“It’s okay everyone sucks at security”

At the same time I am most willing to learn more about security in order to become a better developer. For the first time I am attending a security conference, the AppSecEU 2011 in Dublin, Ireland.

The day started out with double breakfast, first at the hotel, second at the venue. The conference is really nice and reminds me alot of the many YACP’s I have attended over the years. The attendees seem very much to be practitioners and people involved with all aspects of security in their day jobs.

These were the talks I had set out to attend:

- Keynote: Brad Arkin (@bradarkin), Adobe
- Building a robust security plan by Narainder Chandwani, Foundstone
- The Buzz about Fuzz by Joe Basirico, Security Innovation
- Keynote: Smart phones, app-stores and HTML5 (ENISA) by Dr. Giles Hogben
- Python Basics for Web App Pentesters by Justin Searle
- Secure Coding Practices Quick Reference Guide by Keith Turpin, project leader. OWASP/Boeing
- OWASP AppSensor Project by Colin Watson

Here follows selections of my notes and some reflections on the different presentations.

Keynote: Brad Arkin, Adobe

Brad presented the Adobe Secure Product Lifecycle (SPLC). He started out by talking a bit about attackers and motivations and categorizing these and comparing these to criminals. This was a bit fuzzy to me, but I think I got the picture, his conclusion was anyway that we need super heroes with green lasers – not really.

Instead we should focus on:
- Hard work
- Repeatable and verifiable processes
- Security must be a priority in all stages of development

He mentioned that Adobe produced popular products and therefor could popularity be of interest to exploring attack vectors and exploits in Adobe products. This is a pattern we have observed before in the industry and therefor is makes sense.

He then went on a described Adobe’s Security Strategy. Which consists of a lot of different practices, I am not going to go over all of them, but here is a basic and non-exhaustive listing:

- Keep customers up to date, by simplifying updating and installation of Adobe software
- Safe and secure code (Adobe SPLC)
- External engagement, industry, partnerships, threat landscape modeling etc.
- Swift and decisive responses to security incidents are important
- Defensive coding and security testing and should be a part of general processes
- Features should be scrutinized using thread modeling
- Use the tools like compiler flags
- Static and dynamic analysis

Brad talked a lot about training and Adobes approach to training and certification was quite interesting, in general however it seemed that security awareness throughout Adobe was the main thing.

In addition he provided these resources:

- Security: http://adobe.com/security
- ASSET: http://blogs.adobe.com/asset
- PSIRT: http://blogs.adobe.com/psirt
- Adobe security on twitter @adobesecurity

Next I move on to ‘Building a Robust Security Plan’ by Narainder Chandwani, Foundstone

He talked about outlining a security plan and a several other resources like:

- knowledge repository
- a security impact profile

He had an elaborate point system he referred to, but did not present directly. It should be represented in his paper. In general the idea was to create a database of all your applications and classify them together with a security impact profile based on some of the following metrics:

- classification of data
- possible compliance issues
- exposure

Again knowledge and information was key factors and in general I could agree with Narainder Chandwani’s idea, but his generalized approach to security impact profiling should preferably be something more along the lines of either OWASP top-10 or similar work from ENISA.

I missed out on the fuzzing presentation at my local OWASP chapter in Copenhagen, so I thought this was a good chance to get some education in fuzz, so I went to see: The Buzz about Fuzz by Joe Basirico from Security Innovation.

There is not much too fuzzing as such. Fuzzing is all about attempting to break or misuse applications using generated malformed values. You can divide fuzzing into three categories:

- random fuzzing
- seeded fuzzing
- format aware fuzzing (a variation of seeded fuzzing)

You send a request, process the response, fuzz and then repeat.

Joe Basirico emphasized that input validation is first line of defense and mentioned that input comes from everywhere, like filesystems, database. So the classical user facing input validation might not suffice – a very interesting and thought provoking idea, which got me thinking.

Things to be aware of when doing fuzzing are:

- Control characters
- Encoding
- Checksums and verification blocks
- Compression
- Order and required sections

One should consider blacklisting vs. whitelisting input data to tighten the security on the first line of defense. I might get back to this topic later since I am trying to collect all my notes on defensive programming in an article.

