Ted has posted another fascinating talk, this time by behavioral economist Dan Ariely. The talk is essentially about how context and complexity can influence decision-making contrary to what one would generally call a rational process.
While interesting in its own right, this analysis could have an immense effect on security. In its simplest form, OpenBSD understood this years ago with "secure by default" -- make insecure configurations more difficult than secure configurations and systems will, for the most part, be configured properly.
One can take this a step further and apply it to user interface design. Internet Explorer 8 does this with SSL errors -- the user is steered towards not viewing a site instead of blindly clicking through to a potentially hostile page.
Human error is the single largest vulnerability out there. Instead of looking at security as the enemy of usability, there could be a significant security gain by engaging our usability experts to guide users into making smarter decisions about security.
The folks at LayerOne have already posted video of the talks. There were some excellent talks. If you have the time, I'd especially recommend David Bryan's talk on GNURadio and Joe McCray's Advanced SQL Injection.
Here's my talk, Is XSS Solvable? (and yes, I know I speak too quickly):
I just finished my LayerOne talk. My slides are available here via Scribd. The demo code is also available via Subversion here.
I will be giving a talk called Is XSS Solvable? at LayerOne this Saturday in Anaheim, California. If you're in the LA area, the conference is inexpensive and has some great talks lined up; I'd encourage you to come.
I'll post slides and source code once the talk is finished.
Today, Microsoft released new tools that supplant a couple of tools I mentioned last week. The first is an update to the Anti-XSS library that is now current with the version we use internally.
The second, a static code analyzer called CAT.NET is an extraordinary tool. If used with some discipline, it can virtually eliminate XSS and SQL injection vulnerabilities in managed code.
From the SDL Blog on MSDN:
Today, we’re very excited to announce the availability of our next version of the Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements, localization enhancement as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that can be used by developers to identify some common vulnerabilities that can lead to attack vectors such as XSS, SQL Injection and XPath Injection in your code. [From Announcing CAT.NET CTP and AntiXSS v3 beta]
If you're working in any .NET language on the web, including non-Microsoft languages, you should check CAT.NET out.
Following my past post about the Microsoft SDL Threat Modeling tool, I have a list of other free Microsoft risk management tools. I think full disclosure is important up front for this post: I am a Microsoft employee. I am not discounting the value of non-Microsoft tools - I am simply posting a list of tools that I recently compiled for a colleague.
In addition to the SDL Threat Modeling Tool, which is geared toward developers with a limited security background, there's the Microsoft Threat Analysis & Modeling tool. It uses the "DREAD" threat model (Damage potential; Reproducibility; Exploitability; Affected Users; Discoverability) rather than the "STRIDE" model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) that the SDL tool uses. IMHO, the DREAD model is geared more towards risk managers than developers. OWASP documents a couple of other frameworks (including Homeland Security's CVSS) here.
If you want to do large-scale security assessments, there is the Microsoft Security Assessment Tool. It's designed for a much higher-level view (or lower, depending on your perspective) than either threat modeling tool.
I'd love to be able to point you to a good attack surface analyzer that looks for misconfigured services and applications, but I don't know of a good comprehensive public tool (though I'd love to find one). Instead, I'll point out a couple of tightly-scoped tools that I'm familiar with.
The MS Baseline Security Analyzer will check patching states. It's probably the tool on the list that's most widely known.
The Best Practices Analyzer Tool for MS SQL Server for 2005 came out recently. There's also an older one for SQL Server 2000.
XSSDetect is a static code analysis tool that identifies XSS vulnerabilities (in case the name didn't give that away). There's a second static code analyzer to battle SQL Injection.
Both of those tools work on compiled assemblies, so in addition to working on VB.NET and C#, they should also work on PHP (via Phalanger), Python (via IronPython) and Ruby (via IronRuby). I think Perl folks are out of luck.
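Tools like CAT.NET and XSSDetect work by tracing tainted data from an untrusted source through the program until it reaches a dangerous sink, and by checking whether a sanitizer appropriate for that sink was applied on the way. The following is an added example of that idea, not code from CAT.NET or XSSDetect: a toy forward taint analysis over a constructed three-address IR rather than MSIL. The source, sanitizer and sink names are hypothetical stand-ins modelled on the ASP.NET and ADO.NET APIs the posts mention, and the sample program is constructed.

```python
"""Toy source-to-sink taint analysis, in the spirit of CAT.NET / XSSDetect.

Added example; not the tools' own code. The IR is a constructed list of
(dest, op, args) tuples standing in for MSIL. API names are hypothetical
stand-ins for ASP.NET / ADO.NET calls.
"""
from dataclasses import dataclass

# Untrusted inputs. Anything read from here is tainted for every sink kind.
SOURCES = {"Request.QueryString", "Request.Form", "Request.Cookies"}

# Sanitizer -> set of sink kinds it makes the value safe for. The point of
# keeping this per-kind: HTML encoding does nothing for a SQL sink.
SANITIZERS = {
    "AntiXss.HtmlEncode": {"xss"},
    "AntiXss.HtmlAttributeEncode": {"xss"},
    "Int32.Parse": {"xss", "sqli"},  # a parsed integer is safe in both contexts
}

# Sink -> vulnerability class a tainted argument would represent.
SINKS = {
    "Response.Write": "xss",
    "SqlCommand.CommandText": "sqli",
}


@dataclass
class Finding:
    line: int        # instruction number of the sink
    kind: str        # "xss" or "sqli"
    sink: str
    trace: tuple     # instruction numbers from the source to the sink


def analyze(ir):
    """Forward taint propagation over a straight-line instruction list.

    taint[var] = (set of sink kinds var is still dangerous for, trace)
    """
    taint = {}
    findings = []
    for n, (dest, op, args) in enumerate(ir, 1):
        if op in SOURCES:
            taint[dest] = ({"xss", "sqli"}, (n,))
            continue
        if op in SINKS:
            kind = SINKS[op]
            for a in args:
                if a in taint and kind in taint[a][0]:
                    findings.append(Finding(n, kind, op, taint[a][1] + (n,)))
            continue
        # Any other op (concat, sanitizer call, ...) propagates the union of
        # its arguments' taint to dest, minus what a sanitizer neutralises.
        kinds, trace = set(), ()
        for a in args:
            if a in taint:
                kinds |= taint[a][0]
                trace += taint[a][1]
        if op in SANITIZERS:
            kinds -= SANITIZERS[op]
        if dest is not None:
            if kinds:
                taint[dest] = (kinds, trace + (n,))
            else:
                taint.pop(dest, None)  # dest now holds a clean value
    return findings


# Constructed sample program (three-address pseudo-IR).
SAMPLE_IR = [
    ("name", "Request.QueryString", ('"name"',)),           # 1: source
    ("safe", "AntiXss.HtmlEncode", ("name",)),               # 2: HTML-safe only
    (None, "Response.Write", ("safe",)),                     # 3: OK
    (None, "Response.Write", ("name",)),                     # 4: XSS
    ("sql", "concat", ('"SELECT * FROM u WHERE n=\'"', "name", '"\'"')),  # 5
    (None, "SqlCommand.CommandText", ("sql",)),              # 6: SQLi
    (None, "SqlCommand.CommandText", ("safe",)),             # 7: SQLi (wrong sanitizer)
    ("age", "Int32.Parse", ("name",)),                       # 8: clean
    (None, "SqlCommand.CommandText", ("age",)),              # 9: OK
]


def report(ir=SAMPLE_IR):
    """Return one human-readable line per finding."""
    return [f"{f.kind.upper()} at {f.line} ({f.sink}), flow {'->'.join(map(str, f.trace))}"
            for f in analyze(ir)]


if __name__ == "__main__":
    print("\n".join(report()))
```

Instruction 7 is the case worth noticing: the value was HTML-encoded, which satisfies a naive "was it sanitized?" check, but it is still tainted for the SQL sink. Tracking taint per sink kind is what lets an analyzer report it.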
And here's a version of Microsoft's Anti-XSS library for ASP.NET. It's older than I'd expect, since this sort of library needs to be actively maintained, but it is certainly better than just relying on html-encode.
According to one of my favorite blogs, The Dark Visitor, the Chinese hacker website hackbase is looking for new talent.
The salary range is from 30,000-100,000 yuan (USD 4,300 to 14,500 approx) and they are inviting computer and network security personnel from all over the country and the world to join their organization. However, the applicants must work at the Beijing headquarters for a trial-period of three months.
If you make it past the trial period you get to enjoy the same perks as the rest of the staff such as dining together, birthday cakes, free travel, paid holiday, training and end-of-year red envelope (these contain money). For those who show exceptional skill at their post, arrangements can be made to go to Hong Kong, South Korea, the US and the UK.
They are trying to fill four positions:
1) Training department manager
2) Training department computer lecturer
3) Training department network lecturer
4) Training department security lecturer [From The Dark Visitor » Chinese hackers now hiring for locations in the US, Hong Kong, South Korea and the UK]
Of course, the posting is completely in Chinese, but you can read the original courtesy of Google Language Tools.
This isn't new, but Microsoft released its Threat Modeling Tool v3.1 as a public beta a couple of weeks ago. I've been using this tool internally at Microsoft for a bit longer than that, and it is impressive.
Instead of being a comprehensive tool for experts only, this tool makes threat modeling approachable to the average developer with little security background. At its core is a hosted Visio data flow diagramming tool. The tool produces workable diagrams which are then automatically analyzed to suggest common threats.
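The two tools compared across these posts split the work in two: the SDL tool walks a data flow diagram and suggests the STRIDE threats that apply to each element type, while the DREAD-based Threat Analysis & Modeling tool is about rating and ranking threats once they are listed. The following added example (not code from either Microsoft tool) does both steps on a constructed four-element DFD. Assumptions: the element-to-STRIDE table is the commonly published STRIDE-per-element chart, and the DREAD score is the plain mean of the five 1..10 ratings as described in Writing Secure Code; the DFD and the ratings are constructed.

```python
"""STRIDE-per-element enumeration followed by DREAD ranking.

Added example; not the SDL Threat Modeling Tool's or the Threat Analysis &
Modeling tool's own code. Assumptions: the STRIDE-per-element chart below
and mean-of-five DREAD scoring.
"""

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE letters apply to each DFD element type (assumed chart).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


def enumerate_threats(dfd):
    """dfd: list of (element_name, element_type). Returns (name, letter) pairs."""
    threats = []
    for name, kind in dfd:
        if kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {kind}")
        threats.extend((name, letter) for letter in APPLICABLE[kind])
    return threats


def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """Each factor is rated 1..10; the risk score is their mean."""
    ratings = (damage, reproducibility, exploitability, affected, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be integers in 1..10")
    return sum(ratings) / len(ratings)


def rank(threats, ratings):
    """ratings: {(name, letter): (D, R, E, A, Di)}.

    Returns [(name, letter, score)] sorted highest risk first; threats the
    team has not rated yet get score None and sort last so they stay visible.
    """
    scored = [(n, l, dread_score(*ratings[(n, l)]) if (n, l) in ratings else None)
              for n, l in threats]
    scored.sort(key=lambda t: (t[2] is None, -(t[2] or 0), t[0], t[1]))
    return scored


def describe(name, letter, score):
    return f"{name}: {STRIDE[letter]} -> {'unrated' if score is None else score:}"


# Constructed DFD for a small web application.
SAMPLE_DFD = [
    ("Browser", "external_entity"),
    ("Web App", "process"),
    ("HTTP request", "data_flow"),
    ("Users DB", "data_store"),
]

# Constructed DREAD ratings (D, R, E, A, Di) for a few of the suggested threats.
SAMPLE_RATINGS = {
    ("Web App", "E"): (9, 8, 7, 10, 6),       # mean 8.0
    ("HTTP request", "I"): (7, 10, 8, 10, 9),  # mean 8.8
    ("Users DB", "T"): (8, 4, 4, 10, 3),       # mean 5.8
    ("Browser", "S"): (5, 6, 6, 4, 5),         # mean 5.2
}


if __name__ == "__main__":
    for name, letter, score in rank(enumerate_threats(SAMPLE_DFD), SAMPLE_RATINGS):
        print(describe(name, letter, score))
```

Running it lists 15 suggested threats (2 + 6 + 3 + 4 across the four elements), the four rated ones first in DREAD order and the unrated remainder after them, which is roughly the hand-off point between the developer-facing SDL tool and the risk-manager-facing DREAD tool.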
Adam Shostack presented a demo of the software at the BlueHat conference in October as part of a point/counterpoint session (Adam begins about halfway through). Don't blame me for being too far behind, though -- the video was just posted to TechNet before Thanksgiving.
