Denim Group, Ltd. Blog

By Dan Cornell

Brian Prince from eWeek included some of my comments on HTML5 risks in his article “Will HTML 5 and IPv6 Find Their Way into Malware Attacks in 2010?”

HTML5 is certainly exciting from a features and functionality standpoint – it offers a number of new capabilities for web application developers to create cool applications.  However – as we saw with mainframe developers who started developing web applications and web application developers who started developing AJAX applications – a lack of understanding about how new technologies work can lead to problems.  Just because you can do something doesn’t mean you should do something.  HTML5 offers a number of new capabilities that web application developers need to take a little bit of time to understand before they actually deploy applications using them.  Threat modeling is invaluable for developers who want to develop applications in a secure manner with new and exciting technologies.

Please contact us if you would like to discuss steps you can take for your organization to deploy cutting-edge technologies in a secure manner.

-Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

Happy holidays to everyone from Denim Group.  We’re looking forward to a great 2010 with our customers and employees.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell and Michael McBryde

There has been a lot of hubbub over the past day and a half about insurgents intercepting video feeds from US unmanned drone aircraft.  Wired has covered this story pretty extensively:

·         Insurgents Intercept Drone Video in King-Size Security Breach

·         Not Just Drones: Militants Can Snoop on Most U.S. Warplanes

Basically, a system was designed quickly, without security as a requirement, for a very limited number of Predator drones used by Special Operations.  Then the drones became much more popular, the system was adopted for much wider use, and the system’s scope was increased to include a majority of the jets flown in the U.S. military.  Net result?  Iraqi insurgents can view or potentially jam video feeds from the majority of U.S. aircraft using materials they could get at Radio Shack.  Yikes!

So let’s review:

·         A system was designed and implemented quickly – with limited scope.

·         Obscurity was the main security protection, and general system security was not a requirement.

·         The usage and utility of the system increased rapidly – so rapidly that decision-makers ignored security reviewers warning of the vulnerability.

·         Gaping security holes were found by 3^rd parties and exploited.

·         Fixing the problem will not be cheap and will likely result in material operational downtime

Strange … I’ve heard this before.  This isn’t a case study specific to the military – this is something we see all the time with both public and private sector organizations.  Business (or “mission,” in this case) requirements for new features and functions are favored over addressing known system weaknesses.  This decision gets made once.  And then again.  And then again.

Vulnerability management and security remediation are ongoing tasks in the development of any system.  Ignoring vulnerabilities and focusing exclusively on new features pretty much guarantees that you will get hit eventually.

Contact us if you would like help remediating those pesky, lingering, known vulnerabilities in your software systems.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

Since everyone seemed to be so excited about our new web application scanner technology that guarantees no false positives, I’m sure everyone will be equally excited about the new Static Analysis Edition.  This is just as simple to use as the dynamic scanning tool we released yesterday – just point the scanner to the directory that the application code lives in and it will scan the application for vulnerabilities but the results will inclue NO FALSE POSITIVES.  Couldn’t be easier…

Here’s the code.  All yours, under an Apache 2.0 license.  Just like the web scanner edition.

package com.denimgroup.nofalsepositives;

import java.io.File;

import java.util.ArrayList;

public class StaticAnalyzer

{

     public static void main(String[] args)

     {

           ArrayList vulnerabilities = new ArrayList();

           String sDirToScan;

           File dirToScan = null;

           long scanStart;

           long scanEnd;

           //   Must at least enter a URL for the site to scan

           if(args.length < 1) {

                usage();

                System.exit(1);

           }

           //   Make sure the file path is valid

           sDirToScan = args[0];

           dirToScan = new File(sDirToScan);

           if (!dirToScan.isDirectory()) {

                System.out.println("Provided path was not a directory.  Unable to scan.");

                System.exit(2);

           }

           //   Kick off the scan

           scanStart = System.currentTimeMillis();

           System.out.println(String.format("Starting scan of %s at %d", dirToScan.toString(), scanStart));

           //   Finalize scan and report findings

           scanEnd = System.currentTimeMillis();

           System.out.println(String.format("Finished scan of %s at %d", dirToScan.toString(), scanEnd));

           System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));

     }

     public static void usage()

     {

           System.out.println("usage: java com.denimgroup.nofalsepositives.StaticAnalyzer <BASE_DIR>");

     }

}

Another facetious post!  Based on some Twitter chatter yesterday I’ll bet folks can’t wait for our NO False Positives Web Application Firewall.  That one will probably be a shell script that uses netcat.  And we can run it in the Cloud if we need to.  Buzzword buzzword buzword!

