My Security Planet » Items by Gunnar Peterson

Feeds

6078 items (0 unread) in 72 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Items by Gunnar Peterson

1 Raindrop

• 

  My Year in Cities

  Posted: December 30th, 2008, 3:48pm CST by Gunnar Peterson

  Tags:    [edit]

  I liked this list, so I made my own list of cities I visited in 2008, * means more than one trip
  
  New York, NY*San Jose, CA*San Francisco, CAChicago, ILWoods Hole, MAHartford, CTFort Myers Beach, FLBoston, MACypress, CAAlexandria, VAOmaha, NE*Anaheim, CATucson, AZKeystone, COBoulder, CODes Moines, IANorthampton, MASomerset, NJCook, MN
• 

  Trying out Twitter

  Posted: December 30th, 2008, 8:53am CST by Gunnar Peterson

  Tags:    [edit]

  here 

• 

  Driving Safely on Snow

  Posted: December 17th, 2008, 11:04pm CST by Gunnar Peterson

  Tags:    [edit]

  Probably the biggest problem in information security is that the people who work in information security are over focused on threats that they can do little about. So much money and resources are wasted by chasing a threat's tailights (usually aided and abetted by a vendor whose product supposedly helps you catch said taillights), a major portion of this energy and resources are better channeled into building more secure system in the first place - finding and fixing vulnerabilities. Rather than building systems that break when you look at them funny and then complaining about threats, build better stuff in the first place.

  
  Because they have a first class threat model, the automakers have figured this out for decades, outside of Microsoft we have not seen any large scale market forces in information security that has improved security in systems, but we sure have in cars.
  
  

  VOLVO’S new XC60 sport-utility vehicle comes, as you might expect of the safety-conscious Swedish carmaker, with a number of features designed to look after its occupants in the event of a collision. It has airbags, rollover and side-impact protection and so forth. But it is also fitted with mechanisms to help avoid a crash in the first place, including an automated braking system. As more cars acquire features that can assist a driver in a dangerous situation, or even take control, the rules of the road may need rethinking.

  
  The Volvo system, called City Safety, operates at up to 30kph (19mph). This speed range was chosen because it is when most collisions take place, especially rear-end shunts in slow-moving traffic. City Safety uses a laser sensor fitted behind the windscreen to scan the road ahead, calculating relative speeds and distances. It applies the brakes if a collision cannot be avoided. (The system switches off at very low speeds, so that drivers can park close to other vehicles.)
  
  

  A number of carmakers already have or are introducing automated-braking systems. Germany’s Daimler uses a radar-based one in some of its Mercedes-Benz vehicles. Called Distronic, it also operates at high speed and adjusts both braking and acceleration to maintain a constant distance from other cars. If a collision seems likely a warning is given. When the driver puts his foot on the brake pedal the system automatically applies the optimum pressure required to avoid hitting the car in front. If the driver fails to respond, the brakes come on automatically.

  There are a number of great concepts in here for infosec to learn from. Managing risks begins and ends with protecting assets, i.e. passengers. Sure threats are important, but they are not the main focus. You can easily imagine if infosec people were in charge of designing safer cars they would say things like "its snowing in Minnesota!" "people drive too fast in NYC!", instead of focusing on building better brakes, air bags, and safety systems, infosec gets wound around the threat axel far too often.

  Eventually these safety systems will make their way from expensive cars to most models, just as anti-lock brakes have. This will make cars much more “aware” of their surroundings. Even smarter stuff is coming. Jan Ivarsson, head of safety at Volvo, believes it should be possible to build a car in which people will not be killed or injured. The company is experimenting with devices that would automatically steer away from an oncoming vehicle. Such a car would also spot a pedestrian stepping into the road and brake.

  
  Walking the unbelievably large vendor floor at RSA this year I experienced fear and loathing at the lame solutions being offered. The excuse used to be that no one spent money on infosec, well the infosec budgets have been growing for years now, but you know what the problem is? Its being invested in the wrong places, instead of protecting assets, the vendors throw out some vague threat model show how their half baked product supposedly deals with it and then people actually buy this stuff. Amazing. 
  Whats exciting to me, is stuff that comprised less than 1% of the floor, actual security innovation like SAML, Cardspace, and static analysis. If we are ever going to get to something closer to safer cars these are tools that are going to get us there, not obsessing about threats of snow in Minneapolis.
• 

  Federated Guanxi

  Posted: December 16th, 2008, 11:30pm CST by Gunnar Peterson

  Tags:    [edit]

  One of the underexplored areas in Service Oriented Security is what types of federated relationships are valuable, and what new composite identity architectures emerge from these connections. In my view, the main weakness of security architectures is their limited scope and lack of flexibility. Most software is built using composition, but most security protocols do not compose and certainly most lack the ability to deal with multiple namespaces, domains, and symmetric/asymmetric relationships, at least until WS-Security, SAML and friends came along. Further, PKI and X.509 are fine, but most the data you need to assert and make authorization decision lives deep inside a directory or database not in a key store. So we need to be able to bring together multiple elements in security architecture.

  
  Consider the Chinese verb Guanxi:
  

  The Chinese web is notable for a large number of mutually linking web sites. We hypothesize that this is in part a manifestation of a social construct known as guanxi, which can be widely observed in Chinese culture. Guanxi has been described as “an informal … personal connection between two individuals who are bounded by an implicit psychological contract to [maintain] a long term relationship, mutual commitment, loyalty and obligation.” Dyadic relationships are the fundamental units of guanxi networks. To establish guanxi, two parties must first establish a guanxi base: a tie between two individuals, e.g., same birthplace, same workplace, same family, close friendship. Also, two individuals can claim to have guanxi by acquaintance through a third party with whom they both have guanxi. Once a guanxi base is formed, guanxi can be developed through the exchange of resources ranging from moral support and friendship to favors and material goods.

  
  Sure sounds like federation to me, a tie between two parties but not just a simple key exchange a la PKI, the relationship in federation is deeper, and agrees on schema, types, values, and resources (or at least resource identifiers).
  56minus1 goes on to look at strong and cheap guanxi based on how nodes are linked and who they are linked to. My guess is that something like is the logical next step for SAML, CBAC and other web facing identity protocols to help service providers distinguish the guanxi and better evaluate the identity claims.
• 

  Don't Give Money to Charities This Holiday Season - Loan it to a Business

  Posted: December 16th, 2008, 8:50am CST by Gunnar Peterson

  Tags:    [edit]

  No I am not talking about bailouts, and I am obviously not suggesting that you not support your favorite charity; microfinance is a way to lend money to entrepreneurs who have good ideas, energy, initiative, and a real business, but lack capital. A relatively small amount of capital can help these businesses grow and thrive. For example, let's say you are a rice farmer in a small village in Cambodia, if you had a motorcycle you could get to the nearest big town and get a much better price for your rice. Only thing missing is the banker to cover the loan for the motorcycle. 

