Sharon Besser: June 2008 Archives

I saw Karl Fisch's "Did You Know?" video a few months ago and it had a huge impact on me. I think that it's a must-see movie for everyone involved with corporate, business and product strategy. Change happens. Period. So when I read Forrester's Noel Yuhanna "A New Role Is Emerging Within IT: Database Security Analyst (DSA)" I could not avoid thinking about this movie. Noel describes enterprises taking stronger measures around database security to meet compliance requirements and defend against attacks; as a result, the need for security support and administration becomes critical. This is part of a change that we have been witnessing within the Information Security and Risk community in the past 2-3 years. It's all about the data. Traditional security, and hence traditional security jobs, are no longer adequate, and there's a need for database security. There is a gap between security staff and Database Administrators. IT security groups focus primarily on creating information security policies and procedures and defining the approaches departments need to take when securing data. Typically, they are not responsible for implementing the controls themselves but often delegate them to various IT groups. That's all part of the change that drives a lot of our customers. I would like to think that our strategy and vision provide customers with the tools to bridge this gap. By providing the needed tools in the most efficient fashion, organizations that are using SecureSphere can survive the change. The ending sentence of Noel's executive summary speaks for itself:

This role does not currently exist in most organizations, and it might be difficult to fill because of its cross-disciplinary requirements. Faced with an essential need and challenging role requirements, IT security organizations should get ready to staff the database security analyst (DSA) position.




Movie linked from http://theclosetentrepreneur.com/karl-fischs-did-you-know-presentation-remix

Nik Cubrilovic at TechCrunchIT brings the story of how Opera Software is building a team of "web evangelists" whose job it is to find sites that do not display correctly in Opera and are not standards-compliant, and then email the site owners. Great. I'm enjoying everything that comes from this company (I use Opera Mini on my BlackBerry).
But what about security? Why can't we email site owners when we find vulnerabilities?

Here's a challenge for myself and others. Let's see if I'm falling into the SANS statistics I wrote about earlier: can the community write a browser extension that identifies web vulnerabilities (there are many open tools), finds the site owner (there are tools that can do this as well), suggests a fix (might be tricky) and emails the site owner? In theory, it can work.

Image: Opera Mini and a friend. Source: http://www.operamini.com/
Looks like SANS decided to take a side in the discussion that Amichai and I have been having. Check out SANS NewsBites Vol. 10 Num. 49 (June 20, 2008).

"A surprising result appeared in the first large test of the secure coding assessment exams in Java and C: they found that programmers are exceptionally well versed in the types of vulnerabilities that may crop up, but shockingly unable to find and fix those vulnerabilities. Apparently security awareness classes do not solve the problem, but give false confidence."

If you are driving on highway 101 North from Sunnyvale to Redwood City you can see a billboard sign encouraging you not to serve alcohol to teens. Unfortunately, like thousands of other commuters, I have plenty of time to stare at this sign every morning.

Image: the billboard sign (its_unsafe.png)

It's probably the security geek that lives in my head, but when I saw this sign, I was thinking about monitoring-only security solutions. Any person using security solutions for monitoring only, without enforcing blocking policies, is unsafe and irresponsible. In some cases, I would go as far as considering security solutions that can't block major attack vectors (e.g. single-packet attacks) as illegal. I truly believe that a security solution must be capable of preventing attacks in the first place. Please note that I'm making a distinction between audit and security solutions. The former can be limited to monitoring only, but as we have learned, in many cases audit leads to security, thus the right solution architecture must have prevention capabilities as well.

At Imperva, our philosophy (and product strategy) is to provide granular prevention controls. Turning on blocking is not like activating a big on/off switch. We provide granular controls using multiple methods, allowing enterprise customers to prevent attacks. When I hear that other vendors are not offering full enforcement, or that customers are not using blocking at all, you can tell that I'm orthodox about this. Don't get me wrong, monitoring web activity is very important. It is the first step, but it's not the destination. We need to PROTECT applications. Protection requires PREVENTION and prevention requires blocking. Of course, a product must be very accurate, able to handle the load, and support enterprise requirements, but at the end of the day, a WAF is a security tool. Customers should evaluate how a WAF blocks attacks, including the most sophisticated, single-packet attacks.


At the SANS Web Security Summit, one of the panelists explained how he receives SecureSphere real-time blocking alert messages directly on his BlackBerry device. This panelist is the CISO of an organization that processes more than 70 billion financial transactions per year. SecureSphere is there, blocking attacks in production systems. My point here is that accuracy must be high in order to give the CISO, and of course IT, OPS and other parts of the organization, peace of mind when inspecting 70bn and more transactions per year in real time.

I can't tell what other vendors are providing, but Imperva's customer survey statistics show that the vast majority are running in block mode. Blocking attacks is cool, safe and responsible.
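To make the monitor-versus-block distinction concrete, here is an added example (written for this page; it is not SecureSphere code or anything from Imperva) of a minimal request filter in Python that runs the same single hostile request through a monitor-only configuration and a blocking configuration. The detection signature, the sample requests and the class names are constructed for the illustration, and the signature is deliberately crude; a real WAF uses far richer detection.

```python
import re
from dataclasses import dataclass, field

# Constructed, deliberately simple signature for one request-level attack
# class. It exists only to show the difference between the two modes.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s*'?\d*'?\s*=\s*'?\d*|union\s+select)"),
}


@dataclass
class Backend:
    """Stand-in for the protected application; records what reached it."""
    served: list = field(default_factory=list)

    def handle(self, request: str) -> str:
        self.served.append(request)
        return "200 OK"


@dataclass
class Waf:
    mode: str            # "monitor" or "block"
    backend: Backend
    alerts: list = field(default_factory=list)

    def inspect(self, request: str):
        """Return the name of the first matching signature, or None."""
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                return name
        return None

    def handle(self, request: str) -> str:
        attack = self.inspect(request)
        if attack is None:
            return self.backend.handle(request)
        self.alerts.append((attack, request))
        if self.mode == "block":
            # The request never reaches the application.
            return "403 Forbidden"
        # Monitor-only: the alert is raised, but the same single request is
        # forwarded anyway, so the attack completes before anyone reads it.
        return self.backend.handle(request)


# Constructed sample traffic: one benign request, one single-request attack.
REQUESTS = [
    "GET /catalog?item=42",
    "GET /catalog?item=42' OR '1'='1",
]


def run(mode: str):
    """Run the sample traffic through a WAF in the given mode.

    Returns (responses, number of alerts, number of requests the backend served).
    """
    backend = Backend()
    waf = Waf(mode=mode, backend=backend)
    responses = [waf.handle(r) for r in REQUESTS]
    return responses, len(waf.alerts), len(backend.served)


if __name__ == "__main__":
    for mode in ("monitor", "block"):
        print(mode, run(mode))
```

Both modes raise exactly the same alert; the only difference is whether the backend ever saw the hostile request. That is the point about single-packet attacks: an alert about a request that has already been served is an audit record, not protection.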




Image source: http://www.dontserveteens.org/materials/posters/14x48.pdf 

Image: Howie Mandel.png
I am back from the HP Technology Forum & Expo 2008, taking place this year in Vegas. I was presenting in one of the breakout sessions after Howie Mandel's Thursday morning closing general session.

To be honest, my audience was a "little" smaller. Maybe it was the topic (or the presenter :-) but I was actually surprised by the number of attendees, all working for well known companies that are still in the process of compliance, determining the PCI scope or taking the risk of not being compliant. We are focusing on section 6.6 (and we should; just to remind you all, it goes into effect on June 30, 2008), but there are plenty of organizations that are also trying to solve the other "challenging" topics. Here's the citation from the PR:

The PCI Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process including preventing, detecting, and reacting to security incidents. However, several requirements mandated by the PCI DSS such as tracking and monitoring cardholder data, rendering stored cardholder data unreadable, and application security pose considerable challenges for most organizations. Mr. Besser will discuss the three most difficult PCI DSS requirements, the pitfalls to avoid in trying to meet them, and best practices for making sure you pass a PCI Audit. He will also cover the recently published PCI DSS update titled, Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, which goes into effect on June 30, 2008.

So, what have I learned?

1. Many organizations are still not 6.6 compliant.
2. Some organizations continue to store sensitive authentication data such as PIN CVC2/ CVV2/ CID.
3. Few are still unaware of the full scope of PCI.

I guess that we still have a lot of work to do...

Image: work in progress.png

Image: Power house mechanic working on steam pump By Lewis Hine, 1920
National Archives and Records Administration, Records of the Work Projects Administration
(69-RH-4L-2) [VENDOR # 36]
http://www.archives.gov/exhibits/picturing_the_century/port_hine/port_hine_img22.html 

We can't write secure code - so let's give up keep tryin'


Last week, Mike Rothman (here http://securityincite.com/TDI-2008-06-05#TBP1) was commenting on Stuart King's blog claims (see http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html):

Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the PCI standards and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough.

Mike's answer:

Then Stuart basically falls back into the tried and true security mentality of throwing a box (a web app firewall) at the problem. That's a cop-out. First of all, a WAF is not a panacea for application security. And just because users want more and faster, doesn't mean they should get it. Everything gets back to a business decision. If the business decides it's worth the risk to roll an application that has holes, so be it. Just make sure they understand that when the dudes in the radioactive suits come in to clean up the mess. By the way, I'm all for WAF as a supplement to application security efforts, WHERE APPROPRIATE. But to give up the ghost on trying to write secure code because it's hard isn't the answer either.

First, I'd like to make it clear that in my opinion, a WAF is the right first line of defense. In some cases, it will serve as the only line of defense. The question should not be whether secure code is possible, or whether to fix the code versus using a WAF. The question is how to provide continuous security while application problems are being fixed. There's always one more bug, and the WAF will be there for you. Rain or shine, it's there for you. And now comes the "but"... We should strive to write secure code, and we need to fix the problems we have discovered, and then fix the problems that the previous fixes created.

The Verizon Business survey that was published yesterday offers many insights. I think that this is an important (and certainly not surprising) one:

In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study.

There are two eye-opening charts in this report that highlight the importance of active security systems and the need to close (security) gaps as fast as possible. The first compares the time it takes to penetrate a system with the time it takes to discover and mitigate the breach.

Image: time_span.png

In comparison to the other categories, the length of time between the attacker's initial entry into the corporate network and the compromise of information is relatively short. During this phase, intruders typically explore the network and systems until finding their desired plunder. To an attacker unfamiliar with the territory, this can be a time-intensive activity. Surprisingly, our findings reveal this was accomplished within minutes or hours in just under half of cases investigated.

So it takes a VERY short time to penetrate the application or breach the data, while discovery takes a lot of time. The next chart shows how organizations discovered the breach. As you can see, most organizations surveyed by Verizon did not use monitoring tools.

Image: breach detection.png

I see a clear connection between the first and second data point. If organizations used activity monitoring solutions, they would be able to detect breaches faster... this is logical and makes sense. But I would like to make the case for preferring security and attack blocking over pure activity monitoring.

This survey should be used as a wake-up call to many organizations that should look into their monitoring and real-time security systems. As the bad guys (internal or external) are attacking within minutes or hours, security professionals can no longer assume that they'll be able to protect and defend without real-time security solutions capable of protecting the entire application stack.

The Democrat Herald brings the story of the theft of personal information from as many as 4,700 online customers of the Oregon State University Bookstore who used credit cards to purchase items.


This attack sounds like it was taken from a textbook. Below you can see an example of an SQL injection on one of Imperva's demo applications that's probably very similar to what happened at OSU (hear the voice of Mr. Terry Ray). A WAF could have helped here.
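Since the embedded demo is not reproduced on this page, the following added example (written for this page, not Imperva's demo application) shows the textbook pattern in Python against an in-memory SQLite table: a customer lookup that concatenates user input into the SQL statement, beside the parameterized version that closes the hole. The table contents, the column names and both input strings are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for an online store's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "carol@example.com", "3333"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation: the textbook mistake.

    Whatever the caller supplies becomes part of the SQL grammar, so a quote
    in the input ends the string literal and the rest is parsed as SQL.
    """
    query = ("SELECT id, email, card_last4 FROM customers WHERE email = '"
             + email + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Binds the value as a parameter, so it is only ever compared as data."""
    return conn.execute(
        "SELECT id, email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups with a normal and a hostile input; return row counts."""
    conn = make_db()
    normal = "bob@example.com"
    hostile = "x' OR '1'='1"   # constructed tautology input
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the concatenated query the hostile input returns every customer row, which is the whole table of card data in this toy; with the bound parameter the same input matches nothing, because the database engine never treats it as SQL. A WAF in blocking mode sits in front of the first function as a compensating control while the code is being fixed into the second.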



June 4, 2008

New Hero

Samy Daniel Burd is my new hero. The Record brings the story of a young high school student who, as part of a school project, found a microbe that eats plastic and can be used to decompose plastic bags. This (very) young kid scientist showed that sometimes, different thinking is needed. While others claim that plastic doesn't biodegrade and that plastics, like diamonds, are forever, Daniel proved that when it looks like you're facing a dead end, different thinking is needed. There's always a way to solve a problem.


I'm back from SANS' Web Application Security Summit. As always, the guys at SANS put together a good agenda and managed the sessions very interactively. It was great to speak at this conference and watch two of our customers sharing their SecureSphere experience and best practices on stage.

Jeremiah Grossman's keynote speech was interesting and educational. Rich Mogull was referring to the statistics that Jeremiah presented:

"With WAFs, we are trying to block vulnerability classes instead of specific vulnerabilities".... [SNIP]....we need to change how we view WAFs. They can no longer be merely external boxes protecting against generic vulnerabilities; they need tighter integration into our applications".
Imperva was mentioned for tying together the WAF and database activity monitoring. Imperva was also the first to create a Data Security technology ecosystem.

Alongside other key statistics, Jeremiah answered "how long does it take to fix a vulnerability?"
Image: Jeremiah_Grossman_time_to_fix_small.PNG. Source: Jeremiah Grossman, Keynote Address, SANS What Works in Web Application Security

Apparently in real life it takes a lot of time to fix vulnerabilities. My own estimate of "weeks to months" was wrong. It takes many months to fix vulnerabilities.