AppSec USA 2017

AppSec USA 2017 lineup is looking promissing. I look forward to some of the keynotes too.

This year I'll be discussing bug bounty with a great team of panelists from companies such as GDS, PayPal, ITSP Magazine, and Baker McKenzie. Will I see you there?

Innovate Pasadena CyberSecurity

According to ITSP TV, the panel at ADP was extremely informative. Check out the video: Passwords, Password Management, and Two-Factor / Multi-Factor Authentication

Stroz Friedberg Blog

A short and yet informative blog post on Bug Bounty: Bug Bounty Programs: Good Preparation is Key to Success

ITSP Magazine

Honored to be listed as an Expert on ITSPmagazine.

My first blog contribution is the article: Dodging SHA-1’s Collision Course

AppSec Cali 2017

4th Annual AppSec California to Open the Year With a Must-Attend Powerhouse Application and Web Security Conference Full Agenda and Expert Speaking Panel Announced Full article

How to protect yourself online

With so many breaches out there, computer users often ask me how to protect their passwords. Here is a short blog article I wrote for Stroz Friedberge about the topic: Passwords: You think you know. But do you?

17th annual Cyber Security Symposium

UNC Charlotte 17th annual Cyber Security Symposium was a sold out event. Humbled with the opportunity to take the main stage. Although this is an academia event, there were more far more professionals than students. Kudos to the organization for a great event!

RSA Conference 2016 is starting today

Very excited to be speaking at RSA this year! The title of my talk is "Dissecting Bitcoin security". Bitcoin is a game changer invention and can be applied in various different systems. Unfortunately the media put a very bad spin on the crypto currency and made people shy away from the technology. I hope my talk help people understand what the technology is about and why it's so relevant for security pros.

OWASP Top 10 Proactive Controls 2016

Happy New year! OWASP Top 10 Proactive Controls 2016 is out. Enjoy!

RSA 2016

Super excited about my upcoming talk at RSA 2016! With 33,000 attendants RSA is one of the biggest, best known and most respected security events of the year.

OWASP Top 10 proactive controls

Jim Manico is leading the upcoming release of OWASP Top 10 proactive controls. His approach this time was to make the document world editable on Google docs. I applaud Jim for leading this project in such an open manner. It’s both a pleausure and honor to work with him again! I look forward to sharing the end result with the rest of the world.

(ISC)2 Congress

(ISC)2 congress was a massive success with over 20,000 attendants. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday's lunch. I always wonder how the kitchen is able to serve everyone at the same time. One day I'll ask for a tour at the kitchen... It will make me a better man (and a better cook).

OWASP AppSec California 2015 videos are out!

Working with Jim Manico is a joy! I hope we can present again soon.

OWASP AppSec California 2015 Rocks!

Following the huge success of the previous event, OWASP AppSec California is promissing to be one of the hottest conferences in 2015. The line up of keynotes and speakers is top notch and the venue is truly unique. Seating is linmited so you really need to hurry up to get in!

FS-ISAC, here I come!

Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security threats facing the global financial services sector.

A good reason to upgrade to iOS 8

An integer overflow exists in the handling of PDF files that leads to arbitrary code execution. The vulnerability affects iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later and can be exploited remotely by simply viewing a malicious PDF file.

Technical Details: CVE Name: CVE-2014-4378

Apple CoreGraphics library fails to validate numerical input bounds when parsing the colorspace specification of a PDF XObject, resulting in a heap overflow condition. Exploitation is performed by corrupting data in specific ways to cause the application to overwrite the dynamic memory allocation linkage, using the resulting pointer exchange to overwrite a program function pointer.

Thanks to the unpatched vulnerability CVE-2014-4377 which leaks valuable information about memory layout to the browser Javascript interpreter, the combined usage of both flaws allow attackers to bypass Data Execution Protection (DEP), Address Space Layout Randomization (ASLR) and code signing. Fortunately Apple corrected CVE-2014-4377 in Apple OS X with Security Update 2014-004. The recommended solution of iPhone users is to upgrade to iOS 8.

