AppSec & Broken Window Theory: Why we are winning battles but losing the war

Recently I had the great fortune to present at BSidesSF 2014, where I presented my thoughts on how, despite huge technology advancements in application security, we are still very much failing to make software secure right out of the gate. This has led me to start thinking of AppSec as just as much a sociological problem as a technology one. In my talk I proposed we take ideas from Broken Window Theory and apply them to AppSec, and in true BSides fashion I was treated to a great discussion with an even greater audience. For those looking for the slides from my talk, I've published them here: Many thanks to all who came to hear my talk and I…

I hate Excel - Extracting a domain name from a hostname

Assuming that cell B2 has a hostname like foo.bar.baz.example.com, the following will extract just the domain name from the hostname, e.g. "example.com":

=CONCATENATE(RIGHT(LEFT(B2,LEN(B2)-4),LEN(LEFT(B2,LEN(B2)-4))-FIND("|",SUBSTITUTE(LEFT(B2,LEN(B2)-4),".","|",LEN(LEFT(B2,LEN(B2)-4))-LEN(SUBSTITUTE(LEFT(B2,LEN(B2)-4),".",""))))),RIGHT(B2,4))

Of course this doesn't work if you really care about supporting all the TLDs in the world, but seriously, why was that so hard, Excel? The same thing (with the same TLD issue), in Python (hat tip to StackOverflow):

url = 'http://foo.bar.baz.example.com'
'.'.join(urlparse.urlparse(url).netloc.split('.'…

Encrypting your data on Amazon EC2

Making sure your data is encrypted when it's being stored somewhere outside of your direct control is a good idea. When that system has your customers' data on it, it's a requirement. Unfortunately, when your data is in a cloud environment like Amazon EC2 your options can be limited, confusing, or both. Questions like where to store your key (hint: not in the cloud), what encryption method to use, what you should and can encrypt, and what happens when your EC2 instance reboots are important things to think about upfront. This guide hopes to cover all of those, and if you are using an Amazon Linux AMI (basically CentOS 5.6) I'll also describe the steps you…

The Comedy and Tragedy of Automated Security Source Code Analysis - Act III

ACT III: Reality Sinks In (Read Act I & Act II)

THE SOUND of typing can be heard and then suddenly a loud groan of disappointment.

DEV LEAD
Argggggggggggggggg!!!

FADE IN: INT. CORPORATE OFFICE

THE DEV LEAD is looking at his bug queue in HP Quality Center; the bug count is 6,894 defects, all assigned to him. The DEV LEAD yells over the cube wall to one of his DEVELOPERS.

DEV LEAD
Hey, you screwed up the bug triage again, man. I've got 6,833 bugs that shouldn't be there in my queue, what the heck, man?

DEVELOPER
I didn't do a thing! We did the triage just like you said and moved all those bugs…

The Comedy and Tragedy of Automated Security Source Code Analysis - Act II

ACT II: The Deception (Read Act I Here)

FADE IN: WIDE SHOT -- The server room, filled with blinking lights and racks of servers. We PAN and FOCUS in on the back of the SALES ENGINEER, who is typing away at a terminal. A DEV LEAD sits nearby, looking bored.

SALES ENGINEER'S POV -- The computer screen shows lines of code; the SALES ENGINEER is writing scripts to integrate SourceSecure 4.0 into the company's source code repository.

INT. SERVER ROOM

THE SERVER ROOM is more of a lab than the real server room; used only for development, it contains the central build servers used by the entire dev team. A small desk with two monitors and two…

The Comedy & Tragedy of Automated Security Source Code Analysis - Act 1

The other day I was asked about how one might integrate Veracode's application security analysis solution into their nightly software build process. I get this question all the time because it is a popular idea among automated source code analysis tools, and common sense tells you that it's one of the best ways to go, but is it? When I was responsible for product strategy at SPI Dynamics and later for the HP Application Security Center, we had a product called DevInspect that was designed to bring security testing to the developer's desktop. This product was an experiment and an incubator for new ideas and technologies like Hybrid Analysis (a concept I fleshed out in 2004, but didn't invent…