The Fix Must Occur by Rewriting the Code. Wait, What?

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

The Fix Must Occur by Rewriting the Code. Wait, What?

posted on Tuesday, November 06, 2007 1:22 PM

This article is just full of interesting ideas.

First we're told that the only way to secure Web 2.0/SOA/Web applications is to rewrite the code. This "rewrite the application code" to address any number of delivery issues - security, performance, availability - is old and busted. There are other more efficient mechanisms that can certainly be used to address application delivery issues, such as an application delivery network comprising appropriate intelligent, application aware devices capable of ensuring that all applications are fast, secure, and available. These solutions do not require that the application be rewritten, and in fact in many instances rewriting the application will not solve the problem because some of the issues related to availability, security, and performance are the direct result of protocol inefficiencies and vulnerabilities (HTTP, TCP, IP) that cannot be addressed by rewriting application code. That's because the network and application stacks are not under the control of the application developers.

Michael Sutton, security evangelist with SPI Dynamics, now part of Hewlett-Packard Co. (HP) speaks out on Web application security.

He said companies have always operated under the assumption that IT is responsible for security and not the Web developers. The problem is that once faulty applications are launched, IT can't provide the fix. The fix must occur by rewriting the code. But there are ways IT can help the developers get it right.

Are you really suggesting that application developers rewrite the Java TCP/IP stack to address inefficiencies and vulnerabilities? Are you really saying that the only way to deal with language-specific vulnerabilities (ASP, PHP, JSP, etc...) is for the application developers to rewrite the interpreters executing the application?? Are you really implying that there is no fix IT can provide other than flogging of developers?

Come on, this is one of the reasons Web Application Firewalls exist - to address those vulnerabilities that simply can't be addressed by the application developer whether due to location in the application/network stack or the time and expense of rewriting the application.

The article gets stranger (which I wasn't sure was possible) when Josef Brunner, security solutions manager at Enterasys Networks, starts discussing SOAP-based security issues.

Brunner expressed particular concern for how the Simple Object Access Protocol (SOAP) is used in Web services. SOAP is a way for a program running in one kind of operating system such as Windows 2000 to communicate with a program in the same or another kind of an operating system such as Linux by using the Hypertext Transfer Protocol (HTTP)and its Extensible Markup Language (XML) as the mechanisms for information exchange.
A rather simplistic definition but not completely off-target. We call it "loose coupling", and its the cornerstone of what makes SOA work.
SOAP is platform-independent and allows users to bypass whatever security devices are on the network, Brunner said, adding that encryption tends to be the only security mechanism for SOAP. "SOAP is very flexible and dynamic, which is always bad from a security standpoint," he said.
Wait, what? SOAP does not "allow users to bypass" security devices on the network. If users/clients are bypassing security devices on the network in a SOA (Service Oriented Architecture) then the enterprise architects have failed at designing and implementing a secure, robust SOA. SOAP doesn't "allow" such a thing any more than any other application "allows" such a bypass to occur.

And if "encryption tends to be the only security mechanism for SOAP" then implementors aren't paying attention to the myriad web services standards available from OASIS that provide for authentication and authorization specifically for Web Services (WS-Security 1.1), as well as message and field level encryption (XML Encryption) and non-repudiation (XML Digital Signatures).

If only there were XML/SOA security solutions that could more efficiently screen traffic by acting as a reverse proxy (endpoint) and enforcing organizational security policies regarding authorization, authentication, and message contents. If only!

SOAP tends to be encrypted by an inconsistent set of methods and so there's no way for security professionals to break and inspect the traffic for trouble. Making matters worse, he noted that SOAP servers are connected to critical back-end systems attackers can compromise with the right exploits.
SOAP messages tend to be encrypted using industry standard encryption a la SSL.
Brunner's suggestions for improving the situation include securing SOAP servers with host-based IDS to prevent buffer overflow attacks, and, above all, demanding better application security, which means training developers to do better.

Wait, what? This is a complete non-sequitor. Let's burden SOAP servers with even more resource intensive processing (IDS) that require additional maintenance and costs to deploy and manage. It's not like processing XML is CPU and memory intensive or anything. It's not like AJAX-based applications aren't sucking up a ton of overhead and entries in the session state table because of long-lived sessions and additional connections.
An IDS is not going to solve authentication/authorization issues, it's not going to solve the encryption problem, and they are not necessarily going to be able to deal with application-specific vulnerabilities. Besides, it's really difficult to convince a developer that you should be deploying agents on servers that will likely significantly degrade the performance of their application.

