Cassio Goldschmidt
On Information and Application Security

Blog


Black Hat Brazil - part II

Wow! The organizing committee highlighted my talk as one of the exciting conference briefings! The pressure is on! Better brush up my Portuguese for next week!


OWASP LA Rules!!!

I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!

Speaking of OWASP AppSec USA 2013, let me take a moment to plug this excellent conference and its impressive lineup of speakers. If you have never been to a Global AppSec (USA, Europe, Latin America or Asia) before, I highly recommend checking it out!

Black Hat Brazil

The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the most prestigious names from the full spectrum of security thinkers. The conference organization does a superb job of staying on the leading edge of new security trends as they emerge.

I was thrilled with the announcement of the first Black Hat briefing in Brazil and even more thrilled when I was selected as one of the speakers! Brazil has long had a reputation as the king of the banking Trojan. The few hackers who have been arrested are those who committed cybercrime on such a huge scale that it was possible to arrest them under existing laws such as larceny and conspiracy. The local information security industry needs events such as Black Hat to learn about and fight the ever-increasing number of new attack methods in cyberspace.


Hot Topics in Security


Wow! My roundtable session "Hot Topics in Security" at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.

Android Master Key Attack explained

The Bluebox research team recently pre-announced an Android vulnerability that allows an attacker to inject malicious code into an application. Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to the creation of a mobile botnet.

The Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; it is very similar to an MSI package on Windows or a Deb package on Debian-based operating systems like Ubuntu. Simply put, APK files are zip files, and a zip file can contain entries with duplicate filenames. Unfortunately, when duplicate names exist, the entry whose signature is verified is the second one inside the APK, while the entry that ends up being installed is the first one inside the APK: the injected one, which can contain the malicious payload and is not checked for a signature at all.

The solution to this issue requires the device manufacturer to provide an OS patch that checks APK files for duplicate file names. Reputable app stores are already doing the same to ensure no malicious code is available for download. End users should avoid downloading applications from questionable sites. Users who wonder whether their devices were compromised should download and run the Bluebox Security Scanner.
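The check the patch and the app stores perform comes down to one question: does any name occur more than once in the archive's central directory? The block below is an added example and is not code from this blog, from Bluebox or from the Android project. It constructs a tiny stored-only zip in memory (a manifest plus classes.dex, with an optional second classes.dex carrying a different payload, mirroring the duplicate-name layout described above) and then walks the central directory the way an installer-side check would, refusing to report "clean" when a name repeats. The builder, the entry contents and the function names are all constructed for this example; the header layouts are the standard ZIP ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_CAP      1024   /* capacity of the constructed sample archive */
#define MAX_ENTRIES  16     /* central-directory entries this scanner will track */

/* Little-endian field helpers (ZIP headers are little-endian). */
static void put16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xFFFF); put16(p + 2, v >> 16); }
static uint32_t get16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t get32(const uint8_t *p) { return get16(p) | (get16(p + 2) << 16); }

/* Append one stored (uncompressed) entry and queue its central-directory record in cdir.
   CRC fields stay zero because the scanner below does not need them. Returns the new length. */
static size_t add_entry(uint8_t *zip, size_t len, const char *name, const char *data,
                        uint8_t *cdir, size_t *cdlen) {
    size_t nlen = strlen(name), dlen = strlen(data);
    uint8_t *lh = zip + len;                 /* local file header: 30 bytes + name + data */
    memset(lh, 0, 30);
    put32(lh, 0x04034b50);                   /* local header signature */
    put32(lh + 18, (uint32_t)dlen);          /* compressed size (stored: same as raw) */
    put32(lh + 22, (uint32_t)dlen);          /* uncompressed size */
    put16(lh + 26, (uint32_t)nlen);
    memcpy(lh + 30, name, nlen);
    memcpy(lh + 30 + nlen, data, dlen);

    uint8_t *cd = cdir + *cdlen;             /* central directory record: 46 bytes + name */
    memset(cd, 0, 46);
    put32(cd, 0x02014b50);                   /* central directory signature */
    put32(cd + 20, (uint32_t)dlen);
    put32(cd + 24, (uint32_t)dlen);
    put16(cd + 28, (uint32_t)nlen);
    put32(cd + 42, (uint32_t)len);           /* offset of this entry's local header */
    memcpy(cd + 46, name, nlen);
    *cdlen += 46 + nlen;
    return len + 30 + nlen + dlen;
}

/* Constructed sample "APK". With inject_duplicate set, a second classes.dex with a different
   payload comes first in the archive, exactly the layout the text describes. */
size_t build_sample_apk(uint8_t *zip, int inject_duplicate) {
    uint8_t cdir[256];
    size_t len = 0, cdlen = 0;
    uint32_t n = inject_duplicate ? 3 : 2;
    len = add_entry(zip, len, "AndroidManifest.xml", "<manifest/>", cdir, &cdlen);
    if (inject_duplicate)
        len = add_entry(zip, len, "classes.dex", "INJECTED", cdir, &cdlen); /* installed copy */
    len = add_entry(zip, len, "classes.dex", "ORIGINAL", cdir, &cdlen);     /* verified copy */
    memcpy(zip + len, cdir, cdlen);
    uint8_t *eocd = zip + len + cdlen;       /* end-of-central-directory record: 22 bytes */
    memset(eocd, 0, 22);
    put32(eocd, 0x06054b50);
    put16(eocd + 8, n);                      /* entries on this disk */
    put16(eocd + 10, n);                     /* total entries */
    put32(eocd + 12, (uint32_t)cdlen);       /* central directory size */
    put32(eocd + 16, (uint32_t)len);         /* central directory offset */
    return len + cdlen + 22;
}

/* Walk the central directory and count names that appear more than once.
   Returns that count (0 = clean) or -1 if the archive is malformed or has too many entries. */
int count_duplicate_names(const uint8_t *zip, size_t len) {
    if (len < 22) return -1;
    size_t e = len - 22;
    while (get32(zip + e) != 0x06054b50) {   /* an archive comment may follow the EOCD: scan back */
        if (e == 0) return -1;
        e--;
    }
    uint32_t n = get16(zip + e + 10), cdoff = get32(zip + e + 16);
    if (n > MAX_ENTRIES || cdoff > len) return -1;
    const uint8_t *names[MAX_ENTRIES];
    size_t lens[MAX_ENTRIES], pos = cdoff;
    int dups = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (pos + 46 > len || get32(zip + pos) != 0x02014b50) return -1;
        size_t nlen = get16(zip + pos + 28), xlen = get16(zip + pos + 30), clen = get16(zip + pos + 32);
        if (pos + 46 + nlen > len) return -1;
        names[i] = zip + pos + 46;
        lens[i] = nlen;
        for (uint32_t j = 0; j < i; j++)
            if (lens[j] == nlen && memcmp(names[j], names[i], nlen) == 0) { dups++; break; }
        pos += 46 + nlen + xlen + clen;      /* skip name, extra field and comment */
    }
    return dups;
}

/* Convenience wrapper: build the constructed sample and scan it. */
int sample_apk_duplicates(int inject_duplicate) {
    uint8_t zip[ZIP_CAP];
    return count_duplicate_names(zip, build_sample_apk(zip, inject_duplicate));
}

int main(void) {
    printf("clean archive: %d duplicate name(s)\n", sample_apk_duplicates(0));
    printf("tampered archive: %d duplicate name(s)\n", sample_apk_duplicates(1));
    return 0;
}
```

The scanner deliberately reads only the central directory and never trusts a name to be unique: an installer that indexes entries by name (the last write wins in a hash map, the first match wins in a linear scan) is exactly how the verifier and the installer ended up looking at different bytes.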

Free online training

SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.

If you are looking for this type of material, also consider Jerry Hoff’s excellent OWASP AppSec Tutorial Series.

Lastly, my good friend Zully released a number of good videos about bitcoin security at Khan Academy.

Another Pleasant Surprise!

This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I'm truly honored to be among the finalists.

Kate Hartmann, one of the few OWASP full-time employees, once told me that babies are the number one project killer in the community, something I can now attest to... As sad as this statement may sound for a security practitioner, I believe it is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don't believe my words, listen to Ivan Ristic's interview in the OWASP podcast when he talks about OWASP!

I really cannot count how many individuals I have met, come to admire and built a friendship with. OWASP not only made me a better professional but also a better person.

I'm sincerely touched with this nomination. Thanks OWASP! See you in Austin!

Can you Spot the Flaw?

Here is a function with a single line of code:

char check_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2)
{
  return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

memcmp returns an int, which is implicitly converted to char on return. If memcmp happens to return a non-zero value whose low byte is zero, check_scramble returns 0 (password OK), even though the password was incorrect.

One line of incorrect code resulted in this: CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

This is extremely hard for someone doing coding reviews of 1,000s of lines of code to spot or to find during a pen test. On the other hand it’s trivial for a static source code analysis tool (or even a good compiler) to find.

Moral of the story:

  1. Check your compiler warnings. In Visual Studio, set the compiler warning level to 4.
  2. Use a static source code analysis tool. If you have Visual Studio Team Edition, enable the code analysis option.
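To make the narrowing concrete, here is an added example (my own code for this page, not MySQL's): the vulnerable shape of the return, the one-token fix that collapses memcmp's result to 0/1 before anything can truncate it, and a fixed-width, constant-time comparison of the two SHA1 digests. The sample hashes are constructed with a fill function; the SHA1 recomputation that produces hash_stage2_reassured is out of scope and simply assumed to have happened in the caller. Compiling with gcc or clang and -Wconversion reports the implicit int-to-char conversion in the first function, which is the "good compiler" point of the moral above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20
typedef uint8_t uint8;

/* Vulnerable pattern: memcmp's int verdict is narrowed to char on the way out.
   Any result whose low byte is zero (256, 512, -256, ...) becomes 0 == "match". */
char verdict_narrowed_to_char(int memcmp_rc) {
    char verdict = memcmp_rc;   /* implicit narrowing; gcc/clang -Wconversion warns here */
    return verdict;
}

/* Fixed pattern: reduce to 0/1 first, so no later narrowing can flip the verdict. */
int verdict_normalized(int memcmp_rc) {
    return memcmp_rc != 0;
}

/* Hardened digest comparison: returns 1 when equal, 0 otherwise. The result is a fixed
   width, and the loop has no early exit, so neither truncation nor timing leaks anything. */
int hash_equal_ct(const uint8 *a, const uint8 *b, size_t n) {
    uint8 diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8)(a[i] ^ b[i]);
    return diff == 0;
}

/* Shape of a corrected check_scramble: hash_stage2_reassured is the digest the caller
   recomputed from scramble/message (assumed here; the SHA1 step is not shown). */
int check_scramble_fixed(const uint8 *hash_stage2, const uint8 *hash_stage2_reassured) {
    return hash_equal_ct(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

/* Constructed sample digests: byte i is seed + i. */
static void fill_sample(uint8 *h, uint8 seed) {
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++) h[i] = (uint8)(seed + i);
}

/* 1 when a stored digest and a recomputed digest built from the same seed compare equal. */
int sample_correct_password(void) {
    uint8 stored[SHA1_HASH_SIZE], recomputed[SHA1_HASH_SIZE];
    fill_sample(stored, 0x10);
    fill_sample(recomputed, 0x10);
    return check_scramble_fixed(stored, recomputed);
}

/* 0 when the recomputed digest differs in a single byte. */
int sample_wrong_password(void) {
    uint8 stored[SHA1_HASH_SIZE], recomputed[SHA1_HASH_SIZE];
    fill_sample(stored, 0x10);
    fill_sample(recomputed, 0x10);
    recomputed[SHA1_HASH_SIZE - 1] ^= 0x01;
    return check_scramble_fixed(stored, recomputed);
}

int main(void) {
    printf("memcmp returned 256: narrowed verdict %d, normalized verdict %d\n",
           verdict_narrowed_to_char(256), verdict_normalized(256));
    printf("correct password: %d, wrong password: %d\n",
           sample_correct_password(), sample_wrong_password());
    return 0;
}
```

Whether memcmp can return a value like 256 at all depends on the C library's optimized implementation, which is why the bug showed up only on some builds; the fix does not depend on that, because it never lets an unbounded int reach a narrower return type.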

Global OWASP AppSec LatAm 2011 videos are out

Global OWASP AppSec LatAm 2011 videos are now available on YouTube! I had the pleasure of acting as the host from beginning to end. Here are some of my favorite presentations:

In English:

In Portuguese:

Into New Adventures

After almost 10 years at Symantec leading the company’s global application security initiative, I decided it was time for a change. Today I’m thrilled to announce that I joined Intuit’s Corporate Information Security Team as a security Business Partner working with Intuit Financial Services (IFS) and Intuit’s Payment Solutions Division (PSD).

Why Intuit? To answer this question, I'd like to steal the quote attributed to Willie Sutton, the prolific bank robber: “because that's where the money is”. Intuit owns 79% of the retail tax preparation software market. If all the customers that use Intuit Financial Services (IFS) solutions were added up, Intuit would be the 5th largest bank in the nation. Securing such solutions is fundamental to the company's success. Defending small businesses against targeted attacks is a task we don’t take lightly.

Speaking of company success, Forbes recently ranked Intuit as the most admired software company in the world, taking the top position in innovation, corporate responsibility and management, three areas I’m very passionate about. Also in 2012, Forbes ranked Intuit the 19th best company to work for and one of the 9 top tech companies with the best reputation.


The Great Cypher, Mightier than the Sword

Speaking at RSAC 2012

David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.), Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving on an RSA Conference panel titled "Making Sense of Software Security Advice: Best vs. Practiced Practices". Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.

Join me from February 27 to March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:

My personal discount registration code: ZSPDdJaIoqK

This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: http://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.

Secure Software Programming: One of the Three Best Security Career Bets


SC Magazine published a really nice article about the need for security last month. According to the latest edition of Foote Partners, developers who possess security certifications can earn pay premiums averaging eight to 12 percent of base pay, and even more with additional experience.

Secure coding (and security testing) are hard to do, and market demand far exceeds the available talent supply. It takes years of hands-on practice, as well as training, to develop the skills.

The right tool for the right job (SAFECode and BSIMM)

After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.

This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.

The Gold Standard

Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.

Despite their known flaws, certifications are a great way to attest that outsourced development can build solutions with the same level of quality practiced in large and well-established enterprises. Certifications are a good way to verify that a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.

Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one day event.

OWASP AppSec LatAm 2011

It took more than a year to organize OWASP AppSec LatAm 2011, but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides world-class infrastructure. The variety and quality of PUC-RS’s main restaurant is comparable to some buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.

Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations: they delivered wisdom. Bryan delivered a polished presentation that mixed big-picture concepts with hard-core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue's conversational style and candidness made his presentation a must-see for everyone who wants to jump-start a security initiative at an enterprise. I highly recommend both.

The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a job well done! Argentina now has big shoes to fill for OWASP AppSec LatAm 2012!

OWASP AppSec LatAm 2011

BSIMM 3 is out

Every craftsman needs a set of tools to perform their duties, and security practitioners are no different. Released this past Tuesday, the Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is one of the essential tools security professionals need to know about. BSIMM is an inventory of existing security practices from over forty large-scale, IT-dependent organizations across seven business verticals.

Reviewing BSIMM data over the years is a great way to compare and contrast how the industry is evolving. In addition, BSIMM provides a considerable list of activities that organizations with an established security initiative should consider adopting next.

A Pleasant Surprise!

(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?

There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.

Unfortunately, sometimes I see people leaving not-for-profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that community service and work for an enterprise are symbiotic. In fact, all my staff at Symantec are encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business and the community. I hope other companies start to see things this way.

Protect The Stuff That Matters

Symantec released Norton Internet Security 2012 (NIS 2012) this week. According to independent research, the product is both the fastest antivirus solution and the product with the highest detection rate on the market.

Be sure to check the new product advertisement campaign titled "Protect The Stuff That Matters". In my opinion this is hands down the best marketing campaign the company ever did.

An Interview with Cassio Goldschmidt


The Pontifícia Universidade Católica do Rio Grande do Sul's (Pontifical Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I'm an alumnus of the school of Informatica and a big fan of the university.

As of 2009 the university had 10 courses with 5 stars, computer science being one of them. There are also 21 courses with 4 stars according to the Guia do Estudante: Computing and Mathematical Sciences, and Engineering and Production.

The magazine is in Portuguese. Click on the picture to download and read the article on page 40.

Registrations for OWASP Global AppSec Latin America are now open!

The organizing committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving away is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in the conference visitor's guide.

(ISC)2 Americas Information Security Leadership Award 2011

I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLA program is held annually by the International Information Systems Security Certification Consortium ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement by information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS International 2011 conference/(ISC)² Security Congress.

If you attend the conference, don't miss Richard Tychansky, Hart Rossman and Symantec's Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.


OWASP Global AppSec Asia 2011

Sebastien Deleersnyder, Mano Paul and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendees, and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. Major news media will be covering the event.

There is very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People’s Republic of China, and I respect their technical knowledge, work ethic and humility so much that I can only wish we were fewer time zones apart! I hope to meet many more people like them in November. Please don’t be shy about coming over to chat if you see me around the conference floor.

Beijing International Conference Center

2011 CWE/SANS Top 25 Most Dangerous Software Errors

SANS and MITRE released today the "Top 25 Most Dangerous Software Errors". This list ranks the most widespread and critical errors that can lead to serious vulnerabilities in software and is a great educational tool to help programmers to prevent the kinds of vulnerabilities that plague the software industry.

I've been a contributor to this list since the first release in 2009. It amazes me to see vulnerabilities such as CWE-120 ('Classic Buffer Overflow') still at the top of the list, for the following reasons:

  1. Programmers really have to go out of their way to create classic buffer overflows in modern languages such as C# and Java. These languages, not C/C++, are the language of choice for many developers nowadays creating new systems.
  2. Static code analysis tools do an excellent job finding instances of buffer overflows.
  3. Modern compilers offer several ways to prevent exploitation of this type of flaw without changing a single line of code.
  4. Some companies did an outstanding job bringing awareness to this issue and providing great security training to their development teams, including QA.

Without necessarily producing better software, the industry in general found a way to innovate itself out of a widespread problem. Buffer overflow flaws are still prevalent out there because we use a lot of legacy systems. I just don't find a lot of new instances being discovered, at least in our tests. If anything, this type of flaw is identified and fixed during the development phase using static source code analysis tools that are integrated into build systems.
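As an added illustration of points 2 and 3 above (my own example, not code from the CWE/SANS list or from any product mentioned on this page): the classic CWE-120 shape is an unbounded strcpy into a fixed-size field, here placed directly before a privileges word so the damage is obvious. A static analyzer flags the strcpy line on its own; gcc and clang with -fstack-protector-strong and -D_FORTIFY_SOURCE=2 (the latter needs optimization enabled) turn a runtime overrun into an abort without any source change, which is what "without changing a single line of code" means in practice. The struct, names and limits are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16

struct session {
    char user[NAME_MAX_LEN];   /* fixed-size field: the classic overflow target */
    uint32_t privileges;       /* the neighbour an overrun would overwrite */
};

/* CWE-120 pattern, kept only for contrast and never called on untrusted input:
   strcpy copies until it sees a NUL, regardless of sizeof(s->user). Static analyzers
   flag this line; with -D_FORTIFY_SOURCE=2 -O2 the compiler substitutes a length-checked
   variant that aborts instead of running into `privileges`. */
void set_user_unchecked(struct session *s, const char *name) {
    strcpy(s->user, name);
}

/* Hardened form: measure against the field size, refuse over-long input explicitly,
   and always leave the field NUL-terminated. Returns 0 on success, -1 when rejected. */
int set_user_checked(struct session *s, const char *name) {
    size_t n = 0;
    while (n < NAME_MAX_LEN && name[n] != '\0') n++;   /* bounded length scan */
    if (n >= NAME_MAX_LEN) return -1;                    /* no room for the terminator */
    memcpy(s->user, name, n);
    s->user[n] = '\0';
    return 0;
}

/* 1 if `name` was accepted and the adjacent privileges word is untouched, else 0. */
int accepts_name(const char *name) {
    struct session s = { "", 1 };
    if (set_user_checked(&s, name) != 0) return 0;
    return s.privileges == 1 && s.user[NAME_MAX_LEN - 1] == '\0';
}

int main(void) {
    printf("short name accepted: %d\n", accepts_name("alice"));
    printf("over-long name accepted: %d\n", accepts_name("this-name-is-way-too-long"));
    return 0;
}
```

The point of the length check living in the function, rather than relying on the compiler mitigations alone, is that the mitigations only convert an exploitable overwrite into a crash; the explicit bound is what turns it into a handled error.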

ISSA Los Angeles 2011 Security Summit

I just came back from the ISSA speaker dinner and I'm really excited about tomorrow's event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving on a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital) and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.

Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).

Better Software 2011

As much as I love to manage a global team that is as passionate about Software Security as Symantec's Product Security, I'm still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. "Cosmic Truths about Software Quality" by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.

According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don't care about security?

Better Software Conference 2009

Valentine's day

Valentine's this year will be a bit different... I'm returning to Berkeley to present a talk about my book, this time to the NetEcon group. Next, I'll head to RSA Conference and finally end the day at a business dinner with my boss and a Symantec business partner.

Black Hat

One of the best things about being one of the first speakers to present at a conference is that it's possible to actually pay attention to the other talks. ;-)

While there were several good talks, I highly recommend watching two: Bryan Sullivan's "Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era" and Tom Brennan and Ryan Barnett's "Checkmate with Denial of Service".