HD Moore, author of the Metasploit framework, and secappdev.org faculty member, is speaking at the seventh Free and Open source Software Developers' European Meeting (FOSDEM). Like the previous editions, FOSDEM 2007 takes place during the last weekend of February at the Université Libre de Bruxelles Solbosch campus.

Web sites

The Open Web Application Security Project runs a web site with a wealth of invaluable information on web application security.

The Build Security In portal is sponsored by the U.S. Dept. of Homeland Security. The two principal contributing organizations are Carnegie-Mellon University and Cigital. Secappdev faculty member Ken van Wyk is a main contributor to this site.

Recommended reading

Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson is a classic. Its scope is well beyond computer security, covering fields as diverse as security printing and e-policy, teasing out parallels between the respective fields. Of course, attackers are not constrained by the boundaries of a discipline. Anyone involved in secure system design can benefit from this work. The book is freely available online.

Secrets and Lies: Security in a Networked World by Bruce Schneier provides an excellent and accessible overview of concepts and issues.

Build Security In by Gary McGraw is a good introduction to building secure software.

Writing Secure Code by Michael Howard and David LeBlanc is the book that emerged from Microsoft's security push and reveals some of the insights gathered.

Secure Coding: Principles and Practices by Mark G. Graff and Kenneth R. Van Wyk explains how to address security concerns throughout the software development life cycle.

Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone contains all a developer may wish to know about cryptography. It is unlikely that anyone will read it from cover to cover. However, it is excellent as a reference. It is also available for download.

The Code Book: the Secret History of Codes and Codebreaking by Simon Singh is a lively, popular account of the history of cryptology. The book provides valuable insight into the subject without the formulae.

Mailing lists

The discussion on the Secure Coding list is of a high calibre.

Tools

There is a separate web page on tools.

Administrativia

secappdev.org is a not-for-profit organizations, registered in Belgium as a VZW/ASBL.

]]> yo 10 April 2007 12:01 GMT http://secappdev.org/2007/tool references.html 2007/tool references Tools

This page cannot begin to give a comprehensive overview of all the good security tools that are available. So, where possible, we list other sites that carry links to tools.

OWASP is an invaluable source, not only of information on web application security, but also of open source tools. WebScarab and JBroFuzz are but 2 examples.
WebScarab is an intercepting proxy for web applications and web services, allowing the developer or tester to review and modify HTTP and HTTPS requests and responses. JBroFuzz is a fuzzer.

Fuzz testing is a very powerful technique for uncovering potential vulnerabilities. Have a look at this snapshot of tools available in August 2006.

Automated static code analysis can take a lot of the drudgery out of manual code review and has made enormous progress in the last few years. Coverty, Ounce Labs and Fortify are the current market leaders.

Veracode offers an intriguing variant: a static binary code scanner. This also offers the opportunity of assessing the quality of closed source third party libraries that your application relies on.

Exception and error handling are difficult to get right, even in the absence of malicious users, hence the importance of verifying the system behaves as expected when exceptional conditions occur. This can be pretty difficult to set up. With tools such as Holodeck, the application runs in an emulated environment in which faults can be injected.

insecure.org, the web site of the people behind Nmap, holds an annual survey on security tools and yearly publishes the top 100. These are mostly tools for an infosecurity rather than application security audience. Many are used by penetration testers. Nonetheless, the list is definitely worth careful study by anyone interested in ICT security.

If you are developing on a Windows platform, Windows Sysinternals provides a set of tools to peer right inside a running system. Apart from general purpose tools for monitoring processes, network activity and file access, they also have security tools that, amongst other things, analyze the security configuration and detect spyware and rootkits.

Learning objectives

• Understand the range of tools available to the software security practitioner
• Demonstrate an ability to select the appropriate tools for a particular task
• Effectively integrate the tools into a software build process

Overview

Automated security tools are often used in software development, from static source code analysis tools to penetration testing tools. Unfortunately, due to a variety of reasons, many development organizations fail to get the maximum benefit from the tools. Worse, the way that many organizations use security tools may actually hamper effective development work. Penetration testing tools, for example, are commonly used for late life cycle “black box” testing. This forces, at best, knee jerk reactions to remediate any defects that are found, quite often at the expense of the application’s original design concepts. It also likely fails to find a great many security defects. To make matters worse, forced integration of tool technologies into existing workflows can be disruptive and counter productive.

