I have been known to take the Web application security community to task for a myopic focus on Web and Web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking.

Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have talked about Web app security versus software security many times. Jeremiah is a great guy, and always willing to listen and think carefully. It was only natural that he would end up as a Silver Bullet victim.

Episode 32 of the Silver Bullet Security Podcast features a chat with Web security guru Jeremiah. Among other things, we talk about the relationship between Web app security and software security.

Near the end of our conversation, we raised the idea of whether all Web security problems have analogs in the software security space and what that might mean. After thinking more about that issue, I made it the subject of this month’s informIT column.

In the end, Web application security is important, but we must be careful not to overemphasize the solutions that work only for Web apps and forget about the rest of software out there. In the meantime, we have plenty to learn from each subdomain.

Brian Chess and I just published an article on the Software Security Framework displayed below.

Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.

As Justice League readers know, I have been writing a security column since October 2004. I started with Network Magazine, and stayed with CMP through the launch of darkreading.com. In April, I moved the column to informIT. All of the columns can be found here.

Many of my columns end up being about issues in software security. In particular, the articles I point to below may be of interest to blog readers. Note that some of them are appropriate for business leadership.

To make things easy going forward, we just set up an RSS feed set up for my writings. You can subscribe to that here.

Software Security Columns

Is Application Security Training Worth the Money? [2/06]

Want Turns to Need (software security market size 2006) [4/07]

JSON, Ajax & Web 2.0 [6/07]

Software Security Strategies (4 ways to start an enterprise program) [1/08]

Paying for Secure Software (using total cost of ownership for software projects) [4/08]

Application Assessment as a Factory [7/08]

Software Security Demand Rising (software security market size 2007) [8/08]

Getting Past the Bug Parade (the importance of addressing architecture) [9/08]

In April 2007, I published a darkreading article on the size of the software security space with some analysis of what was happening. It took me a bit longer to gather the numbers this year, but I finally got what I needed and published an informIT article recently explaining how software security is growing.

I am very optimistic about the growth of the software security field over the last few years. Things are certainly moving in the right direction (toward white box analysis instead of outside->in black box, out of the myopic focus on Web apps, and toward full-lifecycle programs based on the touchpoints). The numbers show this growth and these trends objectively.

On a top secret mailing list I participate in, there was some recent discussion about a recent article published by Fortify slamming the Open Source community for failing to adopt software security (you can find the article on the Fortify website). Here’s what I posted to the list (identities masked to preserve secret identities):

I just downloaded and read the Fortify study. It’s more of a white paper than it is science, but it is reasonably well presented and seems not to be too terribly fluffy. You can download a copy for yourself from the Fortify website. In the end what we have is some evidence that there are some open source projects that are behind the curve from a security perspective. I don’t think this should come as a surprise to anyone.

Some specifics based on other postings:

[DoD open source guy] sez>> First, it’s Java-heavy.

This is true. As far as I know, all of Fortify’s open source work has been Java-based (see the Java Open Review project). I don’t see why this impacts the results very much. Though open source Java projects may be a bit less responsive to security, the conclusions in the report are clear about just what set of projects were considered. Then again, I am not at all sure what methods were used to pick 11 out of 101 JOR projects.

[Apache leader] sez>> My experience on the security team at Apache…

Incidentally, when it comes to the results reported, Apache (Tomcat) is the only one of the eleven projects that is reported to have security-specific email, links to security info and access to security experts. One the other hand Apache (Struts) is reported not to have these things, which [DoD open source guy] argues is misleading since the Apache ASF page has these things.

[crypto open source guy] sez >> A better summary would have been “Many developers still don’t care about security.”

Sadly this is true. However as an evangelist in the space I will point out that the commercial world appears to be making much better headway in software security than the open source community (present company excepted of course but I am donning my asbestos suit anyway). I think many of the reasons why commercial software has an unfair advantage were covered in a panel on open source and security that Peter Neumann, Fred Schneider, and I all participated in at Oakland in 2000 (I can dig up e-copies if anybody cares).

One project was singled out for good software security practice: Mozilla. Should we all try to be more like Mozilla?

