Monday, April 28, 2008

Can Security be incorporated in the Computer Science & IT courses?

Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT software industry has recognized the importance of building secure software systems by incorporating security in their SDLC.

What amuses me is that the situation can be much better improved by integrating the basic security mantras in the graduate programs of Computer Science and Information Technology courses. The engineering courses for Computer Science and Information Technology at least can be sought to have the security touch points to enable the fresh candidates understand security implications while building software.

Currently, most security efforts at the university courses are in the form of specialized security classes which address particular topics in form of network security or cryptography. In contrast to the integrated approach currently being used in industry, education continues to handle security as an afterthought.

Something that everyone in the engineering courses would have learnt would be Database Management Systems (DBMS) and Web Technologies. Let’s take an example, we were taught that writing stored procedures are better compared to writing dynamic SQL because they are pre-compiled and hence better in terms of software performance. But we were not taught that stored procedures also helps protect you from a security threat called SQL Injection which is one of the most common attack.

My proposal is to plot security in the engineering curriculum with core courses. It just requires infusion as a subset in the main subjects. The concept of robust programming is native to secure coding. It is imperative to teach students that safe and reliable programs are inherently more secure.

The classic Software Development Lifecycle (SDLC) includes analysis, design, implementation, testing, and maintenance. Incorporating security into the SDLC yields the Secure Development Lifecycle. The touch points in the course should be Security Requirements and Analysis, Security Design, Security Implementation and Security Testing. Something that is fundamental to software programming and security assurance becomes the security coding mantras. A few are mentioned below.
• Principle of Defense in Depth
• Principle of Least Privilege
• Do not trust any user input
• By default Deny
• Assume the Impossible
• Graceful degradation on error

The idea is to make students aware of these small mantras while learning software programming. These small changes make a huge impact on the student who enters the industry and is already aware of security best practices if not all the attacks. It makes a great value add for the organizations too to hire a candidate with basic security knowledge. The ability to write secure code should be a fundamental to a university computer science as basic literacy. I am sure that the industry will also appreciate if the universities accept these changing demands.

Dharmesh Mehta
Technical Analyst, Mastek

Tuesday, April 08, 2008

Polymorphic Exploitation

The emerging attacks by attackers which is dynamically changing each time a potential victim visits the malicious page is defying the traditional regular-expression and heuristic-based protection that identifies Web exploits at the network or host.

The attacker are very effective in creating a unique exploit with each request and making it impossible for signature-based protection engines to uniquely detect each attack instance.

The major driving factor for the attacker still remains Financial gain. Stealing personal data, hijacking Web transactions, executing phishing scams and perpetrating corporate espionage
are all motivators.

Traditional security techniques focus on stopping file execution and viruses at the client’s operating system (OS) layer. Unfortunately, it is far more difficult to protect users at the browser level. While some signature-based protection is able to detect one layer of Web exploit obfuscation, polymorphic exploitation will pose a new problem.

Proposed countermeasures for Web 2.0 and client side attacks include:
• Educating Web developers on the need for secure coding throughout the development lifecycle, with emphasis on input validation.
• Transitioning from finger-print or pattern matching protection to heuristics or behavior-based protection.
• Enabling protection engines to understand JavaScript just as the browser does.
• Utilizing feedback networks to analyze malicious Web sites, encourage remediation and improve content filtering at the browser level.

Friday, April 04, 2008

Beyond Burp & Paros

Most of you in the world of Web Application Security would have heard about Burp, Paros, WebScarab and other proxy tools to intercept the web (HTTP/HTTPS) requests and able to fiddle around with the parameters.

Going beyond the normal web request proxy tools to intercept the request and fiddle around, what tools do we use to intercept Thick Client Applications?

I have come across the tools like
I think they have been useful, but it is really tedious to get in the relevant data for tampering and be successful. These tools are in fact information tanks where in one will need to mine out relevant things for attacks or testing. :)