  
  This is where microfinance comes in.Kiva is a site that makes it easy to be a "banker to the poor" and there is even a Team OWASP on Kiva, which has 33 loans in process, note Kiva's repayment rate on loans is over 99%, so to paraphrase Tom Barnett-  you don't have to wait for change from above, just get your own foreign policy.
  
  
• 

  Know Your Customer

  Posted: December 10th, 2008, 4:50pm CST by Gunnar Peterson

  Tags:    [edit]

  iang:

  I think this is why the best engineers who've done great security things start from the top; from the customer, the product, the market. They know that in order to secure something, they had better know what the something is before even attempting to add a cryptosec layer over it.

  Which is to say, security cannot be a separate discipline. It can be a separate theory, a bit like statics is a theory from civil engineering, or triage is a part of medicine. You might study it in University, but you don't get a job in it; every practitioner needs some basic security. If you are a specialist in security, your job is more or less to teach it to practitioners. The alternate is to ask the practitioners to teach you about the product, which doesn't seem sensible.
  

  I could not agree more software security are not separate:

  Software development is its own culture discipline - processes, scripts, languages, and so on. Security is its own discipline and culture. As long as these remain separate disciplines, separate cultures, we'll see the same results we have seen so far - namely minimal to no security is software. On a basic level things are not going to improve until the practices, tools, and people are unified.

  If I were a CISO, I would structure the security team as Security Design & Development, Secure Deployment, and Secure Operations. You are either building something, deploying something, or operating something. Security is just an implicit part of doing one of those things. I would then train and out source as many of those activities outside of the security group as possible. Train developers to write secure code, train architects to design secure systems, and so on. Arm the designers, developers, deployers, and operations with security foo and get out of the way. Study Charlemagne and Garigue for more ideas.

  I think what Infosec needs to ask itself is where precisely are they adding the most value, and focus on getting better at those areas and get out of the way on the others.

• 

  Asset Focus

  Posted: December 9th, 2008, 7:05am CST by Gunnar Peterson

  Tags:    [edit]

  Several people emailed me about my talk on Finding and Fixing Vulnerabilities in Distributed Systems, basically commenting - "why do you assume you can fix all the vulns, don't you know threats are really bad, its all about threats," and so on. My answer is basically that no question - what I describe wrt finding and fixing vulnerabilities is not a complete solution. However, it is in my experience the best use of time and money to spend your time and money on the places where you have an unfair advantage. To get an unfair advantage over the attacker we need to play games that we can win.
  
  If we look at risk management as being comprised of threats that exploit some vulnerability against some asset, there is really only one area where the defender has an information advantage - assets. The attacker knows way more about threats than defenders, the attackers know way more about most vulnerabilities as well. The one area where the enterprise security person may have the advantage of more and better information is on the asset side. Hopefully you know your assets better than the attacker does, so how do you beat Garry Kasparov and Michael Jordan? You play basketball against Kasparov and chess against Michael Jordan. I have no idea how good they are at these sports, but I bet you have a better chance at beating them if you pick the game instead of them.

• 

  The Economist on Cyberattacks

  Posted: December 6th, 2008, 9:24am CST by Gunnar Peterson

  Tags:    [edit]

  For many topics, The Economist is my favorite news source. It was really cool to see this story on cyberattacks which quoted four of my favorite security writers all in the same story - Richard Bejtlich, Bruce Schneier, John Robb and Tom Barnett. The reporter picked a good mix because Bejtlich and Schneier come from the digital perspective and Robb and Barnett are more from "physical world" perspective, but the lines are increasingly blurred as the story points out. 

  
  Tom Barnett in particular is worth information security people's time to read because so much of the security industry obsesses about threats, but Barnett shows the importance of understanding the economics and system level concerns like resilience.
• 

  What chance do we have?

  Posted: December 6th, 2008, 9:13am CST by Gunnar Peterson

  Tags:    [edit]

  In the Twin Cities, there is not a lot of good barbecue, but there is one place that is fantastic, its called Big Daddy's barbecue (thanks Dara!) and its only open on Friday and Saturday afternoon, it operates out of a parking lot in St Paul. I try to get there as often as possible. 

  
  We just started to get some snow in Minnesota, and I was planning an outing to Big Daddy's with a fried who is doctor, a hand specialist. So I was asking him what time would work, he said "Well, I should be able to go but I am on call."
  So I said, "Well I hope no one hurts their hand on the weekend."
  He said,"It just started to snow, so people go out and use their snow blowers, then the snow blowers get jammed on the vent side and the motor is still running, but no snow is blowing out the side. So they stick there hand in the vent and gets chopped by the motor. It happens all the time. They think, well I am pretty quick I can get my hand in and out of there without getting chopped"
  
  To get more secure systems, we need people to understand the risks and then deal with the risks through reducing vulnerabilities, building better countermeasures and so on, but it all starts with some level of risk understanding. If people are willing to take these chances with snowblowers and the risk of losing hands, where does that leave us with communicating risks on something as abstract as software security?
  
• 

  Who do you train and how do you train them?

  Posted: December 4th, 2008, 1:45pm CST by Gunnar Peterson

  Tags:    [edit]

  The Motley Fool's Dave Gardner blogged about Drucker's approach to training:

  
  

  We've tried to manage our Motley Fool business the Drucker way for 15 years, too. Lemme ask you a question. I'm putting you in charge of your human resources group, in charge of your corporate culture, and you have two choices of how to spend $100,000 -- your call, here, Drucker or Anti-Drucker -- these are the two ways you can invest:

  
  (a) a program to try to get D- employees up to a C, people who have motivational and/or social problems, toxicly bring down the teams they're on, and clearly aren't fit to be hired even by weak competitors in your field, or
  
  

  (b) a program to invest in your stars -- invest in more training, outside experiences, and leadership opportunities for your best employees

  In my swamp of software security training, I have trained both an organization's average developers as well as their top people. I think there is validity to both, because security is a system problem, but the approaches you use are slightly different. In the case of getting the general developer population up to speed you usually want to aim for a checklist type approach and give the developers something like a cookbook full of recipes they can follow. So you are heavier on the prescription of what to do and less about the why.

  When I am training the top architects, developers, and security people, then I usually aim to give more of a security architecture framework, so they can then apply the framework depending on the specific problem context.