The debate did not rage on on the top secret list, but it must be raging on somewhere, because Roger Thornton just posted a response to the Fortify blog which you cab read here.

Frankly I was hoping that we killed this thing dead at Oakland in 2000. Guess again!

I’ve written before about how useful comics can be in security training. See a previous blog entry here.

In that brief article, I called out some of Markus Schumacher’s training animations. I’m pleased to report that Markus has asked Cigital to host some of his material. Here are some links:

Example 1: Car Auction

Example 2: Online Application

Cross Site Request Forgery

Forceful Browsing

You can also find these links together in one place on our resources page.

At RSA this year, I did a quick video interview with Dennis Fisher an old friend who is now the lead editor of Search Security. The resulting video is here

Here are the questions I answered during the interview (along with some bonus pointers that I’ll include in this posting). As you can see, we mostly talked about software security:

• Let’s talk about where things stand with the state of software security in the industry today. Are you optimistic?
• I’ve heard a lot of people say that solving the software security problem is going to cost a lot of time and money in the development process. Is that true?

  See this informIT article.

• I know there’s a lot of training that goes on in the professional world in terms of software security for developers, but is that happening more in colleges and universities right now compared to five years ago?

  See this IT Architect article.

• What about the commercial software vendors. How much progress are they making on this problem?
• Are there one or two problems that really worry you in software security right now?

  See this IEEE S&P article.

If you like this video, please let the Search Security people know so they feel compelled to do more.

There are three new books (recently released) that are worth a look. Once is an absolute necessity for any security practitioner. The others may be interesting for some readers of the blog.

The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson’s Security Engineering book. Ross did a complete pass on his classic tome and somehow made it even better. It also comes in handy as a weapon as it is so heavy. Books like Ross’s are a refreshing reality check from the usual pablum published in computer security.

Simply put, this is a must read book for every security professional. I don’t have my real copy yet from the publisher (but they say one is on the way), but I did take a close look through the manuscript. Ross retains his number one slot on my list of top 5 things every software security person should read.

Incidentally, I interviewed Ross for Silver Bullet last year (in April). Ross’s episode is the most popular of all 24 episodes released to date with over 18,000 downloads. You might want to give that a listen as well.

The other two books that are worth a look are Crimeware and The New School of Information Security. Lets cover them in reverse.

The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinski fan. On the way to complete that errand, I had a chance to look though the book and now I need a copy of my own! If you’re a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you’ll like this book.

Crimeware is an academic tome written by my friend Markus Jakobsson. I contributed a chapter on software security bug taxonomy. My copy showed up last night, and I have earmarked more time to read it thoroughly. The enemy has changed over the last decade, and criminals are bringing the game to a new level.

Spring may not be the best reading time, but it does appear to be the best time for a crop of interesting new security books!

I have been writing a monthly column on computer security and software security since October 2004. In the beginning, the column appeared in Network magazine. Later, that magazine was eaten by IT Architect. Here’s a set of pointers to those early articles:

• Who Should Do Security? (October 2004)
• Application Security Testing Tools: Worth the Money? (November 2004)
• How Do Real Bad Guys Break Software? (December 2004)
• Innovative Rootkits: The Ultimate Weapon? (January 2005)
• Are We In a Computer Security Renaissance? (February 2005)
• Where Does Trust Come From? (March 2005)
• Is Your Mac Really More Secure? (April 2005)
• How Does Security Fit With Engineering? (May 2005)
• Are Cell Phones the Next Target? (June 2005)
• Is Penetration Testing a Good Idea? (July 2005)
• Is VoIP Secure Enough For Prime Time? (August 2005)
• Is Cisco Naked? (September 2005)
• How Bad Is Intrusion Detection? (October 2005)
• Is Security Really About Getting Nothing Done? (November 2005)
• When Does Security Cross the Line? (December 2005)
• Is Sony BMG Run By Malicious Hackers? (January 2006)
• Is Application Security Training Worth the Money? (February 2006)
• How Flawed Is Microsoft? (March 2006)

