Showing posts with label IT security. Show all posts

Tuesday, October 22, 2013

If Security is Theater, Matt Tesauro and OWASP can help prevent Drama

So, as we all know, IT security involves a lot of useless theater. What I learned today at LASCON 2013 is that really good defensive programming involves no theater, only hard work on the part of engineers.

I took part in a training session today at LASCON 2013 from Matt Tesauro, "OWASP Top 10", on what's important in application security. Matt was an invited speaker and an incredibly talented security professional from Rackspace. Rackspace must be very committed to application security to allow Matt the time to teach this course.

Security theater involves drama: identities are lost, people are hurt, company reputations are ruined. OWASP is all about preventing drama. While there are laws (HIPAA, SB1386, SOX, breach disclosure laws) and standards (PCI, NIST, DISA STIG and Safe Harbor), the bottom line for security is how well applications are coded. No amount of auditing and regulation makes an application safe; only good programming practices and diligence do that.

The OWASP Top 10 hasn't changed much recently. It's about time (IMHO) that more security training, like OWASP's, is required of programmers. Less drama, more insightful programming.

One more observation. A legion of the security professionals I know are not developers. Even if you're not a coder, take the time out of your busy day to learn something about application security, and become knowledgeable about the issues programmers face, if you intend to be effective in helping your company achieve better IT security.


Sunday, September 29, 2013

Black Hat - A Little More than Commercialism and Less than Malicious

With General Keith Alexander back in the news, I thought I'd share some Black Hat USA 2013 experiences. As you may recall, the General was heckled during his keynote. The General handled it pretty well, but a four-star general has got to be accustomed to adversity. Speaking with several attendees, I found there is some raw emotion about this issue; apparently the General had denied the NSA PRISM program's existence just last year.
    
I heard some griping about the commercialization of Black Hat, since originally there was no Sponsor Hall, but there were a lot of interesting new technologies to see there. Personally, I really liked the Sponsor Hall, and the vendors who have called me to follow up were pleased with the leads they got from the show.

The talks were extremely valuable. Brian Meixell's talk, "Out of Control: Demonstrating SCADA Device Exploitation", really represented the spirit of the non-commercial Black Hat. The presenters had a SCADA setup hooked to a pump attached to a tank of blue fluid, and demonstrated a hack into the system from a nearby laptop. They showed taking over control, and it was funny because there was almost a messy overflow when they took control, which apparently the Black Hat people had scolded them not to do. By the end of the demo, they had Solitaire running on the tiny SCADA screen. This was a crowd pleaser, with applause breaking out periodically.
Brian Krebs spoke about his recent "SWATting" incident, where the FBI came to his house based on a tip from someone who didn't like him. His talk was entitled "Spy-jacking the Booters" and addressed sites that let you easily and affordably purchase a denial of service against websites, paid for using PayPal! He also introduced the concept of the NPT, the Noob Persistent Threat: attacks by people who "make script kiddies look smart."
The most humorous presentation I saw was Patrick Reidy's, from the FBI: "Combating the Insider Threat at the FBI: Real-world Lessons Learned." His slides were great. My favorite quote from his preso: "Every time you say BYOD, God kills a kitten", over a picture of the cutest darned kitten trying to evade Space Invaders in the grass.

In his talk, Eric Fiterman, formerly of the FBI, made an interesting observation: "Antivirus is just ten years too late." I saw similar thinking in the Sponsor Hall, with many vendors featuring their expertise, either built into software or provided as a service, rather than old-hat signature approaches. His thoughts centered on assuming zero trust. He pointed out that malware can, and will, turn off logging. He also pointed out that one way to look at hackers is as admins without authorization, and that admins look a lot like hackers to security professionals.

It was a refreshingly friendly, inviting and educational atmosphere. The word "hacker" sounds so bad if you read the press. Black Hat was full of hackers, but there was more of a sense of discovery and joy in engineering, in taking things apart to see how they work, than of malice.