
Ivan Arce, CTO of Core Security Technologies

Stephen Northcutt - May 6th, 2009

Ivan, it has been a while since we talked, can you give our readers an update on what you think is hot?

I am currently interested in tracking and analyzing security trends and attack techniques on a handful of areas:

  • Rich Internet Applications
  • Wireless (mostly related to 802.11* )
  • Embedded OSes, firmware and low-level hardware attacks
  • Mobile device security
  • Virtualization technologies
  • Cloud computing and web services
  • Applications that are prevalent in specific verticals

I believe these are all moving shape-changing pieces of the puzzle to solve in order to have a relatively comprehensive view of emerging security trends for the next 5 years.

Besides that, I also invest a good portion of my time analyzing practical and useful relationships between penetration testing software and practices and security and operational risk management models. Another portion of my time is dedicated to evaluating and analyzing technologies and products that I deem interesting. I am mostly interested in the application of P2P, visualization, signal processing, distributed and cloud computing to information security.

Clouds, clouds, everyone is talking about clouds, I was at one presentation at RSA 2009 where they said the word six times on a panel presentation and they weren't even done with the introductions. Do you have any thoughts about security testing in a non-private cloud?

That is a great question. Unfortunately, I don't think there are any clear and direct answers on how to perform security testing in non-private clouds. Many security experts and the security teams of medium and large-sized organizations are still grappling with that problem. Particularly because behind the "perimeter" of the cloud, the security and privacy boundaries for transient and stored data may be significantly blurred. I think that a necessary first approach is simply contractual: it should be possible or even required to have processes for systematic security testing of cloud services and infrastructure, it should be possible or even required to have transparent assessments and audits performed by cloud users internally or by independent third parties. However, as we know, service level agreements and other contractual obligations or compliance requirements do not guarantee effective security by themselves. Practical, hands-on joint exercises (user+provider or multi-user+provider) may be a good way to improve the security posture for a shared footprint faster, but such a thing would require a significant amount of transparency, cooperation and openness of all involved parties so it's unlikely in the short term.

Certifications and security "service level" ratings for processes and facilities tied to risk management instruments may have some interesting development as well. This area has some very interesting runtime code and data compartmentalization and isolation challenges for the information security and privacy community and I have not seen any groundbreaking work in this topic yet.

I realize you are not on the business side of the company, but does CORE offer separate products, or is everything integrated into IMPACT? What do I have to do to get it and about what does it cost? People always have these types of questions and we must answer them *smile*

There are two primary capabilities that have been added to the traditional network and OS vulnerability-focused IMPACT; now we have added scanning web applications, another example of being comprehensive. There are other commercial products that have subsets of what we have, but nowhere near as comprehensive a solution. But, one facet of CORE that many people overlook is the ability to test the user. We have client side attacks for browsers and also support social engineering such as Spear Phishing. And we do have new, more limited, offerings, CORE IMPACT Essential. I am probably not the right person to talk about the money side, but the approximate cost is about $32K for an annual subscription that includes an unrestricted number of targets and a full year of all the weekly updates and any upgrades. To get fully correct information call +1 617-399-6980 or email:

My sense is that enterprise web applications that are Internet facing change regularly, how does your tool help one regularly and safely test web applications? And can you elaborate on your first answer a bit more, are you saying you can duplicate actual data breach attempts - the ones you see directed against organizations like The SANS Technical Institute?

It is a good practice that you test regularly. In fact it is bad practice not to. If you buy a pen test, that only helps you for the period of time right after you have the test; you are likely to be facing new vulnerabilities since applications will have changed over time. With the right tools, it is possible to test applications against weaknesses in a systematic manner, because these things do change a lot. CORE IMPACT makes it easier to repeatedly test.

OK, and on that note, what are the hottest techniques right now to breach data?

From what we are hearing and seeing there are three things that are most important right now:
  • SQL injection
  • Remote file inclusion, when you can tell the remote system to include a file you are serving that contains commands, the vulnerable web server might run it for you, this is a big problem with PHP, there are so many applications developed with PHP
  • Cross Site Scripting, Web applications are just one aspect of it, because for many years the weakest link has been the client side applications, the programs the users are running, as well as security awareness issues (phishing and spear phishing)
Keep in mind the attackers combine their attacks so your weakest link is where you will fail, which is why you need a comprehensive approach. Believe it or not, the current fad when buying a pen test is to only buy a web application pen test as if all the network and system vulnerabilities have suddenly gone away. This is why it is so important to have a comprehensive testing tool. That said, the things that I just mentioned are not the hottest in terms of trendiness: people want to talk about AJAX, JavaScript or Web 2.0, but talk is cheap; as far as current attacks, the numbers are staggering from the three items I mention.
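The three classes Ivan lists above, as an added example that is not part of the interview or of Core Security's products: each is shown as a vulnerable function beside its hardened form, run against constructed sample data (the `users` table, the `PAGES` allowlist and the file paths are all made up for the example). The file-inclusion case is the local analogue of the PHP `include()` problem he describes.

```python
"""Added example: SQL injection, file inclusion and cross-site scripting,
each as a vulnerable function beside its hardened form. All data here is
constructed for the example."""
import html
import os
import sqlite3
from pathlib import Path


def build_db():
    """Constructed in-memory table standing in for an application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "111-11-1111"), ("bob", "222-22-2222")])
    return con


# --- 1. SQL injection ----------------------------------------------------
def lookup_vulnerable(con, name):
    # String formatting puts the user's input into the SQL grammar itself,
    # so a quote in the input rewrites the WHERE clause.
    rows = con.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(con, name):
    # Parameter binding: the input is always treated as data, never as SQL.
    rows = con.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- 2. File inclusion ---------------------------------------------------
PAGES = {"home": "Welcome", "about": "About us"}   # constructed allowlist


def include_vulnerable(page, base="/var/www/pages"):
    # Mirrors include($_GET['page']): os.path.join drops `base` entirely
    # when `page` is absolute, so the caller chooses which file is read.
    return Path(os.path.join(base, page)).read_text()


def include_hardened(page):
    # Map the request onto a fixed set of known pages; nothing else loads.
    if page not in PAGES:
        raise ValueError("unknown page")
    return PAGES[page]


# --- 3. Cross-site scripting --------------------------------------------
def render_vulnerable(name):
    # Raw interpolation: markup in `name` becomes markup in the response.
    return f"<p>Hello {name}</p>"


def render_hardened(name):
    # Escape at the output boundary so the value can only be text.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"
```

The pattern in all three hardened forms is the same one Ivan keeps returning to: the application decides where data may go, rather than letting data decide.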

Incredible, so with your tool a tester can duplicate the latest breaking attacks without having developed advanced technical skills?

Well, that's what we do. That is the purpose of what we are doing at Core, we are trying to bring those techniques into the hands of security practitioners that are not necessarily skilled in this area. So, we productize these techniques and provide an easy-to-use interface with wizards so it is like using your word processor or project management application.

But it would seem that technical skills do matter, if someone is a skilled penetration tester can they do more with your product than someone that is not fully up to speed in web application security? I would certainly think so!

Oh yes, definitely, IMPACT brings the base level up; however, if you are an expert, our product is extensible and does not limit you. What it gives you are the tools to speed up the process and does many of the necessary but repetitive processes that use up a lot of your time.

Ok, so if I am a skilled penetration/web application tester, what is the primary advantage of the product for me? I would guess it would be speed, right, and the ability to replicate myself. And how do you help me with speed?

You find yourself doing routine things that you need to do as a penetration test that are not so interesting, but they are part of a penetration test. Now, with our tool you can automate the routine and go far faster and concentrate your efforts on things that only an expert can do.

Yes, I remember when your team directed CORE IMPACT against the blue cell at ICE 2007[4]. You guys lit up the scoreboard fast. So, will this ease of use include the timing attacks that you were talking about at Black Hat this year?

We presented that as part of our research efforts, it is not included in our product right now. The timing attacks we studied focus on databases. Since we are developing web application security products and services, there is an interest within our company to find out about database and other attacks. The general user would find it hard to make timing attacks, so it is harder to productize this one.

Timing attacks have to do with the internals of database injects; there is a way to extract the content from the database only by doing an insertion or actually a number of insertions. As you insert records, you could extract information about the content of other records. You do that by exploiting timing differences in the indexing algorithms of the databases.

Most commercial databases use the same algorithm, a binary tree called a B tree[3]. The timing of an insert is different; the content affects the timing. If I can insert a record with my own arbitrary content such as SSN, I can do the insert and measure how much time it takes for that insertion, and then try a different bit of content since certain values take different amounts of time to insert. Based on the timing test results I can infer what other values are already in the table. So, this lets us do reconnaissance against a database to understand what it contains.

How does one develop their professional grade penetration testing skills? Is there a technical book out there that you would recommend for someone trying to learn about all this stuff? I am personally keen on Professional Pen Testing for Web Applications by Andres Andreu.

What we do to develop our skills is a lot of work, we learn in the field to some extent, but we build our security skills other ways too. You can also learn by lab work, training classes such as SANS, working in the lab, and formal education, but you need some real scenarios too. We gain our experience through our services, we have been doing professional services since 1996. We also do cross training between the various teams. There are so many books about web application security! I try not to focus so much on books about techniques, rather I try to focus on books that explore the foundation, such as Matt Bishop's Computer Security: Art and Science. Also The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Dowd, McDonald and Schuh. A security professional should have a mixture of both skill sets, the tricks as well as the foundation, the building blocks. Matt's book helps with the latter, theory and abstract ideas.

OK, I am looking for a "war story" now; a lot of people suffer from the belief that the web is safe. This is another example of an unseen killer not much different than high blood pressure or diabetes in my opinion. Can you give me an example of CORE IMPACT being used to demonstrate the potential consequences of a successful attack to help someone "get religion" and actually come to believe that web security is crucial?

How about all the bots and worms that are proliferating on the internet that are being used to send SPAM; I have heard that 90% of email on the Internet is SPAM. The reason for all of this is not because of the users being dumb, but instead that the security of their systems is not up to standards. Also, the Storm worm is a great example for the present. And, it is still going on and it is because web applications are not secure, client applications are not secure and then the system is not used. Once again you come back to the concept of comprehensive security; attackers are combining attacks and unless we improve the server and client security to that level, this problem will continue.

I am a big believer in remediation, I personally believe in scanning a little, remediate a lot, does the CORE product do anything to help me get information needed to remediate, address security issues and prevent data incidents?

CORE IMPACT points to the remediation effort, it tells you what your vulnerability is. It will not solve the problem, but gives you a totally precise pointer into what needs to be fixed and why it needs to be fixed. As you point out, with any reasonably sized network it is impossible to scan, and then remediate 100%. So we need to understand what to fix first and why fix that first. That is where IMPACT comes in.

CORE IMPACT to date -- before the web testing component -- is mostly focused on known commodities, common operating systems and applications with known vulnerabilities. Now you are in the brave new world of custom web applications what did you have to do to make it possible to test applications you have never seen before?

Yeah, there is a difference between web applications and standard applications off the shelf. In the case of operating systems, we have a huge lab, we test, we figure out how to exploit. In the second case, where we are testing custom applications, there is no way to test with standard exploits developed in our lab. We leverage what we have been doing for ten years. We have been doing source code audit and web app testing so we know the process an expert goes through very well. So, how do we productize what a security expert would do? What we do is create exploits on the fly, at run time, based on the data we collect while looking at the system. Obviously we have a set of base components. But the bottom line, if you have a custom web application, we can generate a custom test for it.

Do you feel there is any company with a similar capability in terms of web apps?

There are other testing tools, open source and commercial, that penetration testers use, Metasploit for instance. It comes back to being comprehensive. What I do not see is the same approach that we have. Most commercial tools that I know of do more vulnerability scanning instead of breaking in. That leads to false positives. And, this is important, we don't just exploit, our focus is on what any given exploitation means; what can happen to the information on the system.

OK let's jump up to 50,000 feet for a bit, in an interview with Net-Security, you said, "We view information security as a three stage iterative process (ASSESS-> PROTECT-> AUDIT) rather than a set of independent technologies and practices."[5] As a quick double check, is that just as true in the web app security space and the computer-network security space?

I do still believe in this and I am not alone, other people say this. Security is a process and the process needs to integrate with the information technology an organization has fielded. We need to assess to determine where our critical problems are. Protection depends on fixing the important things, and then we audit to see if the critical things are taken care of. This is not a guarantee of 100% protection, but it will help you improve. That is how we need to think about security, a process to improve.

Traditionally, security was thought of as protection; the protection segment of the market (IPS, IDS, firewalls, access control systems) is the biggest portion of the security market. Protection is good, but a more modern, forward thinking method is to combine protection with analysis to use the protection wisely and understand where the protection does not work. To ASSESS-> PROTECT-> AUDIT gives you a good chance of success, and I think it is even more true in the web application space because it changes more rapidly so you need a process that can cope with those changes. I know some academics are saying the answer is to keep the problems from ever showing up with good software design and secure coding, I agree with them that those are good and important; however, you cannot rely on that approach alone.

OK then, can you elaborate a bit on the lifecycle from your tools perspective, do you play in all three stages, what needs to be done in all three stages?

Our aim with CORE IMPACT is primarily to be part of the testing process or segment of the lifecycle[6]. We do not focus on the development or design; we test applications that are supposed to be working. We are focused on the later stages of the lifecycle, which is possibly when the higher cost of having a security problem or vulnerability is manifested. It can cost a lot more to fix vulnerabilities at these late stages; this is why secure coding is important and lifecycle management is important. However, if you suffer a data breach, that can be really expensive.

Ivan, thanks for explaining that, let's talk about the development process for a second, after the cardinal sin of failure to validate input, what do you see as the biggest error the development community is making? And what tip do you have for them?

Trust! So many instances of trust problems are with the interactions between applications or different components of the same application, or the user and the application. Just think about the recent problem with Acrobat Reader; you can embed a URL into a .pdf and then it might process it. If the document is on the web, Internet Explorer might then try to figure out which operating system component is needed to process it and pass the URI to that component, but if the input is not sanitized problems can arise. Internet Explorer trusts the operating system to handle the URI with the same care that Internet Explorer uses, but that may not happen. You can think of this as a chain of trust.

Two tips. First, be a bit more paranoid, adopt defensive coding; do not trust every other component of the application. Instead, assume they will fail or that they are the opponent, they will try to break your application. Then you put checks and balances, or security in depth, into the part of the code that you write.

Second, be explicit about how you are supposed to operate with your component and what security assumptions you are making. Be clear to help other people not make mistakes with their code. Create explicit, understandable interfaces that make the security assumptions clear.
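The two tips above, as an added example in Python that is not part of the interview: a document-parsing component hands URIs to a dispatching component, much like the Reader/Internet Explorer/operating system chain Ivan describes. The trusting dispatcher assumes the upstream component sanitized the value; the defensive one states its precondition in the interface and checks it itself. The component names, the `HANDLERS` table and the sample document are all hypothetical.

```python
"""Added example: a URI hand-off between two components where the receiver
does not rely on the sender having sanitized the value. Names and sample
data are constructed for the example."""
from urllib.parse import urlsplit

# Hypothetical registry of which program handles which URI scheme.
HANDLERS = {"http": "web-browser", "https": "web-browser",
            "file": "file-viewer"}

# Schemes the dispatcher is willing to hand to another program at all.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UntrustedURI(ValueError):
    """Raised when a URI fails the dispatcher's own checks."""


def extract_links(document):
    """Component A (document parser). Returns every whitespace-separated token
    that looks like a URI. Interface note: the result is NOT sanitized; the
    caller must treat each item as attacker-controlled."""
    return [tok for tok in document.split() if "://" in tok]


def dispatch_trusting(uri):
    """Component B, the way it is too often written: it assumes component A
    already vetted the URI and routes purely on the scheme prefix."""
    scheme = uri.split(":", 1)[0]
    return (HANDLERS[scheme], uri)


def dispatch(uri):
    """Component B, written defensively.

    Precondition (stated explicitly): `uri` is untrusted, whatever produced it.
    Postcondition: only an http/https URI with a real host and no control
    characters is ever passed on, and the caller learns why otherwise."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        raise UntrustedURI("control character in URI")
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UntrustedURI("scheme not allowed: %r" % scheme)
    if not parts.hostname:
        raise UntrustedURI("missing host")
    return (HANDLERS[scheme], uri)


if __name__ == "__main__":
    # Constructed document: one ordinary link and one the user never meant
    # to have opened by a local file viewer.
    doc = "See https://example.test/report and file:///etc/hosts for details"
    for link in extract_links(doc):
        try:
            print("dispatch:", dispatch(link))
        except UntrustedURI as exc:
            print("rejected:", link, "->", exc)
```

The defensive dispatcher costs a few lines and changes nothing for well-formed input; what it buys is that a bug or a deliberate bypass in component A no longer decides what component B does, which is the chain-of-trust point above.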

How did you get interested in the whole security problem in the first place, what grabbed your attention?

I was working for a computer telephone integration company and my job was to design and deploy systems that would interconnect data and telephone networks together. These tended to be mission critical systems. So the requirements were quite strict. However, at the same time the tools were not very good and that forced me to learn how to break or reverse engineer because I could not rely on the vendors to find the problems and the fix in time. If you are working on a system where two million subscribers are impacted, you have to move fast. So, I started to learn about the importance of security. That is what got me started. Then in 1996, I co-founded Core Security Technologies, which started as a consulting firm doing penetration testing and software audits.

So are you having fun at Core Security?

Yes, a lot of fun so far. One thing that is fun is to get to see the things the technical people are able to do, things I don't get to do so much because of my current job. It is incredible, the new practitioners are possibly more skilled than ever as they can use and build on the techniques developed by the generation before them.

A tradition of the Security Lab is to give folks a bully pulpit, a chance to "preach" on whatever is burning in their heart. What message would you like to share with the Security Lab readers?

Things can fail. Everybody wants perfection, but there is no perfect security. We need to be able to deal with that fact. Expect things to fail, be ready to deal with it. It is okay to have problems, we just need to fix these problems. That is probably the best approach. Do not be afraid of practicing security. We sometimes think the bad guys have black arts, things we can never know about. That is not the case, security needs to be closer to science than black arts. Instead, explore your idea, try things, be driven by clear methodologies. I think it will take some time to have a more forward thinking approach to security, but it is something I’m very passionate about.

And finally, can you tell us something about Ivan, when you are not in front of a computer what do you like to do?

I like to be with my girlfriend, read, travel (warm places are preferred). I am a simple person really. I like to relax, listen to music, spend time with friends and my significant other, enjoy good food and maybe a drink.