Tag Archives: Security

Security related info and issues

Cloud Security Article in CrossTalk


Crosstalk has just published an article I wrote on cloud security in the September/October 2013 issue. The article is titled “Cloud Shifts the Burden of Security to Development“.

The abstract reads: The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Engineers are extremely well poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome.

The paper explores three ways to help development bear the burden of security that the cloud places on them:

  • Use penetration testing results to help engineers determine how to effectively “harden” the most vulnerable parts of the application.
  • Apply the emerging practice of “service virtualization” to provide engineers the test environment access needed to exercise realistic security scenarios from the development environment.
  • Implement policy-driven development to help engineers understand and satisfy management’s security expectations.

It’s an in-depth article with some practical suggestions for improving your code security in the cloud. If you’re not familiar with Crosstalk, it’s “The Journal of Defense Software Engineering” and is full of interesting articles but carries no advertising. Give it a try.

Development Testing for Compliance Seminar in DC

I’m doing a free seminar next week in the DC area “Development Testing can help you comply with government regulations and security guidelines”. Entry is free and you can register here

This will be an informative lunch seminar on Thursday, May 16th from 10am to 12pm at FCN, Inc in Reston, VA. During this event we will be discussing trends, strategies and best practices for NIST compliance.

Discover how to best utilize your company investments to deliver compliance throughout your organization. Participate in a presentation by industry expert Arthur Hicken as he facilitates a discussion on how to continuously integrate software quality into the development process with Parasoft’s comprehensive Development Testing platform.

What you will learn:

  • Consistently apply static analysis, unit testing, peer code review, coverage analysis, runtime error detection, etc.
  • Accurately and objectively measure productivity and application quality
  • Drive the development process in the context of business expectations – for what needs to be developed as well as how it should be developed
  • Gain realtime visibility into how the software is being developed and where it is satisfying expectations
  • Reduce costs and risks across the entire SDLC

Following the presentation Parasoft will demonstrate Parasoft’s development testing solutions for C/C++, Java and .Net applications.

Hope to see you there. If you’ve always wanted to meet the CodeCurmudgeon in person, sign up here.

SSH Tips – How to Login Securely Without a Password

SSH is a wonderful tool and will let you do all kinds of amazing things – not to mention that it does them securely. However, sometimes when you’re trying to automate steps, or are performing the same steps repeatedly on a trusted machine, the frequent retyping of your username can be a pain. Worse still, if you’re writing a script, you certainly don’t want to hardcode passwords into it for others to grab. In this case, what you can do is use ssh keys to secure your connection.

How to do this differs depending on the operating system of the source machine, i.e. the machine you are SSHing from. Suppose you have two machines, the local one (your laptop) and the remote one (some server, e.g. my.server.com). To ssh from the laptop to the server without needing a password, perform these steps:

Linux

On the local machine:
% ssh-keygen -t rsa
Either put in a passphrase or just hit return twice to skip. Note that using a passphrase makes it more secure, but makes automation tricky.

This produces a file called id_rsa.pub in a subfolder called .ssh underneath your home directory. Now you need to transfer that file to the remote server. Note that you’ll need your password to perform this step, and to avoid troubles we’ll rename the file during transfer.

% scp ~/.ssh/id_rsa.pub USERNAME@my.server.com:id_rsa.pub.mylaptop

Now we need to add the id_rsa.pub keys to the proper file on the remote machine (my.server.com). Note that if you don’t already have a .ssh folder on the server, you can just create it, or better yet, run the ssh-keygen command there, as above.

% ssh USERNAME@my.server.com
% cd .ssh
% cat ~/id_rsa.pub.mylaptop >> ~/.ssh/authorized_keys
% rm ~/id_rsa.pub.mylaptop

Make sure the .ssh dir and all its files don’t have any open group or other permissions, or this won’t work.

% cd ~/.
% chmod -R go-rwx .ssh

Here’s an example of what the authorized key file will look like. Note that there will be one line (word-wrapped) per each user/machine that has exchanged keys in this manner.

% cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyJnwH/k4/FdY88p2utHHDc5VSJqL97n/nsK1PkW9q9KWddMIu8u+Golyg4RW10nIGs3A4EYYPn9Gu7dJy+vhO2xRJM4A+EEF/9nYYy/ZLXBlh4V3zMRYLom6TZx9OSTA6L0z9HKdopgJ/HnQ+yEFzS29TBjCs/9Dy4+iS0uVhWs= root@krysia.afraid.org

Windows

Use your favorite ssh tool and check its documentation. For now I’ve used puttygen; it should be where you installed putty, probably something like c:\bin. It is a graphical program for managing keys on Windows with putty.

Select “SSH2 (RSA)” as the type of key (at the bottom of the screen)

Select “generate” and follow the instructions. It wants you to move your mouse around in a block for awhile to generate randomness. Then it makes a key.

Select “save private key” and either give it a passphrase, or ignore it when it tells you to think about using a passphrase. You can save your private key to disk somewhere. Note that using a passphrase makes it more secure, but makes automation tricky.

Select “save public key” and save it to disk somewhere.

In the normal putty window select load to pull in the profile you want to add the key to. Go to Connection and put the ID in the “auto-login username” box, i.e. your unix login name.

In the SSH Auth section select the browse button to go to where you stored the private key file, and select it. Then go to the “session” category and select save.

Now you need to take the public key stuff and add it to your ~/.ssh/authorized_keys file on the ssh server machine. If you’re using putty you have pscp that you can use. It’s in the same dir where you put your putty executable.

c:\> cd dir_with_public_key_file
c:\> pscp putty_public_key_file USERNAME@my.server.com:id_rsa.pub.mylaptop

Now connect to the remote system using ssh so you can add your public key to their authorized keys file, i.e. use ssh or putty. After you’re connected, edit the file you put there, id_rsa.pub or whatever you called it.

Remove the first line of the file that says “BEGIN SSH2 PUBLIC KEY”

Remove the last line of the file that says “END SSH2 PUBLIC KEY”

Remove the line that says “Comment: ”

At the beginning of the first line insert “ssh-rsa ”

At the end of the last line after the =, put something that says what the key is for future reference, i.e. your user/machine name. Like this: instead of “=” put “= user@machine.company.com”.

Now there are probably 4 lines in this file, and they all need to be joined into one line. Plus if joining creates spaces they will need to be removed.

Now you can append this to the ~/.ssh/authorized_keys file:

% cat ~/id_rsa.pub.mylaptop >> ~/.ssh/authorized_keys
% rm ~/id_rsa.pub.mylaptop

As an extra bonus, if you’re trying to use the pscp command line in windows (it’s the windows equivalent for scp in unix) then here’s how to do it.

Make sure you’ve done the public key transfer, as above. Then when you call pscp, just pass the “-load” option with the name of the “profile” that you’re using.
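The Windows conversion steps and the append-and-chmod steps above, as an added shell example that is not code from the original post: `putty_to_openssh` does by script what the post describes by hand (strip the BEGIN/END and Comment lines, join the wrapped base64, prefix “ssh-rsa ”, add a user@machine tag), and `install_key` appends the line only once and closes group/other permissions on the .ssh directory. The sample key file is constructed and contains no real key; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names are my own.

# write_sample_putty_key FILE: writes a constructed key file in PuTTY's
# "SSH2 PUBLIC KEY" export format. The base64 body is made up, not a real key.
write_sample_putty_key() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20130501"
AAAAB3NzaC1yc2EAAAABJQAAAIEAcons
tructedSAMPLEkey
notREAL0123==
---- END SSH2 PUBLIC KEY ----
EOF
}

# putty_to_openssh FILE TAG: prints one OpenSSH authorized_keys line.
# Assumes an RSA key (the post's "ssh-rsa") and a one-line Comment header.
# tr removes the spaces that joining can create and any Windows CRs.
putty_to_openssh() {
    body=$(grep -v -F -e 'BEGIN SSH2 PUBLIC KEY' -e 'END SSH2 PUBLIC KEY' \
                      -e 'Comment:' "$1" | tr -d ' \r\n')
    printf 'ssh-rsa %s %s\n' "$body" "$2"
}

# install_key KEYLINE [AUTHORIZED_KEYS]: appends KEYLINE unless the same key
# blob (second field) is already present, so re-running is safe, then does
# the post's "chmod -R go-rwx" on the whole .ssh directory.
# Returns 1 if the key was already installed.
install_key() {
    keyline=$1
    akf=${2:-"$HOME/.ssh/authorized_keys"}
    sshdir=$(dirname "$akf")
    blob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    mkdir -p "$sshdir"
    if [ -f "$akf" ] && grep -q -F -- "$blob" "$akf"; then
        return 1
    fi
    printf '%s\n' "$keyline" >> "$akf"
    chmod -R go-rwx "$sshdir"
    return 0
}
```

Source the file, then run `putty_to_openssh putty_public_key_file user@laptop` on the server to see the converted line, and feed that line to `install_key` to append it.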

Hopefully this helps – I find it very useful. If there are other operating systems, or other tips you’d like to know, just ask.

Cloudy With a Chance of Cyber-Attacks Webinar Slides Posted

I just finished the Parasoft webinar on security for cloud applications. It’s titled Cloudy With a Chance of Cyber-attacks – Securing Cloud-based Applications. In this cloud security webinar I discussed some basic tools and techniques you can use in your SDLC to make sure that your applications are secure. It’s a short webinar, and should serve to give a good introduction to anyone interested in cloud application security.

It covers things like distributed denial-of-service attacks (DDOS), SQL injections (SQLI), and other security breaches that are lurking in the cloud for their chance to wreak havoc on computers, servers, networks, and mobile devices. Also we discussed resources for security standards and training, such as NIST (SAMATE), CWE, OWASP, and PCI DSS.

For your convenience, here are the links to those organizations.

I’ve got the slides below, as well as audio in mp3. If you want the whole thing all recorded together you can get it from GoToMeeting.

Download (PDF, 2.9MB)

MP3 Audio (17MB)