Archives For Musings

What is the last thing that you have broken just to verify if it could have been broken? A phone? A car, perhaps? Or the new TV set of your neighbor?

Well, breaking things definitely is not something that people normally do. Incidents happen, surely, but good people simply do not break things for the thrill of doing it.

Good people do not do that, but bad people definitely do. They break things not only because it can be done, but because much can be gained in the process.

So, intentions are really important: are you breaking things to obtain unwarranted advantages, or are you doing it to help those who make those things improve how they are built? The first are simply robbers, while the second are doing a service to all of us, makers and users alike.

In software security, we refer to the good “breakers” as White Hat hackers, while the bad “breakers” are Black Hat hackers. And yes, you guessed well: there are Gray Hat hackers too.

This is a very simplistic description of the world of hacking. You can find various types of hackers everywhere: for example, do you recall that time when, as a boy or a girl, you opened a toy to understand how it worked? Well, you were a hacker without knowing anything about it!

Now, I think that clearly White Hat hacking is a good thing for everyone if done ethically, and for that reason it should be encouraged. It is not easy to be a White Hat hacker: it requires both a broad and deep knowledge of technology, processes and of human behavior.

If White Hat hackers did not do their job, applications and systems would remain unprotected and Black Hat hackers would have much easier access to your data.

That said, why would someone want to punish White Hat hackers?

It is very interesting to understand how attackers work, and sometimes it is also scary to see how unprepared we are. This is an unbalanced war, which we are losing.

Ransomware is on the rise, and it is more and more dangerous. But it is not the only problem. Many of my customers are totally unprepared, yet they say that they have not been compromised in the past, except for a couple of well-known incidents. No wonder, considering that their detection controls are in some cases totally ineffective.

Sometimes customers have no clue where their assets are or how they can be exploited. The most absurd thing to see is that many organizations have VIPs who are not tolerant of the limitations imposed for Security reasons, and who have the power to require an exemption: as a result, sometimes those who have the highest value for an organization are the least protected!

Attackers already know all this and understand your business better than you do. They are going to find your weakest spots and hit them, hard. Many organizations are not able to see that coming, and even less able to respond properly.

FireEye’s incident response business further reports that the mean “dwell time” for breaches in EMEA is 469 days, versus 146 globally.


In other words, in EMEA the time an attacker on average remains undetected in a victim’s systems is more than 3 times the World average!

We have to change this and soon, and it all starts from adopting a more active stance toward Security. It is not a cost: it is a necessity!

David Ferbrache from KPMG describes the situation very well, and SC Magazine has an article about it that can be both alarming and illuminating:



June 26, 2016

Life has many surprises in store for you. You can plan your life as accurately as humanly possible, but you will eventually need to reconsider your plans.

It is not necessarily a bad thing, though. And in my case, I trust it has been for the better.

After I switched to Proactive Support from the Consulting organization within Microsoft, to focus 100% of my time on Security, I planned to improve all my initiatives, blog included. I soon discovered that I needed to dedicate myself entirely to coping with my deficiencies around Infrastructural Security and to meeting the already challenging goals my new organization has defined for me, plus the goals I defined for myself, that is mostly doing whatever I can to expand the importance of Application Security within Microsoft.

This has meant much additional work for me, but also very important successes, like achieving the CSSLP certification (finally!) and recognitions like having been made WW Lead of the Security Development Lifecycle Community within Microsoft, side by side with my good friend Kiyoshi Watanabe, who is an Application Security expert from Japan.

New duties mean more things to do and less time for other things, as I discovered last year. This is the reason why I have written nothing since I switched: I had no juice left to think about anything but the most essential things.

Now it is different: my goals for the new year are set to be more projected toward the community of Application Security practitioners inside and outside Microsoft, because I feel it to be critical for the world I live in and my own future.

Stay tuned for new content and (possibly) a very big surprise, soon. 🙂

A Shared Responsibility

November 22, 2014

Applications are more and more subject to being integrated with other applications. Clear examples are Social Networks like Facebook, Twitter and LinkedIn: it’s very common to see links between them, as well as other applications integrating with Social Networks. This interconnection is so important that it has involved many Enterprise applications as well.

The net result is that the relationships between applications are defining a network, where each one of them takes a role that can be big or small depending on the application’s characteristics, but it is an important role nevertheless.

This Network of Applications defines a new Internet, quite different from the one it was when all this started, and this new Internet is so interconnected and pervasive that it includes, directly or indirectly, a big part of many (most? all?) Enterprises’ infrastructures as well. We do live in the Cloud Era, don’t we?

This interconnected thing reminds me of our brain and, by extension, of our body, not only because it is clearly a parallel to the synapses, but also because it is subject to illness as well. The more I think about it, the more the dynamic of most of the current attacks shows clear similarities with the propagation of a virus in an organic body: you start with a localized infection – a system or two are compromised – then it spreads to some adjacent systems and voilà! You have a serious illness that has gained control of the attacked body. This is very much how Advanced Persistent Threats go, and how attacks like the infamous Pass-The-Hash go too. The idea behind those attacks is to gain access to the real prize a step at a time, without rushing to it, trying to consolidate your position within the attacked infrastructure before someone detects you.

The main difference between the organic body and many pieces of this Network of Applications is that the latter have not yet developed the antibodies needed to detect the attacks, and therefore they are even less able to vanquish those attacks. This weakness allows compromising entire Enterprise Networks starting from a single Client and, as a consequence, gaining access to strategic resources like the Domain Controllers, through a series of patient intermediate steps.

A single weakness allows the first step; the others let the castle collapse.

If we extend those concepts to the whole Internet as a Network of Applications, it is clear that nowadays attackers have plenty of choices about how to attack and gain control of a System, even if that means starting from a very distant vulnerable point. Target’s attackers started from a supplier, for example.

One of the principles of Security is that a system is as secure as its “weakest link”. This sentence implies that the said system can be represented as a chain, where data is processed linearly. But what if you have a multi-dimensional reality, where each node could potentially talk with any other one? You rapidly get a headache… and a big opportunity for any potential attacker.

In this scenario, there is only one feasible answer to the quest for Security: that every actor considers creating Secure Applications, and maintaining their security over time, as a personal responsibility toward its customers, toward its peers, toward the Internet as a whole and toward itself.

Is that thing Secure?

November 14, 2014

A colleague of mine has just asked me if WebView, the control that is shipped as part of the Windows 8.1 SDK, is Secure. His customer has expressed a doubt about it, probably due to serious issues with a similar component built on older technology (see: Microsoft Security Bulletin MS06-057 – Critical).

The interesting fact here is not the specific issue: it is the concept of Security. A control like WebView builds upon a browser, Internet Explorer, to allow integrating web navigation within an application: this means that the application that uses the control inherits all the faults and issues in Internet Explorer, plus those in the control itself. On the other hand, the control is part of Products that are maintained over time by a Corporation that is very serious when Security is concerned (see: Life in The Digital Crosshairs), and it is used by many developers on many applications; therefore it will necessarily be more secure than anything the average Joe can cook up on his own.

So, is that thing Secure? I hate to say so, but… it depends. It depends on what you are trying to accomplish, on the characteristics of the data you are working on, on the abilities of your Team, on your budget and on many other factors.

The sad truth is that Security is a rogue concept: it does not allow absolutes and it wears down quickly. In other words, you have to stick with “Secure enough” and continuously invest to fight against bugs to maintain the status of your Application’s Security at an acceptable level.