LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

« May 2007 | Main | July 2007 »

June 14, 2007

Agile and Secure Update - Slide Deck Online, Presenting in Chicago

By Dan Cornell

I just posted on the Agile and Secure Blog about my recent presentation to SA-SPIN and my upcoming talks in Chicago.  Check it out.

--Dan
dan _at_ denimgroup.com

June 14, 2007 in Agile and Secure, Dan Cornell, Denim Group, Information Security, Java, Java Users Group, OWASP, Security, Web Application Security | | Comments (0) | TrackBack (0)

June 12, 2007

AJAX on Your Apple iPhone: "Secure" Development Indeed

By Dan Cornell

It looks like the folks at Apple are pretty excited about the Safari browser that will be loaded with the iPhone.  Steve Jobs has apparently promoted the browser capabilities as a way to do development for the iPhone while still keeping it "secure"  Given how completely broken the initial release of Safari was for Windows, I am not sure this will accomplish the task.

Thanks to Alan Weinkrantz for letting me know about the AJAX plans for iPhone.

--Dan
dan _at_ denimgroup.com

June 12, 2007 in AJAX, Dan Cornell, Denim Group, Information Security, Security, Web 2.0, Web Application Security | | Comments (0) | TrackBack (0)

June 08, 2007

Patenting Security Fixes - Dumbest Idea Ever?

By Dan Cornell

I saw an article today about what must be the dumbest idea ever.  I hate to get them any more free publicity, but this was too ridiculous to pass up.

Apparently this firm wants crackers to tell them about 0days they find so that they can jointly develop and patent a fix.  They then want to license that fix to the original software vendor and sue anyone who uses knowledge of the fix without a license.

Now I am not a lawyer and I am certainly not an intellectual property lawyer, but I do know (or at least Wikipedia told me) that patents have to be:

  • New
  • Inventive
  • Useful or industrially applicable

Let's look at those in reverse order.  Useful or industrially applicable would be pretty easy to demonstrate.  Fixes to security bugs are certainly helpful in maintaining system security and industry requires security these days.  Great work, Intellectual Weapons.

Inventive is going to be a tough one.  This is also described as non-obvious.  If you look at most buffer overflow flaws in applications the fix consists of "replace gets() with fgets().  That isn't terribly inventive, nor non-obvious.  Some more subtle bugs might need to have more involved fixes, I suppose, but the most common security flaws have pretty standard fixes and unless whole new algorithms had to be invented I don't suspect these fixes will be terribly inventive.

Finally "new" is a real killer for this idea.  As mentioned above, there are plenty of examples and patterns for fixing security bugs so there is going to be a tremendous amount of prior art out there.

They have an FAQ with all sorts of answers why the glaring flaws in their idea can be worked around but most of this looks like bunk.  I have dealt with the US Patent and Trademark Office before and they are almost unbelievably slow.  Even their simple and expedited services are too slow for this idea to be workable.

This has to be a hoax.  It did serve to get me all riled up on a Friday, though.  Bravo!

--Dan
dan _at_ denimgroup.com

June 08, 2007 in Dan Cornell, Denim Group, Information Security, Security | | Comments (0) | TrackBack (0)

June 06, 2007

OWASP Houston Slide Deck on Web 2.0 Security Online

By Dan Cornell

The slide deck from the presentation I made yesterday to the inaugural OWASP Houston meeting is up online.  We had a great turnout and some great questions.  Thanks to all who attended.  Also thanks to the meeting sponsors: Microsoft (who provided the facility), Set Solutions and SPI Dynamics.

I also wanted to point interested folks to the OWASP resources I mentioned at the end of the presentation:

Again thanks to everyone for coming out and I hope to see you folks at future OWASP events.  Please keep an eye on the OWASP Houston page for news on upcoming events.

--Dan
dan _at_ denimgroup.com

June 06, 2007 in AJAX, Dan Cornell, Denim Group, Information Security, OWASP, Security, Web 2.0, Web Application Security | | Comments (1) | TrackBack (0)

IBM Acquires Watchfire

By Dan Cornell

Today IBM announced that they will be purchasing Watchfire.  Press release is here.  It was interesting to see that Watchfire's tools were slated to find a home with the Rational development tools rather than the business unit that was formerly ISS.  Personally I think that is a great idea because it give the application security tools to the application developers.

--Dan
dan _at_ denimgroup.com

June 06, 2007 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Security, Watchfire, Web Application Security | | Comments (1) | TrackBack (0)

June 01, 2007

Agile and Secure Talk to Chicago Java Users Group

By Dan Cornell

I will be speaking to the Chicago Java Users Group on Tuesday June 19th, 2007 about integrating security into Agile development processes.  This will be a "Downtown" meeting not a "West" meeting so it will be held at the CTI Building of DePaul University's Loop Campus.

I will be following this up with a similar talk to the Chicago chapter of OWASP the following evening at ABN AMRO Plaza.  See the chapter page for more info.

One thing to note: I think both of these venues have building access security requirements so it would probably be best to RSVP and get your name on the building's list.

Hope to see folks there.  I will be up in Chicago around that time so let me know if anyone would like to meet up.

 

--Dan
dan _at_ denimgroup.com

June 01, 2007 in Agile and Secure, Dan Cornell, Denim Group, Information Security, Java, Java Users Group, Security, Web Application Security | | Comments (0) | TrackBack (0)

Google Gears and Security

By Dan Cornell

Google has announced their Google Gears tools for making online/offline web applications.  This is a great idea and I am looking forward to looking into it further.

I was kind of surprised to see that it has to run native code on the local machine.  This isn't a terrible idea - it gives you a lot more capabilities and features.  I had been hoping for a fully browser-based JavaScript datastore with online synchronization capabilities.  Something that would run without any special plugins.  This would be more limited because the browser would have to be back on the network before being closed if you wanted to persist any of the changes that had been made when offline.  Instead they are using a local copy of SQLite along with some other native code/browser plugin stuff.

From a features standpoint that allows you to make much more interesting applications.  Maintaining local-disk state that lives across browser lifetimes is super-helpful.  From a security standpoint, however, this opens up a whole can of worms.  If this framework is going to require a user to run local code attackers are not just limited to breaking current browser security protections.  They can also attack the local code that Google Gears will rely on.  This is a huge difference so we will see how things turn out.

However I was encouraged to see that they have a fledgling security page that talks about design and coding issues that could affect Google Gears applications' security.  They have a little bit of talk about their security model and a little bit of talk about things like SQL injection.  This is a good start but with such a new mentality for building web applications and so much new code in the frameworks I suspect that there will be more than a few security issues to work out - both in the framework and in the application built on top of it.

Fun stuff!

--Dan
dan _at_ denimgroup.com

June 01, 2007 in AJAX, Dan Cornell, Denim Group, Google, Google Gears, Information Security, Security, Web 2.0, Web Application Security | | Comments (0) | TrackBack (0)