Editor's note: Information security expert Chris Wysopal, co-founder and chief technology officer of security firm Veracode Inc., is contributing to SearchSecurity.com's special coverage of RSA Conference 2007. He is a founder of the Organization for Internet Safety, an industry group that has published guidelines for responsible vulnerability disclosure. While vice president of research and development for security consultancy @stake, he provided expert testimony before Congress on the subject of vulnerability research. His column will appear daily throughout the conference .
Chris Eng, director of security services at Veracode weighs in with a Daily Dose -- Feb. 8, 2007
Chris Wysopal asked me to step in and write up some thoughts since he had to catch a plane back to Boston today.
CyberDefender's raffle for one of the coveted LED Mooninite signs was a very clever promotion idea, but if you think about it, the concept of how people perceive risk (or lack thereof) carries over nicely to the digital space. With all the hype around NAC and storage security products this year, many people still aren't focusing enough on application layer risks. For example, disk-level encryption is great for protecting against someone who steals your backup tapes, but the application still has a way to access that data.
Speaking of web application security, I dropped by the WASC Meetup yesterday, hosted by Jeremiah Grossman of WhiteHat. He
I also had an interesting conversation today with a gentleman from PreEmptive Solutions. They do code obfuscation for Java and .NET, raising the bar for someone trying to reverse engineer programs that typically aren't very well-obfuscated by bytecode. It's well-understood that obfuscation doesn't prevent reverse engineering but rather raises the bar, requiring more effort for an attacker trying to decipher how the program actually works. It's also an alternative way to protect intellectual property without actually turning to cryptographic techniques.
Finally, there didn't seem to be any crypto breakthroughs this year. RSA used to be so heavily crypto-focused and there have historically been major announcements around cipher weaknesses -- AES side-channel attacks last year, SHA-1 hash weaknesses in 2005, etc. Not really much buzz around crypto this year, though I did read on Bruce Schneier's blog that the NIST is taking submissions for a new hash standard, so maybe things will heat up again in the next few years.
Debating vulnerability disclosure; emerging Web technogies -- Feb. 7, 2007
Today I was on a panel discussion with John Viega, Pete Lindstrom, and Steve Wu on the subject of vulnerability disclosure. This is a constantly debated topic that some may think is old news, but there are some new developments we covered. The subjects of third-party patching, the "month of bugs" phenomenon, and the issues of security research in a Web 2.0 world were discussed. The debate was fairly heated as the panelists all had different viewpoints. It definitely wasn't a 'Barney' panel where everyone is agreeing and coming from the same viewpoint.
Overall, there have been plenty of presentations during the last two days on software security and Web application vulnerabilities; I counted 10 presentations. This mirrors the growth rate of vulnerabilities found in software, with over 8,000 found last year alone. The Web application vulnerabilities of SQL injection and XSS overtook buffer overflows as the most common vulnerability class. I predict they will keep rising and we will see other Web application vulnerabilities join the top ranks. I don't think we are done finding new vulnerability classes on the Web, and Web 2.0 is just getting started.
Caleb Sima and Bryan Sullivan talked about injection attacks beyond SQL. They described two lesser known attacks, XPath and LDAP injection, which will be sure to rise as people understand how to look for them.
Billy Hoffman talked about Ajax attacks. With an Ajax application, the attack surface of the application is much wider. There are more points to defend with input validation and authorization checks.
The trend with these new technologies is for developers to create and start using them, and for security researchers to figure out what the attacks are and then how to defend them. This unfortunately will always be the case, and why we keep seeing new classes of vulnerabilities as technology marches on.
Security SaaS struts its stuff -- Feb. 6, 2007
Today I took some time to look at the different vendor booths on the expo floor. One thing I noticed was software as a service (SaaS) has made its way to the security world at RSA this year. (Disclosure: my company, Veracode Inc., offers on-demand automated application security reviews over the Web.) Qualys is promoting its SaaS model, which it have been at for a while, but now there are some new players in different fields.
Voltage Security is offering software-as-a-service email encryption. I have been disappointed at the uptake of email encryption, which has been around for ages, by the average user. The SaaS model makes many types of software easier to use and it looks like this may be a solution to the usability problem surrounding email encryption.
Qualys CEO Philippe Courtot spoke earlier this week extolling the virtues of SaaS in the security domain, and I agree. Much of security technology is unnecessarily complex and SaaS is a way to keep the complexity away from the user. Customers want simple interfaces and they don't want to install a lot of software.
The other big benefit of SaaS in the security space that I see is the way a customer can get value out of the anonymized data that other customers create in the system. When I was a consultant, customers would always ask me, "How am I doing compared to my peers or the world as a whole?" With the shared infrastructure of a SaaS provider, those questions can be answered. Increased data sharing helps everyone.