Monday, September 8, 2008

Scheduled for 10/16 and 10/17 this year, the thrust of the Fall session is the Security Development Lifecycle:

Microsoft BlueHat Security Briefings

What is BlueHat?

BlueHat is a twice a year, by-invitation-only Microsoft security conference aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas and social networking. BlueHat is a cutting-edge conference aimed at improving the security of Microsoft products. BlueHat continuously seeks out new and innovative material, highlighting important emergent technologies, techniques, and industry best practices.

  • Vulnerability economy
  • Web application security
  • Mobile/Wireless devices
  • Crimeware
  • Penetration testing and fuzzing
  • Architecture flaws
  • Network design and compromise
  • Reverse engineering
  • Exploit development
  • Intrusion prevention
  • Cryptography
  • Lions and tigers and bears

http://technet.microsoft.com/en-us/security/cc748656.aspx

Wednesday, August 27, 2008

“In Space No one can hear you scream” – tagline for the sci-fi classic “Alien”.

I’m sure astronauts at the ISS are screaming at their computers.  Apparently, one of the astronauts unleashed the Gammima.AG virus via a USB stick:

“The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection.

Once it has scooped up passwords and login names the Gammima.AG worm virus tries to send them back to a central server. It targets a total of 10 games most of which are popular in the Far East such as Maple Story, HuangYi Online and Talesweaver.”

No Command/Control computers are affected (as far as they know).

 

Article: http://news.bbc.co.uk/1/hi/technology/7583805.stm

Sunday, June 29, 2008

June 29th, the 50% mark for Summer of Code 2008 is here.  Here’s an unofficial update of what has been done for the OWASP .NET Project for SOC 2008:

Goal 1:  OWASP .NET Site Reorganization

Pages (I’d say I’m about 50% done – there’s a ton of stuff that I *want* to add, but as far as what is useful and relevant, the content is about 50% there.)

Special Projects becomes Vulnerability Research

After discussions with OWASP .NET Project contributors and Dinis Cruz, added Recommended Resources

Goal 2: OWASP .NET Project Outreach

Presentation Materials for OWASP & OWASP .NET & Software Lifecycle

OWASP .NET Bullet Points

Community Outreach

  • User Groups – I gave a 10 minute introduction to the OWASP .NET Reorg in the OWASP EU App Sec 2nd Keynote.  I reached out to OWASP Philadelphia and New York to find time for me to present (still working on these); I plan on reaching out to other groups in the 2nd half.
  • Forums - Participating in ASP.NET forum, I need to be more involved and find additional forums.
  • Microsoft MVP Community – I reached out to Alex Smolen, a Security MVP who informed me that there was talk about having MVP’s participate in the OWASP .NET side.  I will continue to push for their involvement.
  • Microsoft - I have a couple of contacts that I will work with at Microsoft to keep me in the loop.

Media Outreach

  • ISSA Journal - I was asked to submit an abstract for an upcoming issue of ISSA.  The editor is interested in a couple of ideas that I provided.  I will be completing this in the next few weeks.
  • ISC2 Blog - I was given blogging privileges for the ISC2 Blog (CISSP folks).  I haven’t found the right content to bridge security development and the CISSP level stuff, but I have a few ideas in my backlog.
  • MSDN Magazine - I e-mailed the editor and he offered to present OWASP .NET as a resource for their Toolbox section.  I volunteered to provide anything required.
  • OWASP Media Guidelines - As I’m working on an article for ISSA, I’m keeping a log of what things other OWASP authors might find useful.  For example, a standard blurb about OWASP and your project as part of your author introduction.

Goal 3: OWASP Project Support

Projects that I’m working with in addition to OWASP .NET Reorganization that will allow me to continue to recruit content for OWASP .NET

Here is the roadmap going forward for the next half of Summer of Code 2008

Thursday, June 26, 2008

Couldn't find specific .NET incident response guidance or tools, but there are a few good links to general incident response resources at .NET Incident Response.

Some of the highlights include:

  • Carnegie Mellon's SEI Incident Response Handbook
  • NIST Special Publication for Forensics guidance
  • Helix as part of your response toolkit
  • and more.

Thursday, June 19, 2008

I open sourced a project on CodePlex for handling SQL injection attacks.  The main piece is an httpModule that you can have check requests to the web server.  It’s very primitive at the moment, using a blacklist to filter request values (Querystring, Form and Cookies).  For example, “lend” and “Bender” both fail the validation check because the word “end” is on the black list (we will disregard the fact that we may use the word “end” somewhere).  So, what are the best practices for handling SQL statements posted to a web server?  Is there some preexecution check, or better heuristics for filtering?

The project can be found here: www.codeplex.com/shield.

Tuesday, June 10, 2008

I was going to name this blog post “You’re only as strong as your weakest Linq,” but I thought that would be trite (but funny enough to mention anyway).

Here it is: Linq is not impervious to SQL injection, contrary to the claim made in Eliminate SQL Injection Attacks Painlessly with LINQ. While I agree with the article’s statement that to eliminate SQL injection you should eliminate SQL, the reality for Linq is not so cut and dried. The author states that “every SQL query that Linq executes on your behalf is parameterized.” This is not true. In fact, inline SQL is recommended to improve the performance of certain Linq queries:

  • see http://shrinkster.com/z2q for improved performance
  • see http://shrinkster.com/z2p for bulk updating issues with Linq
  • and here’s a fun one – passing the query to a function, http://shrinkster.com/z2o

It should be easy to see that the use of the DataContext ExecuteQuery and ExecuteCommand functions is problematic: both take the SQL text you hand them, so anything concatenated into that text reaches the server unchanged. Here is my proof of concept code using a simple example – a LinqDataSource and a web page with unvalidated input:

I am using Visual Studio 2008 and SQL Server 2005. For the datasource I needed to create a DataContext. I created a database with a table named Trade to query against:

[screenshot: the Trade table]

Then I created the DBML for the DataContext by adding LINQ to SQL Classes and added my table to the design surface:

[screenshot: the DBML design surface with the Trade table]

I created a simple page (includes a LinqDataSource, a ListView, a TextBox and a Button):

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Literal ID="Literal1" runat="server"></asp:Literal>
        <br />
        <br />
        <asp:ListView ID="lstTrades" runat="server" DataKeyNames="TradeID" DataSourceID="LinqDataSource1">
            … template markup removed …
        </asp:ListView>
        <br />
        <br />
        <asp:TextBox ID="txtParams" runat="server" Width="352px"></asp:TextBox>
        <br />
        <br />
        <asp:Button ID="btnExecuteQuery" runat="server" onclick="btnExecuteQuery_Click" Text="Execute Query" />
        <asp:LinqDataSource ID="LinqDataSource1" runat="server" ContextTypeName="DriveHaxDataContext" TableName="Trades">
        </asp:LinqDataSource>
    </div>
    </form>
</body>
</html>

Default.aspx.cs

using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Diagnostics;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Hook the data source so this page can supply its own result set.
        this.LinqDataSource1.Selecting += new EventHandler<LinqDataSourceSelectEventArgs>(LinqDataSource1_Selecting);
    }

    void LinqDataSource1_Selecting(object sender, LinqDataSourceSelectEventArgs e)
    {
        DriveHaxDataContext driveHax = new DriveHaxDataContext();

        if (this.txtParams.Text.Length > 0)
        {
            // Deliberately vulnerable: the raw TextBox value is concatenated into the
            // SQL text, so ExecuteQuery runs whatever the user typed as part of the statement.
            string sql = "select * from Trade where DealMember='" + this.txtParams.Text + "'";

            var trades = driveHax.ExecuteQuery<Trade>(sql);
            e.Result = trades.ToList();
        }
        // With an empty TextBox no Result is set, and the LinqDataSource falls back
        // to its own select over the Trades table (the "No Parameters" case below).
    }

    protected void btnExecuteQuery_Click(object sender, EventArgs e)
    {
        // Rebinding the ListView fires Selecting with the current TextBox value.
        this.lstTrades.DataSourceID = this.LinqDataSource1.ID;
    }
}

Here’s a quick look at results and how SQL injection causes more data to be returned.

No Parameters: [screenshot]

Use a name that I know has a trade, and return data: [screenshot]

Use a simple SQL injection statement, and return more data: [screenshot]


I only did a query statement for this post; I have repeated this with ExecuteCommand with DML operations.
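The DataContext methods the post exercises do not have to be fed concatenated SQL. As an added example (not code from the post, the quoted article, or Microsoft), here is the post’s query in its vulnerable form next to the parameterized ExecuteQuery and ExecuteCommand forms and the equivalent query expression; it also answers the June 19 question about a pre-execution check for the Shield module: bind the value as a parameter instead of filtering it. It assumes the DriveHaxDataContext, Trades table and Trade entity generated from the post’s DBML; the delete statement is a hypothetical DML operation chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Linq;

// Assumes the DriveHaxDataContext and Trade entity generated from the post's DBML
// (Trade table with TradeID and DealMember columns).
public static class TradeQueries
{
    // BEFORE: the post's pattern. The untrusted value is spliced into the SQL text,
    // so LINQ to SQL forwards it verbatim and a quote in the input rewrites the WHERE clause.
    public static List<Trade> ByDealMemberUnsafe(DriveHaxDataContext db, string dealMember)
    {
        string sql = "select * from Trade where DealMember='" + dealMember + "'";
        return db.ExecuteQuery<Trade>(sql).ToList();
    }

    // AFTER (1): keep ExecuteQuery for hand-tuned SQL, but bind the value.
    // DataContext.ExecuteQuery<T>(string, params object[]) treats {0}, {1}, ...
    // as SQL parameter placeholders (sent as @p0, @p1), not as string substitution,
    // so the input can carry any characters without changing the statement's structure.
    public static List<Trade> ByDealMemberParameterized(DriveHaxDataContext db, string dealMember)
    {
        return db.ExecuteQuery<Trade>(
            "select * from Trade where DealMember = {0}", dealMember).ToList();
    }

    // AFTER (2): the same filter as a query expression. Values supplied this way are
    // always parameterized by the provider, which is the guarantee the quoted article
    // actually describes; it does not extend to SQL text passed to ExecuteQuery.
    public static List<Trade> ByDealMemberLinq(DriveHaxDataContext db, string dealMember)
    {
        return db.Trades.Where(t => t.DealMember == dealMember).ToList();
    }

    // ExecuteCommand follows the same rule for DML: {0} is a bound parameter.
    // Hypothetical operation for illustration; returns the number of affected rows.
    public static int DeleteTradesForDealMember(DriveHaxDataContext db, string dealMember)
    {
        return db.ExecuteCommand(
            "delete from Trade where DealMember = {0}", dealMember);
    }
}
```

In the post's Selecting handler, replacing the concatenated call with ByDealMemberParameterized(driveHax, this.txtParams.Text) keeps the custom SQL while removing the injection path.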

As you can see, while Linq has probably reduced the scope of SQL injection vulnerabilities for those who use it, it is certainly not impervious. What hacks and shortcuts have you done for performance, or because it was too time consuming to learn a new syntax? Linq and its functional programming aspects will be new to many developers. I personally like Linq and think it is a very useful technology, but you should be aware of both its strengths and its weaknesses.

Thursday, May 29, 2008

Introduction

  • OWASP.NET story and Who the heck am I?

Where we've been
  • Timely and targeted content and tools
    • .Net and Partial vs. Full trust
    • Rooting The CLR
    • .Net Assembly Analyzer
    • Owasp Report Generator
    • Owasp Site Generator
  • Great work with content and promotion by Dinis and Mike D, very tactical but maybe unreachable by a non-security developer

OWASP .NET SOC 2008 Goals
  • Balance highly technical content, tools with content to help developers get on board quickly.
  • Provide role based content (e.g. Architects, Developers, Ops, Pen Testers)
  • Get the word out. Remind everyone about us.
  • Participate in our constituent communities in OWASP, .NET and Security.
  • Alt.NET. There is great interest in alternative ideas, methodologies and tools. OWASP .NET can leverage this momentum and attract volunteers from this community.

OWASP .NET Long Term Goals

OWASP .NET In Action
  • Mobilize OWASP .NET resources. Project volunteers can consult technology teams and provide great resources.
OWASP .NET Vulnerability Reviews
  • Initiate projects to review community .NET web projects. How do you secure Flexwiki or Community Server? Has anyone pen tested these apps?
OWASP .NET Code Projects
  • Next generation of OWASP projects, like Report Generator and Site Generator.
  • Guidance and Framework that integrates with ESAPI.NET and other providers (e.g. OpenID). Put it in place, and login controls, access control, auditing/logging/instrumentation visualizers are available.
  • Security testing code projects. NUnit and mock objects are useful tools, maybe a security toolset that includes fuzzing objects, common vulnerabilities, injection, FXCop, Owasp objects. SDD - Security Driven Development.

Call to Action

Join the mailing list

Go to the following page http://lists.owasp.org/mailman/listinfo/owasp-dotnet and fill out the section titled "Subscribing to Owasp-dotnet".

Join a project

http://www.owasp.org/index.php/OWASP_.NET_Active_Projects

Submit ideas for research

http://www.owasp.org/index.php/.NET_Project_Wishlist

Funded Summer of Code projects

For example, see SoC 2008: http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection

Feel free to contact me with any questions

mailto:mark.roxberry@owasp.org

Friday, May 23, 2008

Chronicling my trip to Ghent, Belgium to talk about OWASP .NET Project plans, the next couple of blog posts will cover my recollections and impressions. First off, my presentation was fast and furious and while I was a little awkward, trying to get the feel for my audience and the environment, I think I managed to communicate our goals and plans. I had a few people express interest in different things we are doing and I consider that a win, as most of the developers at the conference were Java security pros. I had to pimp my Java skills to get the audience on my side, and not come across as a Microsoft only professional. So, it went well, I have a few references and will be posting more about Anti-Samy for .NET, open research on community projects and an action plan. Look forward to these posts in the next few days.

Saturday, May 17, 2008

Project Reorganization

  • Added WCF Security Best Practices
  • Finished my bullet points or "elevator speech" for the OWASP .NET Project
  • Finished my OWASP .NET Project slides for OWASP Europe Keynote
  • Finished OWASP .NET Project presentation
  • Added / Updated OWASP .NET Content

Media Outreach
  • OWASP .NET Project mentioned at ASPNetPro, in Open Source Security
  • I've had a few people contact me or Paulo Coimbra who are interested in contributing to the project.
  • I'm selectively e-mailing people about the project, letting them know that it's around and what we're up to.

This week's plan
  • I'll be in Ghent, Belgium for the OWASP European Conference. I'm on stage for the OWASP Tour keynote presented by Dinis Cruz (I have a couple of slides).
  • I'll write some stuff for the .NET Security for Penetration Testing pages.
  • I will reach out to the people at the following print magazines, Homeland Defense, ISSA, MSDN Magazine and Code magazine. Maybe they're interested in the project or an article.

I'm looking for anyone who is interested in writing articles or content, or code and tools for the OWASP .NET Project. I've put out a few announcements about the project. The most recent can be found at ASP.NET (Microsoft's ASP.NET site) @ http://forums.asp.net/tags/OWASP/default.aspx :

Hi all,

We're starting up the OWASP (Open Web Application Security Project) .NET Project Reorganization and I'm looking for your feedback. OWASP is a worldwide free and open community focused on improving the security of application software. The purpose of the OWASP .NET Project is to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework for web applications and services. The project will try to include resources from Microsoft and from the Open Source community, the Alt.NET community and other related security resources. We're looking for feedback from the ASP.NET community here for projects, tools and articles to help developers secure their code and sites as we redirect our efforts.

In addition to feedback, if you have time and you're looking to work on projects for .NET security, if you want to write articles, create tools or other projects to help out fellow developers, please join us.

For more information, feel free to e-mail me @ mark.roxberry@owasp.org or visit our site in progress: OWASP .NET Project Reorganization (Alpha).

Mark Roxberry
OWASP .NET Project Leader
www.owasp.org

Friday, May 16, 2008

I added WCF Security Best Practices to the OWASP .NET Site. The content is just a summary of what lives at Codeplex, but OWASP .NET should have references like this attributed to the author(s). I put the checklist up at OWASP; the reader can go to the Codeplex site for more information.

Thursday, May 15, 2008

The Summer of Code is in full swing and we're looking for reviewers for projects. I am also looking for contributors for the OWASP .NET Project. For reviewers, there are quite a few projects, and compensation: free tickets to the OWASP NYC Conference or 12.5% of the project's stipend (~$300-$600). Here's the recent e-mail from Paulo Coimbra:

Hello everyone,

I hope you all are well.

As you already know, OWASP has awarded 31 grants to promising application security researchers as part of the OWASP Summer of Code 2008 (SoC 2008).

As a result, I am here again taking your time - we are seeking project reviewers so as to have all these projects assessed.

Consequently, if you are interested in performing such a task, please don't hesitate and let us know as soon as possible. As a volunteer organization, we rely absolutely on your contribution. Hence, we strongly encourage you to put forward your application to assume this reviewer role.

To make your decision please look at the following information:

1. Where are the projects to review? These projects can be found here.

2. What are the reviewers' main tasks?

A. The main tasks are the result of a set of rules previously established in both the OWASP Summer of Code 2008 initiative and the OWASP Project Assessment criteria.

B. To exemplify, please take into consideration the OWASP Skavenger Project.

C. Simplifying, I would say that the review work will basically consist of certifying that the project's objectives and deliveries were accomplished and, taking into consideration the OWASP assessment criteria, in certifying that the Beta Status was reached. Additionally we expect the reviewer always to be available to provide useful advice to the project developer. These tasks must be performed twice: the first one, the 50% Review, by June 29 and the second one, the Final Review, by September 15.

D. Regarding the question of the project status, it is important to clarify that, even though the majority of the projects have to reach Beta status, there are also some others in which the status target is Release Quality. That is to say, each project built on previous work done within OWASP (Existing OWASP Projects) should obtain Reviewers' agreement that a Release Quality stage was achieved.

3. Who can be a reviewer? If you are interested in contributing and feel comfortable with the technical matters in question, you can be a project reviewer. We also encourage the OWASP Summer of Code 2008 participants to take part in reviewing someone else's SoC 2008 project. However, please pay attention to the fact that at least one of the two Project Reviewers should be an OWASP Project or Chapter Leader.

4. Will this work be paid? Well, in terms of paying the market value of your work, we wouldn't dare say 'yes'. However, we will reward this contribution either with a free ticket to attend the OWASP NYC AppSec 2008 Conference or with 12.5% of the value of the project to be reviewed.

5. Where can I find the project's progress page in which I am interested?  That is to ask, where can I find the page similar to the OWASP Skavenger Project one? Currently, nowhere, but very soon each project will be supplied with its own progress page.

6. So, if I am interested in being one of the reviewers, how should I proceed?

A. Please drop me a line to let me know about your interest.

B. I will put you in direct contact with the project's author.

C. Having reached the author's agreement, please inform us.

D. As all reviewers must have OWASP Board approval, we will inform you as soon as possible about their decision.

To conclude, if you have any kind of doubt, don't hesitate to get back to us.

We thank you in advance, best regards,

Paulo Coimbra
OWASP Project Manager

Friday, May 9, 2008

First off, this is my blog for stuff for the OWASP .NET Project. It isn't moderated or officially endorsed by OWASP. And anything I write here, is my opinion or experience. Feel free to comment or criticize.

That being said, I'd like to use this blog as an online notebook to track progress and capture ideas that aren't necessarily ready for the OWASP .NET Project Wiki. I'd like to use this to preview articles and content and have anyone who is interested give me feedback. I will also use it for announcements about OWASP projects and OWASP events that are relevant to the .NET Project.

The status for the .NET Project as of 5/10/2008

Project Reorganization
I've spent more time on drafts and ideas. I put more links for pages up, but am still working on the content for roles. My draft is becoming more like a guide (and maybe that's what it should be).

I started a Google code project, OWASP .NET Content, to track content submissions, edits, reviews and archives. Specific status items can be found here. I'll keep it updated and when a critical mass is reached, I'll ping the mailing list. Each task will be listed, and you can get a status of what is being worked on. Feel free to join the project.

Media Outreach
I worked on the presentation and will put out "talking points" for the project (this is actually the current tasks that I am working on).

I'll put a link to the tracking document here. This week I'll send out a letter to the editor for MSDN, Code Magazine and hit up a few of the podcasts to see if anyone is interested. I'll also hit up OWASP again about their podcasting plan.

The difficulty I expect to have is that everything is a work in progress and everyone is short on time (this is why I started the Content project on Google Code, to get a good list of completed items to talk about).

Looking Ahead
Here are a few ideas that I'd like to explore beyond my commitment to the reorganization:

1. Measure / Countermeasure research for .NET technologies and platforms

I put up a page for OWASP .NET Vulnerability research. Has any of the stuff that we're putting into play been pen tested or is there sufficient guidance for security? Maybe, but OWASP .NET can be the clearinghouse for testing these projects.

2. Developing a Security Framework for ASP.NET

One of my personal fears is that as secure as I can make my site, or a client's site, that's all moot if you wander to a site that isn't secure. With the express editions of Visual Studio and the relatively cheap cost to run a .NET / SQL Server web application on a shared server, there's the potential of a lot of insecure code waiting to be exploited. I'd like to distill the SDL to a few checklists and push out a framework that gives a decent secure site. Some of the features that the framework would include:

  • Guidance navigator content (checklists for securing a site or service)
  • Provider model for security API (e.g. ESAPI .NET integration and realization)
  • Webform and MVC flavors (including web controls using the API)
  • Unit tests
  • Access Control visualization - start with full exclusion and have an access control visualization for configuration and validation to test the controls.
  • Plugin / Provider framework for XSS / SQL Injection / Fuzzing / other vulnerability testing (a la NUnit for penetration testing)

3. Interactive .NET Security Educational Materials

I've been using the Grava beta and it's a pretty engaging tool for education. It's obvious with the recent SQL Injection "worm" that applications are not being tested for basic security flaws. The problem is part tools and part education. And with the next generation of developers coming into the workforce, we have to provide the tools and education (and a discussion about consequences and ethics) to protect our users.

Comments are welcome.