
RE: Finally - Curphey award 2004 to SPI Dynamics

Subject: RE: Finally - Curphey award 2004 to SPI Dynamics
Date: Wed, 25 Aug 2004 13:51:02 +0200
Hi again,

Oops, I still must have been on holiday in my head:
My remark applies to Application Level Firewall products, and not to the
SPI Dynamics product mentioned.

Greetz,

Sebastien

-----Original Message-----
From: Sebastien Deleersnyder 
Sent: woensdag 25 augustus 2004 13:39
To: 'Madsen, Villy'; Mads Rasmussen; Mark Curphey
Cc: webappsec@securityfocus.com; Jeff Williams
Subject: RE: Finally - Curphey award 2004 to SPI Dynamics

Hi,

A bit late, but I am going through a pile of mail myself, and kicking in
an open door:

The problem with this kind of application level firewall is that it can
protect you against most common input validation mistakes, but when it
comes to design mistakes it will fail and only provide a false sense
of security (like the 'old' firewall story).
We should not fall into this trap a 2nd time: I have an (Application
Level) Firewall, thus I should feel safe?
An application level firewall can provide defense in depth, but should
not replace proper security design/implementation throughout the whole
SDLC.

Kind regards,

Sebastien




-----Original Message-----
From: Madsen, Villy [mailto:Villy.Madsen@atcoitek.com]
Sent: dinsdag 29 juni 2004 16:19
To: Mads Rasmussen; Mark Curphey
Cc: webappsec@securityfocus.com; Jeff Williams
Subject: RE: Finally - Curphey award 2004 to SPI Dynamics

While I do not advocate that Developers be allowed to get lazy about
security,

I also feel that providing a standard tool that they can use to filter
input is a bad thing.

Way back a couple of decades ago, I was involved in a Telco project to
rewrite an application used by Long Distance Telephone operators to
manage "Time and Charges" calls.   The application was finally shut down
in 2000.

One of the "breakthroughs" that we pioneered was the heavy use of what
we called Table Driven IO.  All data input to or output from the system
was defined by a set of mapping tables that defined what the data could
look like, how long it was, and where it was mapped to in the
application data schema.

The "mapping" applications were general purpose, checked for proper type
- performing whatever data conversions were necessary, guarded against
overflows, etc.

Sounds very similar to me.

I thought it was a great idea then, and I still do...

One application to vet (the mapping routine), and a bunch of tables to
validate.

Easier than validating all of the code snippets that are "accepting
Input" from the external world....


Villy


Villy Madsen ISP GSEC
Information Security
ATCO I-Tek
Bus: (780) 420-5093
Cell: (780) 975-0110
Fax: (780) 420-3916
Mailto:Villy.Madsen@atcoitek.com


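Sebastien's point (an application level firewall catches malformed input but not design mistakes) and Villy's Table Driven IO (one mapping routine to vet, a set of tables to review) can be shown together. The following is an added example, not code from either author or from any product in this thread; the mapping table, the ownership data and the names `map_input` and `lookup_charges` are all constructed for illustration.

```python
import re

# Constructed mapping table in the spirit of "Table Driven IO": every external
# field is described once by its type, maximum length, allowed pattern and the
# application schema field it lands in. The mapper below is the single routine
# to vet; the table is the thing to review.
FIELD_TABLE = {
    "acct":   {"type": int,   "max_len": 8,  "pattern": r"[0-9]+",                "schema": "account_id"},
    "name":   {"type": str,   "max_len": 40, "pattern": r"[A-Za-z .'-]+",         "schema": "customer_name"},
    "amount": {"type": float, "max_len": 12, "pattern": r"[0-9]+(\.[0-9]{1,2})?", "schema": "charge_amount"},
}

class InputRejected(ValueError):
    """Raised when a field is missing, too long, malformed or unexpected."""

def map_input(raw: dict) -> dict:
    """General-purpose mapper: length-bound, pattern-check, convert, map to schema names."""
    extra = set(raw) - set(FIELD_TABLE)
    if extra:
        raise InputRejected(f"unexpected fields: {sorted(extra)}")
    mapped = {}
    for field, spec in FIELD_TABLE.items():
        value = raw.get(field)
        if not isinstance(value, str):
            raise InputRejected(f"{field}: missing or not text")
        if len(value) > spec["max_len"]:
            raise InputRejected(f"{field}: longer than {spec['max_len']}")
        if not re.fullmatch(spec["pattern"], value):
            raise InputRejected(f"{field}: does not match allowed pattern")
        mapped[spec["schema"]] = spec["type"](value)
    return mapped

# The design mistake no input filter can see: a perfectly well-formed account
# id that the caller does not own. That check lives in the application logic,
# which is the "design/implementation throughout the SDLC" part of the thread.
OWNERS = {1001: "alice", 1002: "bob"}  # constructed ownership data

def lookup_charges(raw: dict, caller: str) -> dict:
    """Validate via the table, then enforce ownership before returning the record."""
    record = map_input(raw)
    if OWNERS.get(record["account_id"]) != caller:
        raise PermissionError(f"{caller} does not own account {record['account_id']}")
    return record
```

The mapper accepts a syntactically valid id for someone else's account; only the ownership check in `lookup_charges` refuses it, which is why the filter is defense in depth rather than a replacement for design review.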

-----Original Message-----
From: Mads Rasmussen [mailto:mads@opencs.com.br]
Sent: Tuesday, June 29, 2004 5:47 AM
To: Mark Curphey
Cc: webappsec@securityfocus.com; Jeff Williams
Subject: Re: Finally - Curphey award 2004 to SPI Dynamics


Mark Curphey wrote:
Here I am, depressed at the prospect of filling in mountains of
expense claims from weeks of traveling and approving mundane mails to
webappsec about XSS after XSS and along comes a shining light. At last
an "application security" company that gets it ! Hats off to the folks
at SPI and the Curphey Award for 2004 for leading the industry down
the right path !

http://biz.yahoo.com/prnews/040628/clm006_1.html

Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp

I don't know about you guys but I have a bad feeling about this. I am
not sure this is the right path.

The article quotes Caleb Sima, founder and chief technology officer of
SPI Dynamics saying "It doesn't require developers to learn about
security," - "You really just need to validate input to eliminate most
application vulnerabilities."

Shouldn't you at least have a feeling for where the developers make
their mistakes to be able to insert the right piece of secure code?

By all means it looks like a cool product, but how much can we trust it?

One of its features is, quote:
"Input Validation objects will check incoming data on web forms to
validate user-supplied input against a set of rules and prevent
parameter manipulation exploits, such as SQL Injection attacks."

Can we trust these "sets of rules"?
If they opened their technology, the OWASP team could contribute rules
to such a database and then we just might get somewhere by having a list
of f.ex. regular expressions for using the validator classes in .Net or
input validation in general, but that would probably not happen.

I am concerned that products like this just lead to lazy developers.

Jeff what do you think about this? You wanted to start an input
validation project based on filters, a database like described above
would be quite handy :o)

Just my two bits

--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525