  Developing and delivering training begins by understanding if its a raise the floor effort or a raise the ceiling effort. I think they are both very valid today, so many developers have not had one single day of software security training, and it shows all the way across the software development industry. I did a training class recently, about 15 people in the class at the beginning I asked how many people had been programming at least 5 years, all the hands went up but one. I asked how many people had ever had a single day of software security training. One hand went up. Of course, they had all had multiple week or months of training on j2EE, Weblogic, WAS, SAP, etc. but not a day on security. Software security is easily as complex as programming Weblogic. Would you turn a developer loose on your production Weblogic with no training?

  A funny postscript walking out of the room there was one person who had been programming a short time, like 18 months, another had almost 20 years, by the end of the day they both had the same amount of software security training

• 

  Even in DC, Authentication is a Guess

  Posted: December 4th, 2008, 10:11am CST by Gunnar Peterson

  Tags:    [edit]

  Florida Congresswoman hangs up on Obama twice (story):

  
  

  For Florida Republican Rep. Ileana Ros-Lehtinen, the voice on her cell phone sounded eerily familiar.

  
  “He sounded just like Obama,” she said on Thursday, referring to President-elect Barack Obama.
  Sensing she was the victim of a spoof by a South Florida radio station, she promptly disconnected the call.

  Trouble was, it was Obama.

  A chagrined Ros-Lehtinen told the Fox News Channel that she also hung up on Obama’s chief of staff, Rahm Emanuel, when he called her back to explain it really was the next president on the line.

  Both Emanuel and Obama tried to convince her the call was for real.

  “Guys, it’s a great prank, really,” she said she told them.

  It took a subsequent call from California Democratic Rep. Howard Berman, chairman of the House Foreign Affairs Committee, to finally convince Ros-Lehtinen to talk to Obama.

  To convince her that it really was Berman, she said she told him, “Give me the private joke that we share.”

  
  

  This underscores a point that I make in training, which is that at design time you must separate your authentication logic from your authorization logic. At runtime they are frequently combined, but at design time its crucial to realize that authentication is a guess, and authorization is a memory; or if you prefer you can think of it as authentication is a mystery and authorization is a puzzle. 
  In the authorization case you have all the assertions at hand and need to render a decision, in the authentication case you need to piece together your guess at the reality of the situation and then bind to the principal (which becomes the assertion). Confusing or conflating the two separate functions leads to all sorts of problems.
• 

  Tom Barnett Speaking in Minnesota

  Posted: December 3rd, 2008, 7:02pm CST by Gunnar Peterson

  Tags:    [edit]

  A couple of years ago, I saw Tom Friedman talk in Minneapolis. It was around the 3rd edition of World is Flat, so he did a brief talk on that and then launched into what became his focus on green which he has been writing on for the last few years. It was a great talk and afterwards I remember asking the people who put it on if they did another series they should consider bringing in Tom Barnett.

  
  Well I had to wait a couple of years, and its a different organization, but Tom Barnett is speaking in MN in January and it should be great. I think if you want to understand globalization, how people and businesses are connected and what the security implications of this are (hint - its about federation and distribution not centralization), then Friedman and Barnett are two of the best people at articulating what's going on now and looking out to the horizon of what's coming next.
  Too bad with all the colleges in the Twin Cities, that we have to go all the way to Mankato, but props to Minnesota State for making this happen!
• 

  SOA Security in Real Life

  Posted: November 30th, 2008, 5:29pm CST by Gunnar Peterson

  Tags:    [edit]

  I started off my last article on SOA Security this way:

  
  

  When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move. 

  Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

  
  Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).
  The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.
  Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which  were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.
  For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.
• 

  Is That a Coffee Table or a Munition?

  Posted: November 25th, 2008, 12:40pm CST by Gunnar Peterson

  Tags:    [edit]

  One of the standard software security prescriptions for the SDLC is to data classification and enforce least privilege. From a security perspective this sounds fantastic, especially on a whiteboard. When the rubber meets the real world road, things often turn out slightly different. 

  
  It turns out that it is hard to conduct business with excessive granularity.
  
  Here is an article from The Economist on the challenges of space technology, commercialization and information sharing. This is widely applicable to corporate information security policies:
  

  Gravity is not the main obstacle for America’s space business. Government is

  IN THE spring of 2006 Robert Bigelow needed to take a stand on a trip to Russia to keep a satellite off the floor. The stand was made of aluminium. It had a circular base and legs. It was, says the entrepreneur and head of Bigelow Aerospace in Nevada, “indistinguishable from a common coffee table”. Nonetheless, the American authorities told Mr Bigelow that this coffee table was part of a satellite assembly and so counted as a munition. During the trip it would have to be guarded by two security officers at all times.

  
  Exporting technology has always presented a dilemma for America. The country leads the world in most technologies and some of these give it a military advantage. If export rules are too lax, foreign powers will be able to put American technology in their systems, or copy it. But if the rules are too tight, then it will stifle the industries that depend upon sales to create the next generation of technology.
  
  

  It is a difficult balance to strike and critics charge that America has erred on the side of stifling. They claim that overly strict export controls have so damaged the space industry that America’s national security is now threatened by its dwindling leadership in space technology. The system, they complain, fails to distinguish between militarily sensitive hardware that should be controlled and widely available commercial technologies, such as lithium-ion batteries and solar cells. The zealous application of the export rules is the American space industry’s biggest handicap.

  
  Read the whole thing its fascinating. So what started off as well intentioned asset protection eventually compromised the most important asset of all - strategic advantage.
  So what's a better model? I am partial to think about these sorts of problems as free trade agreements. Each integration point should have a set of policies, and enforcement mechanisms that also include compensating transactions.
  For example, did you know that in the US you can buy companies that trade on other exchanges through ADRs? You buy the ADR of say a French Telco which trades on a European exchange only you buy the ADR on the NYSE or Nasdaq. Then the French Telco issues you a dividend because you are a shareholder, but the French government withholds the dividend for foreign owners. Yet because there is a free trade agreement between the two countries, the US lets you write off the unreceived portion of the dividend on your taxes. (this may or may not be the case in US-France just an example). Anyway, its not a silver bullet but its an interesting strategy.
  
• 

  Confidentiality, Integrity, Availability - Pick Any Two

  Posted: November 21st, 2008, 9:50am CST by Gunnar Peterson

  Tags:    [edit]

  Under Worm Assault, Military Bans Disks, USB Drives

  
  

  The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

  
  The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to "floppy disks," is supposed to take effect "immediately." Similar notices went out to the other military services.
  
  

  In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute.
  

