Security – Page 17 – Adventures in the programming jungle

Book review: Foundations of Security (Part 2 Secure Programming Techniques)

9 August, 20095 November, 2015Adrian Citu

Chapter 5: Worms and other malware

This chapter present some “famous” worms that had major impact on the security industry. Every worm presented in the chapter had used one of the security holes that will be presented in the following chapters: Morris worm (buffer overflow of the finger daemon server), the Code Red worm ( buffer overflow of the II Server), the Nimda Worm (buffer overflow of the II Server and infection using the web browser), the Blaster worm (buffer overflow of the DCOM), the SQL Slammer (buffer overflow of the SQL Server). The authors also presents definitions of another types of malware like rootkits, botnets, spywares, keyloggers, adware, trojan horses, clickbots.

Chapter 6: Buffer Overflows

This chapter threats the buffer overflow vulnerabilities; a very small example (written en C) is presented and explained then the possible solutions to this problem are enumerated and explained :

use safe string libraries
use a “canary” compiler technique
use static analysis tools in order to find the buffer overflows at the code level

The end of the chapter presents another types of memory corruption vulnerabilities:

Chapter 7: (Web)Client-State Manipulation

The goal of this chapter is to present how a malicious user can pass to a web server modified requests. The example used as example is a pizza ordering web site which accepts GET requests containing sensitive information as the price of pizzas or the number of bought pizzas. The attack scenario consists in modifying the values of the parameters sent to the server (ex: by 10000 pizzas at the price of 0 $). The possible solutions to this kind of attack would be :

sensitive information stays on the server. Don’t send sensitive information to the client, send only an id (session id) identifying the client sensitive informations. Another technique is to send to the client a signature of the session in order to prevent the tampering of the session if by a (malicious) client.
do not use HTTP GET but use HTTP POST. The HTTP POST use can be combined with the use of cookies and or use of JavaScript.

The main idea of this chapter is web application should never trust the clients and should always validate the clients input.

Chapter 8: SQL Injection

Using the same example as in the previous chapter (the pizza ordering web site) the authors explains the anatomy of a SQL injections attack and then they propose various solutions to this kind of attacks. The proposed solutions are:

use a white-list input validation.
escape the dangerous input characters especially if the database provider support it.
use the prepared statements and bind variables.

Chapter 9: Password Security

This chapter goal is to present some of the techniques used by a password management system in order to reduce the impact of an attack. The authors will prove some of these techniques by implementing a mini-password manager that can be plugged-in into the toy web server (presented in Chapter2 :Secure Systems Design) for authenticate the users . The mini-password manager implementation starts by a straw man proposal, the users and passwords are stored into a property file. The following state is to replace the passwords by hashed versions. In order to mitigate the dictionary attacks a “salt” is added at every password. At the end of the chapter, the authors briefly presents additional security techniques :

password filtering (if a user choose a password that is in the dictionary or identified as easy to guess then must require to the user to choose another one).
limited logging attempts (the user have a limited number of login attempts before the account is locked or disabled)
aging passwords (the users are forced to change the passwords after a certain time)
one time passwords

Chapter 10: Cross-domain Security in Web Applications

This chapter starts by explaining some concepts linked to the web application security; same policy origin, Http Request Authentication, lifetime of the cached cookies and the the HTTP Authentication credentials. Then, some attack patterns are presented in detail:

The last part of the chapter presents the solutions for preventing each of the attack patterns.

The proposed solutions for the XSRF are:

inspecting the Http referrer headers (not a complete solution since the Http headers can be modified on the fly )
validation of the Http user forms via a user-provided secret (every Html form contains an additional field representing the user password; not very user friendly)
validation of the Http forms using an Action Token (in order to distinguish “genuine” instances of forms from ones that were forged by a third party, a token is included as a hidden field in the form. The main difficulty is to find a generation schema in order to be impossible for a third party site to generate valid tokens)

Solutions for preventing the XSSI are:

use an Acton Token (s in the case of XSRF)
restrictions to form submission only using Http POST

Solutions for preventing XSS are :

HTML escaping (any string that is possibly derived from untrusted data and is inserted into an HTML document must be HTML-escaped).
HTML tag attributes (form fields attributes, URL attributes, JavaScript-valued attributes) must be quoted.
use of HTTP-only cookies (cookies that will no be exposed to client-side scripting)
bind Session cookies to IP address

Chapter 11: Exercises to part 2

As for the first part, this chapter contains questions and exercises in order to “walking the walk not just talking the talk”.

Book review: Foundations of Security (Part 1 Security Design Principles)

7 June, 200918 October, 2009Adrian Citu

Lately, I was interested on “security applications” (view Security certifications for programmers) so I will do the review of the Foundations of Security: What Every Programmer Needs to Know.

Chapter 1: Security goals

The first chapter make a brief description of the security domains. For the author the IT security can be split on the following domains:

Physical security (mechanisms that limit the physical access to the IT material: locked doors, card readers, biometric lockers, etc… )

Technological security
- Application security (the domain that this book covers)
- OS security
- Network security
Policies and Procedures (each employee may need to be educated to never give out her password, the systems are so that the system administrators have the ability to reset passwords)

The chapter also introduce and explains the seven key concepts in the security field :

Authentication (is the act of verifying someone identity)
Authorization (is the act of checking whether a user has permission to conduct some action)
Confidentiality (is the act of keeping the content of a transient communication or data accessible only to authorized entities)
Message/Data integrity
Accountability (the goal of the accountability is to ensure that you are able to determine who is the attacker in the case that something goes wrong)
Availability (an available system is one that can respond to it’s users in a reasonable timeframe)
Non-repudiation (is the act of ensuring the undeniability of a transaction by any of the parties involved)

Chapter 2: Secure Systems Design

The chapter contains some general advices in order to design secure systems. The fist advice is that it must understand the threats that can impact your project/organization. The author enumerate some of the possible security threads that can occur if the security is not part of the product design: web site defacement, computer infiltration (using buffer overflow, command injection, etc), phishing, pharming (dns cache poisoning), click fraud, denial-of-service.
In order to present various security design problems, the authors presents the code of a simple web server (you can find teh code here); the web server is written in Java language and a complete code walk through is made in the chapter.

