Archive for the 'Uncategorized' Category

Aug 08 2013

Security Development Lifecycle Training

Last year we tried to outsource our classroom-based training (CBT) for our SDL effort to a third party…that didn’t go so well. I don’t want to mention the name of the company we used but we were disappointed enough with the first round of the training and we decided to go our own route.  To that end I was tasked with creating the content for the training…and I have been heads down most of the time this year working on several classes:

  • Threat Modeling
  • Secure Coding in C and C++
  • Secure Coding C#

The Threat Modeling class has been completed (although it could stand to be updated and cleaned up a bit).  The Secure Coding in C and C++ class was completed but the feedback I got from my second group of attendees was that they’re doing development on the ARM processor platform and they wanted to see the exploits in the hands-on lab exercises on that platform.  The Secure Coding in C# is still being built out.

The good news is that I have been able to get a Debian Linux image built (with a GUI interface) for the Secure Coding in C and C++ class using the QEMU ARM emulator.  The next step is to setup the networking so that I can pull additional packages into the image and build out a complete development environment.  This has been driving me crazy for the past couple of months because the installer for the image and the QEMU disk image were constantly giving me problems.  Today was a “Good” day…

 

No responses yet

May 26 2011

Software Development Lifecycle – Training

Lately I’ve been working on incorporating a Software Development Lifecycle (SDL) in the development processes of a smart grid vendor for their smart grid products.  It’s no secret that everyone (from the vendors to the utilities to the public utility commissions to NERC and FERC) are concerned about the rush to deploy smart grid or – more aptly – advanced metering infrastructure (AMI) systems.  There are many issues that need to be considered when doing an advanced metering infrastructure – internal security at the utility; securing the endpoint devices; the security of the connecting network.  All of these are things to rightly be concerned about.  However, very few smart grid vendors have focused on the builtin security of their software.  I’m not talking about all of the bells and whistles that they provide to secure the AMI infrastructure…I’m talking about the quality of their code.  It’s all well and good to have lots of security features that your customers can turn on and off…but what lurks under the engine?  Buffer overflows? Heap overflows? Cross-site scripting?  Cross-site request forgery? I could go on and on.  To deal with these concerns and potential vulnerabilities I’ve been working on implementing Microsoft’s Security Development Lifecycle (SDL) in our product development groups.  This has been a real challenge given that we previously didn’t worry about such issues since meters (electric, gas, and water) were isolated, electro-mechanical devices that didn’t have two-way (or in some cases even one-way) communication capabilities.  I plan to post updates with implementing an SDL in this blog in hopes that others learn from our experience.

One of the primary components of an SDL is a software security training program.  Developers and development management tend to focus on one thing primarily – writing code and getting it working as fast as possible.  In many cases security is not even an afterthought and even if it is given some consideration many developers don’t have the experience in writing code with security in mind.  This is where a software security training program is essential.  It needs to cover a wide variety of topics such as an overview of the SDL process, secure coding in C/C++/Java/.NET, threat modeling, and secure software architecture to name a few.  In today’s market there are two options in software security training for an organization that is looking to stand up an SDL:

  1. Do it yourself
  2. Outsource

From a “do it yourself” perspective one of the hardest parts is finding people skilled at secure coding within an organization that is already possibly behind the curve on software security.  All content would be developed internally – and there’s the Catch-22 situation: how can you develop the content when your staff doesn’t have the skills necessary to write the content which needs to be taught? In addition to that you will need to setup a learning management system (LMS) in order to track developers as they go through the training which is internally developed (or perhaps bought).

In many cases the only viable alternative is to outsource.  Outsourcing should leverage both instructor-led training (ILT) and online classes.  The only thing to decide is The question is which philosophy do you subscribe to with regards to training: ILT training first with online classes as a reinforcement/refresher or online classes first followed by ILT.  I’ll try and explain both approaches below:

Leveraging ILT before going proceeding to online training is based on the idea of getting the most, in-depth training upfront is the key component of the training and the online classes are just there for reinforcement of the material learned in the ILT classes.  In addition the online classes can be used as refresher classes after some specified period of time – say, approximately a year – after the initial ILT/online classes have been taken.  The trick is that the online class content needs to be updated during that time…otherwise it becomes stale and loses value for the developers.  The big benefit here is that you put a lot of effort upfront to get your developers trained and can leverage that training as soon as possible.

Flipping the sequence around has the online training occurring before the ILT classes.  The philosophy here is that the developers get a broad knowledge of the SDL and its various components and then you’re able to focus the ILT more effectively to provide the attendees a class that explores the content more completely.  One of the big benefits to this approach is that the developers get a broad education in what an SDL is and what steps are part of the overall process.  This allows you to provide some training to all of your developers (of course that depends on how many seats you buy for the e-learning system) and to take those who are key and provide them the ILT first.

It’s hard to say which is the better approach – too many factors to consider: cost and schedule being the primary ones.  It is my belief that both approaches are equally valid.  I would also stress that it depends on how big your developer population is and how quickly you need to get some training started.  From my own perspective I think the idea of starting the e-learning first and then moving to an ILT is more effective – it allows for your developers to all start at the same knowledge level before having them go through the ILT.  It also doesn’t prevent you from using the e-learning later as a refresher for the material that the learned in the ILT.  I’d be interested in hearing other’s thoughts as well on this.

