Challenges

Johnathan Ham and Sherri Davidoff from SANS Internet Storm Center (ISC) and Raul Siles from InGuardians have created two recent, still open, security challenges. Sherri, co-author with Jonathan of the SANS’ Network Forensics course, has posted “Network Forensics Puzzle Contest!” (8-14-2009). The most elegant solution wins a free SANS On-Demand class (worth up to $3500 depending on the course). Raul wrote a new hacking challenge on the Ethical Hacker Network site, titled “Prison Break – Breaking, Entering & Decoding” (7-27-2009). Three winners will be selected based on: the best technical answer, creativity (while also technically correct), and a random drawing. Winners will receive signed copies of Ed’s book, “Counter Hack Reloaded.”

Ed Skoudis, of Counter Hack Reloaded fame along with various SAN’s hacking and penetration testing courses (see Ed in Virginia Beach teaching “Network Penetration Testing: Planning, Scoping, and Recon” August 30th – September 4th), is the host bringing monthly new challenges created and managed by the fine folks of InGuardians. The great thing about past challenges is that they allow you to try the problems and check your solutions immediately. Check out Ed’s Counter Hack Reloaded site for a few additional, older challenges.

UPDATE: For a challenge in the forensic’s realm, check out the series of posts by Dave Hull (trustedsignal) on the SANS Forensics Blog. This series discusses the FAT file system. Dave provided the following description: “I’ve provided a copy of the disk image used during the series and have ended almost every post with a challenge question and have been giving away a forensics related title from the Syngress Publishing group. We’ve had a great time and the series is in the archives for anyone who wants to check it out.” Dave is working on a series for NTFS, which he should start posting in the next few weeks. The series is very informative and a great hands-on way to learn.

Data Sets

Greg Conti, author of Security Data Visualization, co-authored the paper, “Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets.” The paper was done for the CSET ‘09 Worksop on Cyber Security Experimentation and Test. The authors demonstrates how the network warfare competitions can be instrumented to generate modern labeled data sets. They have made available the archived data capture and log files from the 2009 Inter-Service Academy Cyber Defense Competition. The annual competition pits the service academies, including West Point, against an actual National Security Agency Red Team. There is a great deal to be learned by examining this data. A blog has been setup to discuss the data. They are hoping to do a few data captures of network warfare games, as well as, data captures of red-on-blue events at the US Military Academy at West Point.

There are a few additional sites where you can obtain data captures. JJC, from the “Security – The Global Perspective” blog, manages the OpenPacket.org site. The site’s mission is to “provide quality network traffic traces to researchers, analysts, and other members of the digital security community.” The site pcapr, powered by Mu Dynamics, calls itself a “social nOtworking site.” Go to the site to learn about networks and protocols from packet captures.

UPDATE: The folks from pcapr wrote in and pointed out that they just made available the “Collaborative Network Forensics” area where they “took the recently published ITOC dataset and the CCTF captures from the Shmoo group, indexed them for real-time browsing and contextual search/extract.” As they point out, “with over 15.0 GBytes and 26.3 million packets, this now represents the largest collection of indexed pcaps online.” Really nice.

The VizSEC site maintains links to various repositories of data sets. SourceForge, as part of the NetworkMiner tool, has links to publically available PCAP files. The wireshark site also has a few links and sample PCAP files.

Practicing

Practice can be done by installing software, using disk images, or by going to sites/training grounds. Installing software will create a vulnerable site. Make sure to do it onto a local machine inside your LAN which is used solely for testing. For ISO images, make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only). If you go to a site, take caution and remember the site could be hostile. In other words, be properly paranoid.

Software

In my post “WebGoat, Lua, and ModSecurity verses Password Guessing,” I go through the steps of setting up WebGoat. WebGoat is a deliberately insecure J2EE web application maintained by OWASP and is intended to teach a structured approach to test and exploiting vulnerabilities within an application security assessment. WebGoat is written in Java and installs on any platform with a Java virtual machine. The YGN Ethical Hacker Group has made available a series of video on walking through WebGoat v5.2. There are currently over 30 lessons.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL Web application that is light weight, easy to use and full of vulnerabilities to exploit. Ryan Dewhurst, developer of DVWA, created a video showing the installation process:

If you prefer PHP scripts, Mutillidae is a set that implements the OWASP Top 10 vulnerabilities. Adrian Crenshaw posted the presentation he gave to the Louisville Chapter of OWASP about the Mutillidae project titled “OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF).”

Owasp Louisville 2nd Meeting from Adrian Crenshaw on Vimeo.

ISO Disk Images

On the ISO disk image side, there are few interesting options. Badstore demo helps in the understanding of Web application vulnerabilities and shows how to reduce exposure.

For full scaled lesson based environment, there is the Linux-based distribution Damn Vulnerable Linux (DVL). Mayank Sharma writes in the article “Securing Linux by breaking it with Damn Vulnerable Linux:”

“Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.”  “The one thing that sets DVL apart the most,” Josh Sweeney says, “is the focus on buffer overflows and disassembly.” Disassembly, he says, is often talked about in conjunction with buffer overflows and reverse engineering. “Disassembling is when someone breaks down a program into the assembly language for further analysis. By doing this, users can analyze code at a very low level and look for security issues. There have been many excellent papers on the subject over the years, but these generally don’t come with learning tools in a self-contained, easy-to-use environment.”

Thomas Wilhelm is the author of “Professional Penetration Testing: Creating and Operating a Formal Hacking Lab” and the creator of both the Hackerdemia project and the De-ICE.net Pentest LiveCDs project. Hackerdemia is a LiveCD that containing several vulnerabilities, including un-patched software, mis-configured services, default passwords and a few other surprises. Paul Asadoorian posted “Scanning Vulnerable Linux Distributions With Nessus” where he walks through using Nessus to determine the vulnerabilities within Hackerdemia. The De-ICE.net Pentest LiveCDs are disk images that are fully-functioning server. The Security Aegis site has an interview with Thomas where he discusses these projects along with the Heorot.net pentest video training and his recently published book.

One more Linux VM intentionally configured with exploitable services pWnOS. It was created by Brady Bloxham, a.ka bond00. Below is a nice introduction video.

The Web Application Attack and Audit Framework (w3af) project has created a VMware image, called Moth, which is a set of vulnerable Web Applications and scripts. The w3af core and it’s plugins are fully written in Python, has more than 130 plugins checking for SQL injection, cross site scripting (xss), local and remote file inclusion, etc. What is really interesting about Moth is that it allows for testing of web application scanners and learning how web application firewalls work by providing a way access web applications and vulnerable scripts directly, through mod_security, and through PHP-IDS.

On the system side, LAMPSecurity has been creating a series of capture the flag exercise that uses a full Linux virtual machine that is vulnerable to remote root compromise due to a number of vulnerabilities. The most recent exercise is Capture the Flag 6 and was released 7/17/2009. The documentation will take you through the steps of the exercise.

Training Ground

The Mighty Seek Podcast did a Hands On Series and setup the NTO Hackme Test site, which includes the podcasts with the opportunity to test what is discussed out. Dan Kuykendall did two episodes: “Episode #01 – SQL Injection Part 1 [Intro]” and “Episode #02 – Cross Site Scripting (XSS) Part 1 [Intro].”

Hack This Site (HTS) is a website to test and expand one’s hacking skills. You will need to register with the site to access the hacker challenges.  There are various lessons and missions.  User cwade12c has posted the several video tutorial covering missions. Below is “Hack This Site – Basic 1 Tutorial” to give you an feel for the simplest of challenges:

HellBound Hackers (HBH) is another site offering a large resource consisting of challenges, articles, forums, etc. The LifeofaHacker site has published some challenge tutorials/walkthrough guides for both Hack This Site (HTS) and HBH.

Enigma Group is similar to HTS and HBH in terms of tutorials, articles, and hacker challenges. There are some education and humorous short tutorial videos.

The Bright Shadows site also offers challenges on JavaScript, cyptography, cracking, steganography, Flash, Java, various programming exploits, etc. Registration is required. The challenges get voted on by the members in terms of difficulty, creativity, education, and presentation.

Smash The Stack (StS) Wargaming Network has a progression of challenges where each challenge is dependent on the completion of the previous challenge. The challenges are *nix based. To get started you ssh into one one of the wargame servers on port 2224 using password “level1″, at which point you receive a message letting you know how to get started. The password for the next level will be located in different placed, depending on the game. Questions can be asked on their forums area. OverTheWire offer similar wargame challenges.

A Few Final Thoughts

The above list represents a few source I have experience with. Duncan Alderson on his site Webantix has done a great job of listing war games/hacking simulators in his post, “War Games. Current and past hacking simulators and challenges. The New Order site also has a much more comprehensive list.

Just remember, it is good to be paranoid. Even HTS, with a user base of over 1,300,000 can still have problems with disgruntled and past employees. We are talking very skilled, intelligent, and disgruntle employees. In the last major attack, root-level access to the website was gained and HTS was taken down for months.

It is a dangerous world. That is exactly why skilled ethical hackers are needed. One of my college professors would always say, “Repetition is the key to learning.” He repeated it so many time, I finally learned that lesson. The above links help provide a challenging way to practice and learn. Give them a try and have some fun.

To deal with administrative accounts at Twitter, Adam O’Donnell provides some great advices to corporate CSOs in his article, “A roadmap for the Twitter CSO.” Dave Goldsmith post, “My Pentest Secret: Password Guessing,” provides more advice to mitigate risk of password guessing attacks.

Today’s post focuses on Dave’s point:

FAILED LOGIN DELAYS. What to do when someone is grinding passwords on the same account? Account lockout is pretty unpopular as it can lead to a denial of service attack. Doing nothing is pretty unpopular because attackers can grind forever. Enter the exponentially increasing login delay. Every failed login on an account causes the system to delay more and more on that account until a reset on that counter after a reasonable period of time or a valid login.

