LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

July 07, 2009

Denim Group Launches ThreadStrong

By Dan Cornell

This has been in the works for quite a while, but the actual public release came out today - Denim Group has released our new application security e-Learning program called ThreadStrong.

We have a brief video online here:

ThreadStrong is a great way for organizations to provide a base-level of application security knowledge for developers and other personnel involved in the software development process.  A number of organizations have also used it to address aspects of compliance requirements such as PCI.

The available courses include:

  • Introduction to Application Security Concepts (1 hour, for Developers, QA, Managers and Security Professionals)
  • Application Security for Java (4 hours, for Developers)
  • Application Security for .NET (4 hours, for Developers
  • Threat Modeling (1 hour, for Security Professionals and Developers)

Give us a call or drop us an email if you'd like a demo.


--Dan
dan _at_ denimgroup.com

July 07, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Java, Microsoft, Security, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

May 16, 2009

Web Application Security Panel at Austin ISSA Next Week

By Dan Cornell

I'll be moderating a panel on web application security at the Austin ISSA meeting next Wednesday May 21st from 11:30 to 1:00.  The panelists will be:

  • Phil Agcaolli from Dell
  • Gary Buonacorsi from Texas Office of the Attorney General
  • Frosty Walker from the Texas Secretary of State

This will be a great opportunity to hear what these folks have been doing in their organizations to address web application security risks.

The meeting will be held at:

Microsoft Technology Center
Stonebridge Plaza, Building One
9606 N. Mopac Expressway, Suite 200
Austin, TX  78759
Phone (512) 795-5300
Map: http://tinyurl.com/dzp537


--Dan
dan _at_ denimgroup.com

May 16, 2009 in Dan Cornell, Denim Group, Information Security, Microsoft, Security, Speaking Events, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

May 06, 2009

Command Injection in .NET: 82% Proven that is 98% Impossible

By Dan Cornell

So I decided to also slap together a .NET version of the Java command injection testing thing I posted yesterday in response to Alex Smolen's blog post on .NET and Java command injection.  It is up online here:

http://www.dancornell.com/files/DotNetCommandInjection.zip

.NET looks to be similarly resistant to command injection.

Also, "Jordan" posted a comment to the previous post:

One quick way to verify Java isn't vulnerable is to see which native functions it's using. On Linux, use strace -f java [...]/Main on your test app and look for exec or system. Yup, we see execve -- safe calls.

I suppose you could do it that way.  If you wanted the easy way to find out what was actually going on.  But then you wouldn't get to write any crudimentary Java code - and what fun would that be?  That's actually a great idea.

Does that mean that you don't need to validate input that is being sent to command interpreters on Java and .NET?  No.  Failing to do this can still give attackers control over command line arguments and filenames.  Plus there may be other ways to break out of this that my 60 lines of Java or C# test code and 15 test cases didn't find.  (What a surprise that would be!)  Sleep a little better at night.  But not too well.

--Dan
dan _at_ denimgroup.com

May 06, 2009 in .NET Users Group, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Java, Microsoft, Open Source, OWASP, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

April 30, 2009

QASL 1.0 Released!

By Dan Cornell

Qasl_logo

QASL (Quality Assurance Scripting Language) 1.0 has been officially released.  QASL is a lightweight scripting language that Denim Group uses to do automated functional testing of web applications.  It has a basic syntax that allows a programmer or QA person to control a web browser and run tests on a web application.  These tests can then be bundled together to provide a comprehensive set of functional tests for an application, as well as a robust reporting framework that indicates test failures and provides additional debugging information such as screenshots of unsuccessful test cases.

QASL has been released under an Apache License.  Here are the relevant links:

Many thanks to all the Denim Group folks who have been putting in long hours over the past six months to refactor QASL, test it, document it and make it release-ready.  You all have done a hell of a job.

--Dan
dan _at_ denimgroup.com

April 30, 2009 in Dan Cornell, Denim Group, Microsoft, Open Source, Performance Testing, Pro Services Life, Web 2.0, Web/Tech | | Comments (0) | TrackBack (0)

January 27, 2009

Houston TechFest Slide Deck Online

By Dan Cornell

The slide deck from my talk at Houston TechFest is now online: Static Analysis Techniques for Testing Application Security.  Also see my previous post about the trip there.

