A new year has started, and why change good habits? I’m just back from the first OWASP Belgium Chapter meeting of 2012. Here is my quick wrap-up. The organization remains the same: the first few minutes were dedicated to some news from the OWASP organization, given by Seba. A survey was organized by the Belgium chapter about the attendees and their expectations, and some results were presented. Most of the members rate their knowledge between “security aware” and “experienced“. Good news: lots of people are ready to participate and submit talk ideas! What’s on their wishlist for 2012? Mobile security, HTML5, SDLC, SAP and more demos/hands-on sessions. One recommendation for this year: more interaction between the chapter meetings (via forums, mailing lists?).
The first speaker was Kris Buytaert, about “Devops, secops, devsec or *ops? A gentle introduction to Devops“. Over his career, Kris worked as a developer and later moved to the other side: system administration. With his knowledge of both worlds, he is an active member of the “devops” movement. What is “devops“? There are multiple definitions. It started in Belgium with a first meeting in October 2009 and a basic question: “How do you go from source to production?“. This is now a growing movement which cannot (yet) answer all the issues but which tries to reach different communities. The real problem is to deploy better applications at lower cost, in less time and at lower risk. How? A good principle is CAMS (“Culture, Automation, Measurement and Sharing“). In the old days, the deployment of an application could be summed up like this: “Here is a tarball, put it in production now!“. But what about security, dependencies, performance impacts? Such deployments were then blocked by other system or security constraints. That’s why people hate sysadmins and security officers!
How to address this problem? By talking about non-functional requirements like backup procedures, high availability, upgrade path, scalability, etc. Try to break the silos between developers and sysadmins: put people together in the same room. If you successfully address all those issues, you will be able to deploy quickly and safely at any time without the fear of “breaking something“. What’s also important? Make all environments the same, define a good set of test data, and put configurations in a revision control system. A golden rule is to automate as much as possible: a manual deployment will certainly introduce typos in configuration files. There are very powerful tools to implement this (like Puppet). Don’t forget to monitor your applications/systems. Events are organized worldwide to discuss this topic; have a look at devopsdays.org. Some people have started to think of a broader “devops” which could integrate security people. That’s why other names were introduced, like “secops” or “*ops“. If you are interested in this topic, follow Kris and the hashtag #devops on Twitter.
After a short break, the second speaker, Erwin Geirnaert from ZionSecurity, talked about “Hardening web applications against malware attacks“. Erwin presented his personal definition of “malware“: a piece of code which is non-destructive, steals information, hijacks credentials and injects fraudulent transactions into applications (like e-banking). Funny remark: malware authors are state-of-the-art devops 🙂 Indeed, their code is deployed automatically and extensively tested. Some well-known malware families are Zeus and SpyEye. Malware does not only target financial applications. Some of it attacks social networks and, this is Erwin’s prediction, it could attack cloud applications like Salesforce or Google Apps!
These are really evil pieces of software and can defeat classic protections. They perform fake web content injection, they can bypass two-factor authentication, and they inject or remove HTML code to hide information (like hiding the stolen money by displaying the old bank account summary). They can bypass VPNs and virtual keyboards (by taking a screenshot after each mouse click to “see” your password). Finally, they are always optimized to be undetectable. Example: they introduce delays during data input to avoid a transaction that completes too quickly (which could be detected as suspicious). They simulate human behaviour.
To protect against those attacks, application hardening is mandatory. How?
- By reducing the attack surface
- By eliminating vulnerabilities
- By mitigating the impact of vulnerabilities
Unfortunately, it’s not always easy to find documentation on how to harden a web application. Erwin ran some Google queries for “<product> hardening guide“: there is clearly a lack of resources. But hardening must occur at all layers: not only must the configuration of switches, firewalls, operating systems and web servers be reviewed, developers also have to build and maintain secure code. This is a very good example of the devops approach Kris had just explained. Unused features must be disabled, access to the console must be limited, and access to admin interfaces and content management systems must be prohibited from insecure networks.
What about code review? It has become more and more difficult to perform a complete code review due to the size and complexity of modern applications. So, why not install a WAF (“Web Application Firewall“), say companies! Good idea, but it must be properly implemented: most WAFs are left running in non-blocking mode, where they only log what they would have stopped. If you are interested in WAFs, have a look at the tests performed by Larry Suto in November 2011. A WAF will never make your application bullet-proof!
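As an added example (this is not code from Erwin’s talk or from the original post), here is an Apache httpd 2.4 configuration fragment that applies the hardening points above on the web server layer: it stops loading modules the application does not use, restricts the admin and CMS back-ends to a management network, and runs the WAF in blocking mode instead of detection-only. The WAF is assumed to be ModSecurity 2.x (the talk names no product); the document root, the 10.10.0.0/16 management range, the log path and the rule id 100001 are all assumptions to adapt to your own environment.

```apache
# --- Reduce the attack surface -------------------------------------------
# Do not load modules the application does not need. Directory listings and
# the server-status page are rarely required on an application server.
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module modules/mod_status.so

# Do not advertise the httpd version in headers and error pages.
ServerTokens Prod
ServerSignature Off

# Application document root (assumed path): no listings, no SSI, no CGI.
<Directory "/var/www/app">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# --- Admin and CMS back-ends only from the management network -------------
# 10.10.0.0/16 is an assumed range; everything else gets 403.
<Location "/admin">
    Require ip 10.10.0.0/16
</Location>
<Location "/cms">
    Require ip 10.10.0.0/16
</Location>

# --- Web application firewall (ModSecurity 2.x) ---------------------------
LoadModule security2_module modules/mod_security2.so

# Weak but common setting: the WAF logs what it would block and never blocks.
#SecRuleEngine DetectionOnly

# Corrected setting: matching requests are actually rejected.
SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_audit.log

# Example rule (id 100001 is an assumption): reject any request parameter
# carrying a <script> tag, a typical marker of injected content.
SecRule ARGS "@rx (?i)<script" \
    "id:100001,phase:2,deny,status:403,log,msg:'script tag in request parameter'"
```

Validate with `apachectl configtest` before reloading. The usual rollout is the reverse of the weak setting: start with `SecRuleEngine DetectionOnly`, watch the audit log for false positives on real traffic, then switch to `On`. Leaving it at DetectionOnly for good is exactly the “installed but not blocking” situation the talk warns about, and even in blocking mode the WAF only buys time for fixing the code behind it.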
Ok, you hardened your servers and applications. But what about the weakest link, just after the user of course: the endpoint or… the browser! Browsers have become a nice target for hackers because they are easy to hack, and hackers will always use the easiest way to perform their malicious activities. Browsers must also be hardened, by patching them and using sandbox mechanisms. The next step? Our mobile devices. According to Erwin, “2012 will be Android hell!“
To conclude, he gave some examples of malware attacks against e-banking applications, and lots of interesting questions were raised about the security of bank operations on mobile devices. My point of view is very simple: do you really need to perform financial transactions while on the road? Personally, when I’m doing my homework (like paying my bills), I do it from home with all the required documents near me.
The next chapter meeting will be scheduled around the 6th of March… See you there!