The Open Web Application Security Project (OWASP) has begun a podcast focused on web application security. The podcast is hosted by Jim Manico, a Web Application Architect and Security Engineer for Aspect Security. In Podcast #2, Stephen Craig Evans, an independent software security consultant, talks about Lua and the OWASP Summer of Code project wiki, Securing WebGoat using ModSecurity. The project goes through the steps involved in securing WebGoat using the combination of ModSecurity and Lua. To quote Ivan Ristic, creator of ModSecurity, the project “stretched the boundaries of what ModSecurity could do.”

To help address the problem of dictionary attacks against your web server, today’s post will be using ModSecurity with the scripting language Lua. First, let’s setup WebGoat for testing purposes.

WebGoat

For those unfamiliar with OWASP WebGoat project, WebGoat is:

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!

WebGoat is intended to teach a structured approach to test and exploiting vulnerabilities within an application security assessment. Also being developed is the OWASP Testing Project, which provides a full application security assessment testing methodology. Through WebGoat, companies have a way to teach web application security lessons to their developers. There are over 30 lessons dealing with such issues as:

The YGN Ethical Hacker Group has made available a series of video on walking through WebGoat v5.2. The videos consist of:

Please recognize that WebGoat is a vulnerable server and therefor you will want to set it up so no one but you can access the WebGoat server. By default WebGoat only listens on the loopback address. Below are the steps to pull down WebGoat and install it on a Linux server. Since this is not a production system, we will be installing the WebGoat developer release.

Installing JDK

WebGoat will require Sun JDK 6 to be installed. Get the Sun JDK 6 from Sun’s website. Sun requires you to agree to terms, so you’ll need to go there and agree. Run the installer which gets downloaded. Agree again to the terms. The installer will install a few rpms and jars.

root# /bin/sh jdk-6u11-linux-i586-rpm.bin
root# ls -la /usr/java
default  jdk1.5.0_17  jdk1.6.0_11  latest
root# declare -x JAVA_HOME="/usr/java/latest"
root# declare -x PATH="${JAVA_HOME}/bin:${PATH}
root# java -version
java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) Server VM (build 11.0-b16, mixed mode)

Running WebGoat Standard Release

While the documentation for WebGoat says to install Tomcat, the WebGoat zip file will come with its own version of Tomcat. Running WebGoat in this manner can prove to be the easiest path allowing the avoidence of Java software version problems. We will go through both deployments. First, installing WebGoat with Tomcat.

 root# cd /usr/local/src
/usr/local/src root# wget \

http://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.2.zip

/usr/local/src root# /usr/bin/openssl sha1 WebGoat-OWASP_Standard-5.2.zip
SHA1(WebGoat-OWASP_Standard-5.2.zip)=
1e8950d8af0a1726ee1c4509cb64ee4ee6da7584
/usr/local/src root# unzip WebGoat-OWASP_Standard-5.2.zip
/usr/local/src root# cd WebGoat-5.2

At this point, a slight modification needs to be made to webgoat.sh. It checks if the java version is 1.5. This is an odd check, since WebGoat was compiled under 1.6 and will not run under 1.5. Find where webgoat.sh has grep ‘version \”1.5′ and change 1.5 to 1.6. At that point, you are read to start WebGoat.

/usr/local/src/WebGoat-5.2 root# /bin/sh webgoat.sh start8080
Using CATALINA_BASE:   ./tomcat
Using CATALINA_HOME:   ./tomcat
Using CATALINA_TMPDIR: ./tomcat/temp
Using JAVA_HOME:       /usr/java/latest

  Open http://127.0.0.1:8080/WebGoat/attack
  Username: guest
  Password: guest
  Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack

This is running WebGoat accessible only to 127.0.0.1. From your web browser, go to http://127.0.0.1:8080/WebGoat/attack and log in with username guest and password guest. At this point, WebGoat is running and you are set to start going through the lesson plans and exercise.

Installing WebGoat.war

If you have Tomcat on your server, you will want to install only the WebGoat.war file. I am going to make this a little more complicated by going through the steps to install Tomcat. In previous posts, I have stepped through installation of Apache and ModSecurity. Walking through the installation of Tomcat will help get us on the same page as far as configuration and installation.

There is a known issue with the latest stable release of Tomcat, 6.0.18. It requires JDK 5 at the moment, due to incompatibilities introduced by Sun JDK 6. Sun changed the JDBC spec in an incompatible fashion that was discovered after Tomcat 6 went out. There are changes in the trunk to replace the DB connection pooling mechanism with one that isn’t impacted by the 1.6 change. Unfortunately, WebGoat required JDK 6. To get a round this problem, we will use the subversion release of Tomcat.

We first need to install Apache Ant, which is a software tool for automating software build processes. It is similar to make but is implemented using the Java language.

root# cd  /usr/local/src/
/usr/local/src root# wget http://www.uniontransit.com/apache/ant/binaries/apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# md5sum apache-ant-1.7.1-bin.tar.gz
cc5777c57c4e8269be5f3d1dc515301c  apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# tar xzf apache-ant-1.7.1-bin.tar.gz
/usr/local/src root# mv apache-ant-1.7.1 /work/software
/usr/local/src root# cd  /work/software
/work/software root# ln -s apache-ant-1.7.1 ant
/work/software root# declare -x ANT_HOME="/work/software/ant"
/work/software root# declare -x PATH="${PATH}:${ANT_HOME}/bin"
/work/software root# ant
Buildfile: build.xml does not exist!
Build failed

The error above indicate that ant command is recognized by shell but it did not find build.xml file that needed to compile ant projects. So, it’s absolutely normal and the installation was successful.

We are now ready to download and build Tomcat.

root# cd  /usr/local/src/
/usr/local/src root# svn checkout \
http://svn.apache.org/repos/asf/tomcat/trunk tomcat-7
/usr/local/src root# cd tomcat-7
/usr/local/src/tomcat-7 root# ant download
/usr/local/src/tomcat-7 root# ant
/usr/local/src/tomcat-7 root# cd output
/usr/local/src/tomcat-7/output root# mv build \
/work/software/tomcat-7
/usr/local/src/tomcat-7 root# cd /work/software/
/work/software root# ln -s tomcat-7 tomcat
/work/software root# declare -x CATALINA_HOME="/work/software/tomcat"
/work/software root# chmod u+x $CATALINA_HOME/bin/*
/work/software root# mkdir $CATALINA_HOME/logs

Configuring and Using Tomcat

The following modifications can be done to configuration Tomcat files that came down as part of WebGoat or the latest version from the Tomcat site. If you make the modifications to the Tomcat under Webgoat, keep in mind:

1. Set $CATALINA_HOME appropriately
2. Modify webgoat.sh, removing the line “cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml”.
3. Adjust paths based on where WebGoat is installed.
4. Add to the $CATALINA_HOME/conf/tomcat-users.xml file. Do not replace content.
5. You can use $CATALINA_HOME/bin/shutdown.sh to shutdown Tomcat.
6. You can start with $CATALINA_HOME/bin/startup.sh instead of webgoat.sh, provided you have $PATH, $JAVA_HOME, and $CATALINA_HOME set.

Before starting, create a manager username and password. This is set in the $CATALINA_HOME/conf/tomcat-users.xml file. The following is an example only:

/work/software root# vi $CATALINA_HOME/conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="jerry" password="mousepower" roles="tomcat"/>
  <user username="tom" password="catpower" roles="manager"/>
</tomcat-users>

We can setup secure web authentication through the use of digital certificates using SSL. First step is to use the keytool utility, which is included in the Sun Java Standard Edition JDK, to create a keystore file. Use “changeit” as the password. (If you don’t use “changeit” you will have to state the password in with the keystorePass setting in server.xml). For example:

/work/software root# mkdir /work/software/tomcat/keystore
/work/software root# cd /work/software/tomcat/keystore
/work/software/tomcat/keystore root# keytool -genkey -alias tomcat \
-keyalg RSA -keysize 2048 -keystore /work/software/tomcat/keystore/keystore
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  John Gerber
What is the name of your organizational unit?
  [Unknown]:  SecurityMonks
What is the name of your organization?
  [Unknown]:  OrderOfUnix
What is the name of your City or Locality?
  [Unknown]:  Knoxville
What is the name of your State or Province?
  [Unknown]:  TN
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=John Gerber, OU=SecurityMonks, O=OrderOfUnix, L=Knoxville, ST=TN, C=US correct?
  [no]:  yes

Enter key password for 
        (RETURN if same as keystore password):
/work/software/tomcat/keystore root# ls  /work/software/tomcat/keystore
/work/software/tomcat/keystore root# keytool -list -keystore keystore

The keystore created will not be trusted by JVM until the certificate is imported into JVM’s trusted certificate keystore. We will export the SSL certificate we just generated and import it into the JVM’s keystore.

/work/software/tomcat/keystore root# keytool -export \
-alias tomcat -keystore keystore -file tomcat.cer
/work/software/tomcat/keystore root# keytool -import \
-trustcacerts -keystore /usr/java/jdk1.5.0_17/jre/lib/security/cacerts  \
-alias tomcat -file /work/software/tomcat/keystore/tomcat.cer
/work/software/tomcat/keystore root# keytool -list -alias tomcat \
-keystore /usr/java/jdk1.5.0_17/jre/lib/security/cacerts

Modify the $CATALINA_HOME/conf/server.xml section which defines a SSL HTTP/1.1 Connector on port 8443. It should go with the other connectors in the Service section and looks something like this:

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100"  maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystore="/work/software/tomcat/keystore/keystore"  keypass="changeit"
           clientAuth="false" sslProtocol="TLS" />

In order to require SSL on a specific site configure a security constrant for that app. Do this by editing the $CATALINA_HOME/conf/web.xml file and adding the following section just before the ending </web-app> tag:

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Automatic SSL Forwarding</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>

Now startup Tomcat.