He mentioned the following tools and resources:

- peach (search for peach fuzz)
- SPIKE
- www.fuzzing.org
- fuzzdb
- Github: WebFuzzer by Joe Basirico (Security Innovation)

A lot of good and practical information, which could result on more work on my side, since there are a lof of aspects from Joe’s presentation I would like to dive into.

After a lunch break, where I walked into town to find the local Mac store another keynote was scheduled.

Smart phones, app-stores and HTML5 (ENISA) by Dr. Giles Hogben

Dr. Hogben presented some work being done by ENISA in the smartphone area. Smartphones are very interesting from a security perspective, since they have all sort of sensors, IP and a lot of CPU power. Issues in regard to smartphones are both related to security and to privacy and a lot of aspects of these new technologies are using best practices from other technologies, but at the same time the many features and opportunities open up for new potential threats.

ENISA has produced a smartphone report together with OWASP. It lists:
- top 10 risks
- opportunities
- recommendations

Of all the smartphone developing companies in the world only one had not participated – Apple, not surprisingly, but a bit disappointing. Because iOS devices are by no means securer than other smartphones and considering the point from Brads keynote on Adobe’s popularity being a challenge for Adobe, Apple should consider participating in projects like the one done by ENISA.

In addition ENISA is working on a report and several other deliverables on HTML5.

In addition to analyzing the HTML5 specifications, the specifications had also been compared against one another and they suffered severely from underspecification. A point, which seem very much to be in line with the presentation by Bruce Lawson from Opera I saw at GOTO Copenhagen.

The HTML5 work is very much in progress, but it is still possible to chip in, see also: http://www.enisa.europa.eu/act/application-security

I then went to see: Secure Coding Practices Quick Reference Guide by Keith Turpin, project leader, OWASP/Boeing.

The Quick reference guide is a 17 page document developed by OWASP, it originates from Boing who turned over the ownership and copyright to OWASP. It aims to be technology agnostic and focusses on what to do, not how to do it.

Some of the aspects Keith Turpin highlighted was intended (requirements) vs. unintended (what the application actually can accomplish) functionality. The concept of restraining the allowed unintended functionality, was similar to the problem described by Joe Basirico (see the earlier section) and again this is something I am going to revisit in my write-up on defensive programming.

Keith Turpin made a point that we have to evaluate the whole stack and the environment of the application and applications, since operations and application management might, change the context in which our application operates and therefor the security aspect and thread modeling might have to consider different factors.

The Quick reference guide is in checklist format and is currently being revised to be come even more technology agnostic and hopefully the points will be enumerated using and overall enumeration guideline from OWASP so it will be easier to cross-reference between OWASP documents and external resources.

As a developer I found this talk very interesting and I am looking forward to examining the Secure Coding Practices Quick Reference Guide. I moved on in development mode and went to see: Python Basics for Web App Pentesters by Justin Searle

I do not have many notes from this talk, the presenter Justin Searle dissed Perl for no apparent reason, something I thought we were over years ago. He described how he did pentesting using Python and then referenced to a Google code project with all his templates. The only thing that bothered me about apart from the Perl thing was that he kept saying templates when he meant boilerplates.

The last talk of the day was: OWASP AppSensor Project by Colin Watson. This talk was off to a bumpy start. First the Apple computer Colin was using had issues getting the right resolution needed for the presentation, then Colin stated the following:

“If we do not know if we are under attack or whether we are being exploited we are doing security wrong”

It took me some time to understand what he actually meant and as he went through the presentation it all of a sudden made a lot of sense. The idea behind the AppSensor project is to do more application aware monitoring of in our applications so we can take countermeasures when something unexpected happens. The idea is to put detection point in key points in our application and then monitor these and take action when something unexpected occurs.

The counter measures and actions can be anything based on our application, context and circumstances.

- locking down user, functionality or application
- limiting access
- blocking IP
- alerting user / admin

I did not get all of the points listed by Colin noted down, but you get the picture. Colin mentioned something that was in line with Joe Basirico’s presentation about input. So if we put a detection point in the between our database and the application we can also measure when a user is retrieving an unexpected high number of records from the database. Joe Basirico emphasized that data from a database is also just input and it should not necessarily be trusted as is.

All in all a very educational day and I am looking very much forward to day 2 of the AppSecEU 2011 conference.

Due to an engagement at work I now I had to leave before the conference would officially close, but I got a pretty wide ranging schedule laid out for myself, so I would get the most possible bang for the buck on this last day of an awesome conference.