--Dan
dan _at_ denimgroup.com

January 27, 2009 in .NET Users Group, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 26, 2009

The Road to Houston TechFest

By Dan Cornell

I was up in Houston last weekend for the rescheduled Houston TechFest.  The hurricane delayed this from the original date, but the event was still packed.

I flew into Houston for the day to give my talk on Static Analysis Techniques for Testing Application Security.  Unfortunately, when I was headed to my early-morning flight, I noticed that the airport had been overrun by birds:
IMG_0193
Yikes!  I didn't know who my pilot was, but I wasn't convinced he would be able to successfully land a 737 in the San Antonio River.  After all, the Hudson is a little wider than the Riverwalk...

Fortunately I made it to Houston all right and checked in with the TechFest folks.  The event was at the University of Houston so I went to the bottom of the student center where the event was being held to try and get some work done before my talk.  I soon found myself trapped between a bunch of martial arts students:
IMG_0195
And some folks playing "Magic - The Gathering" :
IMG_0196
No offense to the "Magic - The Gathering" crowd, but I had to cast my lot with the martial arts folks.  Cards representing elven chain mail and whatnot are no match for a crowd of folks ready to break actual bricks with their hands.

Fortunately everyone got to remain friends and I made it to my talk unscathed.

There was a great group there and we had some great questions such as:

  • Does the fact that most .NET static analysis tools rely on decompiling MISL make .NET, as a language, less secure than Java? (Both Java bytecodes and .NET MSIL are pretty easy to decompile, so there aren't a ton of differences there.  .NET static analysis tools usually use MSIL binaries because .NET code exists in a variety of languages and it is easier to write one parser/decompiler for MSIL that will work for all .NET languages wheras Java bytecode is almost always compiled from Java source code, thus making Java source or Java bytecode reasonably equally attractive choices for tool builders.)
  • Are there any subsets of PMD rules that are best for running security checks? (There are security-specific PMD checks, but they are mainly related to API misuse.  I don't know of any collection that includes the explicit security rules along with rules from other categories that often have security implications.)

One thing I talked about Saturday that was relatively new was the OWASP Open Review Project (ORPRO) which provides advanced static analysis capabilities for open source projects.

Overall it was a great session and I will be posting the slide deck shortly.

--Dan
dan _at_ denimgroup.com

January 26, 2009 in .NET Users Group, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Science, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

October 21, 2008

.NET Code for Setting IE Preferences

By Dan Cornell

GregL from Denim Group spent a bunch of time solving a .NET coding issue last week.  Since he couldn't find the information he needed with a simple Google query I figured I would put some of it up here hoping to help folks who had to solve the same problem in the future.

The situation was this: He had a WebBrowser control that we were using in a Windows Forms application to display web pages inside an application that was essentially a custom web browser.  On a new Windows XP installation, the first time you try to submit a form to access the Internet you get the annoying message:

When you send information to the internet, it might  be possible for others to see that information.  Do you want to  continue?

First of all this is a pretty pointless message.  But whatever...

The problem he ran into was that the pop up windows didn't appear when it was initiated by the WebBrowser control, causing the application to hang while waiting for a response.  To get around this he wanted to set the registry key related to this error message so the system treated it as if the message had already been accepted.

To find the correct registry key, he used RegMon from SysInternals to watch for keys being written.  He limited his search to keys off of "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Interent Settings"  He also limited the search to only look at keys associated with iexplorer.exe's registry activity and to highlight all SetValue calls.  There were still a HUGE number of entries because IE is very chatty with the registry...

The code to do this ought to look something like this:

RegistryKey key = Registry.CurrentUser.OpenSubKey("\\Software\\Microsoft\\Windows\\CurrentVersion\\Interent Settings\\Zones\\3",true);
if (key == null)
{
    key = Registry.CurrentUser.CreateSubKey("\\Software\\Microsoft\\Windows\\CurrentVersion\\Interent Settings\\Zones\\3");
}
key.SetValue("1601", 0);

Zone 3 is for the "Internet" zone.
1601 is the message key we are zeroing out.