I must admit that was very hard to extract the essence (the main ideas ) of this chapter, for me the style is very unclear and I simply think that a part of this chapter would had a better place into the next chapter (Secure Design Principles).

Chapter 3: Secure Design Principles

In this chapter the authors enumerate and explain various principles in order to create a secure system. The following principles are explained:

the principle of least privilege (a computer or a user should have the minimum amount of privileges for accomplish a task)
defense in depth (the defense of a system must reside on multiple security layers not a single layer)
diversity in defense (use multiple heterogeneous systems that do the same thing, ex: use different operating systems in you infrastructure)
secure the weakest link (the system is only strong as the weakest link)
fail-safe stance or failing securely (design a system in such way that even if one or more components fail, the system can still ensure some level of security). In order to explain this principle, the authors will use the web server from the previous chapter.
secure by default (when designing a system, by default should be optimized for security wherever possible)
simplicity (keep the software as simple as possible to preserve the software security)
usability (in order to be usable, a software product should let the users to accomplish the tasks that the software is mean in most securely way). It is true that the usability and the security are sometimes 2 antagonist properties.

Chapter 4: Exercises for Part 1

The chapter contains some exercises linked to the previous chapters. Some of the exercises are just questions about things explained in the previous chapters, others are programming exercises (mount an attack to the web server or implement a basic HTTP authentication).

Security certifications for programmers

4 June, 2009Adrian Citu

This blog entry starts from a very simple question : “What a programmer need to know about the security in order to write more secure code ?” I know that IT security is a very vast topic but in my case I’m interested only in “application security”. My goal was to find some certifications that will teach me the basics of the “applications security”. You may wonder why I chose to look for the certifications, why not “normal” trainings. I choose to look for the certifications because I supposed and hoped that will provide me an objective measure of knowledge, skills and abilities.

So here are the security certifications for programmers:

Software Security Foundations Certificate from Standford University It consist in one course that can be taken online and it takes 6 hours. The price is $495 USD. The participants must complete a final exam at the end of the course consisting a multiple-choice examination. In order to receive credit for the on-line course, you must pass the course exam with a 90% score or higher. I think that this book: Foundations of Security: What Every Programmer Needs to Know will give you a good overview of the course topics since it is written by one of the instructors.

Advanced Computer Security Certificate from Standford University It consist in 6 courses, 3 required (Using Cryptography Correctly, Writing Secure Code, Security Protocols) and 3 elective (Computer Security Management – Recent Threats, Trends & the Law, Emerging Threats and Defenses, Securing Web Applications, Web Security 2.0: AJAX, Mashups, and Social Networking). Beside this, the conditions are the same as in the case of Software Security Foundations Certificate.

What I like about these certifications is that it gives you all the necessary informations before passing the exams but on the other side I was not convinced about the previews offered on the site.

GIAC Secure Software Programmer The GSSP certification exists in three flavors: GSSP-Java, GSSP-.NET and GSSP-C. The exam consists of 100 multiple-choice questions, is open book and has a 4 hour time limit and the price is $899 USD. For the GSSP-Java the exam fee can be reduces to $499 USD if you register for the Secure Coding in Java/JEE: Developing Defensible Applications: Security 541 training. The certification must be renewed every 4 years.

What I like about GSSP is that are different exams for different languages since the security risks are not the same for all the programming languages. What I don’t like (beside the price) is the missing of a study guide.

Certified Secure Software Lifecycle Professional(CSSLP) The process of certification is quite difficult: must provide proof of four years in the Systems Development Life Cycle (SDLC) process or 3 years plus a bachelors degree or regional equivalent in an IT discipline, submit Experience Assessment essays or pass examination, complete the endorsement process. The certification is focused on security of the following SDLCs: Systems Development Life Cycle, Secure Software Requirements, Secure Software Design, Secure Software Implementation, Secure Software Testing, Software Acceptance, Software Deployment. The price of the exam is $650 USD and the recertification is required every three years under the following conditions : earn 90 Continuing Professional Education (CPE) credits (minimum 15 CPEs earned each year) and pay annual maintenance fees ($100 USD). In case you need a study guide you can take a look at this book The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional (not released yet).

EC-Council Certified Secure Programmer (ECSP) In order to be an ECSP you must pass an exam ($250). Associated training is available (online training). On the site EC-Council offer very often free courses consisting in only one day. If you do not take the associated training from the EC-Council, you must complete an eligibility form before you can take the exam and for recertification each member must achieve 120 credits within 3 years and clock in 20 credits per year.

EC-Council Certified Secure Application Developer (CSAD) The CSAD is a ECSP + application development certification (for Linux: LCE / LCA / RHCE / LPI certification, for Microsoft: MCAD / MCSD / MCTS / MCPD certification, for Sun: SCJD / SCEA certification, for Oracle: OCP certification ( DBA), for IBM: Websphere certification)