Moral of the story for developers: DEP, ASLR and code signing are great defense in depth mechanisms that should be turned on when compiling C/C++ code but given the right conditions they can be bypassed.

The best time of DI year!

Really excited about today's talk at the Digital Insight Innovation Conference! Why? Because it's a departure from the talks I often do target to highly technical professionals. My DI talk covers how to deal with many of the issues financial institutions requested our assistance during the last year and it's based on a collection of free tools and best practices that users (and your customers or members) can adopt to improve their banking security.

Ransom attacks against Macs and iOS devices

Ransomware attacks are on the rise, and some emerging attacks are going beyond PCs to target mobile devices used by banking customers.

Ransomware is a kind of malware (malicious software) that criminals install on the victims computer, usually through a malicious email attachment or webpage link, and demand a ransom paid to the creator of the malware in order for the restriction to be removed.

A new type of Ransom exploitation against Apple devices has been reported in Australia but recently spread to the United States. This attack differs from previous Ransomware attacks because the attack is based on Apple’s Find My iPhone application so software needs to be installed on the device. Victims reported finding their phones suddenly locked, with a message from Find My iPhone saying that the device had been "hacked by Oleg Pliss.". The hackers then directed owners to pay up to $100 for a device unlock via PayPal.

It’s not immediately clear how attackers are gaining access to the Apple IDs to take over the devices. One possible explanation is that criminals have obtained access to a leaked list of email addresses and passwords, exploiting the fact that many individuals will reuse the same account details for their Apple ID.

This attack can be proactively avoided by following some security best practices:

• Set an access passcode on all your devices
• Enable two-factor authentication
• Use of a strong and unique password for each account on the web

CIO Event North America

The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los Angeles. The event's mission is to create a world-class platform of end-user driven academia to help executives make the right decisions for their organization. I'll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTO​, Carefusion CIO and LA Unified School District CIO.

Black Hat Brazil - part II

Wow! The organization committee highlighted my talk as one of the exciting conference briefings! Pressure is on! Better to brush up my Portuguese for next week!

OWASP LA Rules!!!

I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!

Speaking of OWASP AppSec USA 2013, let me take a momento to plug this excellent conference and the impressive line up of speakers. If you never been to a Global AppSec (USA, Europe, Latin America or Asia) before, I highly recommend to check it out!

Black Hat Brazil

The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the the most prestigious names from the full spectrum of security thinkers. The conference organization does a suberb job staying on the leading edge of new security trends as they emerge.

I was thirlled with the announcement of the first Black hat briefing in Brazil and even more thirlled when I was selected as one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy. The local informaiton security industry needs events such as BlackHat to learn and fight the ever-increasing number of new attack methods in cyberspace.

Hot Topics in Security

Wow! My roundtable session "Hot Topics in Security" at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.

Android Master Key Attack explained

The Bluebox research team recently pre-announced an Android vulnerability that allows an attacker to inject malicious code to an application. Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

The Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu. Simply put, APK files are zip files that could contain files with duplicate filenames inside. Unfortunately when duplicate names exist, the entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK - the injected one that can contain the malicious payload and is not checked for signature at all.

The solution to this issue involves the device manufacturer to provide an OS patch that will check for APK files with duplicate file names. Reputable app stores are already doing the same to ensure no malicious code is available for download. End users should avoid downloading applications from questionable sites. Users who wonder if their devices were compromised should download and run the Blue Box Security Scanner.

Free online training

SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.

If you are looking for this type of material, also consider Jerry Hoff’s excellent OWASP AppSec Tutorial Series

Lastly, my good friend Zully released a number of good videos about bitcoin security at Khan Academy.

Another Pleasant Surprise!

This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I'm truly honored to be among the finalists.

Kate Hartmann, one of the few OWASP full time employees, once told me that babies are the number one project killer in the community, something I can now testify... As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don't believe my words, listen to Ivan Ristic's interview in the OWASP podcast when he talks about OWASP!

