I will be presenting to OWASP San Antonio tomorrow about how to use Static Analysis techniques to improve application security. More details can be found on the OWASP San Antonio page. As always the meeting is free and I hope to see folks there.
Since then, more capable machines (such as the Turing machine, the model of all modern-day computers) have been shown to be constructible. In fact, in 2002, a DNA computer was created that could perform 100,000 times as many operations per second as the (then) fastest PC. What makes DNA computing so interesting is that parallel processing on a DNA computer is much more natural to achieve than on a regular PC. On your Windows or Linux box, multithreading (both in hardware and in software, which mimics hardware) is more of a kludge and suffers a performance hit that rises polynomially with the number of separate threads created.
Intriguingly, while DNA computing does not offer a sufficient counter to computational complexity theory (other technologies, such as quantum computing, which may also sound like science fiction, do provide such interesting capabilities), it does offer the speed increase and parallel processing abilities that many security solutions will suffer from as DNA computers become mainstream. In fact, many solution tactics, from brute force to more sophisticated techniques, are amazingly separable into parallel work. As the price of DNA computers slides down the scale to the level of "professionals", perhaps more novel security implementations will have arisen to cover the slack.
This is one of the better books I have read about software security in quite a while. It does a solid job of explaining what static analysis is and how it can be applied to software security, and then provides an expansive tour of security issues that can be detected with static analysis and the patterns that lead to this detectability. Just reading through all of these examples forces the reader to come to a better understanding of how software security vulnerabilities come about in general.
When I first picked up the book I expected it to be essentially a 500 page advertisement and user manual for Fortify's Source Code Analyzer tool. That would make sense, as the authors are Brian Chess and Jacob West - Fortify's founder/Chief Scientist and the manager of their Security Research Group. I don't know that I would have a problem with that because I'm a big fan of the tool, but it would have limited the audience of folks the book would have been useful for. However, I was especially pleased to find that the book is actually a great general purpose reference for software security and static analysis that anyone wanting to write more secure code can read.
Part I (chapters 1 - 4) provides a very solid introduction to the value of software security and the theory behind static analysis and provides some really interesting material on different approaches to static analysis that can be applied to solve software security problems. This is pretty theoretical stuff, but does a great job of providing a framework for the patterns explored through the rest of the book. There is also some good material on how to integrate the use of static analysis tools into a software development process - essentially establishing who is going to run the tool, when it is going to be run and what is going to be done with the results. The first three chapters could be read by anyone interested in the topic - the fourth chapter is probably for programmers only.
Part II (chapters 5 - 8) steps through the general problems of software security that can be attacked with static analysis - primarily input validation. The bulk of this material is focused on C and C++ issues - buffer overflows, integer overflows and string formatting vulnerabilities. Even though I personally don't do a lot of C/C++ programming any more I found the material to be fascinating. If you actually are programming in C and/or C++ on a regular basis you will hopefully find the material both fascinating and immediately useful. Chapter 8 has material that applies to all environments for dealing with exceptions and error codes, resource leaks and logging.
Part III (chapters 9 - 12) looks at more specialized topics. There is good material on web applications and web services as well as some information on how to integrate cryptography into applications. Chapter 12 deals with programs at different privilege levels. Again - since I don't do a lot of system-level C and C++ programming it has been quite some time since I wrote a binary that was supposed to have setuid privileges. Regardless I found the material very interesting.
Part IV (chapters 13 and 14) is a tutorial on how to use Fortify SCA. The book comes with a CD-ROM containing a demo version of the software and you can go online to get a license key. Running through the exercises is a good way to get an idea of how modern, commercial static analysis tools work and get a feel for how they might integrate into your team's development process.
Overall I really enjoyed this book. The fact that it mixed a theoretical treatment of the material with a large number of practical examples made it very interesting. I consider myself to be pretty knowledgeable in this area and I learned some new tips and tricks from the book. More importantly - I learned some new ways to think about software security and that really has long-term value for me.
Static analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FxCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.
Snacks will be provided. Feel free to bring a brown-bag lunch.
E-mail owasprsvp _at_ denimgroup.com or call (210) 572-4400.
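The two ends of the range the abstract describes, in miniature, as an added example that is not part of the presentation or of any Denim Group tool: a banned-function keyword scan, and a straight-line taint propagation from untrusted sources to injection sinks. The banned/source/sink lists and the mixed C/Java-style sample are constructed assumptions for the example; real tools resolve types and follow control flow across functions, which this deliberately does not.

```python
import re

# Assumed lists for the example; a real analyzer ships much larger catalogues.
BANNED = {"gets": "use fgets with a bound", "strcpy": "use strncpy", "sprintf": "use snprintf"}
SOURCES = {"getParameter", "getenv", "read_line"}          # return untrusted data
SINKS = {"executeQuery": "SQL injection", "system": "command injection"}

# Constructed sample: one banned call, one tainted sink, one clean sink.
SAMPLE = """\
char buf[64];
gets(buf);
String name = request.getParameter("name");
String q = "SELECT * FROM users WHERE name='" + name + "'";
stmt.executeQuery(q);
String safe = "constant";
stmt.executeQuery(safe);
"""

CALL_RE = re.compile(r"\b(\w+)\s*\(")                       # identifier followed by '('
ASSIGN_RE = re.compile(r"^\s*(?:\w+\s+)?(\w+)\s*=\s*(.+?);\s*$")  # [type] var = rhs;
IDENT_RE = re.compile(r"\b\w+\b")

def find_banned_calls(src):
    """Pass 1: keyword search. Returns (line, function, remediation) tuples."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name in CALL_RE.findall(line):
            if name in BANNED:
                findings.append((lineno, name, BANNED[name]))
    return findings

def find_tainted_sinks(src):
    """Pass 2: straight-line taint propagation. A variable becomes tainted when
    its right-hand side calls a source or mentions a tainted variable; assigning
    it clean data clears the taint. A sink called with a tainted argument is
    reported as (line, sink, issue)."""
    tainted, findings = set(), []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if set(CALL_RE.findall(rhs)) & SOURCES or set(IDENT_RE.findall(rhs)) & tainted:
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        for name in CALL_RE.findall(line):
            args = line[line.index(name) + len(name):]
            if name in SINKS and set(IDENT_RE.findall(args)) & tainted:
                findings.append((lineno, name, SINKS[name]))
    return findings

if __name__ == "__main__":
    for f in find_banned_calls(SAMPLE) + find_tainted_sinks(SAMPLE):
        print("line %d: %s -> %s" % f)
```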
Denim Group has been growing rapidly in the last few months. We'd like to introduce four team members who have joined us since November.
A.T. F., Project Coordinator
A.T. joins Denim Group after working five years with the Southwest Research Institute as an analyst, research analyst and project manager. At Denim Group, A.T. will work directly with the development team, executive directors and clients to ensure smooth project operation. He has a Bachelor of Science degree in Computer Science from Trinity University and is currently completing a Master's degree in Computer Science from UTSA.
Jason P., Consultant
Prior to joining Denim Group, Jason was a research analyst in the Automation and Data Systems Division at Southwest Research Institute. He joins Denim Group as a consultant specializing in .NET development. Jason has a Bachelor's degree in Computer Science from UT Austin. He is currently completing his Master of Business Administration degree at UTSA.
Peter S., Consultant
Peter joins Denim Group as a consultant specializing in Java development. Before Denim Group, Peter worked as a Java programmer/analyst for Accenture and was a Communications Officer in the United States Air Force. He has a Bachelor of Business Administration in Management Information Systems degree from Texas A&M University.
Stephen M., Consultant
With over ten years of software development experience, Stephen joins Denim Group as a consultant specializing in Flash/Flex development and UI design. Stephen previously worked as the web development manager for New Century Graphics, as a web designer and application developer at Image Networks and as a freelance web and print designer. He has a Bachelor's degree from UTSA with majors in English and Philosophy.
We just rolled out the updated Denim Group portal running on Microsoft's SharePoint 2007 Server. We have been using SharePoint 2003 for the last couple of years and rely on it for a lot of our business functions. We have also implemented it for a number of our clients. However, one thing we have always been aggravated about with SharePoint 2003 was the quality of the search functionality. That is why it was so amusing to see this quote in an ad on Microsoft's SharePoint site:
I never found a single document using the prior search feature. Now I find 80 percent of what I'm looking for. - Mary Kay
Wow - when did Microsoft get so focused on truth in advertising? That quote is pretty accurate - the previous search capabilities in SharePoint were pretty terrible. And in the new version they work reasonably well. However, if I were Microsoft I don't know if I would want to emphasize that:
The previous version didn't work
The new version works (only) 80% of the time
In any case, we're super-happy with the new Microsoft Office SharePoint 2007 implementation of our corporate portal/intranet. The new workflow features are fantastic and the Web 2.0 / social networking capabilities (blogs, wikis, etc.) are great in a fast-growing organization. However, that user "testimonial" amused me quite a bit when I saw it. Reminiscent of high-quality movie lines like "Volvo. They're boxy, but they're good."
I saw this article over on AccountingWeb about how social networking sites are increasingly becoming vectors for identity theft and other attacks. Echoing something we have discussed on this blog before, they noted that having a lot of information about yourself online has drawbacks - specifically, it allows identity thieves (and the CIA) to collect it in support of their identity theft attempts. Also, social networking sites can host links to malware.
In the article they mention one attack where clicking on a MySpace friend request results in a pop-up window that is supposed to look like a Windows Update window. I was particularly amused by McAfee's somewhat silly suggestion: "One way to guard against such attacks is to minimize your browser. If the dialogue box disappears, it is probably an impostor." Now that is some useful, general purpose online security advice! If we can't teach people to look for lock icons when the browser is talking over HTTPS, I don't think we'll be able to train them to make decisions based on which windows minimize at various times.
If you recall, more attacks on and via social networking sites was one of my Top 5 predictions for 2008. Barely a week after that post we're already seeing some confirmation. Making predictions is easy!
I just heard an NPR report about Estonia's new "Enterprise Estonia Technology Embassy" in San Jose. Estonia has established this one-man shop, run by the unofficial "Technology Ambassador", to provide "financing, counsel, partnership opportunities and training for entrepreneurs and research and development institutions." Apparently, they have similar setups in Helsinki, London, Stockholm, Moscow, St. Petersburg, Hamburg, Kiev, and Shanghai. Check out the Embassy's official page, titled "Information Society" and detailing all the official state-run telecom and IT institutions.
Estonia has a really interesting tech history. At the end of the Cold War, Estonia didn't have any computer networks in the country. Today, however, Estonians conduct 98% of the country's banking electronically, 80% of tax returns were filed online, 65% of the population have national ID cards with smart chips, they've had electronic voting since 2005, and over 30,000 people voted online in 2007. You can pay city parking meters with your cell phone via SMS, a system they implemented in 2002.
All this from a country that has a population roughly equal to San Antonio. Oh, and something else you won't be seeing in Texas anytime soon—most Estonian gas stations are Wi-Fi hotspots! Estimates place the country's entire IT workforce at only 10,000 people. Yet out of this small country came Skype, which was recently acquired by eBay for $2.5 billion.
The 90's brought us the era of boutique dotcoms, and now we have countries specializing in niche markets. Sealand is a data haven, Tuvalu is selling off its .TV country code top-level domain, and now Estonia is the go-to spot for web telecommunications. Maybe the US or the state of Texas can leverage this in some way? Perhaps a huge tech conglomerate can purchase a town and turn it into the hot new place for their slice of the IT market. Maybe UPS and Brownsville?
Sun Microsystems announced today that they have purchased the company behind MySQL, the incredibly popular open source database. Sun CEO Jonathan Schwartz discussed the news in his blog. They also announced the availability of software support services through the normal Sun channels, which is presumably an augmentation of what MySQL AB already provides.
I think this is exciting news. I have been using and administering MySQL for many years now. It is an excellent product that has only gotten better with the official support provided by MySQL AB. MySQL is synonymous with web applications and services these days. It has thoroughly penetrated that market, but it has been notably absent in the traditional corporate space. I don't think it is for lack of functionality, stability, or speed. I suspect that with the weight and enterprise relationships of a large corporation behind it the visibility and legitimacy of MySQL will increase.
So, if one of Dan's predictions was instead that "More Software Vendor Acquisitions" would occur, he would already be right!
As mentioned previously, here at Denim Group we're really digging the new Language Integrated Query (LINQ) technology Microsoft embedded in its latest version of the .NET Framework. There are plenty of tutorials around for it, but for those who like to dig deeper, MS Press has released a new E-Book on LINQ as well as sample chapters on its other new technologies, ASP.NET AJAX and Silverlight. The free download requires signing up for a monthly e-newsletter (so technically, not free), but for those unwilling to sign up, they show the first chapter for each book, which might be enough to get a feel for what LINQ can provide.