  
  

  Its almost like we built out a bunch of systems and then connected them to huge networks without building security into the software or something.
• 

  Not Your Father's Data Breach

  Posted: November 20th, 2008, 9:37am CST by Gunnar Peterson

  Tags:    [edit]

  I am surprised this doesn't happen more often, or become public when it does happen, and I suspect it will:

  
  

  Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

  
  Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.
  
  

  The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

  Last week, the criminal activity expanded: Express Scripts said that individual clients had received extortion letters directly.

  Express Scripts is cooperating with the FBI in the case. It issued a statement saying it would not pay any extortion demands. The company is offering a $1 million reward for information leading to the arrest and conviction of the extortionist or extortionists.

  Beyond the scale of the problem for Express Scripts — and the potential impact on the company is enormous — the issue extends well beyond the mounting concerns about identity theft, a phenomenon with which most people have become at least somewhat familiar.

  
  The greater problem is the unique nature of personal medical records, the importance of moving to computerization of such records to improve health safety and reduce costs and the irreversibility of the damage people can suffer if confidential medical information becomes public. The stakes are so high that a federal law establishes strict standards for maintaining the privacy of medical information and stiff fines for failing to do so.

  
  Medical records of all kinds — paper and, especially, electronic — must be protected with the most sophisticated kinds of security systems available, including backup protections and automatic alerts of security violations. Yet Express Scripts learned of this breach in the “worst way,” as InformationWeek.com security correspondent George Hulme put it in an online report: “via an extortion letter.”

  
  The Express Scripts breach raises many questions for all elements of the health industry: hospitals, clinics and doctors’ practices, benefits management firms, insurance companies, pharmacies, employers and government agencies:
  Are they using the most advanced information security technology possible? Do they minimize the amount of data they collect and keep it only as long as necessary? Do they have strict protocols governing access to personal and medical data — and systems to enforce those protocols? If criminals were to hack into their systems, how would the companies know? How soon? And are the systems capable of instantly cutting off illegal access as soon as a breach is discovered?

  
  Confronted with a grave breach of electronic security, Express Scripts has responded by contacting law enforcement, establishing an informational website, offering a substantial reward and hiring a private consulting firm to help clients who have privacy concerns and investigate situations that “appear to be tied to identity theft” and provide “identity restoration services.” There is no question that the company is taking the situation extremely seriously.
  Given the ongoing criminal situation, information about how Express Scripts’ data systems were compromised — and whether it could have been avoided — has yet to be disclosed. But the American people have the right to expect that their sensitive personal and medical information is zealously protected and kept secure — not only by Express Scripts but also by every person or company entrusted with it.
  

  
  The reason I am surprised this doesn't happen more often is that many Fortune 500 companies have oceans and oceans of personal data. Almost the only companies that have even tried to get to a medium level assurance are financial companies, yet many of the other companies have as much or even more data, with lower assurance. All that was lacking in the mix was an incentive and a bit of creativity and risk taking by the bad guys.

  
  I posted this to the security metrics list and Andy Jaquith quoted it in his great book Security Metrics:
  

  "Customers and customer relationships...have tangible measurable value to businesses, and their value is much easier to communicate to those who fund projects. So in an enterprise risk management scenario, their vlaue informs the risk management process...[For example, consider] a farmer deciding which crop to grow. A farmer interested in short term profits may grow the same high yield crop every year, but over time this would burn the fields out. The long term focused farmer would rotate the crops and invest in things that build the value of the farm and soil over time. Investing in security on behalf of your customers is like this. The investment made in securing your customer's data build current and future value for them. Measuring the value of the customer and relationships helps to target where to allocate security resources."

  
  Of course this is the opposite of how most organizations do risk management and security architecture, and now, the fields have turned brown.
  
  I was teaching a training class on App Sec and someone asked how do you get developers to care about security. One technique I use when a developer is saying "well this is not great but its good enough to pass this sensitive data over the wire unencrypted or store it in the clear", I simply ask, "well can we use your Mom's SSN to test this then?" its works more often than you might think.
  (Thanks to Chris for pointing me to this story)
• 

  The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

  Posted: November 18th, 2008, 10:47pm CST by Gunnar Peterson

  Tags:    [edit]