If only there were some sort of network devices that could deployed in front of SOAP servers that not only optimized and accelerated protocols like HTTP and TCP but could also prevent buffer overflow attacks and application-specific vulnerabilities by acting as the first line of defense at the network perimeter. If only there were solutions to these problems that didn't involve rewriting applications (time, resources, money) or deploying solutions that don't address all the issues (IDS).

It's true that in general developers need to be more security conscious. It's also true that there are specific types of vulnerabilities that cannot be addressed outside of the application at this time (application flow/logic errors are peculiar to the application). But it's patently untrue that IT "can't fix the problem" because there exist both Web Application Firewalls as well as holistic application delivery networks that provide excellent solutions that address both security and performance issues associated with SOA/XML-based applications. Ensuring SOAP services within a SOA are deployed within a robust, dynamic application and network architecture is the task of an integrated and cross-functional team from IT, not the individual developer of services.

There is often more than one answer to the problem of application security, and though "rewrite the app" is always one of those options, it's rarely the most efficient or cost-effective option out there.

Imbibing: Pink Lemonade

Technorati tags: F5, MacVittie, security, SOA, application delivery, web applications

Categories: Development and General , General SOA , Security , SOA Delivery , Web 2.0 Security , XML

del.icio.us

Feedback

11/7/2007 8:35 AM
		Hi Lori, interesting post. Although I think some of your dismissal arguments look only at the opposite extreme ends. Sutton wasn't suggesting to rewrite the JVM or TCP/IP stack...his comment seemed (to me at least) be limited to the context of the application itself, and not the platform it is hosted on. It also seems Brunner's comment about SOAP 'bypassing security devices' is just a throwback to the older belief that anything tunneled through port 80 bypasses other network-based security controls. While that's not necessarily the case anymore, I wouldn't call him crazy...he's just a bit outdated in this views of the technology. But in the end, IT traditionally doesn't control the apps that the developers are putting on the system, and the developers don't control the OS and base platform that IT is giving them to work with. Thus neither camp is well outfitted to solve the entire problem. IT deploying a WAF in front of the application is a workaround, but it's a political as well as a technological move--not to mention the increased overhead due to the communication of all app changes by developers to ensure they are accounted for in the WAF configuration. Rather than making a change in one location (the app), you now have to make a change in two locations (the app and the WAF) and keep them syncronized. Plus, many developers use commercial/commodity OS and application platforms; so saying they need new TCP/IP stacks and better application VMs is a very harsh view that the current commodity technologies used by everyone aren't good enough to run secure, available, and efficient applications. I think if you look around, you will find that many people are pulling this off (well enough) using the standard commodity components...so it can be done without having to roll your own IP stack or write your own JVM. Of course, some technologies/platforms are naturally better suited than others for highly available, efficient, and secure applications...but let's not let the common (mis)use of some of the wrong technologies lead to the dismisal that all the technologies are incapable. Also, Brunner's comment regarding encryption read, to me, as encryption of the individual data elements within the SOAP message, and not the entire transport. Rewriting the app isn't the only option. Of course, rewriting the app is a bit of an extreme--it implies nothing about the existing app is correct/worth keeping. But fixing the app, where appropriate, is still the best option in a perfect world. Using a WAF to mitigate application vulnerabilities doesn't fix the core problem: the developers are writing insecure code. If you don't educate them to write better code, they will continue to code in the same manner, introducing even more security problems into the application over time. You ultimately become dependant on your WAF, and anyone who can route around the WAF has access to the application's vulnerabilities. I've noticed that people seem to consider mitigating a security problem and fixing a security problem as equals. WAFs mitigate the application security problems, but they do not fix them. I think it's pretty clear that mitigation tends to be more cost-effective than a proper fix--but mitigation doesn't remove the vulnerability...it only stops the exploitation. Those are two very different things. Take care, - Jeff ps. disclaimer: I work for HP/SPI Dynamics
Jeff Forristal

11/7/2007 6:07 PM
		It's true that in general developers need to be more security conscious No, they need to be sofware security assurance ninjas. They need to be forced to use Fortify SCA in their IDE. They need to be forced to write unit tests. They need to be forced to use continuous integraiton - and error (aka fail, or "not build") on all security weaknesses at the build server. The most security-conscious developer on every team should moderate using Fagan inspection, at least one other developer should always have eyes on his/her neighbor's code, and code review should be done on every check-in. At least one-tenth of the time developers spend on "developing" should be spent on generating requirements - the rest can be spent on testing, inspection, and actual "writing" of code. During this requirements process, both "use cases" and "abuse cases" should be considered. All [web] applications developed or issue-tracked in 2007 should take into account an Architectural Risk Analysis and known attack-paths before the developers start writing them. XSS on any website can affect any other website due to the problems with the same-origin policy in modern-day browsers - so everyone needs to do this. It's also true that there are specific types of vulnerabilities that cannot be addressed outside of the application at this time (application flow/logic errors are peculiar to the application) You mean like double-encoding and SQL injection inference attacks? Or just everything else that goes straight through a WAF? How about whitespace-obfuscated Javascript? When is my WAF going to support trapping on malware made of whitespace or Unicode characters that appear as whitespace? Special note: these techniques are not "only" known to the uber-hackers of the Internet. All XSS and SQL injection attacks are easy and require the equivalent of CS III. The double-encoding, inference, and whitespace-obfuscation techniques I just mentioned are widely available in online literature as well as books you can pick up off the shelf at Borders or Barnes and Noble. They require very little skill, especially compared to classic software weaknesses.
dre