/work/software root# $CATALINA_HOME/bin/startup.sh
Using CATALINA_BASE:   /work/software/tomcat
Using CATALINA_HOME:   /work/software/tomcat
Using CATALINA_TMPDIR: /work/software/tomcat/temp
Using JRE_HOME:       /usr/java/jdk1.5.0_17
/work/software root# ps awx | grep tomcat
  783 pts/14   Sl     0:04 /usr/java/jdk1.5.0_17/bin/java
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/work/software/tomcat/conf/logging.properties
-Djava.endorsed.dirs=/work/software/tomcat/endorsed
-classpath :/work/software/tomcat/bin/bootstrap.jar
-Dcatalina.base=/work/software/tomcat
-Dcatalina.home=/work/software/tomcat
-Djava.io.tmpdir=/work/software/tomcat/temp org.apache.catalina.startup.Bootstrap start
/work/software root# /usr/sbin/lsof -iTCP -n -P | grep java
java      6175   root   10u  IPv6 327556       TCP *:8080 (LISTEN)
java      6175   root   12u  IPv6 327557       TCP *:8443 (LISTEN)
java      6175   root   21u  IPv6 327562       TCP *:8009 (LISTEN)
java      6175   root   22u  IPv6 327565       TCP 127.0.0.1:8005 (LISTEN)

Tomcat is now built and running. You can access it by going to:

http://localhost:8080

which will redirect you to:

https://localhost:8443

When you goto https://localhost:8443 you will be asked to accept the certificate. If you have problems, make sure to clear you browser’s cache. Now that we have Tomcat server running, we are ready to download and setup our WebGoat server.

 root# $CATALINA_HOME/bin/shutdown.sh
 root# cd /usr/local/src
/usr/local/src root# wget http://webgoat.googlecode.com/files/WebGoat-5.2.war
/usr/local/src root# /usr/bin/openssl sha1 WebGoat-5.2.war
SHA1(WebGoat-5.2.war)= c5aab7c5496625777a3b9e21b9888cddee5b649c
/usr/local/src root# mv WebGoat-5.2.war /work/software/tomcat/webapps/WebGoat.war
/usr/local/src root# $CATALINA_HOME/bin/startup.sh
/usr/local/src root# ls -la /work/software/tomcat/webapps/WebGoat
/usr/local/src root# ls -la /work/software/tomcat/conf/tomcat-users.xml

Add WebGoat users and roles to $CATALINA_HOME/conf/tomcat-users.xml file. Start Tomcat back up.

 root# $CATALINA_HOME/bin/shutdown.sh
 root# vi $CATALINA_HOME/conf/tomcat-users.xml
    <tomcat-users>
      <role rolename="webgoat_basic"/>
      <role rolename="webgoat_admin"/>
      <role rolename="webgoat_user"/>
      <role rolename="tomcat"/>
      <user password="webgoat" roles="webgoat_admin" username="webgoat"/>
      <user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
      <user password="tomcat" roles="tomcat" username="tomcat"/>
      <user password="guest" roles="webgoat_user" username="guest"/>
    </tomcat-users>
 root# $CATALINA_HOME/bin/startup.sh

At this point, WebGoat should be running. Pretend you are an 18-year hacker, and use your penetration skills to break into one of the accounts. Check out the Access Control Flaws material and the Remote Admin Access section. Being aware of what is possible, and that the threats are real, helps motivate a person to defend against them.

Now it is time to examine the work of OWASP Summer of Code project wiki, Securing WebGoat using ModSecurity. With a vulnerable server to test out the vulnerabilities against, we will move on to the required software that will help defend against brute force password attacks. First step, install Lua to use with ModSecurity.

Lua

The Lua language combines “simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode for a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping.”

For a complete discussion of the benefits of Lua, Soumya has written an article “10 Reasons Why You Should Make Lua (A New Programming Language) Your Coding Friend – A Detailed Review.” Erik Wrenholt has also done an interesting benchmark again popular languages to compute the Mandelbrot. We are focusing on Lua is because it can be used with ModSecurity. Plus, we want to take advantage of the work done by Stephen Craig Evans and others who worked on securing web applications.

To install Lua on a linux server by source:

root# cd /usr/local/src/ /usr/local/src root# wget http://www.lua.org/ftp/lua-5.1.4.tar.gz /usr/local/src root# md5sum lua-5.1.4.tar.gz d0870f2de55d59c1c8419f36e8fac150 lua-5.1.4.tar.gz /usr/local/src root#tar xzf lua-5.1.4.tar.gz /usr/local/src root# cd lua-5.1.4 /usr/local/src/lua-5.1.4 root# make linux /usr/local/src/lua-5.1.4 root# make install /usr/local/src/lua-5.1.4 root# cd /usr/local/lib /usr/local/lib root# gcc -shared -o liblua.5.1.4.so /usr/local/lib/liblua.a /usr/local/lib root# ln -s liblua.5.1.4.so liblua.so

ModSecurity

If you are running a version of ModSecurity older than version 2.5, you will need to upgrade. As of ModSecurity 2.5, Lua can be used:

The new SecRuleScript directive allows for the execution of Lua scripts which provide an even more flexible and powerful interface into ModSecurity. When is Lua needed? ModSecurity chained rules can easily implement AND logic to create complex rules that evaluate that specific variables are present and have certain data, however they can not easily create proper OR logic. This is where Lua can help.

A previous blog post, “Implementing a Web Application Firewall with ModSecurity,” goes through the step of installing ModSecurity with an Apache Web Server. Following that post, your Apache httpd.conf configuration files should load the mod_security2.so module and include the modsecurity.conf file. It is the modsecurity.conf file where the additional rules will be added.

Problem with Usernames and Passwords

WebGoat demonstrates a few security issues that need to be addressed. From OWASP’s “OWASP ModSecurity Securing WebGoat Section4 Sublesson 04.2” Forgot Password section, the following points are made:

• Attackers who are attempting to enumerate valid usernames. If you submit an invalid one the html response text includes info stating as such. We can track this.
• Once a specific valid username is identified, the attacker then starts a targeted attack to guess answers to the password hint (favorite color).
• Attackers can initiate reverse brute force attacks – this is when an attacker cycles through different valid user accounts and submits the same common answer to the question (submitting Blue as the answer to different usernames).

The OWASP ModSecurity Securing WebGoat document does such a good job outlining the security issues along with possible solutions, I am going to leave it to the reader to decide what solutions are appropriate for their systems. If I continued stepping through to a more secure implementation, I would end up copying everything in the document. Playing around with the rules, testing the results, is great fun in a geeky security kind of way. Do drop down and read the reviewer’s comments. A very good job by Stephen Craig Evans and all who worked on OWASP Summer of Code project. Of course, a special thank to Ivan Ristic, who gave us ModSecurity.

Recently, I listened to a IT Conversation podcast, from the O’Reilly Media Emerging Technology Conference. Tim O’Reilly spoke about hackers. Not the black hatters, but those folks who work tirelessly to bring about the kind of software and services that make the Internet possible. While the Internet may be at times a dangerous place, thanks to the efforts of these hackers who work out of love for the challenge, often with little regard to financial factors, we have these great tools that go a long way towards helping people secure their applications.

Final Thoughts

In today’s post we examined a security breach that occurred involving a major player in the Internet community. To help understand that problem, and others, we setup WebGoat. Sun Tzu wrote in The Art of War, “So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.” WebGoat helps us understand the attack vectors against web applications a little better. Once identifying a possible problems, we walked through a solution that can help reduce the risk.

It is easy to find humor in an employee with administrative access using the password “happiness.” The reaction from the Internet community to Twitter’s problems might be a little schadenfreude at play. Theodor Adorno, philosopher and sociologist, defined schadenfreude as largely unanticipated delight in the suffering of another which is cognized as trivial and/or appropriate. Or, maybe it is more like whistling past the graveyard, where folks are a bit cheerful or joyful in the face of a situation that doesn’t warrant it.

When very public security incidents occur, companies need to take a little stock. Not all employees will take training seriously nor follow all policies. That includes people with important roles. Employees make mistakes and it is difficult to guard against every possible mistake that could occur. That is why a layered approach to security is constantly preached. While each layer cost money, security groups at organizations are in a constant battle to monitor and prevent intrusions in a cost effective way. Fortunately, we have the work of many hackers (the good kind), helping us develop solutions to deal with daily new challenges. There are no guarantees. As Albert Einstein once said, “Anyone who has never made a mistake has never tried anything new.” Wisdom comes when we learn from these mistakes. CIOs need to ask themselves, “how safe is my company from being next week’s security headline?” Security groups within an organization must be able to learn and adapt. At the end of the day, the question is how different is your company from Twitter? Insanity is doing the same thing and expecting different results. I’ll close this post with the wise words of Sam Levenson, “You must learn from the mistakes of others. You can’t possibly live long enough to make them all yourself.”

Clickjacking, as described Grossman, is a browser vulnerability exploitation that gives “an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” Dave Aitel adds a little more detail when he wrote to insecure.org:

Essentially if your web page is in the same frame as another page you can slide them under your buttons/URLS using DHTML such that when the user is clicking on your link, they instead really are clicking on some random place on a web page of your choice. This process is essentially invisible to the end user.

Clickjacking is a well-known issue and isn’t really anything new. The decision to do a presentation came about because RSnake and Grossman felt clickjacking was severely under appreciated and largely undefended. They had hoped they could begin to change that perception. The presentation was to consist of demonstrating the potential attacks along with some proof of concept (PoC) code and real working exploits. The problem was, to quote RSnake, “None of the issues we found relating to the browser were particularly easy to fix, it turns out.” Please read RSnake’s post, “Clickjacking” and Gossman’s post “(Cancelled) / Clickjacking – OWASP AppSec Talk.” The posts outline their decision to cancel along with additional details. Editorial Note: If you are interested at all in security, start reading both RSnake’s and Grossman’s blogs. Their posts are always very informative.