- Keynote: Erlang the road movie by Kresten Krab Thorup
- Kanban Primer – a play
- Getting Things Done with REST by Ian Robinson
- The Zen of HTML 5 by Bruce Lawson

The Keynote was on Erlang and it’s merits, it’s place in history and the future.

Kresten described the history of Erlang from the perspective of the inventors doing Domain Driven Design, since Erlang was originally developed for developing phone switch software, wherekey requirements such as fault tolerance, quality of service and availability. He then went back to see why Erlang all of a sudden seemed to become such an important key player in modern computing. Erlang simply seems to be the perfect fit between the modern Internet, cloud computing and a programming language.

Kresten discussed the idea of scientific revolution, mentioning ‘The Structure of Scientific Revolution’ by Thomas Kuhn. First he
described the concept of paradigm shift and revolution, where we would be observing anomalies and the new paradigm would be able to explain these properly where the old paradigm would not suffice.

The keynote, even though on another topic, very much seemed to described the essence in many of the talks at the conference. We are currently observing anomalies in many places, especially in the field of agile methodology, not because there is something wrong with the concept of agility, but simply because the implementations are displaying the anomalies.

I do not know if Kresten’s definition of revolution was based on Kuhn’s book or whether it was his own definition, but I more regard revolution as a process or transition not a state in itself. This would mean that the shift of a paradigm is a product of a revolution. I would love to have this discussion with Kresten at some point, but perhaps I should just start by reading Kuhn’s book and do some investigation into this new and upcoming paradigm. Kresten’s talk really laid out the perspective and I got some pointers to things I would like to try out in Node.js, which I am using for a project currently.

Over the course of the conference OOP has most certainly got a beating, perhaps it is time we do something different or at least differently, since it might as for the Agile methodology discussion be a matter of implementation. I think OOP still has a place in your tool box, but often you see OOP used in the sense of a golden hammer.

After the keynote I moved close to the stage to see a play.

I really like the idea of alternative presentation methods and a play would really be something new and a play on Kanban really triggered my curiosity even though I was a tad sceptic.

This turned out to be most educational and a lot of fun. The presentation method was alternative, but for me it worked really well and I think I got the basics of Kanban, so here is my notes:

- the board reflects actual states (columns)
- the board changes to reflect the real world
- lanes can be used to isolate tickets, for example for quicker expedition (for example for hot fixes or other things of higher priority)
- cards are tickets, tickets are stories/issues they can be sub divided using other physical cards (use colors)
- you can have macro and micro presentation boards
- you can implement policies like, how many cards a given responsible can work on at a certain time
- pull (principle) depends on trust
- pull (volunteer taking of assignments) is the opposite of push (delegation)

In general Kanban is really interesting and I am seriously thinking about using Kanban in our development process. I am a very visual person and Kanban would really fit me well in getting an overview of what we are doing when or why not.

Some questions have however come up since I watched the play I am thinking about addressing these with some Kanban fora or similar.

- How do you do dependency handling?
- How do you visualize dependencies?

Recommendations on further reading in the field of Kanban is most welcome.

I then turned my attention to the REST track a track where I could have spent all day I guess, but I had decided to attend at least one talk, the one that seemed like it would give me the most basic information on REST and at the same time focus on pragmatism. My experience with REST is purely theoretical and not particularly well founded. I went to see the ‘Getting Things Done with REST’ by Ian Robinson. Ian is the author of REST In Practice, published by O’Reilly. A title I have promised myself to acquire after hearing his talk.

REST is pretty basic as is, but it really seems to fit in with my take on software service and software architecture and I most certainly going to apply some of the REST practices and philosophies in our system.

- REST encapsulates and hereby gives low coupling
- resources look after themselves (state)
- resources might be aware of other resources, but that is the only coupling
- resources != domain
- REST adapts the domain
- client applies resources to achieve goal
- mediatype specification is a contract
- clients are buckets of rules, used to define how to interact with resources

I have for long wanted to do a RESTful interface to a system I work with and this most certainly gave me the tools on how to approach this task.

The last talk I went to was: ‘The Zen of HTML 5’ with Bruce Lawson a very entertaining talk on HTML 5 and related. I did not take many notes, I guess I was sorted of filled up from the previous 3 sessions, but did pick up there is no reason in delaying adoption of HTML 5.

