
July 2007 Archives

July 4, 2007

Secure Programming with Static Analysis


About 18 months ago Jacob West and I got serious about writing a book. With much joy and relief, I'm happy to say that the book is finally out. Secure Programming with Static Analysis has been released into the wild! In some ways this is an extended-play version of my PhD work, but written for more than just an academic audience. It makes the case for static source code analysis as an essential tool for getting software security right. The book covers a lot of ground.

  • It explains why static source code analysis is a critical part of a secure development process.
  • It shows how static analysis tools work, what makes one tool better than another, and how to integrate static analysis into the SDLC.
  • It details a tremendous number of vulnerability categories, using real-world examples from programs such as Sendmail, Tomcat, Adobe Acrobat, Mac OSX, and dozens of others.
  • It includes tutorials that walk through applying a static analysis tool to real programs.

I'm now going to face the happy problem of finding something to do with my weekends! I can handle it.

I'll send a free book to the first person who names the type of flower on the cover and gives a decent explanation for why we used a flower rather than a lock or a gate or some kind of weapon. Post your answer here or send me email (my first name @ fortify.com).

Update: The prize goes to Andre Gironda who named the flower as a lotus, and who correctly guessed that we used a lotus because it is a symbol of purity and enlightenment. It begins in the mud, but transforms itself into a beautiful flower. We like the idea that static analysis helps bring purity, and that taking security into account is part of an enlightened approach to programming. We also like the way it looks.

July 10, 2007

Speaking of Secure Programming

A few months ago, while we were still in the thick of finishing off the book (Secure Programming with Static Analysis) and hadn't yet started focusing on selling it, Brian and I recorded an interview with InformIT's new OnSoftware podcast where we talked about software security and the kind of material we cover in the book.

Well, months later the book is finished and now the interview we recorded is available for mass consumption through iTunes as either a video or audio podcast. You can subscribe to the podcast series on www.onpodcastweekly.com or link directly to our episode at http://media.podhoster.com/peachpittv/05_SOF_ChessWest_01.mp4.

Secure Programming with Static Analysis has gotten some nice attention from other sources, too. Gary McGraw recently posted the foreword he wrote for the book on his Justice League security blog http://www.cigital.com/justiceleague/2007/07/06/from-the-foreword-to-secure-programming-with-static-analysis and SANS has a nice interview with Brian up at http://www.sans.edu/resources/securitylab/brian_chess.php. I particularly like the part in the SANS interview where Brian takes credit for all the typos in the book ;-).

July 12, 2007

Exploiting Online Games

Hoglund and McGraw's new book just came out. It's brilliant. Exploiting Online Games: Cheating Massively Distributed Systems is a peek into the future and an amazing recruiting tool all rolled into one.

If you already understand the kinds of security problems today's software creates, then the book gives a view into the kinds of security problems tomorrow's software is going to create. Here's a hint: Time and State. Massive distributed systems can fail in the same ways that centralized (traditional) systems can fail, but they're also likely to run into trouble as they try to coordinate critical data between nodes. There is a lot of money flowing through modern games, and so any sort of defect fuels the fight between the game companies and people who seek to profit from them.

But if you just think games are cool and want to know more about what your options are for getting ahead, or if you're trying to figure out why your arch-nemesis from the next dorm building seems to have such good aim with his Crossbow of Ultimate Peril, this book has all sorts of tricks, hacks, code examples, and step-by-step information on how to get inside the mother of all massive multiplayer online games: World of Warcraft (WoW).

When I was in college, there was a whole subculture of people who learned to program so that they could extend and improve Multi-User Dungeons (MUDs), an early forerunner of WoW. This book is going to be the gateway to programming for the WoW generation. And, if everything goes as I'm sure Hoglund and McGraw have planned, those kids won't even know it's possible to program without thinking about security.

July 14, 2007

Web Vulnerabilities in the Age of the iPhone

I've read lots of articles about hacking the iPhone lately. They're mostly focused on exploring the hardware, circumventing the intended activation process, or putting new software on the device. That's nice, and I like to see a technological marvel smashed open with a hammer just as much as the next geek, but I'm more interested in how the iPhone changes the balance of power when it comes to security.

Small items first: There are a few minor application issues that make a phisher's job easier. For instance, the email client does not display the URL you're going to visit when you click on a link, so a phisher can send out spam that says "Click here to go to PayPal" and point the link to http://paypal.fakesite.ro, and there's no way to know what's going to happen until you click. Once you do click, the browser displays only the first 20 or so characters of the URL, so it's easy to hide a big gnarly cross-site scripting attack without arousing any suspicion. Alternatively, the phishing site can use JavaScript to scroll the URL bar out of sight. (See Joe Hewitt's writeup.) I expect issues like these will be addressed soon enough, just as they've been with all of the major desktop mail clients and Web browsers.

Much more interesting is the way the iPhone connects the Web browser and the phone. As the author of a Web site, you can embed a telephone number in a web page like this:

<a id="phone_home" href="tel:1-900-867-5309">call me!</a>

You can also write JavaScript that causes the iPhone to initiate the dialing process:

<script>
// navigating to a tel: URL makes the iPhone offer to dial the number
window.location.href = "tel:1-900-867-5309";
</script>

When that code runs, the user will be prompted "1-900-867-5309 (call) (cancel)". If the user accepts, the phone dials. Now you can turn phishing into money faster than ever before because the payload is the product: victims dial a 900 number, and the money starts rolling in. By the way, setting up a 900 number is easy.

Alternatively, use a cross-site scripting vulnerability to have a banking Web site initiate a call to a fake technical support number. What's the first thing the fake support rep asks for? Your account information of course! After all, you called them, so they need to "confirm your identity". Once again, an old scam gets new legs with a little help from the latest technology, and once again the ante on cross-site scripting goes up.
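As an added illustration (not code from the original post), here is a small link auditor of the kind a mail client or web gateway could run before rendering a message. It flags the two patterns described above: link text that names one site while the href points to another, and tel: links (in anchors or in script) that dial premium-rate 1-900 numbers. The sample message, the prefix list and the brand list are constructed for the example; parsing is regex-based to stay dependency-free, where a real implementation would walk a proper DOM.

```javascript
// Constructed sample message: one deceptive PayPal link, one legitimate one,
// one premium-rate tel: anchor, one ordinary toll-free anchor, and a script
// that navigates to a premium-rate tel: URL.
const SAMPLE_MESSAGE = `
<p><a href="http://paypal.fakesite.ro/login">Click here to go to PayPal</a></p>
<p><a href="https://www.paypal.com/">PayPal</a></p>
<a id="phone_home" href="tel:1-900-867-5309">call me!</a>
<a href="tel:1-800-555-0100">customer service</a>
<script>window.location.href = "tel:1-900-867-5309"</script>
`;

// US 1-900 numbers are premium-rate; this is the prefix the post discusses.
// Other prefixes can be added for other countries (constructed list).
const PREMIUM_RATE_PREFIXES = ["1900"];

// Brand names whose appearance in link text should match the link's host
// (constructed list for the example).
const KNOWN_BRANDS = { paypal: "paypal.com" };

// Reduce a tel: URL to bare digits: "tel:1-900-867-5309" -> "19008675309".
// Returns null for non-tel URLs.
function telDigits(url) {
  const m = /^tel:(.*)$/i.exec(url.trim());
  return m ? m[1].replace(/[^0-9]/g, "") : null;
}

function isPremiumRate(url) {
  const digits = telDigits(url);
  return digits !== null && PREMIUM_RATE_PREFIXES.some((p) => digits.startsWith(p));
}

// Host part of an http(s) URL: "http://paypal.fakesite.ro/login" -> "paypal.fakesite.ro".
function hostOf(url) {
  const m = /^https?:\/\/([^/?#]+)/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// If the visible text mentions a known brand, require the host to be that
// brand's domain or a subdomain of it. Returns a description of the mismatch
// or null when the link is consistent.
function brandMismatch(text, href) {
  const host = hostOf(href);
  if (!host) return null;
  for (const [brand, domain] of Object.entries(KNOWN_BRANDS)) {
    const mentioned = text.toLowerCase().includes(brand);
    const legit = host === domain || host.endsWith("." + domain);
    if (mentioned && !legit) return `text mentions ${brand} but link goes to ${host}`;
  }
  return null;
}

// Scan anchors and inline scripts; return a list of findings in document order.
function auditHtml(html) {
  const findings = [];
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const [, href, rawText] = m;
    const text = rawText.replace(/<[^>]+>/g, "");
    if (isPremiumRate(href)) findings.push({ kind: "premium-rate-tel", href });
    const detail = brandMismatch(text, href);
    if (detail) findings.push({ kind: "brand-mismatch", href, detail });
  }
  // Script-initiated dialing: any tel: string literal inside a <script> block.
  const scriptRe = /<script\b[^>]*>(.*?)<\/script>/gis;
  while ((m = scriptRe.exec(html)) !== null) {
    const litRe = /["'](tel:[^"']*)["']/gi;
    let lm;
    while ((lm = litRe.exec(m[1])) !== null) {
      const kind = isPremiumRate(lm[1]) ? "premium-rate-tel-script" : "tel-script";
      findings.push({ kind, href: lm[1] });
    }
  }
  return findings;
}

// Usage: list what the auditor would warn the user about before rendering.
for (const f of auditHtml(SAMPLE_MESSAGE)) console.log(f);
```

The point of showing the tel: number (rather than just the raw href) in each finding is that it is exactly the information the iPhone's mail client withholds: a client that surfaced the real destination before the click would take most of the sting out of both the fake-PayPal link and the 1-900 dialer.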

I expect two things will happen in the coming year:
1) We'll learn about more cute tricks that web applications can use to look more like native iPhone applications and to interface with the iPhone and allow access to things like contacts, photos, and maybe even the phone's physical location. All of these features will expand the horizons of enterprising attackers.

2) All of the other handset makers in the world will begin to deliver their response to the iPhone. At that point, they will all have been working around the clock in panic mode for the better part of a year, and the devices will contain a treasure trove of security vulnerabilities that make the iPhone look like Fort Knox. After all, Apple got plenty of things right: at least you have to confirm before the phone dials.

About July 2007

This page contains all entries posted to :: extra :: in July 2007. They are listed from oldest to newest.
