Thursday, September 09, 2010

Developers and AppSec : Collectively You're Doing it Wrong

There's a lot of cool stuff in motion behind the scenes that I'll cover later. But let's start with the most recent hot topic:

Dr. Chenxi Wang spoke today at OWASP Application Security USA 2010, about overcompensating for weak security from Developers (my biased paraphrasing).

The idea is that we can't depend on developers for security, so we need to correct outside of the development process. To over-generalize further, the Web Application Firewall concept is being done wrong. I agree that we can't wait for developers to start writing secure code, but I think this is more of a temporary band-aid to buy us time to start writing more secure code--not a solution per se, but a crutch.

Signature detection isn't enough; visibility to steer current attacks would help mitigate them if a super-WAF were available. But there's no patch for exploitation of business flow/logic, so we can't stop educating the developer community to write secure code.
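To make the "no patch for business logic" point concrete, here is an added example (not code from the talk or from this blog). It simulates a signature-style WAF with a constructed, deliberately small rule set, then runs three constructed requests through it and through two versions of a checkout handler: one that trusts client-supplied price, quantity and coupon (the logic flaw) and one fixed on the developer side. The shop catalogue, coupon, request shape and rule patterns are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed, deliberately small rule set in the style of a signature WAF.
# It is an illustration, not any vendor's real rule set.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "traversal": re.compile(r"\.\./"),
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus form/query parameters."""
    path: str
    params: dict


def waf_inspect(req):
    """Signature check: name of the first rule that fires, or None if nothing matches."""
    for value in [req.path, *(str(v) for v in req.params.values())]:
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                return name
    return None


# Constructed shop state: authoritative price list and a single-use coupon (assumed).
CATALOG = {"sku-100": 49.99}
COUPON_PERCENT = {"WELCOME10": 10}


@dataclass
class Session:
    redeemed: set = field(default_factory=set)


def checkout_trusting(req, session):
    """The logic flaw: price and quantity come from the client, and the coupon
    is applied without checking whether this session already redeemed it."""
    p = req.params
    total = float(p["price"]) * int(p["qty"])
    if p.get("coupon") in COUPON_PERCENT:
        total *= 1 - COUPON_PERCENT[p["coupon"]] / 100
    return round(total, 2)


def checkout_fixed(req, session):
    """The developer-side fix: server-side price, bounded quantity, one redemption."""
    p = req.params
    sku, qty = p["sku"], int(p["qty"])
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    total = CATALOG[sku] * qty
    coupon = p.get("coupon")
    if coupon:
        if coupon not in COUPON_PERCENT or coupon in session.redeemed:
            raise ValueError("coupon invalid or already redeemed")
        session.redeemed.add(coupon)
        total *= 1 - COUPON_PERCENT[coupon] / 100
    return round(total, 2)


def try_checkout(req, session):
    """Run the fixed handler and return either the total or the rejection reason."""
    try:
        return checkout_fixed(req, session)
    except ValueError as e:
        return str(e)


def run_scenarios():
    """Drive three constructed requests through the WAF and both checkout handlers."""
    out = {}
    # 1. Classic injection payload: this is what signatures are good at.
    sqli = Request("/search", {"q": "' OR 1=1 --"})
    out["sqli_waf"] = waf_inspect(sqli)  # "sqli"

    # 2. Negative quantity with a client-supplied price: every byte looks benign,
    #    so the WAF passes it, and the trusting handler computes a refund.
    refund = Request("/checkout", {"sku": "sku-100", "price": "49.99", "qty": "-3"})
    out["refund_waf"] = waf_inspect(refund)                        # None
    out["refund_trusting"] = checkout_trusting(refund, Session())  # -149.97
    out["refund_fixed"] = try_checkout(refund, Session())          # "quantity out of range"

    # 3. Same single-use coupon submitted twice in one session.
    session = Session()
    reuse = Request("/checkout", {"sku": "sku-100", "price": "49.99", "qty": "1", "coupon": "WELCOME10"})
    out["reuse_waf"] = waf_inspect(reuse)                                       # None
    out["reuse_trusting"] = [checkout_trusting(reuse, session) for _ in range(2)]  # 44.99 both times
    out["reuse_fixed"] = [try_checkout(reuse, session) for _ in range(2)]     # 44.99, then rejected
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point the output makes is that the second and third requests contain nothing a pattern can key on; the only thing wrong with them is the state the application is in when it accepts them, and only the code that owns that state can reject them.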

So it boils down to this: I agree we can't wait until code is secure, because it will never be, but that's no reason to give up on developers. We must fight on every front. That's one reason we started the x06d project: to start adding visibility to the browser and on the network from outside the browser. I'll post updated DEFCON 18 slides from the project soon ...

Monday, December 28, 2009

Netwars Round 5 Results

There was some confusion about the CNN story: there were three things happening for NetWars in December:

1) Workshop hosted by SANS
2) Allstar challenge
3) Round 5

The CNN article dealt with #2, the Allstar Challenge. Winners for the Allstar Challenge:

1) chrisbdaemon
2) Level
3) SevenM7

The allstar points carried over into Round 5 which ended December 23, 2009. Here are the ROUND 5 TOP 20:


PLAYER         ROUND5   BONUS   TOTAL
alertlogic       6103     125    6228
chrisbdaemon     4279       0    4279
sleepya          3246       0    3246
Level            2065       0    2065
SevenM7          1271      19    1290
user0555          397       0     397
ace1              126     125     251
h4n5ju57          150       0     150
xeno280            96       0      96
oorang3            89       0      89
user0230           41       0      41
PuN1sh3r           28       0      28
user0910           17       0      17
dontarpme          16       0      16
n00ne              15       0      15
user0341            8       0       8
infonaut            5       0       5
dr29                5       0       5
bpfinn              5       0       5
user1260            3       0       3



We have some nice things in store for Round 6 in January, 2010. If you would like a NetWars workshop in your area, please email workshop@netwars.info with WORKSHOP and your preferred zip code in the subject and we'll see what we can do in 2010.


Tuesday, December 08, 2009

NetWars Allstars and Round 5

We are finalizing details on the upcoming Allstar event, sponsored by SANS at the CDI 2009 Conference. We have a few surprises up our sleeves to enhance entry-level player experience. Round 5 will prove to be very interesting as we'll be starting the allstar players on a different level during the regular competition.

We will continue to update the http://tinyurl.com/netwarscal calendar with any scheduling changes. We will also be adding more promotional material such as http://tinyurl.com/netwarspromo.


Monday, November 30, 2009

Netwars Round 4 Results

Round 4 ended Nov 23, 2009; here are the *CORRECTED YET AGAIN* results from that round:

PLAYER       ROUND4
didnot         1601
theCET         1554
xeno280         241
geronim0        187
alertlogic       82
ace1             59
user0230         54
user0692         46
TheWorld         31
user0088          6
celery            2
chrisG            2
bpfinn            1
user0129          1


Round 5 will start Dec 17th, 12:01 AM PST, and will coincide with a Netwars Workshop and Allstar Event (more difficult round) and last through Dec 23rd, 11:59 PM PST. Please see http://sans.org/netwars for the most current information.


Friday, October 23, 2009

Netwars Round 3 Results

Correcting anomalies in the bonus scores took longer than I had hoped, but we now have our final results for Round 3.0. We definitely will have a round Dec 17-23, and I'm trying to see if we can pull off a round Nov 17-23. We should know in a few days if November will be Round 4.


PLAYER           ROUND3   BONUS   TOTAL
attackresearch     2472       0    2472
oxff               2075       0    2075
rmadair88          1623       6    1629
sleepya             941      93    1034
xeno280             365      64     429
user026             350       0     350
ace1                 10      67      77
trvswrn              14      62      76
alertlogic           63       3      66
user186               0      53      53
alteran               0      50      50
unknown              43       0      43
tfgnetwars           18      24      42
jgimer               26       0      26
user620              18       0      18
user123               9       0       9
user052               7       0       7
reprap                6       0       6
user014               6       0       6


Friday, September 18, 2009

NetWars Round 3 Oct 10-Oct 18 2009

Busy rebuilding the targets for the next round of NetWars, October 10-18, 2009. You can sign up at http://sans.org/netwars/.

Adding a ton of rich content--websites, streaming audio, etc. The NetWars network will be taken down (has been up for practice) while we rebuild everything. Also, if you have some licenses or hardware you'd like to let the project use, please send an email to netwars@sans.org with "SPONSOR" in the subject. There are a ton of things brewing; I hope it comes together soon.

I'm a little bummed I'm building it instead of playing the game . . .


Wednesday, September 02, 2009

NetWars Round 2.0 Final Scores

Finally finished adjusting the scores after bonus and team breakdowns; here are the top 20 (well, 21, since the 20th slot was a tie):


SevenM7: 3809
frankred: 3794
tfgnetwars: 1337
funky4strngz: 1337
chrisbdaemon: 1337
cet: 1337
tcp_duece: 495
jgimer: 392
xeno280: 360
ace1: 207
allanak: 126
dr29: 107
deLusion: 89
cygnul: 75
codemasta: 61
punisher: 41
Level: 37
innrwrld: 15
KillerCube: 13
w153man: 11
user296: 11


Stay tuned for more info on the next round (2nd week of October). Mad props to Attack Research for helping keep the in-game peace vigilante style; they technically won the most points as a team (but since we're not playing on teams, the list above is the official score).
