WebApp Sec mailing list archives

RE: The Santy worm and Application Security


From: Paul Laudanski <zx () castlecops com>
Date: Sun, 2 Jan 2005 15:27:27 -0500 (EST)

On Sun, 2 Jan 2005, Ofer Shezaf wrote:

> I would argue such an effectiveness measurement. In web site security
> catching many is not difficult as so many automatic exploitation
> attempts are carried out. The real problems are:
> (a) Catching zero day attacks (those that you don't have a specific
> signature for)
> (b) Catching targeted attacks that point specifically at your web site.

Which is why in terms of application security a multiple step approach can 
be ideal in the real world:

- secure program practices
- filter on regular expressions
- use white or black lists
- filter against signatures

To help against zero days, well, one approach might be to take a look at 
what characters are allowed, and which ones are not.  This is where the 
sysadmin must know the site being administered, and the requirements of 
the server(s).

Continuing from my earlier examples, for some admins filtering the tick 
(') might not work, but then again on others it is never required.  
However, on those sites that might need it, the tick might be restricted 
to a single argument -- which begs the question, filter the tick site wide 
except for that single argument at which point that argument should get 
sanitized.  

mod_security, from a web security application perspective, does a great job 
at this, and is open source to boot.

> In other words - for you as a security expert with application knowledge
> it is a great solution. For an organization it is impractical.

Not necessarily.  mod_security is in full force at CastleCops.  Thanks to 
the articles I put up there, I've been contacted by organizations (private 
and government) thanking me for the code and how effective it has been in 
keeping their organizations up and running.

I for one like the open source tools available in the market place today.  
It permits anyone to use them immediately without having to wait for 
purchase orders.  In the case of these PHP worms, it enabled many 
organizations to install a tool right away which brought their servers 
back online.  

Then the most important step is to ensure code is secure, always, keeping 
that in mind.

Happy new year, 2005.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
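The layered approach Paul describes above (a site-wide character allow-list, a per-argument exception for the one parameter that legitimately needs the tick, a signature list on top, and proper sanitisation of the excepted argument) can be sketched in a few dozen lines. The following is an added illustration written for this archive page; it is not mod_security, not CastleCops' rule set, and not code from either poster. The parameter names (`author`, `comment`), the allow-list patterns, the signature entries and the sample requests are all constructed for the example.

```python
"""Layered request filter: site-wide character allow-list, a per-parameter
exception that admits the tick, a signature list, and parameterised storage
for the excepted argument.  Illustrative code for this note only; it is not
mod_security and not CastleCops' rules."""
import re
import sqlite3
from dataclasses import dataclass, field

# Site-wide default: letters, digits, space and a little punctuation.  The tick
# is deliberately absent, so it is rejected everywhere unless a parameter opts in.
DEFAULT_ALLOWED = re.compile(r"^[A-Za-z0-9 ._@-]*$")

# Hypothetical per-parameter exception: the "comment" field may carry a tick
# (e.g. "O'Brien") plus a few punctuation marks, but nothing beyond that.
PARAM_ALLOWED = {
    "comment": re.compile(r"^[A-Za-z0-9 ._@'!?,-]*$"),
}

# Constructed signature list standing in for a real signature feed.  It is run
# on every value so that text the allow-list admits (plain letters and spaces)
# can still be caught by a pattern.
SIGNATURES = [
    ("sql-union-select", re.compile(r"(?i)\bunion\b.*\bselect\b")),
    ("html-script-tag", re.compile(r"(?i)<\s*script")),
]


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_request(params: dict) -> Verdict:
    """Apply the per-parameter allow-list, then the signature list, to each
    query parameter.  All failures are recorded so a log line can name them."""
    verdict = Verdict(allowed=True)
    for name, value in params.items():
        pattern = PARAM_ALLOWED.get(name, DEFAULT_ALLOWED)
        if not pattern.fullmatch(value):
            verdict.allowed = False
            verdict.reasons.append(f"{name}: character outside allow-list")
        for sig_name, sig in SIGNATURES:
            if sig.search(value):
                verdict.allowed = False
                verdict.reasons.append(f"{name}: matched signature {sig_name}")
    return verdict


def new_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's comment store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments(id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, author: str, comment: str) -> int:
    """The 'sanitise that argument' step: the tick the allow-list admits is
    passed as a bound parameter, so it never becomes part of the SQL text."""
    cur = conn.execute(
        "INSERT INTO comments(author, body) VALUES (?, ?)", (author, comment))
    conn.commit()
    return cur.lastrowid


def handle(conn: sqlite3.Connection, params: dict) -> tuple:
    """Filter first; only a request that passed every layer reaches storage."""
    verdict = check_request(params)
    if not verdict.allowed:
        return ("rejected", verdict.reasons)
    return ("stored", store_comment(conn, params["author"], params["comment"]))


if __name__ == "__main__":
    db = new_db()
    # Constructed sample requests: a legitimate tick in the excepted field, a
    # tick in a field that has no exception, and text the allow-list admits
    # but the signature layer flags.
    print(handle(db, {"author": "pat", "comment": "O'Brien says hello!"}))
    print(handle(db, {"author": "O'Brien", "comment": "hi"}))
    print(handle(db, {"author": "pat", "comment": "a' union select b"}))
```

The point of the third sample is the one Ofer raises: a character filter alone is not a zero-day defence, since a string made only of permitted characters passes it, which is why the signature layer and the parameterised query both sit behind the allow-list rather than replacing it.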