Ryan Naraine of ZDNet posted “Clickjacking: Researchers raise alert for scary new cross-browser exploit” and included this great quote:

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

The news about clickjacking is not a news flash. Even news about the cancellation, RSnake and Grossman posted over ten days ago. The OWASP NYC AppSec 2008 Conference ended yesterday having run from from Sept 22nd – 25th 2008. What is new is that Giorgio Maone wrote Ryan Naraine concerning how NoScript can help. Clickjacking being “very, freaking scary” and “near impossible” to fix properly, sounds like another problem getting a bit more press in the US right now. All the more reason that while waiting for a patch, folks need a solution today. NoScript has can help. To quote Maone:

I had access to detailed information about how this attack works and I can tell you the following:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <iframe>” option.

Finally, some good news. And that, my friend, is what makes it a news flash.

Basic Terminology

A good starting point in developing a risk assessment process is NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The document provides the following definition:

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Frequently risk will be defined as a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability. What should also be included is the resulting impact of that adverse event on the organization.

NIST SP 800-30 contains information on risk assessment and management. Recently, NIST released NIST SP 800-39, “DRAFT Managing Risk from Information Systems: An Organizational Perspective,” which contains a references to NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” NIST SP 800-30 Revision 1, when it is released, will be the document for risk assessment while NIST SP 800-39 is for risk management.

Michael Smith, the Guerilla CISO, had a posting “An Open Letter to NIST About SP 800-30“. Michael writes “The best thing that you have given us is not the risk management framework, it was SP 800-30, ‘Risk Management Guide for Information Systems’. It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.” I’ll leave it to the reader to view the rest of the post. The point is, NIST SP 800-30 currently is the best document to start with when talking about risk assessment.

The nine primary steps in the risk assessment methodology:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Now that risk assessment is defined along with which NIST documents contains what, let us talk about risk management. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The risk management process is meant to protect an organization and its ability to perform its mission. It is not just just a technical function carried out by the IT experts to protect IT assets. It is an essential management function of the organization.

Framework

Awhile back, I did a post “Intense Simplicities” which discussed the risk-based protection model verses the policy based compliance model. Several frameworks were discussed and a “Security Mappings” page was developed. Examine the frameworks discussed in the previous post and notice that basically the primary steps in risk assessment can be mapped back into the frameworks. Before developing a risk assessment methodology, consider its place in the whole risk management methodology and the framework of the organization. This allows you to utilize what has already been developed.

IT Governance Institute® (ITGI™) is also developing the IT Risk Management Framework. To quote from Urs Fischer article, “The framework aims to fill the gap between generic risk management frameworks such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO)’s Enterprise Risk Management (ERM) and Australia/New Zealand AS/NZ 4360, and detailed (mostly security-related) IT risk management frameworks. Indeed, the goal of this framework is to allow organisations to understand and manage all IT-related risks (beyond security) and to address all aspects (beyond operational management of IT) when managing risk.

Information Sources

ISACA has made available a great deal of information that can be used in developing a risk assessment process. The following documents are bit older, but open to the world.

• Framing Your Choices: Weighing Three Risk Management Frameworks by Linda L. Briggs

– offers the conclusion that newer frameworks such as AS/NZS 4360 or M_o_R offer a solid route to first understanding and then controlling business risk.

• Risk Assessment Tools: A Primer – the article looks at risk assessment tools, in order to creates a framework of understanding and provides insight into the world of automated risk analysis.
• Risk Without Remorse – the article makes the argument that “by implementing COBIT risk management, the CIO should expect better portfolio management decisions and improved risk-reward communications intra- and interdepartmentwide, as well as a better ROA.”
• Risk and Control Self-Assessment (RCSA) – the article makes the argument that risk and control self-assessment (RCSA) is “a great asset in several phases of the audit process, starting with the risk assessment and development of the annual audit plan or individual audit plans of the area being reviewed.”
• IS Auditing Procedure: P1 IS Risk Assessment Measurement
• IS Auditing Guideline: G13 Use of Risk Assessment in Audit Planning
• Standard for IS Auditing: S11 Use of Risk Assessment in Audit Planing

If you become a member of ISACA, you can access more recent documents involving risk assessment and management. These include:

• A Comprehensive Method for Assessment of Operational Risk in E-banking by George Tanampasidis, CISA, PMP
• Risk Management Standards: The Bigger Picture by David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA
• Automating Security Policy and Procedures With Workflow: How to Improve the Effectiveness of Risk Management Solutions by Michael Godfrey
• New Framework for Enterprise Risk Management in IT by Urs Fischer, CISA, CIA, CPA Swiss

CERT just recently produced a podcast, “Security Risk Assessment Using OCTAVE® Allegro.” OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services. The authors of the blog site, the RiskAnalys.is, are big advocates of the Factor Analysis of Information Risk (FAIR) Framework. FAIR is meant to provide a framework for understanding, analyzing, and measuring information risk.

Update:Alex Hutton provided some important clarification on FAIR. Alex points out, “FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a ’scan/prioritize/fix/repeat/’ Deming cycle at it’s core.” Alex also provides a great pointer to the ENISA’s website which includes a comparison of the 18 different Risk Assessment Methodologies. Alex writes, “They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.”

The ISO 27001 Security site has compiled a very nice listing with brief outlines of information security risk analysis methods, standards, and tools. IsecT Ltd., home of the NoticeBored security awareness service, voluntarily maintains the site as a “not-for-profit labour-of-love activity.” They have done a great job of keeping the site up-to-date. The site also makes available a free ISO27k toolkit. The toolkit consists of “a collection of papers contributed by members of the ISO27k Implementers’ Forum, either individually or through collaborative working groups organized on the Forum.” Three documents of particular interest are “Information security risk analysis spreadsheet,” “FMEA risk analysis spreadsheet“, and “Information security risk register.”

I tend to like information sources that are available to the public at no cost. Alex pointed out that Microsoft has put out the The Security Risk Management Guide. Microsoft describes the guide as helping explain “how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.”

After mentioning Microsoft, I feel compelled to point out an open source project. The Security Officers Management and Analysis Project (SOMAP) is a project with the goal to “develop and maintain Open Source Information Security Risk Management tools and utilities.” SOMAP operates on the belief that “Information Security is not a competitive issue and only freely available and cooperatively developed risk management utilities and tools can potentially lead to a better security management and to further development of the whole risk management field.” They have created the “Risk Management Handbook,” “Risk Assessment Guide,” “Security Officers Best Friend (SOBF Tool),” and “Open Risk Model Repository (ORIMOR).” See their site for additional details.

Blogs

A few blog sites where information can be obtained, and questions posted, are:

• Not Bad For a Cubicle: Risk Management made interesting.
• Risktical Ramblings: Assessing, Articulating & Quantifying Information Security Risk by Chris Hayes.
• Security and Risk Management Strategies Blog: Burton Group.
• RealTime IT Compliance: This is Rebecca Herold’s site who specializes in risk assessment, gap analysis, policy content development, awareness training, strategy development and implementation. The few times I have talked with her, she has been real friendly and helpful.

Recent Blog Posts

Below are a few recent blog postings that maybe of interest. The posts were pulled from Google Reader with accompanying blurbs of text.

• Risktical Ramblings: Risk and CVSS … I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessments efforts. In my opinion, there are some really useful “metric vectors” that provide a simple yet powerful way to analyze a vulnerability.. …
• The Security Catalyst: Refreshing, Reloading, Refueling … My goal in writing the book was simple: present enough information to create a shift in thinking. Beyond that, a keynote, executive seminar and guided system has been developed, tested and refined to further expand on the information in the book, bring it to life and drive results. Part of our journey will be working with organizations (small and large) to implement the tenets outlined in Into the Breach to improve revenue, complete a successful risk assessment, build an awareness program that works or influence a positive change in how people, information and risk are managed …
• (ISC)2 Blog: Proving the Value of Qualitative Risk Assessments … Qualitative risk assessments are a cornerstone security management tool. This type of assessment process is characterized by estimates of asset values, threats, vulnerabilities, and costs from anticipated exposures. Risk management frameworks are a way for managers to determine where to allocate resources when risk is at an unacceptable level ….
• RiskAnalys.is: Relentless Reflection – What it Means in Risk Management … Picking up from yesterday, Today I’d like to talk about: HANSEI – WHAT IS “RELENTLESS REFLECTION?” – And why we’re talking about it in the context of Risk Analysis. Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk man …
• bsi: Navigating the Security Practice Landscape … RA risk assessment (5) SA system and services acquisition (11) SC system and communications protection (23) SI system and information integrity (SI) Mappings to Other Standards Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 paragraphs. Appendix H Standards and Guidance Mappings provide …
• RiskAnalys.is: UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU AND ME! …a Good Risk Assessment Methodology” – written by yours truly and Jack. It’s a very high-level document, and serves two purposes: For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document). …

Build Security In (bsi) is maintained for DHS. It contains documents that are continuously being updated. The “Risk Management” area provides a framework for identifying, tracking, and managing software risks.

Only a Starting Point

Overcoming Bias, a great thought provoking blog, recently posted, “Say It Loud.” The author, Eliezer Yudkowsky, quotes Will Strunk: “If you don’t know how to pronounce a word, say it loud! If you don’t know how to pronounce a word, say it loud!” Eliezer goes on to say, “This comical piece of advice struck me as sound at the time, and I still respect it. Why compound ignorance with inaudibility? Why run and hide?” This corresponds with one of my favorite graphics created by the Creating Passionate Users blog:

Eliezer makes a very valid point. To those who “sounds clueless, but isn’t,” you need to speak up. Otherwise, you are helping the “sounds smart, but isn’t” promote their cluelessness throughout the organization.

