SBN

Creating awereness on an hostile environment

With a colleague we were wondering about how much difficult is to create an
application security awareness climate in big corporate development team.
Please bear in mind that since I’m working in Italy my experience is very
narrowed to my country. If you have different stories to tell, please drop them
in this post comments area and share them.

Trying to make people aware about security risks they occur writing unsafe
code, will make yourself a friend or foe?

The harsh part of the story

Fact: software (most of it) is not secure and neither servers’ daemons nor
servers’ configuration is focused on security.

Fact: small teams (startups, small web agencies) actually do have developers
super stars. Some of them knows something about appsec but the time and the
market are their enemies. No time and no budget for security tests.

Fact: large teams (corporate) may have some skilled developers. Security is
seen as yet another compliance and boring test we are supposed to pass. If
our code won’t pass security checks, we will rely on firewalls, we don’t want
to spend our precious time in fixing the code for something is not a bug.

Fact: security costs. We assume you use a freelance application security expert
to engage your web application. The tests will cost you money either in terms
of freelance fee, than in terms of developers’ time to mitigate
vulnerabilities.

Fact: ignoring security costs in your budget will expose you to larger costs to
remediate a security breach in your database. Either in terms of fixing up the
code, than in refunding hungry customers. You may want also to consider the
costs you pay to build a trust relationship between you and your customers
during the startup period.

5 facts to draw the application security perimeter. When you will deploy any
awareness program into a big organization, you will fight at least those
misconceptions. All of them are leading to a pure and cost saving concept: I
don’t need security because it takes me money so I can ignore risks.

An hostile marketplace

Most of developers don’t trust security specialists. At least in Italy there is
the strong misconception that an application security specialist is not able to
code and that a developer is not able to understand security topics. Of course
both of those sentences are wrong (with some remarkable exceptions I won’t
discuss here) but the truth part is that finding a meeting point for those two
worlds (development and security) is a compelling task.

As a startupper creating a trustworthy relationship with their customer, an
application security specialist will be able to spend years in creating a
realation ship with a development team. It must be honest, competent and giving
the team something valuable to work over.

A security report saying “Fix this XSS because it’s security saying this” is
useless. You have to carefully explain what’s wrong with that code and how to
mitigate. They will be create software better than you will (most of times) but
you have to start talking to developers using source code if you want to create
a solid connection.

Creating awareness about security risks and make other people to trust you, it
is a process taking years in order to be successful. In my experience, you will
migrate from a not security aware development team to a Secure Software
Development Lifecycle ready team in 5 or 6 years.

During this period you will:

  • create secure coding guidelines and you will listen developers criticisms
    about them and you will iterate over and over
  • make them pleased to ask you for a web application penetration test and
    for code reviews. You will provide valuable reports containing ideas not
    impositions
  • meet developers and train them about secure coding and about new attacks

It’s impossible to complete this task without any programming background.

You can’t make code reviews or saying what’s wrong in other people code unless
you wrote code yourself as well. Every application security specialist must
write code and have worked with strict deadlines in order to understand how to
talk to developers.

Look at this very basic C snippet of code.

a reading experience
1
2
3
4
5
6
7
8
9
int fd;
char **buf = malloc(8192);

fd = open("myfile", O_RDWR);
// some instructions here
read(fd, buf, 8192);
// other instructions there

close(fd);

Imagine you never wrote a single line of C code in your life. How can your code
review be useful in this scenario? Are you a good security specialist just
because you ran
rats?

In my opinion you must be honest and saying you can make code review only if
you really can write it better:

a secure reading experience
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#include <sys/file.h>
#include <stdio.h>
#define BUF_SIZE 8192

int fd;
char **buf = malloc(BUF_SIZE);

fd = open("myfile", O_RDWR);
if (fd == -1) {
  perror("myapp");
  exit(-1);
}
if (flock(fd, LOCK_EX) == -1) {
  perror("myapp");
  exit(-1);
}

// you can now make something here without being worried about TOCTOU
// when you read... remember to leave a char for the end of line...
if (read(fd, buf, BUF_SIZE-1) == 1) {
  perror("myapp");
  exit(-1);
}

if (close(fd) == -1) {
  perror("myapp");
  exit(-1);
}

this example is taken from a real code review I made a couple of week ago.
Developers actually don’t care about TOCTOU because the read call was too much
call to the open to justify the lock… creating awareness is also force
yourself not to laugh so hard.

Tell me your now

I need your voice now… I create a
survey to ask people their position
about web application penetration test. I will use as slide number 2 or 3 in my
upcoming Railsberry 2013 talk.

Q: Why you don’t make any web application penetration test when I deploy a new
web application (or a new feature)?

  • You’re wrong. I do make a web application penetration test when I deploy
    a new web application or a new feature
  • No budget. Security costs are too high for us, we’re a startup and we’re
    focused on business first
  • No need to. We’re a big development team. Our code is robust and strong.
    We won’t occur in any security incident. Ever
  • No time. We are missing our deadlines. We don’t have time to spent in
    security tests. We are safe from risks. We have firewalls.
  • I don’t care. Seriously, security is a word spent by sales men to sell
    antivirus or similiar stuff. I don’t think my web application will be attacked
    by “so called” hackers.

What’s your positition? Do you ask a security guy to make a penetration test
over your code?

Image curtesy by Glyn Freeman

*** This is a Security Bloggers Network syndicated blog from armoredcode.com - the application security blog that gets the job done authored by Paolo Perego. Read the original post at: http://armoredcode.com/blog/creating-awereness-on-an-hostile-environment/