security Realism

--
-- thanasisk
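The "randomized instruction set" idea thanasisk points to, in the SQL-injection form (SQLrand-style keyword randomization), as an added illustration: this is editor-written toy code, not code from the thread or from the Columbia papers. The application tags every SQL keyword in its developer-written query templates with a secret suffix; a proxy in front of the database accepts only tagged keywords, strips the tags, and rejects any bare keyword outside a string literal. Injected text cannot carry the tag, so its `OR`/`UNION`/`DROP` never reaches the database. The keyword set, the numeric tag format, the `{name}` placeholder convention and the lexer are all assumptions; a real proxy parses the whole randomized SQL grammar instead of just lexing for keywords.

```python
import re
import secrets

# Toy SQLrand-style instruction-set randomization (added example, not from the thread).
# Keyword set the toy proxy recognises; a real deployment covers the whole SQL grammar.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE", "LIKE"}

# Lexer: string literal (with '' escapes), word, whitespace, single punctuation char,
# or a stray quote (which can only mean an unterminated literal). Every byte of the
# input falls into one of these classes, so finditer() covers the whole query.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|\s+|[^\w\s']|'")
KEYWORD_RE = re.compile(r"\b(" + "|".join(sorted(KEYWORDS)) + r")\b", re.IGNORECASE)


class InjectionDetected(Exception):
    """Raised by the proxy when a query contains a keyword without the secret tag."""


def new_tag() -> str:
    """Per-process secret suffix. The scheme only holds while the tag stays
    unguessable to anyone who controls query input (assumed 9 decimal digits)."""
    return str(secrets.randbelow(10**9)).zfill(9)


def build_query(template: str, tag: str, **params) -> str:
    """Application side: tag keywords in the developer-written template *before*
    user data is substituted, so user-supplied words never receive the tag."""
    randomized = KEYWORD_RE.sub(lambda m: m.group(1) + tag, template)
    return randomized.format(**params)


def derandomize(query: str, tag: str) -> str:
    """Proxy side: every keyword outside a string literal must end with the tag.
    Returns the plain SQL to forward, or raises InjectionDetected."""
    out = []
    for m in TOKEN_RE.finditer(query):
        tok = m.group(0)
        if tok == "'":
            raise InjectionDetected("unterminated string literal")
        bare = tok[:-len(tag)] if tok.endswith(tag) else None
        if bare is not None and bare.upper() in KEYWORDS:
            out.append(bare)           # developer keyword: strip tag and forward
        elif tok.upper() in KEYWORDS:
            raise InjectionDetected("untagged keyword %r" % tok)
        else:
            out.append(tok)            # identifier, literal, operator, whitespace
    return "".join(out)


def is_accepted(template: str, tag: str, **params) -> bool:
    """Does this (template, user data) pair make it through the proxy?"""
    try:
        derandomize(build_query(template, tag, **params), tag)
        return True
    except InjectionDetected:
        return False


if __name__ == "__main__":
    tag = new_tag()
    tmpl = "SELECT name, email FROM users WHERE name = '{name}'"
    print(build_query(tmpl, tag, name="alice"))                     # what the app sends
    print(derandomize(build_query(tmpl, tag, name="alice"), tag))   # what the DB sees
    # Constructed sample inputs: two benign names, three classic injection payloads.
    for payload in ["alice", "O''Brien", "' OR '1'='1", "admin'--",
                    "x' UNION SELECT password FROM users --"]:
        verdict = "accepted" if is_accepted(tmpl, tag, name=payload) else "rejected"
        print("%-42r -> %s" % (payload, verdict))
```

Note what this does and does not buy: keywords inside a properly quoted literal (`'O''Brien'`) are untouched, an unquoted numeric placeholder (`WHERE id = {id}`) is protected just as well because `1 OR 1=1` carries a bare `OR`, and the whole scheme collapses if the tag leaks, which is exactly the analogy to ASLR and other userland mitigations that the thread is drawing.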
Re: [SC-L] informIT: Modern Malware
On 03/26/2011 01:12 PM, Gunnar Peterson wrote:
> Advanced = goes through firewall
> Persistent = tried more than once
> Threat = people trying to get into valuable stuff
>
> Nothing new to sc-l readers, but a reasonably good marketing term esp. by
> infosec standards (yay we get to scare business people with something other
> than an auditor's clipboard!); really it's all just the collective sound of
> infrastructure security people coming to grips with the fact that their
> firewall isn't a wall at all, but rather a series of holes.

Uh..., doesn't *most* malware go through firewalls nowadays? So how is that "advanced"? In reality, "advanced" as used with APT means malware that was clever enough to evade our normal AV defenses and socially engineer its way past the common sense of those humans who wanted to see the "dancing pigs".

In short, APT is spin-doctoring for getting caught with one's pants down.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
Re: [SC-L] informIT: Modern Malware
Excellent response, Ivan.

Malware is a business, not a programming mistake, which Gary's article mentions then sidesteps. This is the "Secure Coding" list so I can understand the myopia.

As for "Long Term Solutions and Wishful Thinking" in the article:

It is clear that current solutions are not working, if you step back and look at the malware landscape. Now, some steps we have taken have had significant positive impact. It's been a while since network-replicating worms ripped through every Windows box on the Internet.

However, the steps taken so far to protect user-land, the browser, and web applications have not proven effective yet on a broad scale, SDLCify sensationalist rhetoric aside.

And why is that? Are we missing DEP and SEHOP and such for the web?

Or is the web, the browser, and userland malware just where the easy money is, so the attackers focus there?

---
Arian Evans
Software Security Realism

On Fri, Mar 25, 2011 at 2:19 PM, iarce wrote:
> On 3/22/11 12:41 PM, Gary McGraw wrote:
>> hi sc-l,
>>
>> The tie between malware (think zeus and stuxnet) and broken software
>> of the sort we work hard on fixing is difficult for some parts of the
>> market to fathom. I think it's simple: software riddled with bugs
>> and flaws leads directly to the malware problem.
>
> Non sequitur
>
> C'mon Gary, I understand the purpose of making such a simplifying
> statement on the secure coding mailing list but its logic is untenable.
>
> Bugs and flaws do not *directly* lead to malware, not even if you
> defined bugs and flaws in a way that would nearly make your statement a
> tautology (i.e. "a bug|flaw is something that proves the existence of
> malware possible")
>
> What leads directly to the malware problem are the individuals and
> organizations that develop and deploy malicious software. The fact that
> they usually use undocumented APIs (what you call "bugs and flaws") for
> their purpose does not make those APIs the cause of the malware.
>
> You could statically-analyze and SDLCfy all software till kingdom come
> and that will still not prevent large consumer electronics or firmware
> vendors from developing and shipping their own breed of malware with
> their products.
>
> Advocating development of secure software by "Building Security In" is a
> commendable position but in my opinion it is only a necessary
> component of a long term solution. I think that a long term solution
> also requires us to stop dancing around the issue of abusive EULAs, the
> lack of vendor liability and to factor in the adversary's motivations
> and incentives.
>
> I realize the above remark may lead to a discussion that is off topic
> for this mailing list so I'll turn to the last paragraph of your article:
>
>> Fortunately, many leading firms, including Adobe and Microsoft, are
>> taking a determined approach to software security and real results
>> are coming in the form of more secure software and less vulnerability
>> to malicious code.
>
> How do you measure software security? You say "real results", "more
> secure" and "less vulnerable" but this may just be a highly subjective
> assessment about the success of the approach of some specific vendors.
>
> One could also say that despite some vendors' "determined approach" to
> software security a decade and a hundred million dollars into the process
> they've still not made a dent in the "malware problem" so how does that
> make their current software more secure|less vulnerable in practical terms?
>
> -ivan
> --
> Ivan Arce
> CTO - Core Security Technologies
Re: [SC-L] informIT: Modern Malware
A positive side effect of many vendors being US-based is that the US market takes most of the buzzword marketing hit. :)

On a more serious note, I think there really are APTs out there, state-driven and all. The problem is when organizations use the term to get away with sub-standard security or to motivate why they can't tell you any details of a recent hack.

We need to define what is required for a threat/an attack to be APT. State-driven and funded? 0-day(s) used? Tailor-made exploit for the target? That way we can at least interpret what RSA and others are saying. Right now I can only interpret their statements as "We got owned but we'll lose too much business if we tell you what happened. Just trust us instead." And I really hope that's not the truth.

Continued Business by Obscurity

Regards, John

Sent from my iPad

On 26 mar 2011, at 18:12, Gunnar Peterson wrote:
> Advanced = goes through firewall
> Persistent = tried more than once
> Threat = people trying to get into valuable stuff
>
> Nothing new to sc-l readers, but a reasonably good marketing term esp. by
> infosec standards (yay we get to scare business people with something other
> than an auditor's clipboard!); really it's all just the collective sound of
> infrastructure security people coming to grips with the fact that their
> firewall isn't a wall at all, but rather a series of holes.
>
> -gunnar
Re: [SC-L] informIT: Modern Malware
Advanced = goes through firewall
Persistent = tried more than once
Threat = people trying to get into valuable stuff

Nothing new to sc-l readers, but a reasonably good marketing term esp. by infosec standards (yay we get to scare business people with something other than an auditor's clipboard!); really it's all just the collective sound of infrastructure security people coming to grips with the fact that their firewall isn't a wall at all, but rather a series of holes.

-gunnar
Re: [SC-L] informIT: Modern Malware
Agreed. Now all you need to do is convince the people who need to solve the problem that you have a pointer for them to use without a label??

The market (probably because of the marketing types) is discussing and wanting solutions for "the APT problem." To see how embedded this language is in the current discourse, look no further than the RSA SecurID problem "explanation" that is being proffered in lieu of a real technical explanation of what happened.

Welcome to commercial security.

gem

On 3/26/11 9:52 AM, "Haroon Meer" wrote:
> Heya Gary (all)
>
> On Sat, Mar 26, 2011 at 3:32 PM, Gary McGraw wrote:
>> I agree that the APT term is overused by the marketing types. In this
>> case you can translate it as malware that infects a server or an ad
>> network and is "served up" to unwitting victims in a drive by download.
>
> Malware distributors look for good distribution channels, and the
> ad-server provides one.
> While it is a Threat, it's no more Advanced than we have seen before.
> It isn't more "Persistent" than Stoned [1] was on a disk.
>
>> What would you call it haroon?
>
> In truth, i would avoid giving it a new name.
> Drive by download: Yes. APT: No
>
> /mh
>
> [1] http://en.wikipedia.org/wiki/Stoned_(computer_virus)
>
> --
> Haroon Meer | Thinkst Applied Research
> http://thinkst.com/pgp/haroon.txt
> Tel: +27 83 786 6637
Re: [SC-L] informIT: Modern Malware
Heya Gary (all)

On Sat, Mar 26, 2011 at 3:32 PM, Gary McGraw wrote:
> I agree that the APT term is overused by the marketing types. In this
> case you can translate it as malware that infects a server or an ad
> network and is "served up" to unwitting victims in a drive by download.

Malware distributors look for good distribution channels, and the ad-server provides one.
While it is a Threat, it's no more Advanced than we have seen before.
It isn't more "Persistent" than Stoned [1] was on a disk.

> What would you call it haroon?

In truth, i would avoid giving it a new name.
Drive by download: Yes. APT: No

/mh

[1] http://en.wikipedia.org/wiki/Stoned_(computer_virus)

--
Haroon Meer | Thinkst Applied Research
http://thinkst.com/pgp/haroon.txt
Tel: +27 83 786 6637
Re: [SC-L] informIT: Modern Malware
hi mh,

I agree that the APT term is overused by the marketing types. In this case you can translate it as malware that infects a server or an ad network and is "served up" to unwitting victims in a drive by download.

Neil, anything to add?

What would you call it haroon?

gem

On 3/26/11 8:14 AM, "Haroon Meer" wrote:
> Hi
>
> On Wed, Mar 23, 2011 at 5:14 PM, Gary McGraw wrote:
>> Dasient protects the server side of the APT problem
>> (especially when it comes to bad ads)
>
> Arguing over semantics and loosely defined terms is a recipe for a
> circular flame-thread, but this statement seems wrong on many levels.
>
> I know every vendor (and his cousin who is currently thinking of
> starting a business) is claiming to defend against APT, but this seems
> like horrible buzzword misuse.
>
> /mh
> --
> Haroon Meer http://thinkst.com/
> Tel: +27 83 786 6637 PGP: http://thinkst.com/pgp/haroon.txt
Re: [SC-L] informIT: Modern Malware
Hi

On Wed, Mar 23, 2011 at 5:14 PM, Gary McGraw wrote:
> Dasient protects the server side of the APT problem
> (especially when it comes to bad ads)

Arguing over semantics and loosely defined terms is a recipe for a circular flame-thread, but this statement seems wrong on many levels.

I know every vendor (and his cousin who is currently thinking of starting a business) is claiming to defend against APT, but this seems like horrible buzzword misuse.

/mh
--
Haroon Meer
http://thinkst.com/
Tel: +27 83 786 6637
PGP: http://thinkst.com/pgp/haroon.txt
Re: [SC-L] informIT: Modern Malware
On 3/22/11 12:41 PM, Gary McGraw wrote:
> hi sc-l,
>
> The tie between malware (think zeus and stuxnet) and broken software
> of the sort we work hard on fixing is difficult for some parts of the
> market to fathom. I think it's simple: software riddled with bugs
> and flaws leads directly to the malware problem.

Non sequitur

C'mon Gary, I understand the purpose of making such a simplifying statement on the secure coding mailing list but its logic is untenable.

Bugs and flaws do not *directly* lead to malware, not even if you defined bugs and flaws in a way that would nearly make your statement a tautology (i.e. "a bug|flaw is something that proves the existence of malware possible")

What leads directly to the malware problem are the individuals and organizations that develop and deploy malicious software. The fact that they usually use undocumented APIs (what you call "bugs and flaws") for their purpose does not make those APIs the cause of the malware.

You could statically-analyze and SDLCfy all software till kingdom come and that will still not prevent large consumer electronics or firmware vendors from developing and shipping their own breed of malware with their products.

Advocating development of secure software by "Building Security In" is a commendable position but in my opinion it is only a necessary component of a long term solution. I think that a long term solution also requires us to stop dancing around the issue of abusive EULAs, the lack of vendor liability and to factor in the adversary's motivations and incentives.

I realize the above remark may lead to a discussion that is off topic for this mailing list so I'll turn to the last paragraph of your article:

> Fortunately, many leading firms, including Adobe and Microsoft, are
> taking a determined approach to software security and real results
> are coming in the form of more secure software and less vulnerability
> to malicious code.

How do you measure software security? You say "real results", "more secure" and "less vulnerable" but this may just be a highly subjective assessment about the success of the approach of some specific vendors.

One could also say that despite some vendors' "determined approach" to software security a decade and a hundred million dollars into the process they've still not made a dent in the "malware problem" so how does that make their current software more secure|less vulnerable in practical terms?

-ivan
--
Ivan Arce
CTO - Core Security Technologies