We all know what’s happening to magazines and newspapers, though, don’t we–they’re turning to bits. When CMP killed IT Architect magazine (along with most of the rest of their paper publications), they repurposed much of the content into websites. I started writing for darkreading.com from the very beginning. Here’s a set of pointers to the darkreading articles:

• Microsoft’s Missed Opportunity (May 3, 2006)
• New Terrorist Profile: Phone Users (June 13, 2006)
• If You Build It, They’ll Crash It (July 7, 2006)
• Google is Evil (August 4, 2006)
• Keep Your Laws Off My Security (September 7, 2006)
• Diebold Disses Democracy (October 9, 2006)
• Boarding-Pass Brouhaha (November 2, 2006)
• Foxy Vista Henhouse (December 11, 2006)
• Hurray for Hollywood!? (January 12, 2007)
• Security’s Symbiosis (February 27, 2007)
• Compliance As Kick-Starter (March 12, 2007)
• Want Turns to Need (April 20, 2007)
• Certifiable (May 9, 2007)
• JSON, Ajax & Web 2.0 (June 7, 2007)
• Consolidate This (July 12, 2007)
• The Ultimate Insider (August 14, 2007)
• Mobile Insecurity (September 14, 2007)
• Online Games & the Law (October 11, 2007)
• Beyond the PCI Band-Aid (December 10, 2007)
• Software Security Strategies (January 9, 2008)
• The Truth Behind Code Analysis (February 13, 2008)

Just recently, I decided to move my monthly column to informIT. The readership is much larger, and I like the affiliation with the company who publishes my books. As part of that move, you can also expect to see Silver Bullet syndicated through informIT as well. You can help me make the move a success by keeping up with my column through informIT. (We’re also planning an RSS feed for articles too, so watch for that as well.)

The first column for informIT is just as much about business as it is about technology. One of the issues we constantly face at Cigital is the problem of helping our customers sell the idea of software security best practices up the chain. A common (and misguided) view is that software security best practices increase development time and add cost. As you can see in my first column, that’s simply not true. Here’s a pointer:

Software [In]security: Paying for Secure Software

I’m very much interested in your feedback on my column and any suggestions you have for topics. Feel free to use the forum below to get in touch. Thanks for reading!

There has been a recent flurry of activity regarding security assurance on a hush-hush open source mailing list I lurk on. The debate recently has to do with formal methods versus code scanning… apples and oranges in my view. However, there’s a new flurry of press over Coverity’s use of their tool to analyze well-known globs of open source. (One poster suggested that passing a scan like this with flying colors means security has been attained… argh!)

Some pointers:

From Slashdot
Posted by: kdawson, on 2008-01-09 01:20:00

Stony Stevenson alerts us to a US Department of Homeland Security program in which subcontractors have been examining FOSS source code for security vulnerabilities. InformationWeek.com takes a glass-half-empty approach to reporting the story, saying that for FOSS code [1]on average 1 line in 1000 contains a security bug. From the article: ‘A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006…’ ZDNet Australia prefers to emphasize those FOSS projects that [2]fixed every reported bug, thus achieving a clean bill of health according to DHS. These include PHP, Perl, Python, Postfix, and Samba.

Firstly, I am a big fan of code scanning and believe that use of static analysis tools should always be one of the basic security steps integrated into every SDLC. However, there are huge problems with declaring security after passing a code scan with an arbitrary tool and a random set of rules. The most obvious issue is that security defects come in two flavors—bugs and flaws—each accounting for roughly 50% of defects in practice. Code scanning tools can only find bugs. Here are two stupid examples for effect: can a code scanning tool determine that no user authentication was performed? How about whether or not a playback attack will work?

The second most obvious problem is that the list of rules enforced by a static analysis engine can never be complete. Discussion about this is left as an exercise for the reader.

Architectural risk analysis (crazily called “threat modeling” by Microsofties) is, like code scanning, an essential software security best practice. Formal methods are one way to go about attacking the flaw problem. In the US we rely on flakier heuristic-based approaches such as the one we use at Cigital. But no matter the approach, we can’t ignore the architecture.

References

1. http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All
2. http://www.zdnet.com.au/news/security/soa/11-open-source-projects-pass-security-health-check/0,130061744,339284949,00.htm