So this was fun stuff.  Many thanks to GregL for all the detective work tracking this down.

--Dan
dan _at_ denimgroup.com

October 21, 2008 in ASP.NET 2.0, Dan Cornell, Denim Group, Microsoft, Pro Services Life, Visual Studio, Web/Tech | | Comments (0) | TrackBack (0)

September 17, 2008

Favorite Recent Blog Posts

By Dan Cornell

I've been quite the blog-post-slacker lately, but I have at least been halfway keeping up on my blog and news reading.  Here are some of my favorite posts from the last week or so:

  • Gazza on the Software Security Market - Interesting post from Mark Curphey with some updated numbers about the software security market.  Very cool to see how the focus is shifting from pen testing to source code review.
  • Are You a Builder or a Breaker - Another great post from Mark Curphey that echoes a problem we have had with the security market for far too long.  This is the focus on breaking unsecure systems rather than building secure ones.  The longer the industry focused on the "cool guy" process of breaking systems and making people look bad rather than the "actual solution" approach of designing security into systems from the ground up, the slower progress will be.
  • SDL Press Tour Announcements - Blog post from Steve Lipner talking about some of the things Microsoft is doing to promote their Secure Development Lifecycle (SDL) beyond Microsoft's walls.  Microsoft pushing SDL to a wider audience is pretty exciting stuff so keep an eye out for more information.

--Dan
dan _at_ denimgroup.com

September 17, 2008 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Microsoft, Security, Static Analysis, Threat Modeling, Watchfire, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 12, 2008

Apple Can Disable iPhone Apps Remotely?

By Dan Cornell

Peoplewithbeluga

I saw an article on Engadget indicating that Apple may have the ability to remotely disable iPhone applications.  I saw a similar article on MacRumors a couple of days ago.

We have done some development for mobile devices in the past - specifically with Windows Mobile.  One of the big issues we saw with organizations trying to deploy Windows Mobile applications is that they were caught in a "dead zone" between the software platform provider (Microsoft), the device maker (Samsung, HTC, etc) and the network provider (T-Mobile, AT&T, etc).  Whenever anything went wrong everyone could just point at other providers in the chain and act like nothing was their fault.

One of the interesting things about Apple iPhone is that these three components are all provided the same way for everyone (in the US at least).  Apple provides the software and hardware, and AT&T provides the network.  That is good for application developers because it makes it more reasonable to expect that your applications are going to work the same wherever you deploy them.  Same hardware.  Same software platform.  Same network.

However another issue we had developing enterprise Windows Mobile applications was that the enterprise management tools were still developing - it was tricky to automatically provision and de-provision devices, applications, settings, etc.  It looks like iPhone applications can be automatically de-provisioned - the only problem is that Apple is the organization pulling the strings rather than an enterprise's IT department.

To paraphrase and somewhat mangle the words of Bruce Schneier: "When people say 'security' what they really mean is 'control.'"

Contact us for more information about building security in to your iPhone applications.

--Dan
@danielcornell
dan _at_ denimgroup.com

August 12, 2008 in Dan Cornell, Denim Group, Information Security, iPhone, Microsoft, Pro Services Life, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 10, 2008

Kai Axford Coverage of Kevin Williams

By Dan Cornell

Denimformen

Kai Axford, former Army Ranger, Microsoft employee and all around general  security ninja was in our offices last week to give a presentation about corporate espionage.  Denim Group has a great Lunch and Learn program and we are always thrilled when outside gurus like Kai can make it by and give a talk.  Thanks, Kai - our folks really enjoyed it.

Kai has also been posting about a talk that Kevin Williams from Denim Group gave at the Hackers on Planet Earth (HOPE) this year.  He took the concepts of Threat Modeling and explained them in the context of the attack on the Death Star.  Fun stuff!  Kai's coverage is online here:

--Dan
dan _at_ denimgroup.com

August 10, 2008 in Conferences, Dan Cornell, Denim Group, Information Security, Microsoft, Security, Speaking Events, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »