Friday, February 27, 2015

DeepViolet Improvements for Feb 2015

I checked in some minor improvements for DeepViolet.  DeepViolet is now packaged in a couple of different ways so you can quickly try it yourself.  One executable runs DeepViolet from the UI for fast spot checks.  The other runs DeepViolet headless from the command line and is useful in *NIX scripting environments.

Executable to Run DeepViolet From the UI (DOWNLOAD dvUI.jar)
A new jar archive has been added, dvUI.jar.  To get up and running quickly, make sure you have Java 1.8 installed, download dvUI.jar to your desktop, and double-click it; the DeepViolet interface will display.  Alternatively, you can start the DeepViolet UI from the command line like this...

java -jar dvUI.jar
Photo: DeepViolet UI example
Executable to Run DeepViolet from the Command Line (DOWNLOAD dvCMD.jar)
Don't care much for user interfaces and prefer to script everything you do?  No problem.  DeepViolet can be run headless from the command line.  To run it, do something like this...

java -jar dvCMD.jar -serverurl https://test.com/
Photo:  DeepViolet command line example

Where the value of the serverurl parameter is the server you want to test.

If anyone knows of any open source projects to process ASN.1 data types, send me a note.  I rolled my own code to process the common object types I encountered, mostly from reverse engineering and the scarce documentation I could find.
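To show what "processing the common object types" in DER-encoded ASN.1 involves, here is an added example (my own illustration, not DeepViolet's code): a minimal TLV walker that decodes tags, short- and long-form lengths, recurses into constructed types and renders OBJECT IDENTIFIER contents in dotted form.  The sample bytes are a constructed X.509 AlgorithmIdentifier for sha256WithRSAEncryption.

```java
import java.util.ArrayList;
import java.util.List;

// Minimal DER TLV walker (added example, not part of DeepViolet).
public class DerWalk {
    // Constructed sample: AlgorithmIdentifier for sha256WithRSAEncryption,
    // i.e. SEQUENCE { OBJECT IDENTIFIER 1.2.840.113549.1.1.11, NULL }
    static final byte[] SAMPLE = {
        0x30, 0x0D, 0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7,
        0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00 };

    // Decode OID contents: the first byte packs arcs 1 and 2 (assumes first arc 0 or 1),
    // every further arc is a base-128 group whose last byte has the high bit clear.
    static String oid(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder();
        long v = 0;
        for (int i = off; i < off + len; i++) {
            v = (v << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) == 0) {           // last byte of this arc
                if (sb.length() == 0) sb.append(v / 40).append('.').append(v % 40);
                else sb.append('.').append(v);
                v = 0;
            }
        }
        return sb.toString();
    }

    // Walk the TLVs in b[off, end); returns one human-readable line per element.
    static List<String> walk(byte[] b, int off, int end, int depth) {
        List<String> out = new ArrayList<>();
        while (off < end) {
            int tag = b[off++] & 0xFF;
            int len = b[off++] & 0xFF;
            if ((len & 0x80) != 0) {            // long form: low 7 bits = count of length bytes
                int n = len & 0x7F; len = 0;    // (n == 0 would be indefinite, which DER forbids)
                for (int i = 0; i < n; i++) len = (len << 8) | (b[off++] & 0xFF);
            }
            String pad = "";
            for (int i = 0; i < depth; i++) pad += "  ";
            if ((tag & 0x20) != 0) {            // constructed: recurse into the contents
                out.add(pad + String.format("tag 0x%02X len %d (constructed)", tag, len));
                out.addAll(walk(b, off, off + len, depth + 1));
            } else if (tag == 0x06) {
                out.add(pad + "OBJECT IDENTIFIER " + oid(b, off, len));
            } else {
                out.add(pad + String.format("tag 0x%02X len %d", tag, len));
            }
            off += len;                         // skip the contents of this element
        }
        return out;
    }

    public static void main(String[] args) {
        for (String line : walk(SAMPLE, 0, SAMPLE.length, 0)) System.out.println(line);
    }
}
```

For the sample above the walker reports the SEQUENCE, then OBJECT IDENTIFIER 1.2.840.113549.1.1.11 and a zero-length NULL (tag 0x05).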

For more information about DeepViolet, refer to the original blog post or the project code on GitHub.  Enjoy!


Wednesday, February 25, 2015

Security Leadership Vacuum at Lenovo

The February 2015 Superfish security incident at Lenovo is evidence of the ever increasing vacuum in top executive security leadership.  A security leadership vacuum is important strategically since without proper leadership it's extremely difficult to effect a positive outcome: secure products and services.  If we are sick we would not dream of diagnosing our own medical conditions, but this is exactly what is happening in security programs across the world.  Top leaders of corporations and governments are making decisions that are quite frankly - wrong.  Poor strategic decisions carry dire consequences for us all.  Unlike a software bug or a poor tactical decision, a poor strategic decision creates an unfavorable environment for security, resulting in highly vulnerable products and services that are difficult to remedy.  Poor security strategy is a systemic industry problem and not unique to Lenovo.  But using Lenovo as a convenient example, let's examine the concerns more closely.

A quick check of Lenovo's management page reveals the company has no top security executive.  Consider this a subtle warning sign.  Security at Lenovo is one of the many responsibilities assigned to the Chief Information Officer (CIO), Xiaoyan WANG.  We can learn much about a company's emphasis on security by reviewing its leadership structure on its web site or in its financial reports.  If you review Lenovo's management page, two things you will notice are: 1) security is not the primary role but instead one of many CIO responsibilities, 2) other responsibilities of the CIO present a direct conflict of interest with security.

First, let's look at security as a primary responsibility.  Security is like other areas of an organization: the more resources you invest, the better results you can expect.  I don't mean to imply blindly pumping cash into your security program is helpful, but understanding how to apply resources to the problem is where partnership between business and security executives is important.  A poor security leader, or no leader at all, is the surest way to kill a security effort before it even begins.  To be clear, no company says do a bad job on security.  The problem is that without proper security leadership and resource allocation, a good job is next to impossible.  Companies with the best chance of success in their security programs place security on at least equal footing with other top business priorities.  In a security conscious company I expect to see at least one top security executive like a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  Ideally, I want to see others like a Chief Privacy Officer (CPO) as well.  This tells me the company really understands the impact of the digital age on its products and services.  Of course, Lenovo may have a CSO that reports to the CIO, or to a leader that reports to the CIO, and many companies do, but in the end this is a conflict of interest because CIOs are focused on delivery.  Ultimately, product delivery may trump security, but without an independent advocate to argue on the side of product quality, productivity will win every time and this may not be best for the organization.

Next, the conflict of interest issue.  It may not be obvious, but WANG's many responsibilities include "information service delivery and security".  For years, IT organizations and software developers have been accustomed to the idea of a Test group that performs independent quality assessments of products and services before customer delivery.  Independent assessment is an essential quality control measure for producing consistently high quality products and services.  All too often security is lumped into the same bucket as other technical product quality review.  I believe this is a mistake.  Placing application security responsibility in the same group responsible for product delivery is like placing the fox in charge of the hen house.  Security product quality is a business concern, not a concern for a technology group.  Few CEOs were ever fired over a software bug, but many more CEOs will be fired in the future over software vulnerabilities.  Additionally, vulnerabilities are unique among bugs since they can shake the very foundations of your organization's credibility with customers, which may take years to reestablish.  In today's highly optimized world of software development, leaders often don't have the necessary resources to deliver products on time and on schedule.  In such a climate, it's too tempting to focus limited resources on tangible features customers can see.  However, with security it's far too easy to make bold claims of a strong security posture.  Without specialized tools and testing, security posture claims must be accepted at face value.  I see security differently: security is a top business concern, not a technology concern.  As a top business concern, security must answer through its own leadership, which ideally terminates at a security executive that answers with accountability to the board.  This will allow security to be considered on equal footing with other business priorities and risks.

A final note on security responsibility for C-level readers.  The days of blaming breaches on the ingenuity of hackers are coming to an end.  Overestimating hacker abilities to infiltrate systems is a convenient way of shifting public scrutiny away from poor leadership and security practices and back onto attackers.  Increasingly, the broader public and regulatory agencies are becoming less accepting of such excuses.  If you don't make security a top priority in your board room, with all due proper funding, with security leaders leveled like other leaders - you will be accountable on breach day.  Leaders of America's largest corporations are learning painful lessons: security responsibility can be delegated but blame cannot; see Target CEO Fired - Can You Be Fired If Your Company Is Hacked?

For those interested, in a previous post, So You Want to be a Security Professional, I cover some background on security positions and ways to organize security duties.  For full background on the Lenovo incident, I refer readers to Bruce Schneier's article, Man-in-the-Middle Attacks on Lenovo Computers.

[1] Superfish cover by Anelis, DeviantArt

Wednesday, February 11, 2015

JavaOne 2014 Security Presentations

The following URLs are security content from Oracle's JavaOne 2014 software developers conference in San Francisco, California.  My list is not entirely comprehensive; as more sessions become available, I will update the list.

Security Testing for Developers using OWASP ZAP, Simon Bennetts

Put a "Firewall" in Your JVM: Securing Java Applications, Debbie Fuller

Understanding the New JDK 8 Security Features, Sean Mullan

Securing Against Cross-Site Request Forgery, Aaron Hurst

Security Solutions for Java Distributed Architectures: A Smart Grid Use Case, Frederic Vaute

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together, Dan Cornell

Java Secure Coding Guidelines, Andrew Gross

Building Secure Applications with Java EE, Patrycia Wegrzynowicz

Security Starts in the Head(er), Dominik Schadow

RESTing on Your Laurels Will Get You Pwned, Abraham Kang, Dinis Cruz, Alvaro Munoz Sanchez

Security with Java Deployment, Chris Bensen

Code-Level Security Games And Puzzles in Java, Brenton Phillips

Seven Security Tools and Libraries Every Developer Should Know About, Dominik Schadow

Applying Java's Cryptography, Erik Costlow

High Security for the Internet of Things with Java and a Secure Element, Anne-Laure Sixou, Thierry Bousquet, Frederic Vaute

Retrofitting OAuth 2.0 Security into Existing REST Services, Irena Shaigorodsky

Anatomy of Another Java Zero-Day Exploit, David Svoboda, Yozo Toda

Securing JAX-RS Services with OAuth 2, Miroslav Fuksa

Securing RESTful Resources with OAuth2, Rodrigo Condido da Silva

Five Keys for Securing Java Web Apps, Frank Kim

Leveraging Open Source for Secure Java Website Construction, Jim Manico

The Anatomy of a Secure Web Application Using Java, John Field, Shawn McKinney

Securing Java: Track Opening Presentation, Milton Smith