  The Economics of Finding and Fixing Vulnerabilities in Distributed Systems Quality of Protection KeynoteAlexandria, VAOctober 27. 2008
  Gunnar PetersonManaging Principal, Arctec GroupBlog: http://1raindrop.typepad.com
  When Andy Ozment asked me over the summer to do this talk at QoP, I knew back in August that the topic I wanted to address was security and economics. So to that end I would like to start by thanking all of our friends on Wall Street and here in Washington DC for providing such a rich tapestry of recent events that I can speak to.
  Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is"[1], there are not many people who can call a ten year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, consultants, and everyone else has realized that security is really about risk management.
  Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter [2] talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.
  So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation - "All these people are talking about risk, but they don't have any assets." You can't do risk management if you don't know your assets.
  Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.
  Recent events have taught us again, that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk looking at his career as a way to understand risk management and what we can infer for our digital assets.
  Warren Buffett's evolution as an investor can be broken up into two parts. He began his career very much influenced by Ben Graham, who sought to buy "cheap stocks", comparing the price of the stock to value of the company's assets, and placing many, diversified bets on companies whose share price was below the total assets. Note that the businesses may have been of unremarkable quality, but when the price was right Graham would buy in, wait for it to rise and then sell. This was the dawn of value investing.
  Buffett's later career departed from Graham's strict, statistical measures, where he sought to buy into companies that were selling at a fair price, but were also high quality businesses. We will examine high quality in Part 2 of this talk, but first we go to Part 1 which is asset value.
  Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to.  You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.
  When Warren Buffett was 19 years old studying at the University of Nebraska, he read Ben Graham's book "The Intelligent Investor", Buffett said he thought it was the best book on investing he has ever read and still feels that way today. In the Intelligent Investor Graham lays out the framework of value investing. Specifically, Graham talks about three concepts - Mr. Market, a stock is a piece of a business, and Margin of Safety.
  Mr. Market is a fictional, teaching device invented by Graham. You imagine that you have a somewhat manic depressive business partner called Mr. Market. Every day, Mr. Market comes into the office and offers you quotes on companies, some days he is in a good mood and the prices are high, other days he is gloomy and prices are low. The market is a quote machine, for quoting prices, not a value assessment machine. Your job is to wait for the right price, and you are free to take as many passes and be as patient as you would like, Mr. Market will just show up the next day and throw out a new price. 
  Graham used Mr. Market to teach us the separation between a price of a stock, and the value of a company. The second big concept from Intelligent Investor is that buying a stock is buying a small piece of the underlying business. You are not buying a roulette chip, or a number that fluctuates in the newspaper every day, rather you are buying a piece of the company's existing and future cash flow. What the stock market says General Electric is worth yesterday, today or tomorrow is separate from GE's actual ability to generate cash flow.
  The last big concept in "The Intelligent Investor" and the one seemingly most applicable to information security is the Margin of Safety. Graham's margin of safety involved calculating the intrinsic value of a business and then buying stock where the market cap of a company is less than its intrinsic value. So if a company has $100 million in assets and a market capitalization of $75 million, then an investor would get a 25% margin of safety. Ideally, Graham wanted to buy stocks that were selling for one half of their book value, i.e. with a 50% margin of safety. Graham said that buying stocks without a margin of safety, above their book value, speculation, not investing.
  So price is readily available, but how do we calculate intrinsic value so that we can ascertain the margin of safety? Graham used quantitative statistical measures, relying heavily on the company's book value, like its hard assets. What would it take for a competitor to reproduce the company's assets - its factories, distribution system, and so on. The difference between the book value of the assets and market cap is the margin of safety.
  What can we learn in information security from this quantitative approach? Where price and value are readily ascertainable we should build countermeasures and eliminate on vulnerabilities that give our assets a wide margin of safety. Since budgets are not unlimited we should prefer vulnerabilities that are cheap to find, cheap to fix.
  First to the asset question, information security budgets like all IT budgets are crufty, they are not a reflection of today's top issues and priorities so much as an accumulating snowball of decisions, legacy contracts, and solution attempts to yesteryear's problems. Today the normal Information Security budget is just a legacy artifact from bygone years when the network was the purported greatest vulnerability. If you were around in 1995, you remember the great gnashing of gears as the enterprises opened up their networks, connected their back ends to the Web and began to transact business in the giant virtual space.
  The security people huffed and puffed that it was dangerous but there was simply too much money to be made, so businesses went ahead. The security people would not go down without a fight and insisted on countermeasures. They got two - the network firewall and SSL. The firewall was used to separate the average Fortune 500s network of hundreds of thousands of machines, employees, consultants, and partners from the web at large. SSL was used to protect the network channel between the web server and the client browser. so the network firewall separated the network segments, and SSL in effect encrypted the last mile of many million complex transactions and computations.
  In 1995, this seemed like a good security architecture. When we built out these security architectures, the eCommerce market was derided as a toy. Amazon famously lost money for years - losing a little on every transaction but making it up in volume. When the market is nascent, a quaint security architecture offers cost effective protection. But what about 2008? Those cute little eCommerce buggers have grown they even make profits now - market caps measured in the tens of billions, accumulating large cash hordes, no debt, and the largest ones are in better financial shape than the financial services players that kicked sand in their face in the dotcom era. 
  And its not just eCommerce, the "real" economy Fortune 500 types are all connected as well. Directly and indirectly the Web is seeping into all businesses. Major changes from when the security architecture of the web was built out. But has the security architecture changed to reflect these new business realities? Not a bit of it!
  We can use the book value of the IT budget investments and the book value of the Information Security investments to see what kind of Margins of Safety Information Security groups are engineering.
  Let's look at some market data, Gary McGraw reviewed the numbers [2] in software security for 2007, breaking down software security sectors like tools and services. Here is a summary of his findings on software security tools:
  "One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).
  ...
  The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.
  