I would really like to thanks the organizers, speakers and sponsors of Goto Copenhagen 2011, I am most certainly coming back if given the opportunity. Now it is time to process, evaluate, investigate, read, write, think, hack. code and implement based all of that marvelous information, education and advice offered at GOTO Copenhagen 2011…

Also this post is a mix of impressions, notes and links from the GOTO Copenhagen conference.

I did not pay much attention to the introduction or the keynote – I was hacking. I had not brought a laptop on day 1. I had just brought an iPad and I think this was a really good thing. Anyway I had a bug I really needed to squash.

After the bug fix, I could direct all my attention to the conference and here is the list of talks I attended.

- Intro to iOS development by Patrick Linskey
- What Happened to People over Process? by Sarah Taraporewalla (@sarahtarap)
- Where is the Quality in Agikity? by Dan North (@tastapod)
- Programming Ruby Kata
- Lessons for Lean and Agile Software Management by Dave Thomas

I started out in the Mobile track. I am pretty familiar with iOS development, but there was no other talks, which really caught my attention at this time and I thought, it is one of my primary interests and perhaps I could learn something, this proved to be quite right. Patrick gave a nice overview of iOS development focussing a lot on Objective-C and he even dug into memory management instead of just doing all fancy stuff. A very insightful presentation with lot of good pointers to key parts in the iOS tool chain. Among other things he mentioned that garbage collection might be coming to iOS soon, based on a blog post describing some interesting discoveries. He also mentioned TestFlight, which looks like an interesting alternative way to do beta evaluation of iOS applications.

After this I moved down to the ‘Agile from the outside’ track where Sarah Taraporewalla (@sarahtarap) was going to give a talk on the ‘People over Process’ practice from the agile manifesto. This showed to be quite a journey and trying to recap the talk here would probably not do Sarah’s presentation justice, so instead I will try to pinpoint some of the aspects that I got me thinking in relation to the contents of GOTO Copenhagen 2011 and my job in general.

- Communication over observation
- Respect is of outmost importance, respect colleagues, opinions and beliefs
- Openness is important, provide your peers with data and information so they can form own opinion
- Equality is important
- Generalization can be dangerous
- Personality over skills in team environment, when assembling a team
- Trust is important
- Selfishness can be dangerous

Sarah mentioned the psychology model transactional analysis, I am by no means an expert or even a novice in this field, but it triggered one thought. In transactional analysis there are 3 different states your personality switches between depending on a lot of factors:

- Parent, the educating and often condescending
- Adult, the voice of reason
- Child, the defensive, overeager or feelings based response

The adult state is the preferred state in a workplace where decisions have to be made and interaction and communication with peers is commonplace.

I often here the term: “we are all adults here” or “we are all professionals”. This got me thinking that sometimes we mistake the Adult state for Parent state. So all of a sudden we ignore equality and respect goes down the drain and we might force our peer into a Child state. Communication is hard and working with people is hard, especially in stressful situations. So Sarah’s advice on spending time and effort into getting to now yourself is not bad advice.

Following Sarah was Dan North, with a presentation entitled “Where is the Quality in Agility?”. This talk was on quality and Dan started by tearing apart the concept of quality, concluding that we cannot say anything about quality in the general sense we use it in software development. Dan then provided an alternative way to regard quality, which was quite compelling, but not necessarily easy to handle, but what we already have and the metrics we use say nothing qualitative about quality and is therefor somewhat useless. Again I do not do this talk justice. Dan ended his talk by concluding that the way we do agile to day is not agility as described in the original manifesto and we therefor should strife to get back to get back on track with agile development and it’s core values.

After these very abstract presentations I went to see the Programming Ruby Kata in the ‘Programming with the Stars’. Here two people paired and implemented a tennis game in Ruby. It was fun and I enjoyed it very much. I have just discovered that the TextMate editor for OSX can be extended using Ruby, so I might have to get into some Ruby coding for some minor things.

The last but not least presentation for the day was Dave Thomas with a presentation on Lessons for Lean and Agile Software Management.

Dave talked a lot about metrics and measuring what you do so you can improve. He emphasized practices such as:

- portfolio management
- continuous integration
- automated tests
- automated measurement

We are well underway with some of these practices, but there room for improvement and I think I need to read up on portfolio management in order to address whether is is something we can use or learn from.