With that in mind, let me state this loudly: the above sources will provide a very useful starting point in developing a risk assessment process. NIST SP 800-30 is the best place to start. Also check out NIST SP 800-39. The IT Governance Institute has been talking about the IT Risk Management Framework for awhile now. It should be great when it comes out, but the last I heard there was no release date set. CERT OCTAVE is freely available, so that makes it a good resource. I am less familiar with FAIR, though it looks very interesting. I tend to use COBIT when dealing with business processes as a checklist of controls to have in place. Members of ISACA should look in the journal’s archive area. The last issue was focused on risk and contained a couple of articles that would be helpful. The articles that are open to the public are somewhat dated. The blog sites will be helpful once you start narrowing in and know what you are interested in doing. In the end, this post is meant only as a starting point. It is not a complete list; not even close. While there may be a great deal more work to do, your journey has begun. Good luck.

The crime landscape is shifting. Attacks are moving up the network stack. Network-based attacks are not the prime source of security problems anymore. The attacks today are moving into the application layer: Web 2.0, instant messenger attacks, fraud, information theft, and crime-ware are just some examples of new types of attacks that generate a load of data to be collected and analyzed. Beware! Applications are really chatty and generate alot of data.

While my current post is not about security visualization (see earlier post “Security Data Visualization“), I would like to point out that DAVIX, a live CD for data analysis and visualization, is expected to be released August 6th. That should be really cool and fun.

Since application security is a topic of interest for me, I ran into the problem of having too many topics I wanted to discuss when I started trying to write a post on ModSecurity, an open source, free WAF Apache module. Today, rather than waiting for me to integrate the information, I decided to move ahead and do the post while limiting myself to only pointing out the various sources. The reader can follow the links for a more in-depth discussion and understanding on the topic.

Why You Should Care

The Risky Business podcast has come to be one of my favorite podcasts. The host, Patrick Gray and regular guest Munir Kotadia, just cracks me up. Plus the show is informative and features great guests. This week’s show had an interview with H D Moore talking about the DNS bug. Timely and informative; what else can one ask for? The 68th episode, done at the beginning of this month, had an interview with Jeremiah Grossman concerning web application firewalls. As Patrick writes in the show notes, “it takes typical organizations around 130 days to fix sequel injection bugs in code. But you can mitigate these sorts of things with a Web app firewall, and you won’t even have to deal with the development team! Hooray!.”

In Grossman’s blog post “Can WAFs protect against business logic flaws?“, he pointed out that “WAFs don’t defend against every logic flaw, or even every crazy form of SQLi or XSS. Just as white/black box scanners can’t identify every vulnerability and neither can expert pen-testers or source code auditors.” Stuart King, in his article, “Larry David and Web Application Firewalls“, builds upon this idea when he wrote:

Back to the CSO article where the point is made that we are sitting on a huge legacy of insecure code and that “we can’t rewrite history.” So, the argument is that a web application firewall mitigates the risk – note: does not solve the problem – until the code can be replaced.

How much of the risk is mitigated is open to debate, but there are lots of other things to consider too. For instance the cost of redeveloping code against the cost of purchasing and supporting a WAF. We also need to consider the value and risk profile of the product.

Today’s world consist of attackers adjusting focus from network-based attacks to the application layer. Grossman in his post “Website Security Strategies that Work” makes the claim that “9 out of 10 (or more) websites have vulnerabilities as a result of being built by those who didn’t know or appreciate the severity of today’s attacks.” There is no arguing that many organizations are sitting on a huge legacy of insecure code, much of which may have been written before the discovery of prevalent vulnerabilities such as XSS, SQL Injection, CSRF, etc. Even worse, organization often have their security groups focused on network or system security, leaving application level security to developers. Unfortunately, these developers are receiving little or no training, while remaining under pressure to produce code under short deadlines.

Andre Gironda series, starting with “Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s,” provides important reasons why WAFs should not be viewed as a silver bullet solution. Rich Mogull in his post “Web Application Security: We Need Web Application Firewalls To Work. Better” makes the important point:

With old school vulnerabilities we know the details of the specific vulnerability and (usually) exploit mechanism. With WAFs, we are trying to block vulnerability classes instead of specific vulnerabilities. This is a HUGE difference. The WAF doesn’t know the details of the application or any application-specific vulnerabilities, and thus is much more limited in what it can block.

Mogull goes on to state that WAFs can:

no longer be merely external boxes protecting against generic vulnerabilities; they need tighter integration into our applications. In the long term, I’ve branded this Application and Database Monitoring and Protection (ADMP) as we create a dedicated application and database security stack that links from the browser on the front end, to the DB server on the back.

ADMPs, or if you prefer WAFs + Database Activity Monitoring (WAFs+DAM), would be another step in the evolution of WAFs. As Ivan Ristic, creator of ModSecurity, points out in his blog post “What’s the Score of the Game?“:

I feel that one of areas where organizations are failing, with regards to web application security, is that there is a lack of communication between the following three groups: Development teams (who are running source code reviews), InfoSec teams (who are running vulnerability scans) and Operational Security teams (who are running web application firewalls). These three teams each have unique perspectives on the vulnerabilities of the webapps and they should share their data with each other.

Nicely stated. No one is arguing that writing secure code is not the answer. If organization began adapting secure systems development lifecycle (SDLC) models into their business operation, many security problems would go away. Building secure software will require changes in the current development culture, which will include people, processes, and technology. No small task.

Gunnar Peterson has a nice post, “WAF and XSG Risk and Effectiveness at 20,000 feet” where he discusses modeling of combination of risk and effectiveness to identify areas of focus. As Peterson points out in another post, “WAFs are not as static as network firewalls…Instead WAFs collaborate much more directly with development, which is another growth opportunity for security industry.”

This post is going to stay focused on WAFs. With it taking on average 130 days to fix sequel injection bugs, organizations need something they can implement today. WAFs have an important role to play in adding a layer of security and monitoring to a defense in depth security approach. WAFs will evolve. They are in the process of evolving now. Understanding the fundamental ideas and going through the implementation of an open source solution starts us on the path of better understanding of future technologies.

An Implementation Using ModSecurity

Building on previous posts concerning “An Apache Implementation“, “PHP Implementation“, and “Apache and OpenSSL“, we have an Apache web server setup to build upon. For additional details, please get Ivan Ristic’s book, “Apache Security.” It really is a must have book for anyone serious about running an Apache web server. Ristic also maintains the ModSecurity website and blog, which serves as a great source for up-to-date information on ModSecurity.

The Apache module mod_unique_id needs to be installed for ModSecurity to work properly. This module was not installed when we configured Apache. At that time, we did not know we needed it. While it can be somewhat inconvenient, for security reasons it is best not to install modules not needed.

1. Stop Apache Server.

# /usr/local/apache/bin/apachectl stop

2. Install mod_unique_id Module.

For non Mac OS X, do the following:

root# cd /usr/local/src/httpd-2.2.8
/usr/local/src/httpd-2.2.8 root# make clean
/usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
./configure --prefix=/usr/local/apache \
--enable-rewrite \
--enable-so \
--disable-imap \
--disable-userdir --with-mpm=worker --enable-ssl --enable-unique-id --enable-unique-id
/usr/local/src/httpd-2.2.8 root# make
/usr/local/src/httpd-2.2.8 root# make install

For Mac OS X, please do:

root# cd /usr/local/src/httpd-2.2.8
/usr/local/src/httpd-2.2.8 root# make clean
/usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --prefix=/usr/local/apache --enable-rewrite \
--enable-so --disable-imap --disable-userdir \
--with-mpm=worker --enable-ssl --enable-unique-id
/usr/local/src/httpd-2.2.8 root# make
/usr/local/src/httpd-2.2.8 root# make install

3. Install PCRE.

Only under Mac OS X did I have to install Perl Compatible Regular Expressions (PCRE). You may be able to skip this step, depending on your OS.

root# cd /usr/local/src
/usr/local/src root# wget http://downloads.sourceforge.net/pcre/pcre-7.7.tar.gz
/usr/local/src root# tar xzf pcre-7.7.tar.gz
/usr/local/src root# cd pcre-7.7
/usr/local/src/pcre-7.7 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure
/usr/local/src/pcre-7.7 root# make
/usr/local/src/pcre-7.7 root# make test
/usr/local/src/pcre-7.7 root# make install

4. Install the latest version of libxml2 or Lua.

To quote wikipedia, libxml is “a library for parsing XML documents” and Lua is “a lightweight, reflective, imperative and procedural programming language, designed as a scripting language with extensible semantics as a primary goal.” ModSecurity requires dynamic libraries which are not built by default in the source distribution. Binary distribution is recommended.

I will go through configuration and installation of libxml2 from source and the binary installation of lua under Mac OS X. There is a good chance if you are running a different OS, the libraries will have already been installed.

root# cd  /usr/local/src/
/usr/local/src root# wget ftp://xmlsoft.org/libxml2/libxml2-2.6.32.tar.gz
/usr/local/src root# tar xzf libxml2-2.6.32.tar.gz
/usr/local/src root# cd libxml2-2.6.32
/usr/local/src/cd libxml2-2.6.32 root#  CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
/usr/local/src/cd libxml2-2.6.32 root# ./configure
/usr/local/src/cd libxml2-2.6.32 root# make
/usr/local/src/cd libxml2-2.6.32 root# make install
/usr/local/src/cd libxml2-2.6.32 root# cd ..
/usr/local/src root# wget http://luaforge.net/frs/download.php/3097/lua5_1_3_Darwin811x86_lib.tar.gz
/usr/local/src root# mkdir lua
/usr/local/src root# cd lua
/usr/local/src/lua root# tar xzf lua5_1_3_Darwin811x86_lib.tar.gz
/usr/local/src/lua root# cp liblua5.1.* /usr/local/lib
/usr/local/src/lua root# cp include/* /usr/local/include

5. Download, unpack, configure, and compile ModSecurity.

If you are interested in connecting a ModSecurity sensor to the central audit log repository, you will want to build the ModSecurity Log Collector below with the command “make mlogc”. Install instructions can be found under apache2/mlogc-src directory. That step will not be included below.

root# cd  /usr/local/src/
/usr/local/src root# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.5.tar.gz
/usr/local/src root# tar xzf modsecurity-apache_2.5.5.tar.gz
/usr/local/src root# cd modsecurity-apache_2.5.5
/usr/local/src/modsecurity-apache_2.5.5 root# cd apache2

For non Mac OS X, configure with the command:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# ./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--with-apr=/usr/local/apache/bin \
--with-apu=/usr/local/apache/bin

For Mac OS X, use the command:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --with-apxs=/usr/local/apache/bin/apxs

Continue to compile and install with the commands:

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make test
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# make install
/usr/local/src/modsecurity-apache_2.5.5/apache2 root# ls -la /usr/local/apache/modules

6. Configure Apache and ModSecurity.

We must now edit the httpd.conf file in order to load libxml2 or lua5.1 modules before the ModSecurity module.

