Ask Slashdot: Share Your Security Review Tales

New submitter TreZ writes: If you write software, you are most likely subject to a "security review" at some point. A large portion of this is common sense like don't put plain text credentials into github, don't write your own encryption algorithms, etc. Once you get past that there is a "subjective" nature to these reviews.

What is the worst "you can't do" or "you must do" that you've been subjected to in a security review? A fictitious example would be: you must authenticate all clients with a client certificate, plus basic auth, plus MFA token. Tell your story here, omitting incriminating details.


  1. Fooled ya! by 140Mandak262Jamuna · Score: 4, Funny

    If you write software, you are most likely subject to a "security review" at some point

    Wrong! My code has never been subjected to any such stupid security review.

    Disclaimer: Opinions expressed here are mine, not those of my employer, Equifax.

    Disclaimer to disclaimer: Nah! I'm not really working for Equifax.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. FBI subpoena by ahziem · Score: 5, Funny

    I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

    1. Re:FBI subpoena by Major_Disorder · Score: 4, Funny

      I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

      I bet you would have gotten away with it too, if it wasn't for those meddling kids.

      --
      First law of people: People are generally stupid.
  3. You MUST have anti-virus with current signatures! by gweihir · Score: 4, Interesting

    This happened to a customer of ours: They were told by an auditor that they absolutely must have anti-virus on all machines, as per policy. Hence they built a tunnel into a completely isolated environment with absolutely no malware vectors in order to be able to get updated AV signatures to the AV they installed on these machines. The really bad thing was that they did not seem to understand when we explained to them that they now did not have an isolated environment anymore and that the AV vendor, as well as anybody successfully attacking the AV vendor, could now attack them and export data at their leisure. What they should have done is to get an exception.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. The security review was nothing like I expected. by Anonymous Coward · Score: 5, Funny

    Some software I was involved with developing had to undergo a security review. Little did I realize how unprepared for this event I was!

    It started off relatively benignly. I was sitting in one of the conference rooms, waiting for the external security consultant to come in. He arrived a minute or two after I had arrived.

    "Hello," he started off. "I'm Steve and today we'll be performing a security review of the software you and your team have developed." He opened his laptop and started loading up the source code we'd provided to him earlier. He didn't even bother with any sort of friendly small talk.

    "So I see you chose C++," he said after a minute or so of looking at the code.

    "Yes, C++14," I confirmed.

    "Unacceptable," he stated without hesitation.

    I was slightly taken aback. "Pardon?" I asked.

    "C++ is unacceptable," he stated.

    "We're using modern C++ techniques, including smart pointers and RAII. We also run our code through several static and dynamic analysis tools," I explained.

    "C++ is unacceptable," he repeated.

    We sat in silence for a couple of minutes as he continued to scroll through the code.

    "Why didn't you use Rust?", he finally asked.

    "Rust?", I replied. "We started this project before Rust 1.0 had been released. Plus our team is more familiar with C++."

    "C++ is unacceptable," he repeated once again.

    He was starting to get agitated. "Why the fuck didn't you use Rust?!" he asked once more.

    "I just explained why," I responded.

    "Don't you give a fuck about guaranteed memory safety? Don't you give a fuck about threads without data races?", he asked loudly.

    "Well, yes, I do care about such things. But we can achieve those by using modern C++ sensibly."

    As expected, he replied "C++ is unacceptable. C++ is fucking unacceptable."

    I wasn't really sure what to do at this point. Clearly he didn't think C++ was an acceptable language to use.

    My pondering was cut short. He abruptly started screaming, "WHY THE FUCK DIDN'T YOU USE RUST?! DON'T YOU GIVE A FUCK ABOUT ZERO-COST ABSTRACTIONS?!"

    "C++ usually has zero-cost abstractions," I pointed out.

    This sent him over the edge. His face started getting a very deep red color, and I could see he was getting extraordinarily angry. "C++ IS UNACCEPTABLE! C++ IS UNACCEPTABLE! YOU HAVE TO USE RUST! RUST IS THE ONLY PROGRAMMING LANGUAGE THAT RUNS BLAZINGLY FAST, PREVENTS SEGFAULTS, AND GUARANTEES THREAD SAFETY!"

    At this point I was starting to fear for my safety. I had read comments from Rust fanatics online, at places like Hacker News and Stack Overflow. But I had never expected these Rust advocates to be as egregiously agitated as this security consultant was.

    Noticing that the door to the conference room was slightly open, and thankful that I was sitting closer to the door than the consultant was, I made a dash for freedom. I slipped through the door, and immediately started running toward my manager's office.

    All the way I could hear the consultant screaming, "C++ IS UNACCEPTABLE! YOU NEED TO USE RUST BECAUSE IT HAS TRAIT-BASED GENERICS AND PATTERN MATCHING!"

    I quickly explained the situation to my manager, who was wondering what all of the yelling was about. He quickly dialed the office building's security team, but they must have been alerted beforehand by somebody else, because the consultant's yelling abruptly stopped mid-way through a rant about the importance of move semantics.

    To be perfectly honest, I have no idea what happened in the end. I assume the security consultant was promptly removed from the building. As for the security review of our software, I haven't heard about having to do any additional ones. Perhaps management realized that there were better uses for our time than listening to some lunatic berate us for using C++ instead of Rust.