  On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million."
  These are very nice growth numbers, what company doesn't want 83% growth? However, the let's look at the total picture and compare the software security countermeasures against other security mechanisms. Gary McGraw's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space, in what alternate universe does this make sense?
  This is where we begin to see that decisions in the People's Republic of Information Security have no real risk management thinking, they truly are swimming naked and hoping the tide doesn't go out.
  Let's look at network assets. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.
  Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion in just three vendors and you are going to "defend" that with allocating $150 Million worth of software security tools?
  On the network side we are buying $900 million of security countermeasures (Checkpoint firewalls) to protect $39.5 billion worth of Cisco gear, about 2.3% of the network investment goes to security.
  On the software side, we are buying $150 million of security countermeasures (like static analysis and black box scanners) to protect $98 billion of software (you know the stuff that runs the whole business), roughly coming to about 0.2% of the software budget goes to security.
  This is very disturbing. From a prioritization standpoint The People's Republic of Information Security is misaligned by an order of magnitude at least. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball, it invests in network security not because those controls have greater efficacy (the whole point of networks is they are dumb), no, they invest in network firewalls because they bought a bunch in 1995, some more in 1998, and heck they just kept buying them, the Checkpoint rep kept showing up and taking CISOs out to play golf, contracts got renewed, and poof - there goes the security budget.
  Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today.
  The optimistic way of looking at all this data is that there is major room for growth for software security, if you take network security as a target for a mature industry and assume that 2.3% is a reasonable margin of safety, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.
  My friend Brian Chess has a nice way of looking at this he says 2007 was the turning point - "the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists."
  Now I am not suggesting that Information Security budgets have to be aligned with IT budget one for one, but I do think that looking at the overall IT budget is the starting point. If Information Security has a more cost effective security mechanism they should deploy it, but the starting point should be aligned to the business. Businesses spend most of their money on software, and there are very good reasons - competitive advantage, increased revenues and lower costs. Information Security spends most of its money on network security, and there is no good reason why, except that it was a seemingly good idea in 1995. You really don't have to go beyond the book value of IT investment as a whole versus Information Security to see a stunning disparity. Information Security's job is to deliver a Margin of Safety to the business, but they are not. 
  To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:
  - Network: all the resources invested in Cisco, network admins, etc.- Host: all the resources invested in Unix, Windows, sys admins, etc.- Applications: all the resources invested in developers, CRM, ERP, etc.- Data: all the resources invested in databases, DBAs, etc.
  Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.
  Then do the same exercise for the Information Security budget:
  - Network: all the resources invested in network firewalls, firewall admins, etc.- Host: all the resources invested in Vulnerability management, patching, etc.- Applications: all the resources invested in static analysis, black box scanning etc.- Data: all the resources invested in database encryption, database monitoring, etc.
  Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!
  Its not just about alignment for alignment's sake, its about applying controls as a way to have a Margin of Safety properly placed so that when not if there is a failure on a higher value asset you are relatively better positioned to deal with it. 
  The pure statistical approach can only take us so far. Buffett said he would be a lot poorer if all he did was listen to Ben Graham. Book value is great to see the diametric opposition mentioned above, but it doesn't really tell us much about the efficacy of the security mechanisms.
  What we do get out of this statistical approach is a screen. The asset value screen filters out subjective opinion and narrows the field for where we need to dig in to do the high value, time consuming analytical work.
  The second part of Warren Buffett's career and the second part of this talk leave behind pure statistical measures. In Warren Buffett's case he was joined by a guy named Charlie Munger who talked him out of the pure Ben Graham approach. Charlie Munger has a saying - "a great business at a fair price beats a fair business at a great price." Where Graham was focused on price and margin of safety, Munger wants a fair price but also a high quality business. This lead to Warren Buffett's company Berkshire Hathaway investing in companies like Coca Cola, Wells Fargo, and American Express, where the prices were far from dirt cheap (as Graham would have wanted), but the long term returns were outstanding.
  In our world of Information Security, we start by aligning our priorities with the business using the thumbnail defense in depth approach, but then we would like to invest in high quality, effective controls.
  To get at the notion of control quality and effectiveness, I am going to start part 2 of this talk with a brief history of software. The first web software was just static HTML, but web software really got interesting when developers started creating dynamic websites using CGI an PERL.
  Once websites were hooked up to company databases and were not just serving static content, the security people realized they needed a security architecture, and they sprung into action. What they came up was was model that divided the world into "good stuff" which was comprised of all their networks, systems, and data; and then there was everything else the "bad stuff" on the Internet. So job one of the early days Internet security architecture was to separate all your good stuff (i.e. your network) for the bad stuff (the Internet). To do this the security people used a sophisticated tool called Visio to draw a flaming brick wall on the network diagram, and this flaming brick wall was supposed to keep the good stuff and the bad stuff separate.
  The security people also realized that the data and session tokens that they served up from their Web server would have to traverse the "bad" neighborhood called the Internet, so they added one more security mechanism to secure the last mile of the transaction - SSL between the browser and the Web server.
  And this was the state of the art security architecture used circa 1995 to protect the earliest dynamic web applications.
  What happened next was that the dotcom boom started to happen and businesses realized they could make some real money on the Web, the web apps started to get more sophisticated, more personalization, richer session experiences and so on. This led the Java people to create JSP and the Microsoft people to create ASP, and of course the PERL people to create even greasier PERL scripts, all of this in the effort to pooling resources and sessions on the Web server. The security people defended this new application programming model with network firewall and SSL.
  Around 1998, developers began building out more distributed N tier or 3 tier applications that separated the business logic layer, the presentation layer and the data access layer. Among other things, your web application could seamlessly integrate data from multiple back ends systems. Let's say you have pricing data in Oracle, order data in SAP, and customer data in a Mainframe. You write separate data access objects, apply business logic in the middle tier and then you tie it all together in a friendly user interface. At this point the web applications are beginning to integrate across departments and geographic boundaries, huge critical chunks of the business are now connected to the web. How did the security people defend this part of the business? They applied the same 1995 security architecture - network firewall and SSL.
  Around 1999-2000 timeframe businesses relied on web applications for major parts of the revenue, and the apps were built in different technologies like Java and Microsoft technologies, but the customer didn't care (still doesn't), the customer wanted (and still wants) data access and functionality. So to integrate the disparate technologies, SOAP and XML were deployed so that Microsoft could talk to Java and so Websphere could talk to Weblogic and so on. And, oh yes, SOAP and XML were used to connect B2B networks so partners in a supply chain and business process can exchange data and interoperate.  SOAP and XML present a fundamentally new programming model based on a message document style integration, where XML is used to mesh together data and functionality across platforms. SOAP and XML have no security model by default for authentication, authorization, and confidentiality. How did the security people deal with this? They kept the security architecture the same as they had in 1995 - network firewalls and SSL.
  The software world did not stop innovating in 2000 of course, in the last few years we have seen Web services and XML form the basis of baroque and powerful SOAs and simple REST applications. We have seen Web 2.0 come on the scene, and entirely new networked applications built on top of that.
  What we have not seen, is a single meaningful change in security architecture in 13 years. Developers have evolved, businesses have increasingly bet their entire business models on the web and they have increased security budgets. But what has the security architecture as its deployed in the field got to show for all of this? More firewalls and more SSL connections.
  Since Information Security has proven incapable of evolving, it is time to learn from a discipline that has mastered innovation - software development, and yes, I will step back in case the lightning bolts hits.
  What does software development focus on these days? Well, let's look at Service Oriented Architecture (SOA), all hype aside I look at SOA as a set of technologies that delivers three things:
  Virtualization: we want Beijing, Bangalore and Boston to communicate.
  Interoperability: we want our .Net stuff to talk to our java stuff.
  Reusability: how many order/claim/pricing/customer systems does one company need?
  To build out their SOA, developers separated the application interface from its implementation. So you can host the interface in a variety of locations, but its separate from the application logic and data.
  This is also a useful trick for putting services like SOAP through the firewall. SOAP was designed as a firewall friendly protocol. When SOAP first came out, Bruce Schneier said calling SOAP a firewall friendly protocol is like having a skull friendly bullet. Which is a great line and explains why his books fly off the shelves, it does not explain, why security people think an architecture designed in 1995 is the one we should be using today. Maybe the problem is not that the developers figured out how to go through the firewall to get the data their customers want, maybe the problem is that the firewall is the sum total of the security architecture, and it never adapted.
  A big part of this problem is that we have left Newton's world behind and entered Einstein's universe. Mainframes are Newton’s world, we have THE computer, THE price, THE record and so on.
  As Pat Helland explained [4,5], Mainframes are Newton's world, but Distributed computing is Einstein’s world. More specifically in the Einstein world of distributed computing - "Computers don’t make decisions, computers try  to make decisions." Our computers don't really make a decision, they say you can buy this book from Amazon at this price, we have it in stock and will deliver on such and such a date. But the warehouse runs out, the pallet gets dropped in the warehouse, your boo is crushed, and the package is stolen off your front step. The computer confirmed your transaction, but the real world intervened.
  So we don't have iron clad decisions, instead its all about Memories (last time I checked your book was in stock), Guesses (we should be able to ship on this date) and Apologies (sorry the forklift ran over your book)
  Translating this into security, security mechanisms don’t make policy-based decisions, security mechanisms try to make policy-based decisions
  Some examples of memories, guesses and apologies in security
  MemoriesSecurity Policies - for example Triple A policyTriple A policies can memorize a map of subjects, objects, and roles. They can even replicate these memories and play them back at runtime to try to make policy enforcement decisions.
  GuessesSecurity Policy Enforcement DecisionUnfortunately, while the policy enforcement decisions can be based on memorized logic, the decision itself is still a guess, even in the case of Triple A. Any guesses why? Because, the authentication process itself is a guess. It happens to be a guess that you then bind to a principal so it looks very official once you bind your guess to a Kerberos ticket or SAML assertion, but it still a guess.
  ApologiesGiant Global Bank is sorry your account was compromised!And this leads to lots and lots of apologies by companies with poor access control models.
  Some additional examples of information security memories, guesses and apologies.
  Example Memories - Triple A Security Policies, Audit logs, User account information , Authorization Logic - concrete mapping Subject, Resource, Condition, Action
  Example Guesses - Security Policy Enforcement Decision Points, Authentication Logic, Monitoring, detection, fraud response
  Example Apologies - Identity Management tools - provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction - Giant Global Bank is still sorry your account was compromised!
  The point of this is that security memories, guesses and apologies utilize different processes, different people, and different capabilities to be effective.
  What trends can we identify to lead us toward better qualitative analysis based on the best practices of virtualization, interoperability and reusability.
  VirtualizationFinding Vulnerabilities in a Virtualized World is a problem because applications are more configured than coded. Runtime behavior and structure not apparent due to weak typing and inversion of control.
  Result - finding bugs becomes harder. Action - use screens to target finding time and resources
  Fixing Vulnerabilities in a Virtualized World is a problem because how do I locate the controls when interfaces run in Beijing, Bangalore and Boston?
  Result - synchronization and/or replication of security policy is problematic. Action - decentralized policy enforcement points and policy decision points.  
  InteroperabilityFinding interoperable vulnerabilitiesXSS - Javascript is an equal opportunity offender - interoperability for developers and attackers alike.
  Fixing interoperable vulnerabilitiesApp servers, ESBs, and services are the attacker’s red carpet to your enterprise, right into your book of business. Interoperable access control can be leveraged across the enterprise.
  Use XML signature for authentication and integrity 
  <SOAP:Envelope> <SOAP:Header> <WSSE:Security> <ds:Signature> <ds:Reference URI=‘#body’> WSSE:Security> </SOAP:Header>

