Friday, November 23, 2012

Know Your Tools!

There are several mantras when it comes to developing secure software. The most important and therefore the number one is: "Never ever trust the user's input!" The second one would be: "Use as many privileges as necessary and as few as possible!" aka "Least Privilege". There are many more, but usually these two rules can be seen as catch-all rules. As soon as you start to design, implement and test according to these rules, all the other rules seem to be common sense. You don't start to argue why you should use prepared statements -> Rule 1! Always check buffer sizes? -> Rule 1! Use different users during installation and production? -> Rule 2!

Still, during my secure development classes I add one more: "Know your tools!" By tools I do not mean your favorite IDE or text editor, but the programming language and the frameworks in use.

While modern IDEs and frameworks suggest how easy programming is nowadays, this easiness lulls the developer into a false sense of knowledge and security. It starts with not knowing which output methods are XSS safe (and why) and doesn't stop at ignorance of LINQ injection. This is security by luck. Sure, frameworks are complex, and as a real hard-core programmer you write your own frameworks, which you know by heart. That leads to the equally important question: "How well do you know the programming language you wrote your framework in?" Without excellent knowledge of the programming language you are bound to make mistakes because of assumptions. Assumptions you don't even know you are making.


Can you predict the result of the following statement?

Integer var1 = 0;
Integer var2 = 0;
System.out.println("var1 == var2? " + (var1 == var2));
System.out.println("var1.equals(var2)? " + (var1.equals(var2)));

Easy, isn't it? Both times we get "true" as the result.

But what happens if we replace 0 with 128?

Integer var1 = 128;
Integer var2 = 128;
System.out.println("var1 == var2? " + (var1 == var2));
System.out.println("var1.equals(var2)? " + (var1.equals(var2)));

Now the world looks different. While the "equals" method still returns "true", the "==" now returns "false". The reason: autoboxing compiles to Integer.valueOf(int), which hands out shared, cached Integer objects only for the range -128 to 127 (the upper bound can be raised with -XX:AutoBoxCacheMax). Two separately boxed 128s are therefore two distinct objects, and "==" on two references compares identity, not value. Can you imagine how long it will take to find a bug which only occurs if a certain value is higher than 127?

While we are on it:

Integer var1 = 128;
long var2 = 128L;
System.out.println("var1 == var2? " + (var1 == var2));
System.out.println("var1.equals(var2)? " + (var1.equals(var2)));

This time "==" returns "true" while ".equals" returns "false". For "==" the Integer is unboxed and widened to long, so the primitive values are compared. For ".equals" the long is boxed to a Long, and Integer.equals(Object) only returns true for another Integer, so the matching value does not help.
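The following is an added example, not code from the original post, that puts the comparisons above side by side and, instead of hardcoding 127, probes where the Integer cache actually ends on the JVM it runs on (the class and method names are my own):

```java
import java.util.Objects;

public class BoxedCompare {

    // Autoboxing compiles to Integer.valueOf(int), which returns shared
    // instances for -128..127 by default (upper bound adjustable with
    // -XX:AutoBoxCacheMax=<n>) and a fresh object above that. Walk upwards
    // until two separately boxed values stop being the same object.
    static int cacheUpperBound() {
        int i = 0;
        while (i < Integer.MAX_VALUE) {
            Integer a = i;
            Integer b = i;
            if (a != b) {          // identity comparison, deliberately
                return i - 1;      // last value that was still shared
            }
            i++;
        }
        return Integer.MAX_VALUE;
    }

    // Value equality for two boxed numbers of possibly different box types.
    // Compares the primitive values instead of references, and avoids
    // Integer.equals(Long), which is false by contract even for equal values.
    static boolean sameValue(Number a, Number b) {
        return a != null && b != null && a.longValue() == b.longValue();
    }

    public static void main(String[] args) {
        System.out.println("Integer cache ends at: " + cacheUpperBound());   // 127 by default

        Integer small1 = 127, small2 = 127;
        Integer big1 = 128, big2 = 128;
        // Identity: true inside the cache, false outside it
        System.out.println("127 == 127: " + (small1 == small2));
        System.out.println("128 == 128: " + (big1 == big2));
        // Value: true in both cases
        System.out.println("Objects.equals(128, 128): " + Objects.equals(big1, big2));

        Integer boxed = 128;
        long wide = 128L;
        // Integer == long: boxed is unboxed and widened, so the values are compared
        System.out.println("Integer == long: " + (boxed == wide));
        // Integer.equals(Object): wide is boxed to a Long, which Integer.equals rejects
        System.out.println("Integer.equals(Long): " + boxed.equals(wide));
        // The portable way to compare them by value
        System.out.println("sameValue(Integer, Long): " + sameValue(boxed, wide));
    }
}
```

Run it once with plain `java BoxedCompare` and once with `java -XX:AutoBoxCacheMax=1000 BoxedCompare`: the reported cache bound moves, and with it the exact value at which the "==" on two Integers starts to fail. That is the practical reason never to rely on "==" for boxed types, not even for "small" values, since the boundary is a JVM option rather than a language guarantee.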

There is always a reason why Java behaves like this. It might not always be a good one, and some reasons are obsolete now, but these features are still there. It's not only Java; other languages have features like this too.
With the introduction of reflection in modern languages it gets even weirder. In my whitepaper "The Source Is A Lie" I point out how to manipulate seemingly constant strings. This technique doesn't only work for strings; it can be applied to almost any type that is auto-boxed. Can you imagine what happens if you change the value of the constant "Boolean.TRUE" to "false"?
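As an added illustration of that reflection point (my own example, not the whitepaper's code and not an exploit against any product), the following rewires the Integer cache the earlier examples depend on, so that every subsequent autoboxing of the literal 1 yields the object for 2. The class and method names are assumptions of mine; the cache class and field names are those of the JDK.

```java
import java.lang.reflect.Field;

public class CacheTamper {

    // Make the cached Integer slot for 'target' point at the cached Integer
    // for 'replacement'. Both must lie inside the cache range (-128..127 by
    // default), because only those values are served from the shared array.
    // On Java 16 and later this needs
    //   --add-opens java.base/java.lang=ALL-UNNAMED
    // (Java 9 to 15 only print an illegal-access warning; Java 8 allows it).
    static void rewireIntegerCache(int target, int replacement) throws Exception {
        Class<?> cacheClass = Class.forName("java.lang.Integer$IntegerCache");
        Field cacheField = cacheClass.getDeclaredField("cache");
        cacheField.setAccessible(true);
        Integer[] cache = (Integer[]) cacheField.get(null);
        int low = -128;                        // IntegerCache.low is a fixed constant
        cache[target - low] = cache[replacement - low];
    }

    // Autoboxing the literal 1 compiles to Integer.valueOf(1); after the
    // rewiring that call returns the Integer holding 2, so this yields 3.
    static int onePlusOne() {
        Integer one = 1;
        return one + 1;                        // unboxes via intValue()
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: 1 + 1 = " + onePlusOne());             // 2
        rewireIntegerCache(1, 2);
        System.out.println("after:  1 + 1 = " + onePlusOne());             // 3
        // Only boxings performed after the change are affected: valueOf now
        // returns the same object for both values.
        System.out.println("Integer.valueOf(1) == Integer.valueOf(2): "
                + (Integer.valueOf(1) == Integer.valueOf(2)));                  // true
        // Primitive arithmetic never touches the cache and stays correct.
        int a = 1;
        System.out.println("primitive 1 + 1 = " + (a + 1));                  // 2
    }
}
```

Two caveats a practitioner should expect when trying this. First, only code that boxes goes through the cache: primitive ints, and any Integer created before the change, are unaffected, which makes the resulting bugs look random. Second, once a hot method is compiled by C2, its box elimination may fold the valueOf/intValue pair away and the tampering becomes invisible in that method while interpreted code still shows it. Both are exactly the kind of tool knowledge the post is asking for.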

The point is…

As Captain Obvious would say: "We are living in a fast-paced world." For IT this world is blazingly fast. There is a new programming language popping up almost every month. Keeping up with the hype is required if you want to stay on top of the hiring pool (or learn ancient languages like Fortran and COBOL). Yet, to write secure and bug-free code one has to learn and understand the programming language and its environment. This isn't done within one month, or even one year. As everywhere, and especially in security, you have to make some compromises and set your priorities to fit your needs.

Monday, November 19, 2012

Introducing: MVIS Security Center for WordPress

Hello WordPress Community,

I am excited to officially introduce the MVIS (Managed Vulnerability Information Service) Security Center, a plugin for your favorite Content Management System. Before explaining the functionality of the plugin, I want to share the story behind it with you.

Two friends of mine run a small online business which is their sole source of income, and they rely on its uptime and integrity to earn their living. Their main website is built with WordPress and an e-commerce solution to allow their growing user base to read about the latest fashion trends and buy their imported products online.

Unfortunately, one day they were hacked and their website was blacklisted for hosting malware, which reduced their earnings for that month significantly. They were desperate and asked me to help them with the problem at hand. It quickly became clear that the hackers had gotten access to their site through a combination of insecure WordPress settings and outdated plugins, and after cleaning everything up, one question remained.

How can we prevent this from ever happening again?

Anyone who has ever spent some time on the WordPress forums will know that users get hacked every single day. The problem is that not everyone running a WordPress website is fortunate enough to have security-savvy friends who can help, and chances are that the majority of WordPress users won't be able to purchase professional security services either. This is where MVIS Security Center comes into play.

We analyzed the root causes of hacks for WordPress powered websites in order to figure out how these attacks can be efficiently countered, while at the same time keeping things simple enough to be followed and understood by everyone.

Knowledge Is Power - Arm Yourself!

It is all about having the right information at the right time. MVIS Security Center will provide you with the information you need to lock down your website. The plugin checks for most of the topics covered in the WordPress Security Codex and quite a few additional ones. You will see at a glance what needs to be done to make your site secure, because for each of the identified security problems we provide detailed information on what the problem is and how to resolve it.

Understand, Evaluate, Resolve

One of the things that makes MVIS Security Center stand out is that it enables its users to understand the security risks of the identified problems, as opposed to automatically "fixing" problems, which more often than not causes trouble with the site.

Each of the identified security issues is described in detail. This gives people the chance to actually understand the underlying problem and decide whether this specific insecurity is a real threat to their site or a risk that can be accepted. Every website is unique, and so are its security requirements. MVIS Security Center is the tool that provides you with the information needed to make educated decisions and eliminate the security risks that matter for your sites.

This way you will also know exactly what changes are being made to your websites and why they are made. You make the decisions and stay in full control!

The Game Changer

One of the most common reasons for successful attacks against WordPress powered sites is outdated plugins that contain publicly disclosed vulnerabilities. We have a dedicated team of security experts analysing all newly disclosed vulnerabilities, verifying them, rating their risk and entering them into our database. You can now subscribe to this professional vulnerability information feed from within the MVIS Security Center plugin. We will create an accurate profile of your site and send you alerts when a vulnerability in your installed software is found, along with instructions on how to make your system secure again. All installs, updates and removals of your WordPress components are tracked to ensure that you will always receive the most accurate information.

This is a subscribe-and-forget solution. You will receive an e-mail as soon as your interaction is required. Especially if you are responsible for multiple WordPress based sites, you will greatly benefit from the added convenience of getting the security relevant information in your inbox without needing to log in and check multiple WordPress backends.

So who is this plugin for?

MVIS Security Center was created for everyone who loves WordPress and wants to enjoy it without losing sleep at night: people like my friends who run an online business, and anyone else who uses WordPress for commercial or non-commercial purposes and wants to become safe and secure.

Download MVIS Security Center here.
More information about the MVIS technology can be found here.