The use of static analysis tools is an incredibly powerful way to identify potential vulnerabilities in code, but no tool is perfect.  Automated scans are a portion of an application assessment – not the entirety of one if you really want a realistic evaluation of your security posture.  Tuning the default ruleset and crafting framework- and application-specific rules allows you to extract so much more value from your static analysis tools.  And manual review is required to look for business logic issues such as problems with authentication, authorization, etc.

Contact us if you would like help performing thorough application assessments or crafting a sensible application security program for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

Recently I’ve been working with some other Denim Group folks to do our regular internal benchmarking of various application security scanners.  Last week we got into a deep discussion of false positives, how many scanners claim to reduce or eliminate them, and different techniques to make this happen.  During the talk we came across an idea for a surefire way to completely eliminate false positives and this weekend I had enough free time to put together a proof of concept.  I’ve included the proof of concept code at the bottom of this post and you can consider it to be released under the Apache 2.0 license.

This is revolutionary enough that we are currently trying to make testing with this technology required for Scanless PCI Certification and we want to make sure that all Certified Application Security Specialists are required to be conversant with it.  We’re considering shifting all our use of scaning tools to use our new technology.

Below is the proof of concept code:

package com.denimgroup.nofalsepositives;

import java.util.ArrayList;

import java.net.MalformedURLException;

import java.net.URL;

public class DynamicAnalyzer

{

  public static void main(String[] args)

  {

    ArrayList vulnerabilities = new ArrayList();

    String sUrlToScan;

    URL urlToScan = null;

    long scanStart;

    long scanEnd;

    // Must at least enter a URL for the site to scan

    if(args.length < 1) {

      usage();

      System.exit(1);

    }

    // Make sure the URL is valid

    sUrlToScan = args[0];

    try {

      urlToScan = new URL(sUrlToScan);

    } catch (MalformedURLException e) {

      System.out.println("Provided URL was invalid.  Unable to scan.");

      System.exit(2);

    }

    // Kick off the scan

    scanStart = System.currentTimeMillis();

    System.out.println(String.format("Starting scan of %s at %d", urlToScan.toString(), scanStart));

    // Finalize scan and report findings

    scanEnd = System.currentTimeMillis();

    System.out.println(String.format("Finished scan of %s at %d", urlToScan.toString(), scanEnd));

    System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));

  }

  public static void usage()

  {

    System.out.println("usage: java com.denimgroup.nofalsepositives.DynamicAnalyzer <SITE_URL>");

  }

}

In case anyone hasn’t figured it out by now this whole post is completely facetious.  Automated scanning has its place in any credible application security program, but no credible application security program consists only of automated scanning.  And you will always get false positives as well as results that need to be re-prioritized based on the business context of the vulnerability.  Automation is great, but you can’t automate everything.

Contact us if you would like more info on constructing your application security program.

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

Michael Montecillo from the analyst firm Enterprise Management Associates recently put up a blog post discussing the integration between WhiteHat Sentinel and Snort we built.  It was also covered by Dark Reading a while back.

The integration takes the manually-reviewed vulnerability results from Sentinel and generates targeted Snort rules to identify attempts to exploit the identified vulnerabilities.  This is exceptionally helpful for streamlining the IDS/IPS configuration process because you can apply aggressive inspection and protection where you know you are most vulnerable.

Thanks to Michael for the mention.  The integration project was a fun and exciting one and helps to increase the value of both Snort and Sentinel.  Folks who saw my OWASP AppSec DC 2009 presentation on Vulnerability Management in an Application Security World know that we have some more things to be released shortly that continue this trend of making disparate application security technologies work together more effectively.

Please contact us if you would like more information about WhiteHat Sentinel as well as integrating assessment results with IDS/IPS and WAF systems.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous