Posts by dmitryc

OWASP Spring of Code

Over the past few years, I haven’t had the time to attend many security conferences. I happened to be in Seattle for the tail end of the OWASP autumn of code (October of 2006). I had the chance to go out to dinner and chat with many of the leaders in web application security. These are some of the sharpest guys in the industry and OWASP is on the cusp of really taking off. Some of their proposed projects for the Spring of Code will greatly aid the security industry. I already use many of their tools and the financing of innovative, open source security tools is *always* a good thing.

I’m very excited to see that a ‘source code scanner’ may be one of the funded tools. As I’ve blogged in the past, there are great ‘frameworks’ (CodeScout and SWAAT to name two), but the meat of the work is always the individual checks. I hope to see a great open source .NET source code scanner in the near future.
If you’re young (of heart or otherwise), full of vim and vigour, and can afford the time, check out their Spring of Code initiative at


Coming with the bling

There’s no real substance to this post…so, I’m just coming with a little bling to brighten your day.

Big ups to Microsoft for publishing a list of banned SDL functions.  I hope to come up with just such a list for other languages…More here

Big ups to this dude who writes about stuff like: hiring pen-testers, managing technical staff, and hiring code auditors.  This dude has a serious clue and has probably forgotten more than I know.   I’ve blogged about this in the past, but he does it better so go read more here


OWASP Testing Guide released (and, what might be a fairy tale?)

I don’t know exactly when it started…but, at some point a few years ago, network pen-tests started becoming 10% network scanning and 90% web application scanning. I guess it was around 2003 or so???? At any rate, I was working on a pen-test team for a large Fortune ^[1-9]{2}$ company and we ran out of vulnerable network apps. We were scared, since lack of vulnerable apps meant that the network pen-testing team was gonna lose staff, lose resources, or both. Not good. We knew that we had about 6 months until the current flaws made it through the Compliance team, out to the business units, down to the IT director, down to the first manager, down to the second manager, down a few more managers, and finally to the admin who would fix the bug in about 10 minutes (albeit 6 months late).

In a hysterical state, we tried the obvious. Yes, we elevated Traceroute and non-ICMP-filtering issues to High Risk. Bad move – we’re losing credibility.

So, in what can only be considered a move of sheer genius, we turned up our timeout values on Nessus, told it to recurse more than 20 pages into the webserver, and let the scan run for a few hours. OMG! We found flaws. XSS? “Could this be a ‘High’ Risk?”, we whispered amongst ourselves. SQL Injection? Oh Yes! We were ecstatic. For the first time in years, my wife heard me hollering ‘I’ve got root…errr Admin’ from the downstairs office. Our plate was full. We were feasting on hearty portions of web flaws. The compliance team had to double-up in staff. The scan team started working 5 days a week from home during scan window. Looking back, I think of these times as our ‘Salad Days’. Our blood wasn’t cold but our judgement was surely green…and autumn was coming….

Source code redux

Building a static source code analyzer is a daunting task. I note that the latest edition of CSO has an ad for ouncelabs – I guess I should state that I don’t work for Ounce, don’t know anyone who does, and have never (never-ever-ever) used their stuff. And, having said that, I really want to see how they deal with variable state in their app. Give me a shout if you have any first-hand knowledge 😉

My problem can be best summarized with a simple example. I recently did a code audit of a bank’s web app which was handling incoming numeric data. Data came in as a verified Decimal, was converted to a string, and much later the string got converted to an integer without any exception handling. Easy to spot the flaw, right? Well, not for the static analyzer, as the conversions were spread across multiple files, multiple includes, multiple classes, etc. etc. The static code analyzer has to be smart enough to know variables, scope, conversions, mathematical operations, etc. etc. My source code analyzer didn’t flag on the true nature of the bug. Instead, my tool told me where all the data conversions were taking place without exception handling. I had to manually trace each of these variables back to its beginning and all the way through its handling, modifications, etc. to the point where it was de-referenced and used in business logic. Yes, I could have just generated an alert based on the fact that the conversion took place without any exception handling. However, this will generate false positives on programs where the data comes in as an integer, is converted to a string, and then later back to an integer. The source code analysis tool which has the smarts to automate all of that manual ‘tracing’ will be a valuable tool. I’d buy it. I’d be interested in hearing if such a tool exists.
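The tracing problem described above, as an added example that is not the author’s tool or any vendor’s product: a toy Python analyzer run over a constructed Python stand-in for the bank code (the original was .NET; every function name in the sample is invented here). It compares the naive rule the post mentions (flag every unguarded integer conversion) with a flow-aware rule that follows the converted text back through function calls to the Decimal it came from, so the int → string → int round trip is not reported.

```python
"""Toy flow-aware check for the Decimal -> str -> int pattern.

Added example, not the post author's analyzer. The sample program below is a
constructed stand-in for the bank application: the three conversions sit in
separate functions, as they sat in separate files in the audit.
"""
import ast
from decimal import Decimal

SAMPLE = '''\
from decimal import Decimal

def receive(raw):
    amount = Decimal(raw)        # input verified as a Decimal on entry
    return amount

def to_text(amount):
    return str(amount)           # converted to a string for transport

def apply(text):
    units = int(text)            # "12.50" raises ValueError; nothing catches it
    return units

def apply_guarded(text):
    try:
        units = int(text)        # same conversion, but handled
    except ValueError:
        units = 0
    return units

def round_trip(count):
    n = int(count)
    s = str(n)
    return int(s)                # int -> str -> int: the naive rule flags this too

def handle(raw):
    return apply(to_text(receive(raw)))

def handle_guarded(raw):
    return apply_guarded(to_text(receive(raw)))
'''


def convert_as_the_app_did(raw):
    """The runtime behaviour the post describes: Decimal -> str -> int, unguarded."""
    return int(str(Decimal(raw)))


class Analyzer:
    """Tracks the origin kind ('decimal', 'int' or 'unknown') of each variable.

    Only assignments, returns, bare calls and try/except are modelled; that is
    enough for the pattern in the post. Recursive functions are not handled.
    """

    def __init__(self, source):
        tree = ast.parse(source)
        self.funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.naive = set()  # lines flagged by "unguarded int() anywhere"
        self.flow = set()   # lines flagged by "unguarded int() of Decimal-derived text"

    def analyze(self, entry, arg_origins):
        return self._function(self.funcs[entry], list(arg_origins))

    def _function(self, fn, arg_origins):
        env = dict(zip((a.arg for a in fn.args.args), arg_origins))
        return self._block(fn.body, env, guarded=False)

    def _block(self, stmts, env, guarded):
        ret = 'unknown'
        for st in stmts:
            if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
                env[st.targets[0].id] = self._expr(st.value, env, guarded)
            elif isinstance(st, ast.Return) and st.value is not None:
                ret = self._expr(st.value, env, guarded)
            elif isinstance(st, ast.Expr):
                self._expr(st.value, env, guarded)
            elif isinstance(st, ast.Try):
                self._block(st.body, env, True)          # inside try: exceptions handled
                for h in st.handlers:
                    self._block(h.body, env, guarded)
                self._block(st.orelse + st.finalbody, env, guarded)
        return ret

    def _expr(self, node, env, guarded):
        if isinstance(node, ast.Name):
            return env.get(node.id, 'unknown')
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return 'int'
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            return 'unknown'
        name = node.func.id
        args = [self._expr(a, env, guarded) for a in node.args]
        src = args[0] if args else 'unknown'
        if name == 'Decimal':
            return 'decimal'
        if name == 'str':
            return src                    # str() keeps the origin: this text came from a Decimal
        if name == 'int':
            if not guarded:
                self.naive.add(node.lineno)
                if src == 'decimal':
                    self.flow.add(node.lineno)
            return 'int'
        if name in self.funcs:            # follow the call into the callee with the argument origins
            return self._function(self.funcs[name], args)
        return 'unknown'


def scan(source, entries):
    """Run both rules from each entry point (argument origin unknown); returns sorted line lists."""
    analyzer = Analyzer(source)
    for entry in entries:
        analyzer.analyze(entry, ['unknown'])
    return sorted(analyzer.naive), sorted(analyzer.flow)


def line_of(source, needle):
    """1-based number of the first source line containing needle."""
    for i, line in enumerate(source.splitlines(), 1):
        if needle in line:
            return i
    raise ValueError(needle)


if __name__ == '__main__':
    naive, flow = scan(SAMPLE, ['handle', 'handle_guarded', 'round_trip'])
    print('naive rule flags lines', naive)
    print('flow-aware rule flags lines', flow)
```

On the sample the naive rule reports three conversions (the real bug plus both halves of the harmless round trip), while the flow-aware rule reports only the conversion whose text originated as a Decimal and is not inside a try block. The guarded copy of the same conversion is reported by neither.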

Lastly, apologies for leaving CodeScout off my list of source code tools. It has a few built-in checks (like SWAAT) which can be extended fairly easily. However, the nicest feature is a fully-compliant regex parser which you can run over your entire source tree. It is very fast and you can use it to very quickly identify flaws.
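A regex sweep over a source tree of the kind praised above, as an added example that is not CodeScout’s code. The check list is illustrative: the C entries are string functions that appear on Microsoft’s SDL banned list (strcpy, strcat, sprintf, gets); the .NET parse entries and the sample files are constructed for the example, and the file-extension scoping is this example’s own design choice.

```python
"""Regex sweep over a source tree. Added example, not CodeScout's implementation."""
import os
import re
import tempfile

# (label, pattern, file extensions the pattern applies to). Scoping by extension
# keeps a C rule from firing on a .txt file that merely mentions strcpy.
CHECKS = [
    ("banned C string function", r"\b(strcpy|strcat|sprintf|gets)\s*\(", (".c", ".cpp", ".h")),
    ("unchecked numeric parse", r"\b(Convert\.ToInt32|int\.Parse|Int32\.Parse)\s*\(", (".cs",)),
]

# Constructed sample tree (relative path -> contents).
SAMPLE_TREE = {
    "legacy/copy.c": "#include <string.h>\nvoid f(char *d, const char *s) { strcpy(d, s); }\nint strcpy_count;\n",
    "web/Amount.cs": "var units = int.Parse(text);\nint.TryParse(text, out var ok);\n",
    "docs/notes.txt": "strcpy is mentioned here but this is not code\n",
}


def sweep(root, checks=CHECKS):
    """Walk root, apply each check line by line; returns sorted (path, line, label, text)."""
    compiled = [(label, re.compile(pat), exts) for label, pat, exts in checks]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1]
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, rx, exts in compiled:
                        if ext in exts and rx.search(line):
                            findings.append((os.path.relpath(path, root), lineno, label, line.strip()))
    return sorted(findings)  # os.walk order is not stable; sort for deterministic reports


def write_sample_tree(root, tree=SAMPLE_TREE):
    for rel, content in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Materialise the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for path, lineno, label, text in demo():
        print(f"{path}:{lineno}: {label}: {text}")
```

The sweep reports the `strcpy(` call and the `int.Parse(` call only; `strcpy_count`, `int.TryParse` and the mention in the text file do not match, which is the point of the word-boundary and extension scoping.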


Getting out of the box : The problem of Babel

(in keeping with my ‘purging’ theme, I’m gonna release old blog posts that I meant to come back and clean up. These are just scattered remnants of long-gone ideas…)

A few years back, I worked for this company that subjected all their employees to ‘out-of-the-box’ training. It was a non-grueling, week-long seminar that was mandatory for all IT disciplines and included team-building exercises, personality inventories, group puzzles, creative-thinking exercises, etc. At the end of the week, we were supposed to be equipped to solve problems in creative ways. It was very lame.

In the beginning, Security groups were way out of the box. In fact, most didn’t even acknowledge the existence of a box. Over the years, they have not only invented the box – they have reverse-houdinied themselves into the box. How did that happen?

1) Security has become increasingly complex.

2) The single human brain can only master a finite amount of information.

3) Niche skills become the norm.

Add all this up and you get what I call “The problem of Babel”. We are creating (have created) a growth-limiting caste system. Instead of building a large Tower which would enhance our view of the landscape and feed our creativity, we have dotted the landscape with disjoint chimneys. The chimneys rarely touch, have no solid base for high growth, are limited in size and scope, and end up trapping those inside.

And, one more



Take this silt

Happy New Year! It’s 2007 and one of my goals is to do less work and spend more time with my family. I think we all have things on our ‘TODO’ list that, at some point, we have to acknowledge we will never get around to. I keep a folder of interesting snippets that I always intended to come back to. In reviewing my ‘snippet’ list, I see things from 2001 and 2002 that I’m not even close to getting around to. I see applications that I downloaded in 1999 or 2000 that I never got around to breaking or even installing. And, worse, I’ve got other snippets that have been deposited that take precedence over these older snippets. Jeremiah Grossman blogged about something similar on his blog. To cut to the chase, I have some silt from the bottom of my TODO pool that is muddying the water of my brain…I’d like to give it to you. Maybe you’ll find some gold.

Wouldn’t it be cool if you could do a pen-test of a company and have the ability to root their internal machines? I’m talking about the machines that reside inside the network – behind all the DMZes, proxies, firewalls, policy routers, etc. A nice juicy machine sitting in the ripe delta of a virgin network. It’s do-able, but it’ll take a little work. Here are a few examples.

Web (and other) code cross-pollination

I alluded to this in a previous post.

It’s trivial to spider a site, find all the .jpg|.gif|.bmp|.whatever images and then, if the file name is sufficiently random, google for other sites which may be using the same graphics file. Now, with the release of Google’s codesearch, I can take my searches to a new level. It is my opinion that webserver content has become quite cross-pollinated over the years. And, it’s not just limited to web content…