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# vi /usr/local/apache/conf/httpd.conf

Add the lines for non Mac OS X:

#
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
#
LoadModule security2_module modules/mod_security2.so

For Mac OS X, add the lines:

#
LoadFile /usr/local/lib/libxml2.2.dylib
LoadFile /usr/local/lib/liblua5.1.so
#
LoadModule security2_module modules/mod_security2.so

Create the ModSecurity configuration file. There is a file modsecurity.conf-minimal present in the /usr/local/src/modsecurity-apache_2.5.5 that can be used. There is also a a Core Rule Set that was included in the /usr/local/src/modsecurity-apache_2.5.5/rules directory courtesy of Breach Security Inc. To quote the README file, “The Core Rule Set provides generic protection from unknown vulnerabilities often found in web application that are in most cases custom coded. The Core Rule Set is heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.” Under the rules subdirectory, there a directory “optional” which contains additional possible rules. It is left to the reader which configuration files they may want to include, though it might be wise to start with the minimal and make sure the Apache runs without problems. Then add configurations files as desired.

/usr/local/src/modsecurity-apache_2.5.5/apache2 root# cd ..
/usr/local/src/modsecurity-apache_2.5.5 root# cp  modsecurity.conf-minimal /usr/local/apache/conf/modsecurity.conf
/usr/local/src/modsecurity-apache_2.5.5 root# cp  rules/*.conf /usr/local/apache/conf/

Include the modsecurity.conf, and additional ModSecurity configurations file, in the Apache httpd.conf file.

/usr/local/src/modsecurity-apache_2.5.5 root# vi /usr/local/apache/conf/httpd.conf

Add the line:

Include /usr/local/apache/conf/modsecurity.conf
#Include /usr/local/apache/conf/modsecurity_crs_10_config.conf
#Include /usr/local/apache/conf/modsecurity_crs_21_protocol_anomalies.conf
#Include /usr/local/apache/conf/modsecurity_crs_23_request_limits.conf
#Include /usr/local/apache/conf/modsecurity_crs_30_http_policy.conf
#Include /usr/local/apache/conf/modsecurity_crs_35_bad_robots.conf
#Include /usr/local/apache/conf/modsecurity_crs_40_generic_attacks.conf
#Include /usr/local/apache/conf/modsecurity_crs_45_trojans.conf
#Include /usr/local/apache/conf/modsecurity_crs_50_outbound.conf

Edit /usr/local/apache/conf/modsecurity.conf. The modifications will be very dependent on your environment. See resources listed in the Additional Information section to help with configuration. The default configuration saves the log files relative to the configuration file directory. Change this to where the apache logs are currently being saved.

/usr/local/src/modsecurity-apache_2.5.5 root# vi /usr/local/apache/conf/modsecurity.conf

Change the values to:

SecAuditLog /var/www/logs/modsec_audit.log
SecDebugLog /var/www/logs/modsec_debug.log

Let’s create null files with the correct permissions for Apache.

/usr/local/src/modsecurity-apache_2.5.5 root# touch  /var/www/logs/modsec_audit.log
/usr/local/src/modsecurity-apache_2.5.5 root# chown httpd.httpd /var/www/logs/modsec_audit.log
/usr/local/src/modsecurity-apache_2.5.5 root# touch  /var/www/logs/modsec_debug.log
/usr/local/src/modsecurity-apache_2.5.5 root# chown httpd.httpd /var/www/logs/modsec_debug.log

7. Start Apache.

Check that the configuration file is correct and start up Apache.

/usr/local/src/modsecurity-apache_2.5.5 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
/usr/local/src/modsecurity-apache_2.5.5 root# /usr/local/apache/bin/apachectl start

Check if ModSecurity if configured into running Apache server.

/usr/local/src/modsecurity-apache_2.5.5 root# cat /var/www/logs/error_log | grep ModSecurity
[Thu Jul 31 18:24:59 2008] [notice] ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/) configured.

Additional Information

This post is only to get the basics down. The above information was taken from the ModSecurity documentation install section for version 2.5.5. A great deal more information is available at the ModSecurity blog site and in the book “Apache Security“.

Concluding Remarks

Ivan Ristic and Ofer Shezaf are working on an interesting paper, “Enough With Default Allow in Web Applications!” This paper demonstrates how WAFs are evolving. To quote the paper:

The default allow deployment model, which is commonly used to implement and deploy web applications, is the cause of numerous security problems. We propose a method of modeling web applications in a platform-agnostic way to adopt a default deny model instead, removing several classes of vulnerability altogether and significantly reducing the attack surface of many others. Our approach is best adopted during development, but can be nearly as efficient as an afterthought, or when used at deployment time. What they are looking to do is create a protection layer between the web servers and applications which would increase security and turn applications into verifiable components with external contracts that can be enforced.

Ristic mentions in his post the planned release of “an open source profiling tool (which I will announce next week) to help with the third use case and automate the creation of positive security models (also known as the learning feature of web application firewalls).” Breach Security has also teamed up with WhiteHat Security to add the ability to their Sentinel scanning service to automatically create custom ModSecurity rules for certain classes of vulnerabilities that are found in your web applications. This is the kind of evolution that is required in security and makes ModSecurity such an interesting software package.

• Apache Security by Ivan Ristic
• Securing Apache 2: Step-by-Step by Ivan Ristic
• Apache HTTP Server Version 2.2: Compiling and Installing
• Apache HTTP Server Version 2.2: Security Tips
• Center for Internet Security Benchmarks for Apache Web Server v2.1 by Ryan Barnett
• Securing Apache Step by Step by Ryan C. Barnett
• ModSecurity Reference Manual
• NIST SP 800-44 v2: Guidelines on Securing Public Web Server by Miles Tracy, Wayne Jansen, Karen Scarfone, and Theodore Winograd
• NIST SP 800-95: Guide to Secure Web Services by Anoop Singhal, Theodore Winograd, and Karen Scarfone
• OWASP WeBekci Project, a web based ModSecurity 2.x management tool.
• REMO, a project to build a graphical rule editor for ModSecurity with a positive/whitelist approach.
• Got Root, the Internets largest source of intrusion prevention signatures and comment spam blacklists for webservers, over 13,000 signatures.

There are two freely available tools for helping with the security of your Apache configuration:

• The CIS Scoring Tool for Apache
• Apache httpd Tools

A coworker was complaining that the majority of information he was finding in blogs was junk. I asked him how was he finding his information. He was doing a regular Google search; not even a Google Blog Search. I understood his pain. George Siemens makes a very interesting distinction between collective intelligence and connective intelligence. Collective intelligence is “a form of intelligence that emerges from the collaboration and competition of many individuals“. George defines connective intelligence as “individual creation of information, ideas, and concepts which are then shared with others, connected, and re-created and extended based on the interaction.”

George goes on to state, “simply, collective means blending together. Connective means connecting while retaining the original (though others may build on it in their own spaces).” Put another way, “the collective presents a melting pot of ideas. The connective represents a mosaic of ideas.” People are surprised when I tell them that I do not read blogs. I read Ivan Ristic, Jeremiah Grossman, Gunnar Peterson, Ryan Barnett, Dafydd Stuttard, etc. My coworker’s problem is that he’s drowning in the melting pot of information provided by collective intelligence. When I read an author I like or come across software I find really useful, I look to see if the authors have a blog. I will then subscribe to their RSS feed, allowing me to make use of connective intelligence.

A few blogs of interest for web application security:

• Ivan Ristic, author of “Apache Security” and principal author of ModSecurity, the open source web application firewall.
• Jeremiah Grossman, author of the CIS Scoring Tool for Apache and founder and Chief Technology Officer of WhiteHat Security.
• Ryan Barnett, author of “Preventing Web Attacks With Apache“, and Director of Application Security Training for Breach Security.
• Dafydd “PortSwigger” Stuttard, co-authof of “The Web Application Hacker’s Handbook” and Principal Security Consultant at NGS Software.
• Gunnar Peterson, Software Security Architect and CTO at Arctec Group.
• Robert “RSnake” Hansen, CEO SecTheory.
• Shreeraj Shah, founder of Blueinfy, a company that provides application security services.
• Billy Hoffman, co-author of “Ajax Security” and lead research engineer with Atlanta-based SPI Dynamics Inc.
• Bryan Sullivan, co-author of “Ajax Security” and developer and security researcher at SPI Dynamics, Microsoft.
• Chris Shiflett, author and speaker who leads the web application security practice at OmniTI.
• Ory Segal, Security Products Architect, Rational, Application Security (Watchfire), IBM.
• Anurag Agarwal, is a senior application security consultant providing expertise on secure development lifecycle and vulnerability assessment. He also manages www.attacklabs.com and www.myappsecurity.com.

