Tuesday, May 26, 2009

'Sound' Analysis by Dave Wichers

(This blog post was authored by dave.wichers@aspectsecurity.com)

I recently attended the NSA High Confidence Software & Systems (HCSS) Conference and noticed that many tool vendors and researchers working on static and dynamic analysis were using a new term called sound analysis, which means ‘no false negatives’. In other words, a ‘sound’ analysis won’t miss any of the types of flaws it is looking for. It might have some false positives.

Bill Scherlis, one of the speakers, defined this as: “In a sound analysis, as distinct from heuristic analysis, we do not produce false negatives. If there is a defect of a particular variety, our sound analysis will find it. I’ll note that a sound analysis may have false positives. The mathematics generally preclude the possibility of having it both ways. But in practice we don’t get many false positives. But the main point is to avoid false negatives, to not miss a diagnosis. We may occasionally over-diagnose but we will never miss a diagnosis.”

I like the idea of this, but I have never heard any of the vendors in our space claim sound analysis for anything they look for. I did see one vendor there that claimed they could provide sound analysis for buffer overflows. The company was Kestrel Technology. They define soundness as: http://www.kestreltechnology.com/about/sound.php

So, if you hear of any code scanning vendor claim they provide ‘sound’ analysis, I’d be interested in hearing about it. dave.wichers@aspectsecurity.com

- Dave Wichers

PS: Because Kestrel does ‘sound’ analysis, they are able to report the kinds of positive information I would love to see from a tool. In my presentation, I had the following security facts label (updated based on Jeff’s original idea 5+ years ago). Imagine tools in our space reporting what I have listed in gray … Wouldn’t that be nice :-)

PPS: I don’t think this is an attack ‘against’ the tools. I think there are two points here:
1) Sound analysis vs. best we can do with current state of the art (and even sound analysis can improve with less false positives).
2) And separately, tools reporting what they have found that’s good, rather than just what is bad. However, if tools aren’t doing ‘sound’ analysis, they will be reluctant to report goodness, since they can’t find/report everything that’s relevant (and are thus unsound) :)


OWASP Top 6 2009

6. OWASP Legal Project (Secure Software Contracts for Developers and their Clients) http://www.owasp.org/index.php/Category:OWASP_Legal_Project

5. OWASP Live CD! FREE TOOLS! http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

4. OWASP Application Security Verification Standard http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

3. OWASP Code Review Guide http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

2. OWASP Developers Guide http://www.owasp.org/index.php/Category:OWASP_Guide_Project

1. OWASP Coders Security Library for Java, PHP, .NET, ASP and Haskell (ESAPI - FOSS Enterprise Security API) http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Monday, May 25, 2009

Please do not log session ids

I'm very disappointed to see Johannes Ullrich @ the Internet Storm Center lead off the SANS Software Security Institute blogging effort at appsecstreetfighter.com by providing a software security recommendation that will significantly increase application risk!!

http://appsecstreetfighter.com/2009/05/24/logging-cookies-in-apache/

This is absolutely positively bad application security advice. Logging a session id will actually increase application risk! Never log session ids!

To quote Johannes, "The cookie typically includes the session ID, which then links to a particular user. So this way, you can figure out which user caused a particular action."

An insider could hijack all active sessions by simply having access to a live application log file.

Never log session ids. If you need to uniquely identify each session in your log files for debugging or other purposes, then hash your session ids before logging them. Only transmit session ids over well-configured HTTPS. Keep session ids out of URLs. Make sure session ids are cryptographically random and long. Reduce idle timeout. Enforce absolute timeout. Invalidate session ids at logout.
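One way to implement the hash-before-logging advice, as an added example that is not from this post or the linked article: a Python filter that replaces session ids, whether they appear in a logged Cookie header or in a URL path or query parameter, with a keyed-HMAC correlation token before the line is written. The cookie names, the sample log line and the key are constructed for the example; it uses an HMAC rather than the bare hash the post mentions, so a leaked log cannot be turned back into ids by hashing guesses.

```python
import hashlib
import hmac
import re

# Cookie / URL parameter names that carry session identifiers.
# Constructed list for this example; extend it for the frameworks in use.
SESSION_ID_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId")

# Key used only by the logging layer. Constructed placeholder: in a real
# deployment load it from configuration and keep it apart from application keys.
LOG_HMAC_KEY = b"constructed-logging-only-key"

# Matches NAME=VALUE wherever it appears: a Cookie header ("JSESSIONID=..."),
# a URL path parameter (";jsessionid=...") or a query string ("?PHPSESSID=...").
# Case-insensitive because servlet containers lowercase the path-parameter form.
_SESSION_RE = re.compile(
    r"(?i)(?<![\w.])(" + "|".join(re.escape(n) for n in SESSION_ID_NAMES) + r")=([^\s;&\"']+)"
)


def session_id_token(session_id: str, key: bytes = LOG_HMAC_KEY) -> str:
    """Derive a stable, non-reversible correlation token from a session id.

    A keyed HMAC rather than a bare hash: anyone who obtains the log cannot
    recompute tokens from candidate ids without the logging key, yet the same
    session still maps to the same token, so its requests can be tied together.
    """
    mac = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "sid-" + mac[:16]  # 64 bits is ample for correlating log entries


def redact_log_line(line: str) -> str:
    """Replace every session id in a log line with its correlation token."""
    return _SESSION_RE.sub(lambda m: f"{m.group(1)}={session_id_token(m.group(2))}", line)


if __name__ == "__main__":
    # Constructed access-log line in the shape of Apache's combined format with
    # the Cookie header appended, as logging the Cookie request header would do.
    raw = ('10.0.0.7 - - [25/May/2009:10:14:02 -0500] "GET /app/cart;jsessionid=AB12CD34EF56 HTTP/1.1" '
           '200 512 "-" "Mozilla/5.0" "JSESSIONID=AB12CD34EF56; theme=dark"')
    print(redact_log_line(raw))
```

The same session yields the same token in the URL and the Cookie header, so a debugging trace still lines up, while the log no longer contains a credential that would let a reader hijack the session.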

But really, if you think you need to log a session id or ANY credentials, think again.

Make sure your Web Application Security educator utilizes OWASP principles!

PS: appsecstreetfighter.com is a great blog name.


Friday, May 22, 2009

OWASP Podcast #22 - Dan Cornell

OWASP Podcast #22, an interview with Dan Cornell, CTO of the Denim Group - is now live! http://www.owasp.org/index.php/Podcast_22
Dan is a smart cookie who puts in an incredible amount of time volunteering for OWASP. He's a great guy with a very pragmatic perspective on Application Security. I hope you enjoy!
OWASP Podcast Series RSS: http://www.owasp.org/download/jmanico/podcast.xml
OWASP Podcast Series iTunes: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012

Wednesday, May 20, 2009

OWASP Podcast #21 - Richard Stallman

OWASP Podcast #21, an interview with Richard Stallman, is now live!

Richard is the founder of the GNU Project and the Free Software Foundation. Created the GNU Compiler and Debugger. Emacs, too. He is one of the original (MIT Style) hackers. He also created a few licenses, like the GPL. He is the original Software Freedom Fighter. (Just don't ask him what his Skype address is, ouch my bad)

To listen to OWASP Podcast #21, you can download the OGG file directly or subscribe to the RSS feed. This podcast is only being released in OGG format to honor Richard's request.

I'm very grateful to Shpongle and Twisted Records for allowing the OWASP Podcast Series FREE use of their music for the show!

Tuesday, May 12, 2009

OWASP Podcast #19 - March 2009 News Part 2

OWASP Podcast #19 - Part 2 of the OWASP Newscast for March 2009 - is now live!

OWASP Podcast #19 features Arshan Dabirsiaghi, Andre Gironda and Jeff Williams. Andre did all of the extensive copy editing work. We cover a variety of Web App Sec articles found here. The show lasts about 55 minutes.

To listen to OWASP Podcast #19 you can download the mp3 file directly, subscribe to the RSS feed, subscribe directly to iTunes!

Gareth Heyes was kind enough to donate some new album art for the show!


The OWASP Podcast News Commentary Show will soon be on a 2 week production cycle. I've also invited John Steven from Cigital, Alex Smolen from Foundstone, and Tom Brennan from Whitehat Security to join the show. It should make for a very interesting appsec mix!

Sunday, May 3, 2009

OWASP Podcast #18 - Jeremiah Grossman

OWASP Podcast #18, an interview with Jeremiah Grossman, is now live! Jeremiah is the CTO of Whitehat Security and has been an active member of the Web Application Security community for well over 10 years.

To listen to OWASP Podcast #18, you can download the mp3 file directly, subscribe to the RSS feed or subscribe directly through iTunes!


I'm very grateful to Shpongle and Twisted Records for allowing the OWASP Podcast Series to use their music for the show! I'm a very big fan of Ambient and Down-tempo techno. Perfect coding music. Shpongle is among the best.