This session delves into the automated tools associated with secure software development, and how they can be successfully integrated into a development workflow.

]]> yo 08 April 2007 16:14 GMT http://secappdev.org/2007/desiging-with-crypto-II.html 2007/desiging-with-crypto-II New developments in cryptology

Learning objectives

Be aware of the latest advances in cryptology that affect software developers.

Overview

In this lecture we present an overview of some recent advances in cryptology that affect software developers. First we discuss the modes of operation of a block cipher, and discuss the status of authenticated encryption modes. Subsequently we evaluate the impact of the hash function crisis of the last 3 years and we discuss the Bleichenbacher attacks on RSA PKCS#1 v1.5. Next we discuss the issues related to the standardization, selection and upgrade of algorithms. Finally we explain the principles of whitebox cryptography and explore how cryptography could offer a contribution in the fight against SPAM.

]]> yo 08 April 2007 16:13 GMT http://secappdev.org/2007/designing-with-crypto.html 2007/designing-with-crypto Using cryptography well

Learning objectives

• decide if and when cryptography should be used.
• make informed key architecture and management decisions.
• use appropriate algorithms and parameters.
• select an appropriate cryptographic library.
• choose network protocols for distributed applications.

Overview

Application architects need to make informed choices to use cryptography well:

• Alternative key architectures have their merits and drawbacks. PKIs, in particular, should be contrasted with symmetric key architectures such as Kerberos.
• Network protocol characteristics are pivotal in ensuring distributed applications meet security requirements. Key strength choices impact on security guarantees offered, as do cryptographic algorithm modes.
• While strong keys and wise use of cryptographic algorithms may thwart cryptanalytic attack, applications are insecure without prudent key management. In this context, key generation and key storage require particular attention.
• The selection of crypto-libraries requires awareness of inherent library qualities and failures. Application developers are advised not to implement their own.
• Cryptography is used innovatively in areas such as obfuscation and watermarking.

]]> yo 08 April 2007 16:12 GMT http://secappdev.org/2007/container.html 2007/container Real-world middleware

Learning objectives

Understand in how far current middleware products meet the security needs of distributed applications.

Overview

This session confronts the security needs of distributed applications with the reality of current middleware. J2EE application server implementations from Sun, IBM, JBoss and BEA Systems are used throughout the session as a case study.

J2EE is interesting for at least 2 reasons:

• J2EE is important in its own right, we expect that a significant number of the participants are using it;
• J2EE implementations are representative for state of the art middleware.

The dominant architectural pattern used with J2EE partitions the application over n tiers, where every tier often is scaled horizontally. We study where and how to place trust boundaries in such architecture. Fail-stop faults must not detract from availability guarantees.

State information can be maintained at the different tiers and must be replicated within the nodes in each of the tiers as required for scalability and availability. This requires replication of session state. The different options available for handling state replication are discussed.

]]> yo 08 April 2007 16:10 GMT http://secappdev.org/2007/evoting.html 2007/evoting Case study: electronic voting systems

- unfortunately, the recordings are not complete. The end is missing.]]> yo 08 April 2007 16:08 GMT http://secappdev.org/2007/threat.html 2007/threat Threat modeling

Learning objectives

• understand the key concepts: threat, vulnerability and countermeasure
• be familiar with the most important categories of threats
• understand the relation between threats and security requirements
• master the process of threat modeling

Overview

Security is about reducing the risk that an organization's assets are exposed to. Risk is reduced by countering the various threats to those assets. Hence, understanding the nature of the threats that a particular software system is subject to, is key to securing that software system. Threat modeling is an activity in the development process of a software system, that tries to systematically identify and document possible threats.

In this module we elaborate on the process of threat modeling. First we define the notion of threat and illustrate it with examples. We discuss the most important categories of threats in a software system, and discuss systematic techniques for discovering and documenting threats, leading to a threat model. Microsoft's STRIDE is discussed as a representative threat modeling methodology.