I really cannot count how many individuals I met and I come to admire and built a friendship. OWASP not only made me a better professional but also a better person.

I'm sincerely touched with this nomination. Thanks OWASP! See you in Austin!

Can you Spot the Flaw?

Here is a function with a single line of code:

char check_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2)
{
…
return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

memcmp returns an integer which is implicitly casted to char. If memcmp happens to return a non-zero number that has a zero last byte, check_scramble will return 0 (password was ok), despite the fact that the password was incorrect.

One line of incorrect code resulted in this: CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

This is extremely hard for someone doing coding reviews of 1,000s of lines of code to spot or to find during a pen test. On the other hand it’s trivial for a static source code analysis tool (or even a good compiler) to find.

Moral of the story:

1. Check your compiler warning. In Visual Studio set your compiler warning to level 4.
2. Use a static source code analysis tool. If you have Visual Studio Team Edition, enable the code analysis option.

Global OWASP AppSec LatAm 2011 videos are out

Global OWASP AppSec LatAm 2011 videos are now available on YouTube! I had the pleasure of acting as the host from beginning to end. Here are some of my favorite presentations:

In English:

• Bryan Sullivan - You Are Not Amy Winehouse: A New Plan for Reaching the Developer Community
• Michael Craigue - Security Development Lifecycle - A History in 3 Acts
• Chris Evans - Dosh4vulns -- Google's vulnerability reward programs
• Rob Rachwald - How Security Researchers Are Hurting the Business of Hacking
• Dinis Cruz - Making Security Invisible by Becoming the Developer's Best Friends
• Maximiliano Soler Mantra - The Security Framework Slides

In Portuguese:

• Alexandre Braga - Como não escolher a sua senha! Será a senha gráfica o futuro das senhas?
• Rodrigo Montoro - HTTP Header Hunter: Looking for malicious behavior into your http header traffic
• Magno Logan - Segurança em Sites de Compras Coletivas: Economizando dor de cabeça!
• Wagner Elias - Automatizando análise passiva de aplicações web

The Great Cypher, Mightier than the Sword

David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.) Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving at a RSA Panel titled "Making Sense of Software Security Advice: Best vs. Practiced Practices". Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.

Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:

My personal discount registration code: ZSPDdJaIoqK

This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: http://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.

Secure Software Programming: One of the Three Best Security Career Bets

SC Magazine published a really nice article about the need for security last month. According to the latest edition of Foote Partners, developers who posses security certifications can earn pay premiums averaging eight to 12 percent of base pay and even more with additional experience.

Secure coding (and security testing) are hard to do, and market demand far exceeds the available talent supply. It takes years of hands-on practice, as well as training, to develop the skills.

The right tool for the right job (SAFECode and BSIMM)

After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.

This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.

The Gold Standard

Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.

Despite its known flaws, certifications are a great way to attest outsourced development can build solutions with the same level of quality practiced in large and well established enterprises. Certifications are a good way to verify a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.

Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one day event.

OWASP AppSec LatAm 2011

It took more than a year to organize OWASP AppSec LatAm 2011 but the results worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world class infrastructure. The variety and quality of PUC-RS’s main restaurant is comparable to some Buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.

Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations, they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue conversational style and candidness made his presentation a must see for everyone who wants to jump start a security initiative at an enterprise. I highly recommend both.

The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a well done job! Argentina now has big shoes to fit for OWASP AppSec LatAm 2012!

BSIMM 3 is out

Every craftsman needs a set of tools to perform its duties and security practitioners are no different. Released this past Tuesday, the Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is one of the essential tools security professionals need to know about. BSIMM is an inventory of existing security practices from over forty large-scale, IT dependent organizations across seven business vertical categories.

Reviewing BSIMM data over the years is a great way to compare and contrast how the industry is evolving. In addition, BSIMM provides a considerable list of activities organizations with an established security initiative should consider to adopt next.

A Pleasant Surprise!

