Call for panelists: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications" panel in the next OWASP Conference

Ok, First a quick apology for sending this request 18 days before the
event (too busy, lack of sleep, charging kids nappies (or diapers for
the US crowd), etc... :)

In the next OWASP conference in Seattle, which will happen on the 17th
and 18th of October 2006 (see
http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda) I
managed to convince the organizers (thx Dave) to add the following
panel to the line up

Thursday 17th, 16:50-18:00 : "The role of frameworks (e.g., .Net,
Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to
create and deploy 'secure' applications. Moderator: TBD Panelists:
Dinis Cruz, OWASP .Net Project Lead and others TBD "

The problem is in that last line: "Moderator: TBD Panelists: Dinis
Cruz, OWASP .Net Project Lead and others TBD" since at the moment it is
only me :)

So I am doing this public call for panelists in the hope that I will
find the right ones.

Ideally I would like a strong representative from the following camps:

* .Net CLR guru (with strong background on CAS (Code Access
Security))
* Java JVM guru (with strong background on the Java Security
Manager)
* Struts guru (with a focus on Struts as a security layer), or
other 'developer focused' frameworks
* Web Application Security Consultant (somebody focused in
'breaking applications')
* Business manager (somebody whose job is to create/deliver
applications, and will bring to the table the 'business mind' point of
view)

To finish off this email here is a quick abstract of what I want to
discuss in this panel:

" The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts,
JaCorb) in 'forcing' developers to create and deploy 'secure'
applications

From a security point of view, the current development paradigms are
mainly based on the concept of 'making no errors'. I.e. if only the
developers (and the Software development Livecycle that is supporting
them) are able to program 'securely' (what ever that might mean), the
security vulnerabilities that we have today will cease to exit.
Basically it is the concept of the 'Big Wall of china'. There are some
efforts in 'defense in depth', which most of the time are either: a)
not implemented, b) only designed to protect the server and not the
assets (for example the idea of executing the code under a non-admin
account) or c) too complex.

This creates an environment where the application asset's CIA
(Confidentiality, Integrity and Confidentiality) can be compromised via
one single mistake (created accidentally, by lack of knowledge or
'deliberately' ), such as: SQL Injection (the buffer overflows of Web
Apps :) ), Authorization/Authentication blind spot, Application logic
or malicious file upload/execution.

Part of the problem is that this requirement ('make no mistakes')
applies to 100% of the code, since all code is executed under the same
privileges (from the point of view of the assets). This means that we
(the developers and security good guys) need to protect and worry about
100% of the code base (which given a large enough application is just
impossible). Basically, we need to be able to "security and safely
handle malicious code or benign code manipulated in a malicious way"

For me the solution is to create a development model where 85% or 95%
of the code base is executed in an environment that doesn't have major
security implications). In this world, the exploit vector would have to
be in the remaining 15% or 5%, which would be the code base that would
be audited, closely analysed and in some cases certified.

My view is that this world would deliver secure applications (and an
environment where it would be commercially viable to do so), because
most developers would be focused on what they are good at and are paid
for ( i.e. features, performance and user experience) and only a small
number of developers would be involved in security related activities.

And of course, the way to create this world is by using development
frameworks that 'force' the developer(s) to program is such a way' (and
having enough enough commercial preasure).

So what I what to talk about in this panel, is how to we get there (and
'are development frameworks a big part of the solution?').

Currently there are two main approaches to solve this problem: There is
the 'Operating System' camp, and the 'Managed Environment' camp

Examples of the 'Operating System' camp are Microsoft's Vista, SELinux
and AppArmour

Examples of the 'Managed Environment' camp are the .Net Framework (or
mono) and Java

The only one that has any real momentum today is the 'Operating System'
camp, and in the 'Managed Environment' camp most of the code (probably
99%) is executed in an 'unmanaged environment' (Full Trust in .Net or
with the Security Manager/Verifier disabled in Java).

Unfortunately, due to the enormous attack surface and the fact that
most of the assets are located at the user/identity layer, the
'Operating System' camp is fighting a lost battle (look at Vista's UAC
mess and reimplementation of CAS (Code Access Security) at the OS level
(best example of this reimplementation is the new Vista Network
permissions for processes (which will not work as expected, ironically
mainly because of the problems that CAS has today: Policy, Complexity,
Perceived value and ultimately Lack Effectiveness))

As you can see in my previous posts, I put more faith in the 'Managed
Environment' camp, but at the moment there is no major focus in this
direction. My view is that we will have to wait 1 or 2 more years until
Vista, Mac Os and Linux show how their are not able to sustain
'unmanaged' malicious code.

So, if you have strong opinions on this and have an active role in
either camp, join me on this panel at the next OWASP conference."

Best regards

Dinis Cruz
OWASP Autumn of Code 2006, http://www.owasp.org/index.php/OAC
OWASP .Net Project, http://www.owasp.org/index.php/.Net

.

Relevant Pages

  • Call for panelists: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) i
    ... Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to ... Java JVM guru (with strong background on the Java Security ... Business manager (somebody whose job is to create/deliver ... the 'Operating System' camp, ...
    (comp.lang.java.security)
  • RE: Why Easy To Use Software Is Putting You At Risk
    ... Can Easy To Use Software Also Be Secure ... Anyone who has been working with computers for a long time will have noticed ... because DNS does not configure properly or security permissions are relaxed ... guarantee that no one really knows for sure, not even Microsoft developers. ...
    (Security-Basics)
  • RE: Why Easy To Use Software Is Putting You At Risk
    ... So even if you do not want the piece of paper - education never hurts. ... Can Easy To Use Software Also Be Secure ... because DNS does not configure properly or security permissions are ... easier to work with then they use to is developers have created ...
    (Security-Basics)
  • Re: OT: Still think the UAE should get the contract?
    ... Excerpt from 9/11 Commission testimony of CIA DIRECTOR GEORGE TENET, ... desert camp. ... Deputy National Security Advisor Donald Kerrick the intelligence ... operational authority over the ports had nothing to do with their ...
    (rec.boats)
  • Re: OT: Still think the UAE should get the contract?
    ... Excerpt from 9/11 Commission testimony of CIA DIRECTOR GEORGE TENET, ... desert camp. ... Deputy National Security Advisor Donald Kerrick the intelligence ... operational authority over the ports had nothing to do with their ...
    (rec.boats)