This is very interesting:
A handful of major information technology companies announced in London today the formation of an industry organization to develop and share best practices for secure software development.
Many companies have internal programs to improve the quality of the code they are producing, but a lack of communication has limited their effectiveness, said former White House cybersecurity adviser Paul Kurtz, executive director at the Software Association Forum for Excellence in Code. SAFEcode will be a nonprofit technical organization that will develop best practices and draw parallels between practices at member companies. Founders also expect to help establish educational programs and curriculum for good coding, Kurtz said.
Founding members are Microsoft, Symantec, EMC, Juniper Networks and SAP.
Where are Sun, IBM, BEA, and Oracle? Do they like secure coding too?
It would be very interesting to see an equivalent initiative from the customer side (the lucky recipients who have to pay for all the security vulns created by the above). I know as a consultant that there are many large companies struggling with similar secure coding issues, exacerbated to some degree by outsourcing, and a lot could be gained by a shared effort. The analyst community, like the vendors, has more or less left the Fortune 500s out in the dark, so this may be an area where a half dozen or so motivated security architects and CISOs at Fortune 500s could band together to create a group to help drive change. None of the other big players (analysts, vendors, big consulting firms) seem to be doing it. Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products and services and share best practices in the software security space?
Here is an interview I did last week on the current lack of alignment between IT Security (the People's Republic of IT Security) and business priorities. I would say that IT Security has achieved the $2,000 screwdriver:
< snip > Question: Is the realignment important? Peterson: I think it is a big deal. I really think IT security is out of control; in many cases, they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control, and you can use the investing habits of the business to improve the situation.
This interview was prompted by an earlier post on network security budget cruft. Investment is a big deal. There is innovation in app and data security, but there could be more if IT security invested its money with the same priorities as the business instead of searching for the nth feature on the network firewall.
If a company is putting in SAP or Siebel or whatever, you can bet the folks who run apps and databases are spending their dollars in developing and supporting those languages and databases, because that's where their enterprise is going. Meanwhile in the People's Republic of IT Security, you can bet there is an effort underway to find some new cops and robbers tool that watches where employees surf or yet another network firewall feature.
Update: Hoff annotates and provides additional insight.
I am on my third iPod. The previous two repeatedly got junk stuck under the click wheel that made it behave bizarrely. I also dropped one in a puddle and it worked fine for six months, which still amazes me. Anyway, I got tired of the bizarre behavior from the click wheel (selecting different songs, getting stuck/non-responsive, changing volume, etc.), so when I got my third one I decided to get a case. I picked a Marware, which solves the first problem because it has a plastic barrier to keep gunk from getting into the click wheel and so on. And it might even help if I dropped it or something. So far so good.
Here is the problem. There is a clear plastic window that gets stuck *on* the top of the click wheel, so as I am scrolling through artists and attempt to click on Lee "Scratch" Perry, the plastic adheres to the click wheel and there is a 2 to 1 chance that it selects the artist above (in this case the Latin Playboys, so not such a big deal). Also, the top half of the click wheel is unusable for scrolling or for turning the volume up or down.
Yes, my third iPod has been trouble free from a system standpoint, and I have never had to clean gunk out of the click wheel, but the point is that from a usage standpoint I would like to click on what I intended, not have my output redirected by a malfunctioning protection device.
Here is a list of public talks and training sessions I am doing:
As the enterprise is increasingly decentralized, with distributed data, outsourcing, and partner/channel integration - how does Information Security play a meaningful role? This talk explores how to govern through policy and runtime enforcement of those policies in today's hyperconnected enterprise. More info.
hosting the OWASP Web services track
As only a certified security high priest can do, Gene Spafford has started a linkfest o' love, spawning numerous backslaps from some of my favorite people in the blogosphere. I hate (enjoy) being the contrarian, so while I agree with the general sentiments posited in Solving the Wrong Problems, this quote, which several folks latched onto, really gets me by the webgoat:
We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.
We do know how to prevent these things? Really? In a real world deployment? With real users? Real use cases? Real integration to an actual business? Where are these examples exactly? I agree we know many of the pieces of the solution, but I would argue that in addition to focusing and investing in the wrong things, the real problem is that security engineering is horrible. Principle of least privilege is exhibit A. Sure, RHEL "supports" SELinux. How many times is it actually used? What is option B if the sysadmin can't get through the config, and so on... I know security people love to blame everyone else for security problems, but the state of usability and engineering in general on the security mechanisms themselves is a major contributing factor to the poor security posture we see in the real world. One of the sacred cows that needs to be gored is the notion that we in the People's Republic of IT Security have it all figured out. We don't. We need to, but we have a looong way to go before your average security mechanism installs and configs as simply as, say, JBoss.
This is why federation has been so successful and why I look at it as a reference model for how security mechanisms should be engineered. Let's review why:
1. It solves a real world problem
2. Does not require that you remap your entire organization, all business processes, and replace all technologies to function
3. Go production with browser based SSO on existing apps in 15 days or less.
4. Low cost
5. Enables business and work to get done
No matter how many times you want to quote Saltzer and Schroeder, there are very, very few security technologies in the real world that meet the above criteria. So while I am with Dr. Spafford in spirit, the security community has more work to do than anyone else to engineer from design time to run time. I totally agree with the majority of Spafford's post: the industry is focusing on the wrong things, and people do get overly attached to their chosen solutions, so the real security architects need to stand up and build better stuff. But a big part of this is admitting that a lot of the security sacred cows don't function well when they meet the real world. Napoleon mentioned that mud is the fifth element. You better account for it. If you don't have a security architecture strategy that can be deployed in the real world, then you don't have a security architecture. Let's quit passing the buck on engineering and build and DEPLOY better stuff.
I am doing a webinar with my friends at Ping Identity:
Security Design Patterns using WS-Trust to Proxy, Delegate and Impersonate in Web Services October 11, 2007 —11 AM U.S. EDT (UTC/GMT-4 hours)
WS-Trust enables new design patterns for your security architecture. Instead of resorting to the dreaded lowest common denominator, you can use the highest possible security for each integration point, and do it in a policy based way.
This webinar will examine design patterns for security architecture that enable enterprise integration using WS-Trust in Web services for secure proxy, delegation, and impersonation.
We'll look at how to use a Security Token Server (STS) to build a consistent security model in an integrated system, so you can deal with the multitude of tokens (Kerberos, X.509, SAML) that you'll typically see in an enterprise.
Dr. Dobb's interviews Dinis Cruz on .Net security, OWASP, and other topics:
The main point that I would like to make is my wish that we would all take sandboxing -- most specifically, Partial Trust on ASP.NET -- much more seriously. At this moment, our main security model is one based on the nonexistence of malicious code and vulnerabilities in the applications and libraries used on our servers and desktops. I prefer the world where there WILL be vulnerabilities and malicious code in our servers and desktops that cannot be exploited (or are, at least, easy to identify when activated) due to the sandbox used to execute it.
Unfortunately, the big players who can move markets -- Microsoft and Sun, in this case -- don't view that as a priority and their paying clients are not being attacked enough to demand serious solutions from them.
Yup. Let's stop assuming a benign environment (what I call faith based security) and instead build our software so that it will stand up to abuse.
I have to say that I really have a problem with blaming the developers. I do a lot of security training for developers and, in most cases, those guys are much more intelligent and knowledgeable than me. The problem is that our current development models reward features, performance, reliability and speed to market with security being one of those "Oh yeah, and it has to be secure."
Totally agree. IT security blaming security problems on developers is weak; instead we need sane, business-focused investment by IT Security in application security (instead of the next nth firewall feature).
The ever diligent Dave Wichers has updated the current agenda for OWASP AppSec, which runs Nov. 12-15 in San Jose at eBay. I have blogged before that OWASP conferences are my favorite security conferences, because you get a good mix of developers and security people, and it's very technical.
I am doing Web services security training on Nov. 12 and 13 - this is a two day training covering how web services are attacked and defended, message level encryption and signatures, security token servers - the full details are here.
The conference has perhaps the best lineup of any AppSec so far (not surprising given the area code). For all you web services security fans, I am chairing a web services security track which includes some very interesting speakers: Mark O'Neill, Rich Salz, Brad Hill, Shreeraj Shah, and Anoop Singhal (NIST).
Awhile back, Dan Geer posed the following questions:
How secure am I? Am I better than this time last year? Am I spending the right amount of $$? How do I compare to my peers? What risk transfer options do I have?
Dan asserted, and I agree, that these are perfectly reasonable questions for senior management to ask; virtually any part of a business can provide some enlightenment on them, and the exception is infosec, which has virtually no way to answer any of these today.
So anyway, following up on Mike Rothman's tip on surviving budget season, let's drill down on the question: am I spending the right amount of $? And, for the $ I have, am I spending it on the right things?
Let's assume you have a fictional infosec budget of $100. Where should you focus your spend? One good thing about budget numbers is that they are generally readily available. This is an exercise I have done for a number of clients; it can be done by an outside consultant even in a very large organization in about two weeks, and an employee who knows where to look can probably get it done in half that.
One thing I learned from Pete Lindstrom is that an asset can be valued as being worth "no less than what you pay to develop, own, and operate it." Hopefully it is worth more (if you like profits) but it is worth at least what you paid for it. This is the floor.
Now, to apply the budget to layers that are useful to security, we will break up the overall IT budget into Network spend (what you spend to operate your network), Host spend (sysadmins, OS, licenses, and so on), Application spend (what you spend on app dev, app servers, and so on), and Data spend (DBAs, database licenses, and so on). Let's assume ABC Ice Cream Co spends the following:
IT Budget
Network       2,000,000
Host          8,000,000
Applications 32,000,000
Data         12,000,000
It sure looks to me like the business values - apps, data, hosts, and network - in that order. Again these are big numbers, but big companies are good at some things - one of these things is assigning spend and cost centers, so for decision support purposes you can find "good enough" numbers in a relatively short amount of time. Now let's look at the same categories for IT security spend - network security (firewall, IDS, and so on), host security (VM, hardening, and so on), app security (static analysis, SDLC, web services security, and so on), and data security (xml security, data encryption, backups, and so on)
IT Security Budget
Network         750,000
Host            400,000
Applications    250,000
Data            100,000
It looks to me like IT security thinks the most important areas are network, host, apps, and data, in that order. We can compare these two budget priorities thusly.
Now there are a couple of possible takeaways here. One is that the People's Republic of IT Security is just waaaayyyy smarter than the business folks; if we just gave IT Security control over all business strategy, the stock price would go right to $120. Another view is that IT Security is completely out of alignment with how and where the business invests its dollars. Run the numbers using the above breakdowns on your organization and see what you come up with. These are fictional, but I bet the priorities are pretty similar in your shop.
Now I am not in any way suggesting that IT Security just parrot back and copy the budget percentage spends, but what I am saying is that 1) there should be some alignment of priorities and 2) the alignment should be the starting point of IT Security investment instead of "hey we have all these network security licenses/people/devices". The starting point is aligning security investment with the business and assets, not investing in network security because that was a good idea in 1997 and hey that's how we've always done it - doing so is pure budget cruft.
So if we rebalance the IT Security spend we can arrive at something that reflects IT Security's competencies and aligns better with what the business values.
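The comparison and rebalancing above, carried through as an added example (my own illustration, not code from the original post): it takes the fictional ABC Ice Cream Co figures, ranks the layers by how each budget prioritizes them, reports security spend per dollar of IT spend per layer, and redistributes the existing security total in proportion to the business's own spend as the starting point the post argues for.

```python
# Budget-alignment check for the four layers the post uses.
# Figures are the post's fictional ABC Ice Cream Co numbers.
IT_SPEND = {
    "Network": 2_000_000,
    "Host": 8_000_000,
    "Applications": 32_000_000,
    "Data": 12_000_000,
}
SEC_SPEND = {
    "Network": 750_000,
    "Host": 400_000,
    "Applications": 250_000,
    "Data": 100_000,
}


def shares(budget):
    """Fraction of the total that each layer receives."""
    total = sum(budget.values())
    return {layer: amount / total for layer, amount in budget.items()}


def ranked(budget):
    """Layers ordered from highest to lowest spend."""
    return sorted(budget, key=budget.get, reverse=True)


def alignment_report(it, sec):
    """Per layer: share of IT spend, share of security spend, and how many
    security dollars are spent per dollar it costs to build and run the layer
    (the 'floor' valuation from the post)."""
    it_share, sec_share = shares(it), shares(sec)
    return {
        layer: {
            "it_share": round(it_share[layer], 3),
            "sec_share": round(sec_share[layer], 3),
            "sec_per_it_dollar": round(sec[layer] / it[layer], 4),
        }
        for layer in it
    }


def rebalance(it, sec_total):
    """Spread the existing security budget across layers in the same
    proportions the business spends, keeping the total unchanged."""
    return {layer: round(share * sec_total) for layer, share in shares(it).items()}


if __name__ == "__main__":
    for layer, row in alignment_report(IT_SPEND, SEC_SPEND).items():
        print(f"{layer:13s} {row}")
    print("business ranks:", ranked(IT_SPEND))
    print("security ranks:", ranked(SEC_SPEND))
    print("rebalanced:", rebalance(IT_SPEND, sum(SEC_SPEND.values())))
```

With these numbers the rebalanced budget moves roughly $889K of the $1.5M to applications and $333K to data, while network drops to about $56K.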
Obviously taking into account the business' priorities adds additional constraints, but delivering in the face of constraints is what separates engineers from apes.
Update: Mark Curphey takes a look at the budget issue from another perspective.
Update 2: Interview on out of control IT Security budgets