More than most other engineering areas, information security is an elusive practice. Practitioners are called both geniuses and gurus, sometimes depicted as white coated lab scientists and sometimes as mavericks. Is it a science or a religion? Is it based on empirical evidence, common sense or preconditioned beliefs? Does the data even exist?

This blog attempts to discuss those and related issues by breaking out of the walls of information security, exploring comparative practices as well as relevant research fields such as cognitive psychology and philosophy of science. Some of the specific areas discussed are: risk management, incident and vulnerability statistics, intellectual property, patents and the open source model, and the evaluation and categorization of information security tools.


Cyber Terrorism or Cyber Hooliganism?

Submitted by Ofer Shezaf on 20 January 2012 - 10:45pm

In the last couple of weeks Saudi and Israeli hackers have been busy exchanging attacks on web sites in the respective countries and publishing personal information, including credit card numbers, of citizens of the other side. This is far from the first time that the Arab-Israeli conflict has resulted in hacking contests, which usually happen around periods of tension such as the Gaza invasion in 2009 or the Turkish flotilla to Gaza in 2010. These incidents provide a very interesting insight into the psychology of our reaction to violence in general and cyber violence in particular.

Should we blame Darwin’s evolution?

Submitted by Ofer Shezaf on 26 November 2011 - 12:57am

While we can all recite the potential impact of a breach in a well-rehearsed manner, it is doubtful that we, as individuals or as a society, evaluate breach impact to its full extent. Why do we downplay breach impact and allow so many computers, and even web servers, to be infected?

Will academic security research provide the answer?

Submitted by Ofer Shezaf on 20 November 2011 - 9:41pm

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo research data altogether, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Pen-testing RESTful Web Services

Submitted by Ofer Shezaf on 20 November 2011 - 1:40am

Last week I gave a presentation at Source Barcelona about security testing of RESTful Web Services. While the security aspects of RESTful Web Services are rather similar to those of normal web applications, testing them poses different challenges, which are discussed in the presentation.

The presentation includes:

Suto strikes again, or getting the desired results regardless of data

Submitted by Ofer Shezaf on 17 November 2011 - 11:37pm

Larry Suto, who brought us scanner wars 1 and 2, has published a WAF effectiveness study. As usual, Larry’s work is fun to dissect. While Larry’s research is no worse than your average analyst’s work, he does try to base his conclusions on more concrete, pseudo-scientific research, making it much more vulnerable to scrutiny.

How can one evaluate non-perfect security solutions?

Submitted by Ofer Shezaf on 16 November 2011 - 7:05pm

Amichai Shulman, Imperva's CTO, presented at Source Barcelona today an innovative solution for detecting man-in-the-browser attacks by the web server itself. The interesting aspect of the solution is that it relies on logic that passes unencrypted through the attacker's code. As such, there is no way to prevent the attacker from interfering with it and therefore bypassing detection.

Commercial vs. Open Source, The WAF example

Submitted by Ofer Shezaf on 20 March 2011 - 11:18pm

An interesting case study by Joshua Drummond from UC Irvine compares two open source WAFs, ModSecurity and WebKnight, to an unnamed commercial WAF. The results shed light not just on the difference between open source and commercial solutions but also highlight key requirements of a WAF. It seems that the two issues Joshua finds with open source WAFs are manageability and positive security. It would be interesting to see whether the two new open source WAFs on the block address those shortcomings.

If it is Patented, Why Bother with the Feature?

Submitted by Ofer Shezaf on 10 March 2011 - 3:40pm

While the Cenzic and Sanctum pen testing patents discussed in an earlier blog article question the value of information security patents to society, the classic Sanctum web application firewall patent presents another risk brought on by information security patents: the risk of obscurity.

Why Patents Harm Security?

Submitted by Ofer Shezaf on 7 March 2011 - 8:36am

The social value of software patents, and therefore their validity, is long disputed. While the popular notion of patents is that they are a method to incentivize innovation, the social contract enacted by patents is more elaborate. Patents are a limited property right that a government offers to inventors in exchange for their agreement to share the details of their inventions with the public. The latter part, which is the value of patents to society at large, is often overlooked by the modern-day patent mega-industry.

Why WAFs Fail?

Submitted by Ofer Shezaf on 23 February 2011 - 10:41pm

While securing web applications is a well-understood need, and while WAFs have clear advantages over code review and testing, such as immediate mitigation and higher automation, the WAF market is still a small market. The attached presentation discusses this phenomenon and offers some explanations for it.