]]> yo 08 April 2007 16:06 GMT http://secappdev.org/2007/distr1.html 2007/distr1 Secure distributed system architectures 1

Learning objectives

• understand the strengths and weaknesses of P2P,
• identify where and how P2P can be used appropriately.

Overview

We discuss how the database can be split up and scaled beyond a handful of systems.

Security threats and risks of homogeneous systems are identified.

P2P techniques can be used on traditional clusters. In the case where we try to convince people to contribute their resources, the large issue is how to avoid freeloading behavior.

]]> yo 08 April 2007 16:04 GMT http://secappdev.org/2007/smartcards.html 2007/smartcards Smartcards

Learning objectives

Appreciate the benefits and challenges of using smart cards

Overview

Smartcards are a secure store for sensitive data, such as credentials. In addition to a secure store, a smartcard implements a crypto-coprocessor that can be contacted over a contact interface, or over a contactless interface (RFID), or both. Decrypting and signing data are only two of the popular smartcard applications.

Large scale smartcard deployments require full control over the phases of the life cycle:

• production,
• pre-personalization,
• personalization and
• use.

]]> yo 08 April 2007 16:02 GMT http://secappdev.org/2007/distr0.html 2007/distr0 Secure distributed system architectures 0

Learning objectives

• failure in distributed architectures,
• measures to improve robustness,
• load-balancing,
• scalability.

Overview

Modern application development needs to be aware of the network and will inevitably include a networked component. Many of these applications will have all the application logic on one host, but many more will need to scale to multiple server hosts, thus requiring replication. Participants will gain familiarity with Byzantine failures, but the main concern will be fail-stop scenarios and how to build systems to be robust when parts of them will fail. P2P techniques, also called overlay network techniques, are a general purpose mechanism for replicating state to gain robustness and scalability in the face of fail-stop.

- unfortunately, the recordings are not complete. The end is missing.]]> yo 08 April 2007 16:00 GMT http://secappdev.org/2007/testing.html 2007/testing Security testing

Learning objectives

• design and implement application security testing campaigns
• describe methods and tools used for security testing
• understand the benefits and limitations of black- and white-box testing
• perform basic penetration tests

Overview

This session covers the slew of testing practices specific to software security, applied through the different phases of a typical SDLC process. The strengths and weaknesses of different test practices are discussed in depth, along with a discussion of how to get the most out of these practices.

]]> yo 08 April 2007 15:59 GMT http://secappdev.org/2007/language.html 2007/language Software integrity 2: security architectures inside the programming language

Learning objectives

Characterize security mechanisms of the CLR and Java virtual machines.

Overview

The programming language used can strongly influence the security properties of applications. Modern programming languages such as Java or C# are favored because they have been designed with security requirements in mind. The notions of safety and type soundness, and their implications for security are discussed. Language based mechanisms for sandboxing partially trusted components are introduced and illustrated for both Java and .NET platforms.

]]> yo 08 April 2007 15:58 GMT http://secappdev.org/2007/network.html 2007/network Network protocols

Learning objectives

• gain an overview of secure network protocols.

Overview

As well as being important practical examples of the use of PKIs, networking protocols such as SSL/TLS, HTTPS, SSH and IPsec are also of great interest to the designer of secure systems in their own right. Participants gain an appreciation of how security requirements influence the choice of network technology.

]]> yo 08 April 2007 15:56 GMT http://secappdev.org/2007/access.html 2007/access Access control

Learning objectives

Understand

• the model underlying common access control techniques
• the best-known access control policy models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC)
• the implementation mechanisms for access control, such as Access Control Lists (ACL) and Capabilities.

Overview

This module starts with the detailed description of the goals of an access contol system. The concepts fundamental to the model common to most access control techniques are discussed:

• object,
• subject,
• reference monitor,
• protection domain,
• policy.

• Discretionary Access Control (DAC),
• Mandatory Access Control (MAC) and
• Role Based Access Control (RBAC) .

• Access Control Lists (ACL) and
• capabilities.

Learning objectives

• learn the components of a public key infrastructure.
• understand key delivery and management mechanisms.

Overview

The function of a public key infrastructure (PKI) is to ensure secure delivery and management of public keys. Alternative trust models lead to different key architectures.