Dave also mentioned some mantras, which can be important. His examples and general approach was taken from large organizations changing paradigm towards agility, but they are most certainly applicable in other situations also.

- work with vs. work for
- nothing interesting happens without leadership
- pick the best of the wrong answers since there is no right answer

Dave mentioned code review as a good practice, I do not understand has not been emphasized more on the conference in general, but perhaps next year.

I have attended many Perl conferences over the years, primarily YAPCs. I have not attended a professional conference since I attended OSCON back in 2001. To begin with it was a somewhat surreal experience, I saw absolutely no familiar faces. After a cup of coffee the conference kicked off.

Through out the day I attended the following talks:

- Innovation at Google by Patrick Copeland
- Remediation Patterns by Jez Humble
- When the fur flies, Michael T. Nygaard
- Why Modern Application Development Sucks by Dave Thomas
- Frameworks? The Devil’s Works! by John Nolan
- a rant by James Coplien, I cannot remember the title

Patrick Copeland from Google was talking about innovation and ideas. He mentioned pretotyping and Androgen a preto/prototype building framework for Android. He also mentioned an article by the magnificent Paul Graham about time management, which I will have to dig into later. In general the whole pretotype concept is great fun and probably incredibly useful, but I am not sure it as easy to implement as a technique as it sounds. The presentation gave a lot of food for thought and I am doing a lot of thinking about how to go about preto/prototyping our potential work packages before actual implementation. Boiled down what Google does is being able to separate potentially good projects from bad projects very early, so least time is wasted, time is essential, hence the reference to the Paul Graham piece.

After the keynote I started out in the Dev/Ops track. This was quite interesting and very educational. I took immense amount of notes on my iPad. I then moved on to the Iconoclasts track were a bunch of rants where going on. All of the talks are by incredibly skillful and clever people and it had been hard laying out a personal schedule without missing out on too much good stuff, but first things first, two talks from the Dev/Ops tracks.

Jez Humble is the author of the book Continuous Delivery. His presentation gave a lot of interesting insides and put words and terms on some of the aspects of testing I have been meaning to get into, without really knowing there was a term for. This talk gave a lot of practical advice, which I cannot wait to implement and evaluate when the conference is over. I am seriously considering buying the previously mentioned book. We might not agree on the use of branches under the strategy of continuously delivering, but in general an incredibly educational presentation giving a lot of good information and not to forget new acronyms like: TTD, TTR and TBF. I might get back to the issue of branches and continuous delivery in a post later, when it has had time time to sink in.

Michael T. Nygaard, the author of ‘Release it!’, a book I have been meaning to read for a long time. Michael gave a war-story presentation. We can learn a lot from war stories and they are entertaining. Michael mentioned the book: The 5th. Discipline, which sounds really interesting. Again an educational presentation with a high level of entertainment.

This brings me to the other track I hereafter moved into, the Iconoclasts track. Dave Thomas gave a talk on why modern application development sucks. I took no notes during his talk, but I was most certainly entertained and many of the reflections by Dave Thomas were quite interesting.

Following Dave Thomas was John Nolan with a talk entitled ‘Frameworks? The Devil’s Works!’ John Nolan made a great analogy between programming and cooking, which ended up with a hypothesis describing frameworks as fast food franchises. Very beautiful and entertaining presentation.

The last presentation was by James Coplien, this was indeed a rant. Coplien simply stated that unit-tests and in particular TDD was bad for your code base. The problem raised by Coplien is quite interesting, but I am not sure the message got totally through, at times the presentation seemed more like a praise of SCRUM. Coplien was scrutinizing the data and statements behind the agile movement and at the same time he mentioned IEEE papers being critical of unit-tests and TDD, without applying the same critical view. Coplien had a strong case, but did not really back it up. I agree with Coplien that we should be critical towards the tools we use, same point stated by John Nolan about Frameworks, but SCRUM and other agile methods have serious issues I learned on day 2, but more on that in a upcoming post.

The GOTO Copenhagen conference is absolutely super and I am sure I will attend again if I get the chance again, it felt good to be educated, entertained and provoked.

See: http://yapceurope2009.org/ye2009/

The conference it the annual european Perl grass-roots conference and we are happy to be able to support this event. The next thing to find out is whether we will be to attend.