  5. Nasty incident at an automation software hut by Seven+Spirals · Score: 5, Interesting

    I was summoned by a contract firm to a 500 person company that had been a victim of an inside job. They wanted a security review and fixes for "whatever that guy did". Turns out the guy was a half-assed developer. The client had spotty and in some cases non-existent backups. They wanted to pass a SOX audit (hahahaha!) while 20-30 machines were completely pwned and backdoored. He'd used everything from sub7 to more modern remote access & control tools. Some of the tools looked like ones he'd cobbled together himself from other tools. He'd also got in and falsified and buried a bunch of code hacks in their version control repo. Luckily, I was able to get that off tape and they only lost about a MONTH of code/work. The FBI got involved because the guy was out of state. I spent about 3 weeks gathering evidence and rebuilding servers, routers, print-servers, and other devices he'd hacked or otherwise tainted. My fees amounted to around $30k. A federal DA charged him with about 10 different hacking related and felony vandalism charges. After a pretty short trial (no jury) he was found guilty and he's still in the same federal prison in Louisiana. He actually has a cell near Bernie Ebbers. I had to talk to him once while he was in prison to get some passwords. The whole thing was surreal. Now get this, on the SOX audit? They passed! They got dinged for the hack but they still passed even before I was done cleaning up. That's when I realized that CISSP/SOX/GLBA/PCI security and *actual* IT security aren't always aligned. Audit all you like, but ... "stay frosty and alert. You can't afford to let one of those bastards in here."

  6. Re: "security review"? by Anonymous Coward · Score: 4, Insightful

    I have been a developer since about 1990 and I have been occasionally re-purposed to perform security reviews.

    The first time was in 2000, we were a data center that was part of a fairly new fiber company.
    We were in a partnership with a large document management company and some open source organization.
    The website that we were hosting kept crashing and the PM responsible for it had lost the admin password.
    It ran on Oracle and I was able to use some default passwords and OS-level functionality in Oracle to grep the file system and identify the system passwords.
    Unsurprisingly, I found that they were using commonly known passwords that were present throughout their training materials.
    When I asked if they could change the default passwords to new values, and rotate them regularly, the response was "No, we think that will break everything."

    This resulted in two things: I became the Unix security guru, and I got them kicked out of our datacenter.

    Similarly, one day our SAN admin noticed that DVD images were being stored on our SAN. We traced it back to another start-up that had been using TELNET to log into their box as root. Apparently this traffic had been sniffed out and our systems had been compromised. This resulted in a clean-room rebuild of all active systems and me being tasked with writing security policies to publish to our customers, follow them and be welcome, don't follow them and buh-bye...

    You may notice that this is all being done in a completely reactive manner since at that time, apparently, nobody on the fucking planet had a clue about how to build and admin a secure system.

    Since that time I have fought the "make a system where you can change the default passwords", "keep your systems patched up to the currently available level", "why the fuck are you passing strings to your database without scrubbing them", and "sure, that is what you think your firewall is doing, but it is not really doing that" battles over and over and over.

    They say that security starts at the code level, and you can really fuck yourself over by taking a poor approach, but most security problems are just plain piss-poor admin skills. IMHO.

  7. Re:The security review was nothing like I expected by operagost · Score: 5, Funny

    His face started getting a very deep red color

    Like rust?

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  8. The Binder of Doom by rjh · Score: 5, Interesting

    In 1999 I was hired by a Midwestern telco -- in the interests of not getting sued I won't say which: I'll just say their market cap used to be in the billions and now you could buy them with the lint in your pocket -- to do security remediation on their billing system. I spent weeks poring over architectural diagrams, going through source code, examining protocols. After a while I realized I had some really scary information, so I asked my manager for a safe.

    "Just put it all in a binder," she said. "We trust you to keep an eye on it."

    The Binder of Doom was a nondescript black binder about three inches thick. It had no cover page and no markings: I didn't want anyone to realize the secrets that were in it. I carried it around with me everywhere. I slept with it in bed with me. That's how terrified I was these secrets would come out.

    Then the Binder of Doom got worse. Having completed my survey, I now devised attacks on the system. I found ways enterprising individuals could fleece the company out of truly mind-boggling sums, and how difficult it would be to detect these attacks with the then-current security infrastructure. By the end of six months the Binder of Doom was stuffed to bursting and I was giving serious thought to filing for a concealed-carry permit. I wondered if the sheriff's department would understand if I told them I was routinely carrying around a binder with a *conservative* worth to a criminal syndicate of $100 million.

    I went back to my manager. I told her I was done. It was time to remediate the risks. "Oh, excellent," she told me, "because we just ran out of money for the remediation."

    Uh. What?

    "Management has decided the main risk is in unsecured communications links, so just ensure we're using PGP on everything and we'll call it good."

    I asked if she wanted the Binder of Doom.

    "No, you hold onto it for a while."

    So I became increasingly disgruntled, bitter, and sarcastic. I told everyone I worked with that I'd been retasked to "secure" our network using PGP -- and even old-school PGP 2.6, not GnuPG (which had just reached 1.0), either -- and oh God this is awful and if this company lasts another year it'll be a miracle and...

    I was shortly thereafter cashiered for having a toxic attitude towards work. I walked into the parking lot, got into my car, and tossed the Binder of Doom into the passenger seat. As I drove away I realized something was horribly wrong, but didn't realize what until I was pulling out of the lot:

    I HAD THE BINDER OF DOOM IN MY PASSENGER SEAT.

    I returned to the office and tried to walk inside, but was met by an HR rep at the door who told me if I didn't leave they'd call the police and file a trespass charge. I held up the Binder of Doom to the HR rep. "Do you want this back?" I asked.

    "No," she told me clearly. "Keep it. We just want you to leave."

    I turned around, gobsmacked, and left the company holding detailed plans for how to embezzle $100 million or more... which the company had just thoughtfully delivered into the hands of a disgruntled former employee.

    (And if you're wondering what I did with the Binder of Doom, it sat on my bookshelf for a few days tempting me before I threw it into an incinerator and threw the ashes into a strong wind.)