  wsu:Id=‘body’>

  … </SOAP:Body><SOAP:Envelope>
  Use XML encryption to protect sensitive data, don't pass sensitive data in the clear
  xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ns1:echo xmlns:ns1="http://sample01.samples.rampart.apache.org">
  <param0>My Credit Card Numberparam0>ns1:echo>soapenv:Body>soapenv:Envelope>
  Encrypt the data
   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">…            <xenc:EncryptedKey Id="EncKeyId-3020592">               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <xenc:CipherValue>XNQ0a4legiie5mWFxO6CQkk2hhldYNnKroObue/LXS/VYtvaTgMbCujhGExDi+vlkU//Qc2/T6mx0WVTmBMT3z8rogha8jD+nS9Zr2Bc3CwoTh2lh8wL3D0DEu91iwJT9JByLGXvt7v9lyuxK0ooDOYEClsH974CPmTs3tBC+GQ= xenc:CipherValue>               xenc:CipherData>
  To ensure that these controls are applied use automated tools like static analysis to scan for security mechanism use and coverage.
  In terms of reusability findings and fixes consider two bug findings
  Session management bug: session state is passed around to every component, service and user. Makes for many high priority findings in audit report, also the fix is required on virtually every program
  Data validation bug: Data access object (DAO) has a SQL injection hole. One major high priority finding in report. DAO used by many business logic classes, one fix location serves many classes 
  To bring these factors together, I generally use a scorecard index [6], so you can measure such things as transport security, message security, threat protection and so on. The hard work in developing the index is developing a useful scale. A scale for XML tokens could use the following
  0: no token1: hashed token2: hashed and signed token3: hashed and signed token from standard authoritative source
  An example scale for XML validation could use:
  0: no validation1: schema validation2: schema validation against hardened schema3: schema validation against standard, hardened schema
  These indexed scales are used to show maturity across the factors in the scorecard. The first part of the talk described value, the value assessment is used to focus time and effort on high value assets. The value assessment can be determined quantitatively. There is hard analytical work to qualitatively determine the scorecard, index, and scales, the quantitative value assessment is used to screen out high value targets for these endeavors. The scoring index is used to track progress and improve quality over time. In the best case scenario, automated tools are used to perform the checks described in the index, and once security is automated just like software developers we may see security innovation make progress in years not decades.
  Thank you for your time.
  1 "Risk Management is where the Money Is" by Dan Geer, [catless.ncl.ac.uk]
  2 Berkshire Hathaway 2007 Shareholder Letter by Warren Buffett, [www.berkshirehathaway.com]
  3 "Software [In]security: Software Security Demand Rising, by Gary McGraw[www.informit.com]
  4 "SOA and Newton's Universe" by Pat Helland, [blogs.msdn.com]
  5 "Memories, Guesses and Apologies" by Pat Helland, [blogs.msdn.com]
  6 "Web Services Security Checklist" by Gunnar Peterson, [arctecgroup.net]
• 

  America's CTO

  Posted: November 8th, 2008, 4:08pm CST by Gunnar Peterson

  Tags:    [edit]

  I hope this message gets through to the Obama people - Bill Joy would be an amazingly good pick for the newly created CTO cabinet post. A grand slam to the upper deck. You can count the people with as a good a track record in technology on one hand.

  
  Also, I could not agree more with John Doerr on these points:
  

  The next question from the president-elect was what single policy issue he could focus on that would most help entrepreneurs.

  
  “The most important thing he’s got to do is kick-start a huge amount of research and innovation in energy,” said Mr. Doerr, who backed Google and Amazon.com and has invested heavily in clean energy technology for the last few years.
  
  

  The nation now invests less than $1 billion a year in renewable energy versus $32 billion a year in health care, Mr. Doerr said. “I think we’ve just scratched the surface in terms of clean ways to use energy, to produce energy. It’s the challenge of our generation.”
  
  

  How to do that? Double the number of engineers who graduate from American universities each year to 60,000, Mr. Doerr said. Bring more women into the field, and encourage foreigners who study engineering here to stay here.
  
  

  “What we do is bring foreign nationals to the world’s greatest universities. We train them, invest in them and make them go home,” he said. “What kind of national strategy is that? So I would staple a green card to the diploma.”