(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?

There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.

Unfortunately sometimes I see people leaving not for profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that this community services and work for an enterprise is symbiotic. In fact all my staff at Symantec is encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business and the community. I hope other companies start to see things this way.

Protect The Stuff That Matters

Symantec released Norton Internet Security 2012 (NIS 2012) this week. According to independent research, the product is both the fastest antivirus solution and the product with the highest detection rate on the market.

Be sure to check the new product advertisement campaign titled "Protect The Stuff That Matters". In my opinion this is hands down the best marketing campaign the company ever did.

An Interview with Cassio Goldschmidt

The Pontifícia Universidade Católica do Rio Grande do Sul's (Pontifical Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I'm an alumnus of the school of Informatica and a big fan of the university.

As of 2009 the university had 10 courses with 5 stars, computer science being one of them.  There are also 21 courses with 4 stars according to the the Guia do Estudante: Computing and Mathematical sciences and Engineering and Production.

The magazine is in Portuguese. Click on the picture to download and read the article on page 40.

Registrations for OWASP Global AppSec Latin America are now open!

The organization committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving way is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in the conference visitor's guide.

(ISC)2 Americas Information Security Leadership Award 2011

I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLAs Program is held annually by the International Information Systems Security Certification Consortium's ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement of information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS Internation 2011 conference/(ISC)² Security Congress.

If you attend the conference, don't miss Richard Tychansky, Hart Rossman and Symantec's Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.

OWASP Global AppSec Asia 2011

Sebastien Deleersnyder, Mano Paul and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendants and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. Major news media will be covering the event.

There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in People’s Republic of China I respect so much their technical knowledge, work ethics and humbleness I could only wish we were fewer time zones apart! I hope to meet a lot more people alike in November. Please don’t be shy to come and chat if you see me around the conference floor.

2011 CWE/SANS Top 25 Most Dangerous Software Errors

SANS and MITRE released today the "Top 25 Most Dangerous Software Errors". This list ranks the most widespread and critical errors that can lead to serious vulnerabilities in software and is a great educational tool to help programmers to prevent the kinds of vulnerabilities that plague the software industry.

I've been a contributor of this list since the first release in 2009. It amazes me to see vulnerabilities such as CWE-120 ('Classic Buffer Overflow') still on the top of list for the following reasons:

1. Programmers really have to go out of their way to create classic buffer overflows in modern languages such as C# and Java. These languages, not C/C++, are the language of choice for many developers nowadays creating new systems.
2. Static code analysis tools do an excellent job finding instances of buffer overflows.
3. Modern compilers offer several ways to prevent exploitation of this type of flaw without changing a single line of code.
4. Some companies did an outstanding job bringing awarness to this issue and providing great security training to their development teams, including QA.

Without necessarily producing better software, the industry in general found a way to innovated itself out of a widespread problem. Buffer overflow flaws are still prevalent out there because we use a lot of legacy systems. I just don't find a lot of new instances being discovered, at least in our tests. If anything, this type of flaw is identified and fixed during the development phase using static source code analysis tools that are integrated to build systems.

ISSA Los Angeles 2011 Security Summit

I just came back from the ISSA speaker dinner and I'm really excited about tomorrow's event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving at a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital) and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.

Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).

Better Software 2011

As much as I love to manage a global team that is as passionate about Software Security as Symantec's Product Security, I'm still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. "Cosmic Truths about Software Quality" by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.

According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don't care about security?

Valentine's day

Valentine's this year will be a bit different... I'm returning to Berkeley to present a talk about my book, this time to the NetEcon group. Next, I'll head to RSA Conference and finally end the day at a business dinner with my boss and a Symantec business partner.

Black Hat

One of the best things about being one of the first speakers to present at a conference is that it's possible to actually pay attention to the the other talks. ;-)

While there were several good talks, I highly recommend watching two: Bryan Sullivan's "Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era" and Tom Brennan, Ryan Barnett's "Checkmate with Denial of Service".