11/7/2007 6:12 PM
		But it's patently untrue that IT "can't fix the problem" IT CAN'T FIX THE PROBLEM. REPEAT: IT CAN'T FIX THE PROBLEM. Commercial applications are doubling in size every 18 months. Can you hire enough IT security or operations people to throw process and technology at this problem? My answer: not unless they are actively working with developers to solve software security weaknesses before they go live into a production environment. Software must be tested for security weaknesses at build time - not during QA/functional/maintenance/operations testing. Developers should be completely aware of every MITRE CWE affecting their code while they type it (Fortify SCA can help with this). Business analysts, project/product managers, test managers, and software architects/engineers must use attack-modeling during design, code, operational, and architectural review. The largest win is not only to find bugs, reduce code, and reduce trusted code (as DJB did with qmail) - but to also "regression" test. When a software vulnerability is located, it needs to be submitted to an issue tracking system with a priority of "$" (aka: losing money). The developer(s) who write a fix for the security-related defect also need to have a test written to assert the defect's fix. In other words, a unit test needs to be written that would identify both the defect itself, but also be generic enough to find defects that would be similar in error. This unit test needs to be added to the continuous integration process so that every night when software is built - this test is one of hundreds that gets executed. Developers who lack the skill or motivation to remember these sorts of security-related defects also may want/need to have these as checks in their IDE. If you really think we can keep up with the vulnerability problem without doing these things - you're in for a world of surprise. There is no way a WAF or any APIPS can keep up with any modern-day attacker or modern-day software weakness inherent in 90% of live web applications - all of which are growing at unprecedented rates. They don't even provide protection against a "sample" of these issues - they are about as worthless as a broken door lock. Speaking directly to SOAP and Web services, there is a great package from Crosscheck Networks called SOAPSonar Enterprise Edition, which provides support of PKI as well as a mode/definitions for vulnerability testing (I found that it even supports REST!). While SOAPSonar can't be directly integrated into a build - it's a good example of tools that IT security professionals should be familiar with when thinking about maintenance testing modern-day applications. If developers are using tools to test quality, performance, safety, compliance, etc - why aren't they testing for security? Why aren't we as a society developing and testing for security? My answer: because of people like you. You are telling stock-holders, managers, investors, etc - that they can be secure by purchasing an appliance that goes "in-line" between the network and their applications. You are taking all of the money that they should be spending on "fixing the problems at the source". It's you; you are our misery. Your "hamster wheels of pain" (see: Andrew Jaquith's Security Metrics website, blog, and book) will eventually be your downfall as business process improvement and key performance indicators point decision-makers to a more cost-affordable, realistic, and "secure" solution: software security assurance.
dre

11/8/2007 2:46 PM
		Oh - take a look at how to "re-balance" your IT security budget by reading this PDF from Gunnar Peterson from the QCon yesterday in SF. Looks to me like he's saying dump at least half of your Network Security budget in favor of Application/Data Security... wonder why he would say that??
dre

12/13/2007 6:55 AM
		So interesting ...
hicivler

1/6/2008 10:06 AM
		You mean like double-encoding and SQL injection inference attacks? Or just everything else that goes straight through a WAF? How about whitespace-obfuscated Javascript? When is my WAF going to support trapping on malware made of whitespace or Unicode characters that appear as whitespace? Hi DRE, you will surprised to know that F5's ASM is capable to detect and prevent these kind of attacks. Cheers, Ido
Ido Breger

