Archive for March 6th, 2008

6
Mar

Security and Vendor Companies

   Posted by: Joshbw    in Secure Development

Many, many companies rely on vendors to do some level of development for them.  Even Microsoft, with its 50,000 someodd full time development staff (probably larger now) and equally large number of contingent staff, ends up outsourcing certain development projects to third party companies (in the case of MS, the reason for this is myriad; for one shot projects it makes no sense to form a team that will be disbanded in a couple months.  For established teams, due to the corporate structure, it is actually easier to get millions of dollars more in a budget than a couple more full time employees, so vendor development ends up being a practical way of filling a manpower gap).  For non-software companies vendors play an even larger role.

In my experience with vendor developed code, from a security standpoint it has largely been absolute crap, with few exceptions (just ask the TSA with their recent disclosure fiasco because of a vendor developed website).  The implementation is a mess, and during pentesting the hardest part is documenting all of the myriad of flaws found.  The cause of this seems to be two fold.  First, most vendor companies have no security mindset to speak of and second, the hiring company didn’t make security a requirement during negotiations (though it is sad that security needs to be an explicit requirement but such is the sad state of software development).

To increase the quality of vendor developed code I have a couple practices.  To begin with, anyone interfacing with a vendor should have a degree of expertise in doing so or be accompanied by someone who does.  Having a marketing guy with no product development knowledge to speak of being the sole liaison with a particular vendor is a really bad idea.  You don’t send an accountant to interview potential pilots, so why send a marketing person to interview potential developers?  They are not going to know the correct questions to ask when determining which vendor company to employ.

Speaking of which, one of the correct questions to ask is “Describe your secure engineering practices and policies”.  A vendor that knows anything about security will immediately start citing policy. “At design time we do this, at implementation time this, at test time this” and so forth.  If they hesitate, have very vague or uncertain answers, or just start talking BS, your conversation should be done.  What they mean to say is that they have no secure engineering plan.  As a followup question, assuming they answered positively to the first question, ask them about the security training their developers and testers have.  What percentage have had training, who gave the training, what sort of training was it, how often do they receive followup training?

As fair warning, Vendor companies that can adequately answer such questions are few and far between.  Companies have to search these vendors out, and those vendors rightly charge more than their competitors.  This premium is money saved in the long run.  Insecure implementations by vendors typically need to be heavily modified if not out right discarded to fix the vulnerabilities, and if exploited in the interim often times the cost of the exploit  is many many times the cost of competent engineers.  Choosing a security ignorant vendor will simply lead to needing to hire the competent vendor three months after the project is done (or alternatively hire another security incompetent vendor and repeat ad nauseam until you learn your lesson). 

Security standards need to be part of vendor requirements as much as any other development standards should be (you do have dev standards you give vendors, right?).  The level of security you expect in the finished product is a feature as much as any other functionality that you want the vendor to implement.  The standards should be thorough and often time explicit: stored passwords should be hashed, sensitive data protected, input verified, output sanitized, authorization and authentication requirements should be specific, windows client side apps should enable ASLR and NX (if getting binaries instead of source) for C++ as well as pass prefast, .Net client side apps should pass fxcop, etc.  The vendor’s paycheck should be as contigent on these things as the implementation of any other functionality.

Ideally, you would get the vendor to agree to some sort of maintenance contract, and if so, security issues need to be called out along with every other bug.  In fact, ideally you would make the contract contingent on the vendor being responsible for fixing vulnerabilities regardless of whether there is a maintenance contract in place or not.  Vendor companies pick up secure practices real fast after the execution of such a support clause a couple hundred times, destroying any profit they might make many times over.

If you do these things you will go a long way to improving the security of code you receive from a vendor.  In the end they should be held to standards at least as high as any internal developer.  You are paying through the teeth (or what ever the saying is; I am unclear wear exactly you should pay through) for their time.  It might as well be worth it.

~ Joshbw 

No Comments
6
Mar

Feature Request for IE 8

   Posted by: Joshbw    in Browser/Web Security

Hey MS, back in the day I used to be able turn javascript off, but IE 7 certainly doesn’t have that feature and I didn’t see it in my look through IE 8.  It would be great if there was a “Paranoid” mode in IE 8, similar to the great NoScript plugin for firefox, that allows me to selectively enable javascript for sites that make heavy use of it (”Paranoid mode” might not be an overly marketable name, so feel free to change the terminology).  You could expand the functionality to granularly block other potentially dangerous functionality, like images and other requests made for offsite resources (in blog comments and forum posts I have seen plenty of XSS attacks based on this), as well as disabling ActiveX controls and other <object> tags on certain websites (considering the number of quicktime/PDF remote exploits I don’t really like the idea of autoloading media in third party players for example).  It would be even better if I could enable this functionality with either a whitelist or blacklist of sites.

In other news, kudos on finally having a decent DOM inspector and javascript debugger!

~ Joshbw

 Update: Yeah, security zones can allow me to do this sort of thing, but it is a pain in the ass.  If I want to lock down my default internet zone to disallow javascript, and then find a website that I want to enable javascript support for, I have to go through tools->internet options->security->sites and add the site to a trusted zone, which isn’t anywhere near as easy as NoScript enabling script for a certain website in FireFox.  It also changes my definition of “trusted site” from one that I trust implicitly with just about any action, including running ActiveX objects unsafe for scripting, to sites I trust to have basic JavaScript support.  I’m not saying Security Zones can’t be modified into something that fulfills this functionality and makes such use practical, but they were not designed for it originally, and would need to be heavily modified with such use in mind.

No Comments
6
Mar

XDomainRequest in IE 8 - no cookies, Yay!

   Posted by: Joshbw    in Browser/Web Security

I’ve only spent an hour or two now with the IE 8 beta, not really enough time to get a real impression of it (there seems to be some nice GUI functionality changes, not much to say on the “standards” compliance yet).  I was happy to see that the new cross domain version of XMLHttpRequest (XDomainRequest) doesn’t send cookies.  When MS first hinted at this feature I was pretty wary.  There is already an XSS method to steal cookies even when HttpOnly is set on the cookie, you essentially make an XMLHttpRequest to the site and read the response headers, but the limitation of this is that you really need to embed this on a web page hosted on the same domain as the source you are making the XMLHttpRequest to (since XMLHttpRequest doesn’t really function all that well across domains).

My concern with cross domain requests was that it would be possible for random attacker Bob (in my world Bob is the generic nefarious individual, much to the consternation of Melinda Gates) to use this same sort of attack, but embedded on completely unrelated webpages.  Cursory examination seems to suggest it won’t be that easy.  There actually seems to be some sort of negotiation necessary just to receive any content.  I’m waiting to see the official MS documentation so I have a better idea what I am doing with the API (more specifically, so I know enough to then try and break the safeguards, because I would rather report a break now and get MS to fix it before they exit beta).  It seems someone else has the same idea, which is good.  I could see a lot of room for abuse if a flaw is found in this scheme so hopefully the security community will do a good job pounding on this functionality before release.

~ Joshbw

UPDATE: for those who want to play around with IE 8 but don’t want to overwrite IE 7 (or 6… please upgrade if you are on 6), MS has free virtual PC images available that already include IE 8. Virtual PC 2007 is needed to run them, but it is also available as a free download and completely rocks as a workstation VM.

1 Comment
Back to top