So the Security Summit 2010 has come to an end. Featuring speakers such as Moxie Marlinspike, Joe Grand and Jeremiah Grossman (again), it’s a pity to say that there wasn’t much new that was presented. With repeated concerns about input- and output-validation, as the OWASP Top 10 for 2010 highlight and were used as a repeated example, and a call for a holistic approach to a company’s security posture, the idea of making the thought (and practice) of security part of the organisation’s culture came through over and over again.If you don’t have the OWASP Top 10 for 2010 to hand:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
Implementation of consistent security approach and framework (like ESAPI) for input and output checking and validation covers 8 of the 10 issues identified above; the rest are typically configuration issues… You can also use a programing framework basis (like a Zend Framework implementation). So that’s the code side of things…
From a business perspective, basic compliance with King III, the Privacy ofPersonal Information Bill (PPI), the National Consumer Act, the PCI DSS and others were re-iterated, with a solid view and understanding of the organisational risk and threat profile of the business in question being paramount in complying both on system and business level.
The scary thing in the conference was two-fold:
- For one, the issue of simple code injection from passed GET variable directly into SQL string should long be a thing of the past, SQL-injection having been raised years ago (about 10 years, to be specific), and lack of input variable checking which SensePost did a full (good but basic) presentation on and gave as repeated real-world current examples was surprising. Surprising, as you’d think common sense would have been employed by now, and this wouldn’t really be done anymore!? Really!? Am I just being naïve? I guess this comes back to the threat posture and security-based thinking of the programmer, and the basic training in place. Oh yes, as an aside, the focus generally was on application and software security as so many examples proved that the bypass of hardware security via the ports that are allowed through the firewalls etc is trivial in most cases. By the exploit of software.
- The second (worrying) point was the surprise visible and audible in the auditorium while Moxie showed his SSL bypass (as presented at BlackHat DC), or by Joe Grand when he gave his San Fransisco Parking Meter example. Or the iPhone p0wning. Really? Why was this surprising to the audience which was — as the demographic suggests — made up mainly of security professionals? Why was this new or surprising?Moxie presented his SSL bypass using
sslsniffin February 2009. August 2009 saw the presentation of the C-String NULL-character SSL security bypass that resulted in the multiple browser-updates in September 2009… Kingpin’s presentation on the decompile and exploit of San Fransisco parking meters was in July 2009. Surely, this is common knowledge by now already, by anyone in the industry? Surely, the fact that jailbreaking your phone breaks open the security of the iPhone means that the jailbroken phone is a sitting duck was already known, as Charlie Miller (“the former NSA guy who one p0wn2own”) presented this early November 2009?
Shouldn’t industry specialists know this already?
So overall, while it was good to see the overseas speakers in person, and while the Sensepost presentation by Nick and Ian was a good quick summary (though some of the demos didn’t not quite want to co-operate — as presentation demos tend to do), some presentations left a lot to be desired. Once all presentations are made available, I hope that the balnce of the presentations make up for the overall quality of the conference. Sigh…
I give it 68% – I think that’s a C 🙂