1/6/2008 10:29 AM
		Hi DRE, Some of your points are valid, overall I think you are taking into extreme what Lori just wrote. I don't believe Lori meant to replace all code fixes/ code reviews with a WAF type solution. WAF are no different then any other security device, the security they offer depends on the level of configuration. I personally don't think that there is a bulletproof "100%" security solution. If some security "expert" says that he has this solution, then you should know immediately that this "expert" isn't really an expert... Code reviews are good but they have their own limitations: 1. There are thousands code lines to review, it is absolutely impossible to review all the code. It is expensive, time consuming and requires rare to find people with high level of expertise to perform good code reviews. 2. Even if you get the money, time and brain to do code review, this still doesn't proof your application from vulnerabilities. 3. What about third party library code that some developers are using? who will audit that code? 4. Good security practice is to always use layered security. A WAF is the First line of defense for the application, it is also the most cost effective solution. I believe that in order to solve the application security problem the community need to do multiple things, educate developers, use scanners during development cycle, use third party pen tests, do code reviews and use WAFs. If a customer has a limited budget, and need to choose one thing, then I would recommend him to use a WAF. Cheers, Ido Product Manager, Application security, F5
Ido Breger

3/18/2008 12:26 PM
		@ Ido: You said, "WAF are no different then any other security device, the security they offer depends on the level of configuration" I don't look at factors such as "security offered". Instead, I usually go for "percentage of data breaches prevented" or "amount of risk averted" sorts of measurements. You also said, "I personally don't think that there is a bulletproof "100%" security solution" You should check out the ISECOM OSSTMM 3.0 then. Assumptions you made, such as, "Code reviews are good but they have their own limitations" are inaccurate. I am not suggesting code review. Personally, I think that code review is too late in the development lifecycle to be considered as the primary vehicle to reduce software weaknesses. It's expensive (for the other reasons you mentioned) and it's difficult to do in all situations - especially as a universal approach. Fagan inspection begins in the requirements phase of a lifecycle. Combined with the V-Model, Fagan inspection can provide test cases before the application is even designed. However, this is not the last step for testing either, as scripted-testing is only so valuable, even when automated correctly. Exploratory testing often has at least equal value. Web application security scanners (or manual methods) do not fall into this category of testing - it has to be developer-testing. I honestly think that your understanding of development environments is blindsided by your employer since you avoided my valid contributions to this discussion. I'd like to know how in summary from my arguments above, all you got was "code review"? Leaning on old school theories, you said, "Good security practice is to always use layered security." Clearly this doesn't apply to information and software assurance in the 21st century???? I suggest you read "The New School of Information Security", a book by Adam Shostack and Andrew Stewart. If you otherwise have irrefutable proof that "defense-in-depth" works, I'd love to get some peer review around that. ZOMG you said, "A WAF is the First line of defense for the application, it is also the most cost effective solution." The first line of defense happens before the application is DESIGNED OR WRITTEN. It's the planning and requirements phase of a development lifecycle. Nice try! Your argument about a WAF being the cost-effective solution has left me confused. More cost-effective than what and in what context? Finally, you made the mistake of saying, "If a customer has a limited budget, and need to choose one thing, then I would recommend him to use a WAF." This is the ethical equivalent of stealing candy from a baby. You should be ashamed of yourself. Customers with limited budgets need to concentrate on how to affect their levels of risk first and foremost. This is a people/process/awareness problem that cannot be solved by any product or service. If anything, a 1-2 day strategy consulting engagement with a SWOT analysis as the primary deliverable should be budgeted. The SWOT should focus on Information Systems Acquisition, Development, and Maintenance (all process-driven). How does the organization acquire software/applications? How does it create software/applications? How does it maintain its software/applications? On that note - I would like to thank you for removing the unsightly amount of blog spam from this blog post, which had been here since mid-November, 2007 until yesterday (mid-March, 2008). It made my desire to respond to this post lessened, as the user experience left a bad taste in my mouth. I take it that my recent blog post about "Short-term web application defenses" (which linked to this blog post and discussed the blog spam) annoyed a customer of yours who notified you, or hopefully something similar in affect. I'd be curious to hear the story behind how it all happened (and how the spam got there in the first place!).
Andre Gironda

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 2 and 1 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		473		Comments		763
Stories		0		Trackbacks		37

	Tag Cloud
	acceleration AJAX APIs application application acceleration application delivery application delivery controller application security applications architecture availability BIG-IP blog cloud cloud computing cloud computing infrastructure developers development dynamic infrastructure efficiency F5 Gartner Google HTTP infrastructure INfrastructure 2.0 integration internet iRules load balancing load-balancing MacVittie Microsoft network optimization performance scalability security services SOA SSL standards TCP twitter virtualization VMWare web web 2.0 web application firewall web application security more tags...

Post Categories

		General SOA
		SOA Delivery
		Randomness
		Web 2.0 Security
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing

Archives

		July, 2009 (2)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Security

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2008 F5 Networks, Inc. | Privacy Statement | Terms Of Use