Tuesday, July 29, 2014

Railsgoat! July OWASP Austin Chapter with Ken Johnson - with link to recording

Ken Johnson travelled to Austin for the July OWASP meeting, no thanks to US Airways! Remember, at last month's meeting Ken and Mike McCabe were supposed to present, and US Airways deprived us of their presence. Vern Williams jumped in heroically to give a talk, but Ken and Mike spent most of a day trapped in Raleigh, subjected to several layers of lies from the airline.

Here's the recorded presentation: http://vimeo.com/channels/owaspaustin

This month Ken made it! Nice crowd on hand:

Ruby & Rails was an interesting topic. It seems like a lot of the people using those technologies are startups trying to build apps as quickly as they can, and enterprises trying to pretend they're startups. Both of these scenarios tend to "forget" about security, which can lead to nasty problems. It can be downright scary to security folks.

Given this state of security worries, chapter priorities included a Happy Hour, as usual:

We might have a recording of the presentation coming soon; if so, I'll post it as a comment.

The slides are here: http://prezi.com/5zo5lxs82lr7/railsgoat/

Follow Ken @cktricky and Mike @mccabe615.

Tuesday, June 24, 2014

Austin OWASP Chapter Meeting: Learn to Fight Wounded

Vern Williams presented at the Austin OWASP chapter meeting today on "Process and Architecture" in software development. He advocates an engineering approach to security in software and systems, and suggests "engineering better management in" rather than reacting later.

In terms of software, architecture means designing something that meets the needs of the customer but is also resilient, robust (resistant to failure) and secure. This means that even when the system does fail, the failure will be gradual rather than catastrophic, and recovery will be rapid when something bad happens.

Vern also spoke about users and the importance of training. He suggested training users to notice when there are problems and to alert IT. Then again, it has been said that a user and his mouse can be viewed as a "malicious rodent on the desktop."

Vern also spoke about defense-in-depth, and used a few examples from his days in the Navy, working on nuclear subs. He described life aboard a nuclear sub as "the only place people run toward fires."

To the audience of mainly application developers, pen testers and security professionals, Vern made a very interesting observation: we need to learn how to fight wounded. Everyone in the audience agreed that it is foolish to assume that your company is impenetrable. The best thing to do is figure out how to architect your systems and applications in a way that is attack-resistant.

Thursday, May 1, 2014

Never Underestimate the Power of the Little Raspberry Pi

The Raspberry Pi is fascinating a diverse set of people: technophiles, security researchers, security practitioners, penetration testers, adventurers, problem solvers, kids, and bad guys too. The Raspberry Pi is a lot like Lego: you can literally build anything, and do anything, with this affordable and diminutive device. Unlike a smart phone, the Pi is basically disposable.

Tiny is the Pi's power. Its size and unexpected capability make it interesting. Applications for the Pi seem to be limited only by your imagination.

You can plant the Pi behind a power junction switch, put it in a Dell power brick, put it in a FedEx delivery envelope or put it on a drone – it’s also a great platform for remote attacks.  You can use it to send covert signals to nearby receivers using specific frequencies, and it’s so small it’s virtually invisible.

The Pi can support a camera, drive your TV video display, sense temperature and GPS location, and even sense the opening and closing of doors. This little critter can be programmed to really freak people out by providing you all this information remotely.

OK, back to task! Branden Williams presented at the Austin OWASP chapter on 4/29/14, sharing his enthusiasm about the Raspberry Pi and its applications in security. As Branden pointed out, the $35 Raspberry Pi is a full computer, the size of an Altoids tin and basically disposable given its price point.

There was an in-person audience of about 50, plus some online viewers. One of the first things Branden asked the audience was "Who is a ham radio operator?" Amazingly, about 8 people in the audience were. That's a high percentage. Let's think about why this might be the case.

Security people understand some things quite well: they favor the path the attacker will ignore, or be unable to attack successfully. Security people think about things like minimizing attack surfaces. They are aware that attackers care about ROI and attack targets of value. Ham radio appeals to the OWASP audience for these and other reasons.

Branden's slides are here

It used to be hard to acquire a Raspberry Pi. No more. Look on Amazon: there are some really nice kits with everything you need, for less than a dinner for two.

Tuesday, October 22, 2013

If Security is Theater, Matt Tesauro and OWASP can help prevent Drama

So, as we all know, IT security involves a lot of useless theater. What I learned today at LASCON 2013 is that really good defensive programming involves no theater, only hard work on the part of engineers.

I took part in a training session today at LASCON 2013 from Matt Tesauro, "OWASP Top 10," on what's important in application security. Matt was an invited speaker and an incredibly talented security professional from Rackspace. Rackspace must be very committed to application security to allow Matt the time to teach this course.

Security theater involves drama, where identities are lost, people are hurt, and company reputations are ruined. OWASP is all about preventing drama. While there are laws (HIPAA, SB1386, SOX, breach disclosure laws) and standards (PCI, NIST, DISA STIG and Safe Harbor), the bottom line for security is how well applications are coded. No amount of auditing and regulating makes an application safe; only good programming practices and diligence do that.

The OWASP Top 10 hasn't changed much recently. It's about time (IMHO) that more security training, like OWASP's, is required of programmers. Less drama, more insightful programming.

One more observation. A legion of the security professionals I know are not developers. Even if you're not a coder, take the time out of your busy day to learn something about application security and become knowledgeable about the issues programmers face, if you intend to be effective in helping your company achieve better IT security.