
Dinis Cruz, Director of Advanced Technology, Ounce Labs

Stephen Northcutt - June 11th, 2007

Dinis Cruz, Director of Advanced Technology, Ounce Labs, has agreed to be interviewed for the security lab for this special series in web app security and we certainly thank him for his time.

Dinis, can you tell us something about yourself? What do you like to do when you are not in front of a computer, Apple or Microsoft, favorite language to code in?

I’m a Portuguese security guy from the ‘Spectrum 48k’ generation who discovered that application security was a perfect match for my weird and mixed skill set. I use both Apple and Windows and prefer to program in C#. When I am not in front of a computer, I like to spend time with my family, play football, golf, guitar and drums.

It seems that leadership in OWASP .NET[1] has resulted in thought leadership in the industry. Can you tell us a bit about how you got involved in the Open Web Application Security Project (OWASP)[2]?

OWASP (http://www.owasp.org) is a worldwide open community of security professionals who care about web application security. My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey! Why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted and have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives.

In OWASP I found a place where I could publish my research and ideas to a like-minded community, develop open source tools, participate in conferences and meet potential employees.

Talking about financial return, a lot of people think that I am employed and paid by OWASP. That is not accurate because all OWASP yearly profits are injected into OWASP for projects like the Autumn of Code (36,000 USD invested) and Spring of Code (125,000 USD invested). That said, I can claim that 100% of my paid consulting projects done during the last 3 years were directly related to people I met via OWASP.

So, currently I am on the OWASP board (together with Jeff, Dave and Andrew) and take the role of "Chief OWASP evangelist"; I don’t like the "evangelist" title, but it gives me a lot of flexibility in OWASP to create new projects and initiatives.

What do you think the next frontier is for the OWASP .Net project?

I think OWASP is at a tipping point where it needs to make the transition to a much more professional organization, whereby the quality of OWASP projects is significantly increased together with the value delivered to the OWASP community (members, users, project/chapter leaders, etc.).

I do think that OWASP is part of a new generation of Open Source projects that is focused on quality and value, and doesn’t spend much time talking about and defending its Open Source roots.

The bottom line is that the fact that OWASP tools and documents are (and always will be) available for free is not an excuse to accept low quality deliverables in certain areas. For example, one of the "services" that OWASP wants to provide is security reviews and guidance for software developed and published by OWASP members. At the moment, no one knows how many security vulnerabilities exist in OWASP tools; and the fact that they are open source doesn’t make a difference, since the number of application security professionals with the skills and time to review those tools is just about zero (as it is in most Open Source projects).

One of the biggest news flashes I remember was Jeff Williams' presentation for ISSA when he said Visa was requiring adherence to the OWASP Top Ten[3]. Now it is over a year later; how much impact do you believe that has had, and what do you think we will see in the coming year?

There is no doubt that it was great exposure for OWASP to have such a powerful organization refer to the OWASP Top Ten and recommend that people use it. The problem was that they were using the OWASP Top Ten in a way that it was never designed to be used. The OWASP Top Ten was an awareness document, whose objective was (and still is) to say "If you want to protect your web application, and are not sure where to start, here are the first 10 issues that you should address". That document was never designed to be used as a "Standard" or for compliance.

We have just released the updated version of the OWASP Top Ten 2007, which is fully revised and contains a couple of new issues. And, although we added a section on how to test for each issue, it is still not a "Standards" document.

Back to Visa, I think that the PCI was a great first step and I hope that they continue their efforts to increase the security of the companies that handle our credit cards.

On the video of you at Blackhat 2006[4] you were saying that vendors wanted to avoid standards since it takes away some of the differentiation of their products. Now that you are working for a vendor, what do you feel and what is the most promising standards effort in the industry for software security?

Well, I still strongly believe that we need industry wide standards, and I think that the most promising efforts are currently happening at OWASP, WASC[5] and CVE[6]. Ultimately, all vendors must stop reinventing the wheel and use common ways to describe vulnerabilities, exploits, remediation techniques, etc…

What clients (and users) want are solutions for their problems that are cost effective, open, reliable and (very important) secure. The world that most software companies (and several open source projects) live in - which is based on complex, interconnected and opaque blocks - will not last for much longer.

The problem is that the customers are still okay with the low quality software products (both commercial and Open Source) that they use on critical systems, and the fact that the attacker’s business model has not evolved to the point where they make money exploiting those environments. We are still in a phase where software vendors really get away with murder and, ironically, from a security point of view, Microsoft is becoming one of the least offenders.

What can you share about the web app security market segment, growing, shrinking, becoming more sophisticated? How would you describe the typical customer for the Ounce Labs product mix?

I usually view the web application security market in five big blocks:
  • black-box testers (SPI Dynamics, Cenzic)
  • white-box testers (Ounce Labs, Fortify)
  • grey-box testers (security consulting companies like IOActive or Foundstone)
  • Web Application Firewalls (Breach, Imperva)
  • Security Products (SSL accelerators, Anti-Virus, IPS, IDS, etc.)

I think some of those markets are growing and some are shrinking. Not coincidentally, the one that I believe is just about to explode is the source code scanning tools (the white-box testers), since the potential to add real value to the end consumer is enormous, and the new generation of these tools will make such a positive difference that they will become a vital tool for developers and security consultants.

Regarding the typical Ounce Labs customers, they usually fall into two categories. There are the ones who just want to run the tool in their code base to see how bad it is and give the results to the developers (or security consultants), and then there are the security consultants (or security focused developers) who use the tool to become more productive and to be able to efficiently cover the entire code base of the application being tested.

We usually call the first group the "Big Red Button crowd" (since they just want to press one button or a single mouse click) and the second group, the "App Security Consultant/Developer crowd".

There is a strong need for both approaches, but we must be aware that there are big limitations on how much the discovery process can be automated. So, my focus is on the second group, where I am working to create an environment where they (the knowledgeable security professionals) can be hyper effective and accurate. I like the analogy of a plane’s cockpit, where a huge amount of data and complexity are filtered into graphically displayed, easy-to-understand information (well, easy to understand for the pilot *smile*, and, in our case, for the security consultant/developer.)

This is a question I like to ask everyone in this space. One of the unique things about web applications is that one programming error can be referenced in hundreds of instances, often all of them Internet reachable. What do you think the number one error is, the mistake a programmer can make to guarantee a spot in the hall of shame?

I have to say that I really have a problem with blaming the developers. I do a lot of security training for developers and, in most cases, those guys are much more intelligent and knowledgeable than me. The problem is that our current development models reward features, performance, reliability and speed to market with security being one of those "Oh yeah, and it has to be secure." *smile*

So, I think the one single mistake the programmer can make is to agree to program in a non-sandboxed and non-type-safe environment where one mistake can be fatal. The reason why such critical-impact errors occur is that our current application environments are not designed to protect that application’s assets. For example, in the web world: an SQL Injection on the Login Page, or a bank details page which asks the user which account he wants to see and doesn’t check if the user is authorized to see that account, or an airline system which uses a price for a ticket purchase submitted from a user-supplied HTML form, or XSRF-vulnerable pages, and the list goes on.

One of the areas in which I have been trying to get some of the big players in the market to change their paradigm (for example Microsoft) is in the use of Sandboxing technologies. We need to create run-time execution environments (for example, the environment where the web application server side code is executed) that limit what the code can do to those assets (for example, why should every single line of code in an application be able to manipulate the database, access all data, change the user identity, attack the internal network, etc.)

This also takes us to a problem of complexity where developers (and even system architects) are not able to list the attack surface of their application (i.e., all inputs and types of data that can be submitted). Add to that mix the use of Frameworks (from .NET to Ruby on Rails) that contain their own types of vulnerabilities, and you have a powerful cocktail where one mistake can lead to catastrophic consequences.

The good news is that the attackers are not exploiting these vulnerabilities (where are the kids writing benign worms when you need them? *smile* )
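Two of the "web world" mistakes named in the answer above (the bank details page that shows whatever account the form asks for, and the ticket purchase that trusts a price posted from the form) are small enough to show side by side with their checked versions. The code below is an added illustration for this interview, not code from Dinis, Ounce Labs or OWASP; the accounts, fares and the request form are constructed sample data, and the ASP.NET request plumbing is replaced by plain dictionaries so that it compiles as a console program.

```csharp
// Added illustration, not part of the interview: an unchecked account lookup and a
// client-supplied price, each beside a server-side-checked version.
using System;
using System.Collections.Generic;

public sealed class Account
{
    public int Id { get; }
    public string OwnerUserId { get; }
    public decimal Balance { get; }
    public Account(int id, string owner, decimal balance) { Id = id; OwnerUserId = owner; Balance = balance; }
}

public static class BankPage
{
    // Constructed sample data standing in for the bank's database.
    static readonly Dictionary<int, Account> Accounts = new Dictionary<int, Account>
    {
        { 1001, new Account(1001, "alice", 250.00m) },
        { 1002, new Account(1002, "bob",   900.00m) },
    };

    // Vulnerable: returns whatever "account" the form submitted and never asks
    // whether the authenticated user owns it (currentUser is ignored on purpose).
    public static Account ShowAccountInsecure(string currentUser, IDictionary<string, string> form)
    {
        int id = int.Parse(form["account"]);
        return Accounts[id];
    }

    // Hardened: the authorization decision is made against the authenticated
    // identity, not the submitted parameter. A missing id and someone else's id
    // both yield null (rendered as a generic "not found"), so the response does
    // not reveal which account ids exist.
    public static Account ShowAccount(string currentUser, IDictionary<string, string> form)
    {
        if (!form.TryGetValue("account", out var raw) || !int.TryParse(raw, out var id))
            return null;
        if (!Accounts.TryGetValue(id, out var account) || account.OwnerUserId != currentUser)
            return null;
        return account;
    }
}

public static class Checkout
{
    // Constructed catalogue: the fares the server knows for each route.
    static readonly Dictionary<string, decimal> Fares = new Dictionary<string, decimal>
    {
        { "LIS-LHR", 180.00m },
        { "LIS-JFK", 640.00m },
    };

    // Vulnerable: the fare is read straight from a (hidden) form field.
    public static decimal PurchaseInsecure(IDictionary<string, string> form)
    {
        return decimal.Parse(form["price"]);
    }

    // Hardened: the client may only choose which route; the price is always
    // resolved from server-side data, so a tampered "price" field is ignored.
    public static decimal Purchase(IDictionary<string, string> form)
    {
        if (!form.TryGetValue("route", out var route) || !Fares.TryGetValue(route, out var fare))
            throw new ArgumentException("unknown route");
        return fare;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed request: "alice" is logged in, but the submitted form names
        // bob's account and carries a tampered price.
        var form = new Dictionary<string, string>
        {
            { "account", "1002" }, { "route", "LIS-JFK" }, { "price", "1.00" }
        };
        Console.WriteLine("insecure account owner: " + BankPage.ShowAccountInsecure("alice", form).OwnerUserId);
        Console.WriteLine("checked account is null: " + (BankPage.ShowAccount("alice", form) == null));
        Console.WriteLine("insecure price: " + Checkout.PurchaseInsecure(form));
        Console.WriteLine("checked price:  " + Checkout.Purchase(form));
    }
}
```

The point the two pairs share is the one made in the answer: the data a form submits is only a request, and the decision about which account may be shown, or what a ticket costs, has to be taken from state the server controls. The hardened versions also treat "does not exist" and "not yours" identically, so an attacker cannot use the page to enumerate valid account ids.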

Dinis, the security market continues to change, new threats evolve, what are the hottest trends right now in attacking web applications and what can we do to prevent them?

I think XSS (Cross-Site Scripting) exploits (and their variations) have really exploded in the last 9 months. This was mainly caused by the wide use of AJAX, the emergence of mashups / "2.0" types of applications and the exploitation of JavaScript’s capabilities. We also had a couple of cases of backdoors inserted (and discovered) in popular applications (see the WordPress case), which is something that we will see more and more in the future.

To solve these problems we need to take security much more seriously, in both the Open and Closed source worlds, where companies and organizations that develop software used to manage or store important assets use a security-aware SDL (Software Development Lifecycle), run security audits regularly, and allow clients (i.e. the users of those applications) to select products based on their security (or lack thereof).

The key will be to enable the clients, who are paying for that software or using those web applications, to select with their wallet or eyeballs.

If security was your primary driver, would you prefer a framework like .Net or an AJAX driven Web 2.0 approach like MySpace? What if coding efficiency, getting it done both quickly and pretty much correctly, was the primary driver?

Well, I think you will find very few cases where getting it done both quickly and pretty much correctly is NOT the primary driver. I think the key is not in which framework or technology you use, but rather in the answers to the following questions:
  • How much do the key players (from developers, to architects, to clients) understand the security implications of what they are doing?
  • Is creating a secure application a key requirement?
  • Is there a dedicated security team?
  • How much clout (and budget) does that security team have?
  • Can the application's features be changed based on their security implications?
  • What are the REAL consequences of a security incident? (i.e., will it be a marketing / damage control exercise, or will that company actually lose customers and revenue?)
  • Can the clients make their purchase decisions based on how good (or bad) the product’s security is? (i.e., are the clients aware of the efforts and cost required to write a secure application?)
  • Finally, the main one: Does it make more commercial sense to: a) create a "secure" product; or, b) create a product that has a lot of "security features" but is quite insecure? Note that, in most cases, the answer is (b).

The answers to those questions will have more impact on the security of the website/application than the framework or operating system chosen. That said, I am a big fan of Frameworks since they can create development environments where the developers are making the right decisions by default (of course, if those Frameworks don’t implement and enforce Sandboxes, then the developers are able to bypass those "secure techniques" and manipulate the assets directly.)

What advice do you have for someone in the security field to stay current on web app security, what is your favorite newsgroup, mailing list or other information source? I know you speak at events on a regular basis, where does a software developer go to get the inside scoop on application security?

Being very involved in open communities like OWASP, especially actively participating in or leading their projects, is one of the best ways to stay current, work on interesting challenges and learn new techniques. Regarding mailing lists, I would say the best Web App security lists are WASC[7] and the Secure Coding List[8]. I also subscribe to Full Disclosure, using a separate email address, which I try to read once a week. For blogs I would recommend OWASP[9], Jeremiah’s[10], Ha.ckers[11], GnuCitizen[12] and SecuriTeam[13].

Regarding conferences, the "must go to" are OWASP (one in Europe and one in the US) and BlackHat (main one in Las Vegas, plus throughout the world).

What haven’t I asked, this is your chance to grab the bully pulpit[14], a platform from which to persuasively advocate an agenda, and drive home your number one point that you are trying to make as a thought leader in the industry?

The main point that I would like to make (which will be no surprise to anyone who has the patience to hear me talking about it *smile* ) is my wish that we would all take sandboxing (most specifically, Partial Trust on ASP.NET) much more seriously. At this moment, our main security model is one based on the nonexistence of malicious code and vulnerabilities in the applications and libraries used on our servers and desktops. I prefer a world where there WILL be vulnerabilities and malicious code in our servers and desktops that cannot be exploited (or, at least, will be easy to identify when activated) due to the sandbox used to execute it.

Unfortunately, the big players who can move markets (Microsoft and Sun, in this case) don’t view that as a priority and their paying clients are not being attacked enough to demand serious solutions from them.

I have been defending this idea for 3 years now, and I still believe that this approach will solve a lot of the current security problems (note that my sandbox concept is focused on the assets and takes into account both server side and client side execution environments.)

Thanks for taking the time, Dinis!

No problem - thank you, Stephen.

1. http://www.owasp.org/index.php/Category:OWASP_.NET_Project
2. http://www.owasp.org/index.php/Main_Page
3. http://www.owasp.org/index.php/Top_10_2007
4. http://video.google.com/videoplay?docid=941077664562737284
5. http://www.webappsec.org
6. http://cve.mitre.org/
7. http://www.webappsec.org/lists/websecurity/
8. http://www.securecoding.org/list/
9. http://blogs.owasp.org/
10. http://jeremiahgrossman.blogspot.com
11. http://ha.ckers.org/
12. http://www.gnucitizen.org/
13. http://blogs.securiteam.com/
14. http://www.c-span.org/guide/congress/glossary/bullypul.htm