I wanted to mention that I started off with the names of several web application professionals. I wanted to include links to their names in this post. As I searched out their names to add a little background blurb, I kept coming across postings from Anurag Agarwal. He has done a great job profiling many of the leaders in web application security. The above list is missing many people and that is entirely my fault. As I stated, the list is of people that I am familiar with and is not meant to be a complete list of web application security professionals.

With these resources at our disposal, we are well positioned to start our quest to secure Apache.

Many of the security issues we are beginning to see with Web applications are issues that we have seen in some form with traditional client/server applications. Unlike the Phoenix, the Web application security issues are not rising from the ashes of traditional client/server applications. Client/server security is still very much alive. The Phoenix just provides better imagery then the Hydra, where if you cut the head off the Hydra two came back in its place. In the old days of the Internet (a few years ago), everything was done on the server. When you think about vulnerabilities in ftp, mail, and Web servers, it was the infrastructure groups responsibility for fixing it. Fixes were done by doing such things as setting up firewall rules, patching systems, upgrading server software, etc. With Web 1.0, the intelligence was pretty much on the Web server. Your Web browser would simply talk to your server where the applications resided.

Asynchronous JavaScript and XML (Ajax) changes the traditional model by having the application running on the browser where more of the work is done. The JavaScript engine runs on the browser, talking to the server and third party sources on your behalf. This is not unique to Ajax. Anywhere you have Rich Internet Applications (RIA), there will be this interplay between the server, third party sources, and the client. State information has to be shared between the client and server. Unfortunately, one of the lessons we have learned over the years is that you cannot trust the client. Outside of client side certificates, there really is no way for the server to know who is talking to it.

Shreeraj Shah, the author of Web 2.0 Security – Defending Ajax, RIA and SOA; Web Hacking (Stuart McClure and Saumil Shah co-authors); and Hacking Web Services, did a presentation at the HITB Security Conference titled “Web 2.0 hacking, keeping focus on Ajax and Web Services.” In the presentation, Shreeraj discusses the vectors of change between Web 1.0 and Web 2.0. In Web 1.0, the entry points were structured, there were limited dependencies, the vulnerabilities were on the server side (typically through injections), and there were server side exploitations. In Web 2.0, everything changes. You have scattered and multiple entry points. There are dependencies on multiple technologies, information sources, and protocols. Vulnerabilities can be exploited on Web services through payloads and on the client side through such exploits as XSS and XSRF. Exploits exist for both server and client.

More worrisome is that in many organizations, security remains solely network focused while developers are left untrained and unaware. Up until now, developers have not had to deal seriously with security problems. Add to this changing environment, pressure on developers to meet deadlines and develop code quickly. Some developers main goal is simply getting their application not to crash. It is easy to understand how due to lack of exposure and the need for quick code turn around, developers can fail to put security measures in place sufficient for a Web 2.0 world. Ross Anderson and Tyler Moore add some great insight into the software development environment in their paper, “Information Security Economics – and Beyond.” Ross and Tyler wrote:

In many markets, the attitude of ‘ship it Tuesday and get it right by version 3’ is perfectly rational behaviour. Many software markets have dominant firms thanks to the combination of high fixed and low marginal costs, network externalities and client lock-in noted above, so winning market races is all-important. In such races, competitors must appeal to complementers, such as application developers, for whom security gets in the way; and security tends to be a lemons market anyway. So platform vendors start off with too little security, and such as they provide tends to be designed so that the compliance costs are dumped on the end users. Once a dominant position has been established, the vendor may add more security than is needed, but engineered in such a way as to maximise customer lock-in.

In some cases, security is even worse than a lemons market: even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.

Another outstanding article is by Sergey Bratus in the July/August 2007 IEEE Security and Privacy magazine titled “What Hackers Learn that the Rest of Us Don’t: Notes on Hacker Curriculum.” Sergey makes the following comparisons between developers in the academic programs to those in the hacking community:

• Developers are under pressue to follow standard solutions, or the path of least resistance to “just making it work.”
• Developers tend to be implicity trained away from exploring underlying APIs because the extra time investment rarely pays off.
• Developers often receive a limited view of the API, with few or hardly any details about its implementation.
• Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.
• Developers might receive explicit directions to ignore specific problems as being in other developers’ domains.
• Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.

No one said it was going to be easy. The first step is to recognize that there is a problem. Actually, there are multiple issues to deal with when getting into application security. Just keep reminding yourself, one step at a time. The second step is to reach out and seek help. To help us on our road to security recover, Billy Hoffman and Bryan Sullivan have written the book Ajax Security. Billy has an interview on IT Conversations Technometria titled “Ajax Security” where he talks about Ajax in general and reviews some of the specific security issues most likely to occur. He also gives a number of examples of where security is likely to be a problem.

Richard Bejtlich provided the following very favorable review of “Ajax Security:”

Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It’s really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors’ Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.

This is extremely high praise considering Richard’s background and the number of books Richard reviews.

Billy has done some outstanding presentations at Black Hat. In 2006, he presented Ajax (in)security. In 2007, Bryan Sullivan and Billy Hoffman presented “Premature Ajax-ulation“. If video is more to your liking, Bill presented “0wn3d: How AJAX Makes Web Hacking Easier.” In the presentation area of this site, there are a couple very interesting talks on Ajax:

• Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) by Dave Wichers
• Ajax Security by Andrew van der Stock
• Ajax Security Concerns by Rohini Sulatycki
• Hacking Ajax and Web Services: Next Generation Web Attacks on the Rise by Shreeraj Shah

Borrowing from Dave Wicher’s presentation, security issues that need to be dealt with include secure communications, authentication and sessions, access control, data protection, input validation and output encoding, error handling, logging & intrusion detection, availability, and concurrency. Not a simple task. Is Ajax applications less secure then other Web applications? Ajax, in and of itself, is neither secure nor insecure. The OWASP 3.0 Guide chapter on Ajax and “Other” Rich Interface Technologies states, “AJAX applications face exactly the same security issues as all other Web applications, plus they add their own particular set of risks that must be correctly managed. By their complex, bidirectional, and asynchronous nature, AJAX applications increase attack surface area.” Because of the increase attack surface area of Ajax applications, one can argue these applications are less secure. The truth is that other Rich Internet Applications, such as Flash, Java applets, and Active X controls can be just as insecure.

How do you go about securing Ajax applications? Borrowing from Rohini Sulatycki presentation, you need to validate all inputs, all client side validation must be backed up by server side validation, do not implement business logic validation client side, implement whitelist validation, do not trust third party source (filter it out), identify valid data and reject everything else, no direct cross domain call back, and encode all outputs. Do not cripple Web development in the name of security. Instead, organizations need to make sure developers know the security issues. Get security involved on the application side.

Expanding from securing Ajax applications to moving your organizations toward software security and application security, Gary McGraw wrote a nice concise article titled “Four ways to kick off your organization’s software security initiative in the New Year.” Read the article along with everything Gary writes. To summarize the four methods:

• A top-down framework approach…perform a gap analysis between where you are and where you want to be from a software security perspective. Then build a plan to address the gaps….
• The portfolio risk method takes a more business-oriented approach to the software security problem. The idea here is to assess the entire application portfolio according to some risk criteria agreed on in advance. …
• The training first approach to software security is more grounded in the technical world. This approach helps developers who love to do the right thing but just don’t know what the right thing is when it comes to security. …
• The lead with a tool approach, meanwhile, makes sense for an organization that has already purchased and attempted to roll out a security analysis tool….

Gary also does the Silver Bullet Security Podcast, where on broadcast titled “Show 021 – A Panel Discussion with Cigital’s Principals“, the principals at Cigital discuss the best ways for large companies to get started with software security.

Gunnar Peterson is his post titled “Go Wide and Deep, Incrementally” makes the point that the best method for an organizations depends on “what you are trying to do, your company culture, and the people’s skills who are working on software security.” Gunnar suggest a fifth method, “namely decentralized specialized teams, or centers of excellence in PHB speak.” He makes the important point that “to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.”

Gunnar offers additional advice in his post titled “Phasing Security into the SDLC – A Comparison of Approaches.” He suggest four main ways to get started: top down, testing and validation, start in the middle, and training. Gary and Gunnar favor a mix approach of top down and bottom up, “that approach often leads with the creation of a special ops execution team that becomes the software security group. By far, this is the most impressive approach in terms of results and the one that is the most effective in well-run enterprises” (Gary quote). They will not get any arguments from me.

Moving an organization towards an environment where secure code can be produced, let it be Ajax or any RIA, is not an easy endeavor. Like the software development life cycle, an iterative, incremental delivery is the way to go. You do what you can. You work the program, one day at a time. This way, you take the needed steps to a secure recovery.

One of the things that I think frequently about as I listen to folks talk about security is that many people forget the fact that information technology exist to help us do something. Security’s job is to figure out how to allow the task to be done while minimizing risk. If implementing security only results in a company unable to advance, security has failed the company. It is like the old analogy about security being the brakes to the corporate car. To quote Ron Woerner of the Security Catalyst:

Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.

Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, told security executives during a lunchtime presentation that “many people blog from work and mobile platforms and that’s very bad.” He went on to categories blogs as one of the bad guys’ tools. Alan Shimel, chief strategy officer for StillSecure, addresses Don’s statement in his blog, “Don Ulsch, keep the FUD to yourself.” Don’s job is to see emerging threats and he makes the point that blogs represent a possible source of data leakage. This is a case where risk needs to be weighed against reward. That is Alan’s point. I listen to the “StillSecure, After All These Years” podcast and I read Alan’s blog. I am aware of his company StillSecure, and I have respect for the people he works with. I think Alan has demonstrated how useful the latest technology can be if you do not allow risk to stop your company from utilizing such technology. Sure, you want to minimize risk, but it is about balance. You cannot allow just the existence of risk to stop you from doing your business efficiently.