  
  

  While it is amazing that it took until 2009 for the US to have a CTO as a cabinet level position, it is very cool to think about all the things that could happen going forward. As Neal Stephenson said the US is only world class at three things - 1. Movies, 2. High speed pizza delivery and 3. Software development.
  If you read your John Hagel and JSB, then you know that innovation is the only sustainable edge. Luckily its hard wired into our system, but it will be helpful to have a seat at the table for certain things.  
• 

  When Markets Collide

  Posted: November 8th, 2008, 11:29am CST by Gunnar Peterson

  Tags:    [edit]

  One of my favorite Motley Fool analysts is Bill Mann, yesterday he wrote an article on China that re-set a number of the investing thesis themes in the current global situation:

  
  

  Things are so bad in China that its gross domestic product growth rate may fall from double digits to the dowdy level of 8%. Eight percent, by the way, is a level at which the United States is unlikely to ever grow again. It can't. Our economy is simply fully developed. Thus the sobriquet "developed economy." I know, not exactly catchy.
  

  ..

  
  

  All of the headlines show China sitting at a crossroads. But the reason I have faith in China is that it has historical proxies. Since 1970, with the exception of a few OPEC members, only four economies have made the transition from emerging to developed markets (meaning their per-capita incomes exceed $15,000 per year): Taiwan, Singapore, Hong Kong, and South Korea.

  These four economies have two things in common. First, they have few natural resources; and second, they are dominated by Chinese values and the traditional Chinese work ethic. Mainland China is different only because it got a later start.

  
  

  Also, China reportedly has currency reserves $1.6 trillion. That means that China has a better balance sheet than the US, plus 1.6 trillion beats minus 12 trillion if you are scoring at home.
  Given that the Chinese stock market is down 70% in the last year, its an interesting time to look at Chinese stocks. A few weeks back Mohamed El-Erian made the bull case for buying the MCSI Emerging Markets index which gives you exposure to the BRICs plus a lot of other countries.
  Speaking of El-Erian, his book "When Markets Collide" was just voted Best Business Book of the Year. If we could have voted for a book that we wished everyone had read in 2007 he would have won that too, he said 
  

  “When I wrote the book, I thought I was writing about the future. When it was going to press, I thought it was about current affairs. Now I wish it was about history.”
  

  
  

  This part below reminds me a lot of 1995 security architectures used to defend 2008 integrated applications

  
  

  The present crisis had been triggered because the international financial system had undertaken activities that had “far outpaced the ability of the infrastructure to sustain them”, said El-Erian.

  
  And it was not just the markets that could not cope with their own changes, but governments as well. Significant weaknesses had been exposed “from the firms, to the regulatory agencies, to governments, to multilateral oversight”.
  
  

  “Turbocharge that with financial innovations, which history tells us we tend to overproduce and overconsume, and it’s inevitable that you will get a series of market accidents,” he said.
  

  
  

  In a Robert Garigue sense, in computer security our infostructure (users, apps and data)  are outpacing our infrastructure-centric security models
  
  
• 

  VC and IPO Outlook

  Posted: November 7th, 2008, 9:07am CST by Gunnar Peterson

  Tags:    [edit]

  Forbes interviews venture capitalist Charlie Harris. He is the Chairman of Harris and Harris (NASDAQ:TINY) a venture capital fund which is focused on funding nanotech companies. He is bullish looking forward from today for a couple of reasons

  
  1. We have an eight year back log of good companies and ideas due to a poor IPO environment, we have had an eight year drought in IPOs but still lots of good ideas out there.
  2. Clean tech theme has a lot of room left to grow
  3. The recent financial crisis has revealed and removed a lot of risks
  4. The best businesses are started in times of economic distress. Dislocation equals opportunity. Companies that start during financial distress have tremendous discipline to survive.
  Somewhat surprisingly for a person with 100% of his fund invested in nanotech, he does not see nanotech as the leader of a next IPO bookm. He seems to see nanotech as an enabling technology (my words not his) so you will see nanotech enabling clean fuel, cancer drugs and so on, and these individual spaces could boom, but not an "all things nanotech" type boom.
• 

  Stop Me if This Sounds Familiar

  Posted: November 2nd, 2008, 10:30pm CST by Gunnar Peterson

  Tags:    [edit]

  My favorite book from last year was Charlie Munger's "Poor Charlie's Almanack", there are so many fascinating parts in the book I can't go into them all here. Charlie Munger is Warren Buffett's partner at Berkshire Hathaway (BRK.A, BRK.B), the book is a collection of a number of his speeches, and serves as a great backdrop for today's events, an  investing education, and a way to think through complex problems ("invert! always invert!"). It goes without saying that I think you should buy this book. 

  
  Chapter Three is a collection of Munger's unscripted remarks at Berkshire Hathaway and Wesco annual meetings. The below sections were transcribed by Whitney Tilson,  from annual meetings around the 2003-4 time period, and are pretty interesting given our current financial predicament.
  

  Warnings About Financial Institutions and Derivatives

  Risks of Financial Institutions
  The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively---its not just derivatives [that can bring about your downfall].

  Maybe it's unique to us, but we're quite sensitive to financial risks. Financial institutions make us nervous when they're trying to do well.

  We're exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.

  We fret way earlier than other people. We've left a lot of money on the table through early fretting. It's the way we are -- you'll just have to live with it.

  Derivatives
  The system is almost insanely irresponsible. and what people think are fixes aren't realy fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.

  People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.

  Somebody has to step in and say, "We're not going to do it - it's just too hard."

  I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

  It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accountings hasn't changed so the denouement is ahead of us.

  Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system. 

  In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.

  Accounting for Derivatives
  I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it's a disgrace.

  It's bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.

  It [accounting for derivatives] is just disgusting. It is a sewer, and if I'm right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.

  Likelihood of a Derivatives Blowup
  We tried to sell Gen Re's derivatives operations and couldn't, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country's] major banks cannot be liquidated for anything like what they're carried on the books at. When the denouement will happen and how severe it will be, I don't know. But I fear the consequences could be fearsome. I think there are major problems, worse than in the energy field, and look at the destruction there.

  I'll be amazed if we don't have some kind of significant [derivatives-related] blowup in the next five to ten years.

  I think we're he only big corporation in America to be running off its derivative book.

  It's a crazy idea for people who are already rich -  like Berkshire - to be in this business. It's a crazy business for big banks to be in.

  You would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter's Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.

  
  These are very blunt warnings from a legendary investor over many years, yet no one listened. It does explain why it is so hard for Infosec to make its case for building margins of safety into the system.

  
  Speaking of Infosec, the biggest break through idea I have found in the second edition of Ross Anderson's Security Engineering is his focus on incentives. We have traditionally modeled Infosec as a set of policies, mechanisms, and assurance. Anderson introduces the concept of incentives which explains a lot of what we see in terms of Infosec decision making on a day to day basis. Echoing Mr. Munger

  
  

  You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear....This happens to vast, sophisticated corporations.

  
  
  
• 

  What's Happiness Got to Do With It?