Public keys are published by means of digitally signed certificates.

A private key may be compromised, in which case the certificate containing the corresponding public key must be revoked. Many revocation methods are in current use. Publication of Certificate Revocation Lists (CRLs) and checking with an Online Certificate Status Protocol (OCSP) responder are best established.

]]> yo 08 April 2007 15:52 GMT http://secappdev.org/2007/aa.html 2007/aa Auditability and accountability

Learning objectives

• understand what traceability good incident handling needs from an application,
• be familiar with some strategies for fulfilling this need.

Overview

When applications are compromised by attackers, often times the Computer Security Incident Response Team (CSIRT) organization is called in to assist in cleaning up the mess. A key concern of the CSIRT is to determine how the application was compromised as well as to assess the extent of the damage to the business that owns or operates the compromised application. Turning to the system's event logging is frequently the only course of action that can be taken after the compromise has occurred, making it particularly vital to ensure that all components of an application are logging the right information.

This module describes the issues faced by the CSIRT and presents various recommendations for deciding how to build a robust event logging system.

]]> yo 08 April 2007 15:46 GMT http://secappdev.org/2007/authentication.html 2007/authentication Entity authentication

Learning objectives

Gain insight into

• entity authentication protocols,
• the benefits and limitations of authentication factors,
• key establishment protocols,
• why and how to use authentication servers.

Overview

Authentication methods are based on something known, owned, biometric, location or evidence of trusted third party authentication.

• A password is a case of something known. Passwords are a vulnerable, but cheap and convenient way of authenticating an entity. Several techniques to augment their effectiveness are in use including challenge-response and one-time passwords.
• Secure devices such as smart cards and USB tokens often combine the 'owned' with the 'known', since secret keys are locked in the token with a password or PIN code. However, within the broad category of secure tokens, trustworthiness is variable, depending on whether keys can be extracted, passwords can be eavesdropped or the device can be tampered with.
• Biometry identifies a person via physical characteristics.
• Location is often used as the sole authentication factor, but is insecure given the relative ease of spoofing IP or MAC addresses.
• Multi-factor authentication is stronger than single-factor.
• The Kerberos protocol uses a key distribution-based authentication server. Service consumers must authenticate with a central server to obtain a secret session key with service providers. Such schemes require a single sign-on to access servers across a trust domain.

Entity authentication :

Key establishment: ]]> yo 08 April 2007 15:38 GMT http://secappdev.org/2007/crypto.html 2007/crypto Cryptographic algorithms

Learning objectives

• understand the security guarantees offered by the different types of cryptographic algorithms;
• understand the APIs offered by libraries in popular programming languages that give access to these algorithms;

Overview

Cryptography is the scientific study of mathematical techniques relating to information security. In the field of cryptography, a wide variety of types of algorithms is studied. The most important types of algorithms include symmetric encryption, asymmetric encryption, hash functions, Message Authentication Codes (MAC's), digital signatures and secure random number generation. We discuss each of these types of algorithms, by defining in a precise way what security guarantees they offer, and by giving examples of applications. The emphasis is on the "black-box" behaviour of the algorithms, not on how they are implemented, or on the mathematical principles that they are based on.

A fair amount of attention is given to software libraries that implement cryptographic algorithms. Modern cryptographic libraries are often based on a pluggable provider model, supporting so-called Cryptographic Service Providers (CSP's). We discuss the rationale behind this design, and the implications it has on developing software that uses CSP-based libraries.

]]> yo 08 April 2007 15:35 GMT http://secappdev.org/2007/exploits.html 2007/exploits Exploiting vulnerabilities

Learning objectives

• Know the different classes of vulnerabilities.
• Understand the structure of exploit code.
• Understand how common exploits work.
• Be aware of impact of working exploit code.
• Know how to use the Metasploit Framework.

Overview

Exploits are the reason that vulnerabilities matter. This session will discuss how exploits are created and used against real-world targets. Attendees will become familiar with the different classes of vulnerabilities, the structure of exploit code, and the post-exploit processes that can occur on a compromised system. The freely-available Metasploit Framework will be used to demonstrate the process of creating and using a new exploit.

]]>