For this reason, I feel that one of the most important quality in a security professional is their ability to keep up with the latest technologies. We need to know the tools our organizations will be using in order to understand the risks involved. I am thankful to O’Reilly for helping me do my best to stay up on developments in IT. I read daily the O’Reilly Radar blog. I listen to the Distributing the Future podcast. Finally, I am subscriber to Safari Books Online. When Tim O’Reilly speaks, I listen.

I have a confession and I hope Tim does not feel I am stepping out on him. Occasionally, I will check out what books the Pragmatic Programmers, LLC might have. Awhile back, I brought the online version of the book by Dave Thomas and David Heinemeier Hansson, “Agile Web Development with Rails, Second Edition.” I found the web site to be very profession and well done. This is what you want to see in a publisher that sells books on web development. They have continued to provide free updates to the book. Considering the changing nature of agile web development, I have been very appreciate of that.

I also recently purchased the electronic version of Harlan Carvey’s book, “Windows Forensic Analysis DVD Toolkit.” It is a great book. Syngress’ site is not as slick as the Pragmatic Programmer site. I purchased from Syngress only because Harlan has produced such a great book. If you want to get a feel for Harlan technical and writing capability, check out his blog, the Windows Incident Response.

Right now, I am sitting at work finishing up the printing of some documents. While it might be nice to have documents in PDF format for searching and convenience in carrying around on a USB stick, I like to read hardcopy. While printing, I also have my MP3 player. I was listening to podcasts until I figured I would post a blog while waiting for my documents to finish printing. My phone and MP3 player are capable of making voice recording, which I occasionally use to record notes to myself. I don’t think Don would approve. The questions is how much safer would the company be verses how less productive would I be if these technologies were eliminated?

Here are a few other documents I am printing:

• OCEG Foundation Guidelines Red Book
• Guide to NIST Information Security Documents
• COBIT 4.1
• IT Governance Implementation Guide
• IT Assurance Guide
• Version Control with Subversion

What a way to spend Sunday.

“The Blind Men and the Elephant” is a classic fable. As the world of IT becomes more complex, the people in IT become more specialized. People become so focused in their areas, they lose the ability to see the big picture. Life becomes the fable. The fable is about a group of blind men who came upon an elephant. The first man, feeling the enormous leg, said, ‘This thing is very much like a tree.’ The second, standing near its ear, reached up and said, ‘This is a winnowing fan!’ ‘No,’ said a third as he grasped the moving trunk. ‘Be careful. This creature is a serpent.’ ‘I disagree,’ said a voice at the other end. ‘It is only a frayed piece of rope’. The last man commented, ‘You are all wrong. I have felt this thing on both sides and it is just a wall.’”

Let’s talk about two parts of the elephant, open source software (OSS) and service-orientated architecture (SOA). John Grimes, assistant secretary of Defense for networks and information integration/chief information officer, told the Network Centric Warfare conference in Washington, D.C., on Jan. 23, “As we go to SOA architecture, we keep the applications behind and share the data on the network, and it becomes very critical that data is understood by everyone.”

“It just eats our lunch every time we get into a proprietary situation, because it’s noncompetitive,” Grimes stated explaining that DOD will increasingly move to SOA because it benefits information sharing and acquisitions. Federal Computing Weekly has an article, “DOD’s Grimes: Our focus is on data” by Josh Rogin. In another article in FCW, Bob Brewinn wrote an article, “DISA Buying into SOA ‘Big Time’.” John Grimes is quoted as stating, “DOD spends too much time and money acquiring individual, highly-tailored systems.” He continues, stating, “It’s time for the department to stop buying things and start buying services.”

In an article in the Linux Insider title “Iona Tightens Open Source, SOA Bond,” Dana Gardner writes:

Open source and SOA are increasingly joined at the hip. These twins are developing in tandem, not sequentially, which is giving CIOs and architects a variety of choices for picking and choosing the projects and products that make up their SOAs.

Darryl K. Taft writes an article for eWeek title, “Web Services, SOA, and Open Source Converge.” Hub Vandervoort, chief technology officer at Sonic Software Corp., Bedford, Mass., was on a panel of heavy hitters at the Web Services/SOA on Wall Street conference on Feb. 27. Vandervoort makes the point that, “SOA as a concept will challenge the whole concept of one throat to choke. SOA means federation and is built from federated components that are boundless.”

Han Zaunere, president of New York PHP, an organization for the Apache, MySQL and PHP community in New York, stated, “”In the long run, as far as looking at what you get, I think open source is more valuable.” He points out, “If I download [licensed] software and in two years it’s obsolete, I have no return on that. When you buy open-source support, the software is secondary.” Hiram Chirino, co-founder and director of architecture at LogicBlaze Inc., of Marina del Ray, Calif., believes that open-source software allows users to scale their systems more easily and cheaply because they can simply add more servers without having to worry about licensing costs.

Bob Sutor has written, and podcasted, extensively on the topic of open source. His four part series, is very interesting. I would recommend folks take a few moment to read it, paying particular attention to part 4, “The SOA Connection.” He covers:

• Part 1: Standards
• Part 2: Software
• Part 3: Open Source Software
• Part 4: The SOA Connection

Analyst at Forrester have written a report, “The Future of Enterprise Software.” Andy McCue has written the article “Open Source and SOA to Redefine Software Landscape” where he summarizes the report. The report stated: “Too many IT pros today reject the new ideas behind the four horsemen as ‘not ready for prime time’. Blanket dismissals of new ideas are defensive; IT executives should be looking instead for ways that the four horsemen can drive productive changes for business. These forces will define the future of enterprise software.” The “four horsemen” of commoditization are service oriented architecture (SOA), open source, software as a service and offshoring. Forrester predicts the four horsemen will lead to cheaper prices and a radical change in enterprise software landscape of the future.

SOA is ultimately about integration. It can be integration of open or closed source software packages. SOA brings agility to an enterprise. CEO and CIO are beginning to question the wisdom of getting locked into a software solution. When you take a solution, such as SAP, it is a solution that matches a complex problem with a complex solution. Annrai O’Tool, CEO of Cape Clear, tells the following story on Dana Gardner’s SOA trends webinar:

We have a couple of ex-PeopleSoft people working with us at Cape Clear, and they tell a great story about how they used to do sales pitches against SAP. They went to the customer with a small cup of quick-drying cement and poured it into a mold. By the time they finished the presentation, the cement is set and it has SAP written on it. They then say, “There you go, that’s the deal with SAP.” It is easy to design, but once you get your business process done, it is embedded in cement.

O’Tool points out that for many businesses, the business process is very difficult to change. He goes on to say, “SOA is all about how to use that application in new and more transparent ways that are easier to change and that deliver agility.”

Commercial solutions can have high up cost and high continuous operation costs. Even changing out hardware can end up costing a business significantly due to software licenses. In this rapidly changing IT environment, a company can easily find itself with a solution that no longer fits its business need, but it has too much invested to change course. Even worse, in time their software solution might no longer be actively developed as software companies change directions or go out of business. OSS helps reduce some of these risks. While there are costs, more of the expenditures goes into the companies own people. This helps create a work force better adapted to face a changing IT environment. Hub Vandervoort said it best when he stated “when you buy a software license you are paying for past innovation; when you buy open source, you’re investing in future innovation.”

Next to my bed, I have the book, “Time Management for System Administrators” by Thomas A. Limoncelli. I highly recommend the book. I have to confess, I have not gotten very for into the book. I just have not had much time. I know, it sounds like a punch line. Well, as I write, it is past midnight Sunday morning, and I am going to have to get up in a few hours.

Life in IT can be complicated. There is alot of issues to deal with. This seems especially true in Security. Security is all about layers. There is no silver bullet. If there was, you would still have to layer it.

This is why, I find COBIT interesting. First, it provides structure. This helps organize and ensure that different areas of security and IT operations are addressed. It is too easy to focus on the immediate problem and because of time constraint miss other problems. It is the classic scene from a movie where the person being chased secures the front door while forgetting that the windows are wide open. COBIT basically provides the forest view. Second, along those lines, it helps align the work to business objectives and auditing requirements. That saves time both with the auditors and with management. As life becomes more complicated, it is important to get people on the same page.

I find it interesting when I see COBIT gaining recognition in various projects and press. In the Open Web Application Security Project (OWASP) documentation, “A Guide to Building Secure Web Applications and Web Services” most sections have a subsection, “Relevant COBIT Topics.” It is looking like OWASP is embracing COBIT. The ISACA site, has a section for COBIT mapping documents. It provides good information on how these different standards relate to COBIT. Unfortunately, some documents do require membership to ISACA. There is a good deal of interesting information available from ISACA. If you are interested in membership, information is available at their site. ISACA maps COBIT against the following standards:

No Login Required: Login Required: Member Only:

• COBIT Mapping: Mapping of ITIL With COBIT 4.0 (PDF, 553K) Jan 2007
• COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0 (PDF, 582K) Jan 2007
• COBIT Mapping: Mapping of ISO/IEC 17799: 2005 With COBIT 4.0 (PDF, 544K) Dec 2006
• COBIT Mapping: Mapping PMBOK to COBIT 4.0 (PDF, 669K) Aug 2006
• COBIT Mapping: Mapping SEI’s CMM for Software to COBIT 4.0 (PDF, 590K) Aug 2006
• COBIT Mapping to ISO/IEC 17799 :2000 With COBIT, 2nd Edition (PDF, 570K) May 2006
• COBIT Mapping Overview of International IT Guidance 2nd Edition (PDF, 444K) Apr 2006
• Aligning COBIT, ITIL and ISO 17799 for Business Benefit (PDF, 255K) Nov 2005

The article, “The 7 Best Practices for Network Security in 2007” from NetworkWorld, has the following statement:

If you don’t already have corporate security policies, now is the time. There are some excellent models out there for free or for a minimal charge. My favorites are the powerful COBIT model, the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799.

COBIT helps provide the high level view. This is complimented with the material from NIST and SANS, which helps with the trees.