2 responses so far

Sep 21 2009

And Another Classic One

Published by under Uncategorized

For the real network geek in me. Another funny one that I found was this one — talking about the day the routers died

No responses yet

Nov 21 2008

Scary Times

I’ve stopped paying attention to the stock market these days. Oh, I keep tabs on it frequently but I’ve removed the Windows Vista gadget I used to have in the sidebar that showed me how the market is doing in a “realtime” basis. It’s too depressing. I’ve already done all that I can at this point to shore up my own finances. Back when this plunge was first starting I moved my 401k investments out of stocks and into bonds and money market funds. I’ve moved my wife’s IRA to bonds. Where I can’t do that I’ve left the accounts alone with the hope that when the market rebounds…which it will…I will at least recover my investment (albeit I may be an old man by then) or make good on it in a big way.

What disturbs me is the lack of leadership at the top — both from the White House and from Congress — in addressing this issue. After asking for $700 billion dollars to buy these toxic mortgage backed securities that helped drive this mess, Treasury Secretary Paulson has now decided that doing so is too complicated and would not provide the needed effect of calming the markets and providing some sense of confidence. Instead, he’s investing that money in the banks themselves. Unfortunately, the banks apparently are intent on either sitting on that money (like the American consumer is doing with whatever cash reserves they have) or using it for acquisitions and mergers. That, of course, hasn’t helped at all nor has it resulted in the much needed relaxation in the credit markets. The idea that this money would help cause a “trickle down” effect that would settle the upset American economic market seems to have failed. I, personally, would posit that the Reaganomic idea of “trickle down” has now been clearly shown to be the “Voodoo Economics” that President George H. W. Bush once claimed. Perhaps Secretary Paulson should use the other half of the $700 billion dollars that he’s got in a “trickle up” idea — instead of giving the rest of the bailout money to banks and other financial institutions give every household in the country $100,000 and let them spend it to help jump start the economy. Since “trickle down” doesn’t work…perhaps “trickle up” will.

I read Paul Krugman’s latest op-ed piece in the New York Times and it doesn’t really give me all that much hope. Yet he’s right…we’ve got a complete drift in economic policy due to an administration that is apparently unsure of what to do (or unwilling to do what it needs to do) and a Congress that is biding it’s time…for what I don’t know. What I do know is that the lack of action by the administration (or their claims that they are not sure of what action to take next) as well as the statements made by Congressmembers such as Senator Carl Levin yesterday are going to really drive the American consumer into a bunker mentality that perception will become reality. Consider this statement made by Senator Levin yesterday

We cannot allow the issue of which source of already appropriated funds will be used for the essential purpose of preventing the economy from sliding into a depression, which is a real possibility if one or more of the domestic auto companies goes under, given the impact of the auto industry on millions of jobs, on suppliers that are in most or our states and on all of our communities which have Big 3 auto dealers.

Levin, Carl, “Statement of Senator Carl Levin on Bipartisan Agreement to Support Auto Industry,” November 20, 2008, found at http://levin.senate.gov/newsroom/release.cfm?id=305179

I’m certainly not claiming that Senator Levin is stating that we are already sliding into a depression but such statements can cause real fear in American consumers and they will respond accordingly — by pulling back even further on whatever spending they are already doing and that will, in turn, contribute to the slide into a depression.

What’s happening now is a mess created by this administration with it’s lack of real economic policy, by a Congress that is, and has been for years, truly partisan, and by a Fed Policy Board Chairman that argued too much for allowing the markets to regulate themselves. But, let’s be honest, it’s also caused by an American consumer that bought on credit as far as they could go and by a system that threw all the basics of lending out the window in the pursuit of short term riches. We have forgotten the very basic concepts of economics — you don’t get something for nothing. And now, many more of us may well lose everything.

No responses yet

Aug 27 2008

Rebuilding the VMware Server

My trusty VALinux Full-On 2240 system finally reached the point where I couldn’t use it. The system disk is fine with Ubuntu 08.04 on it. The problem was with the RAID array that I created using 3 36GB disks. That’s where I stored my VM images and one disk back in June began to have problems. Well, a few weeks ago a second disk began to have problems — wonderful. The issue is that I had it configured as a RAID as a RAID 0 array…just concatenating the three partitions together. Doing that I wasn’t just able to replace a single drive and reconstruct it. Now I had to replace two out of the three drives. Oh joy.

The first thing I needed to do was to “rescue” the VM images I had installed on the RAID array. I copied the images to my desktop system (it pays to have 500GB of available space for this) and saved them that way. Then I ordered 3 73.4GB Seagate ST173404LCV drives from PC Progress in Elk Grove Village, IL. The disks arrived on Monday and I installed them on Tuesday. This time, I built the RAID array using mdadm as a RAID 5 array so that if one of the disks goes south I can always pull it, put another 73.4GB disk in and rebuild the array easily. Now the only thing left to do is to restore the images to the server. Again…oh joy!

No responses yet

Aug 08 2008

Paris Hilton Strikes Back

Published by under Uncategorized

Senator John McCain used an image of Paris Hilton (and Brittany Spears) in his latest campaign ad against Barack Obama. Well, looks like Paris Hilton has struck back.

It’s very funny. “Old White Hair Dude” — at least she has a sense of humor. Can’t say the same thing about Senator McCain whose campaign is starting to sound alot like the George W. Bush campaigns of 2000 and 2004. But that’s not a shock given that he’s hired Steve Schmidt (a protege of Karl Rove) and some others from the Bush 2004 campaign to bring back the low blow mud slinging that was their trademark. Whatever happened to the principled, high-minded, Senator McCain who was admired for his maverick stances on controversial issues? It would be nice to have him running for President rather than this new McBush.

No responses yet

Jul 30 2008

Politics and the DOJ

Published by under Uncategorized

The NY Times today highlighted an article that focused on an internal DOJ investigation that identified aides to former attorney-general Alberto Gonzales who used political affiliation in their hiring and promotion process. They apparently picked less-qualified applicants for non-political positions over others because of their political affiliations or passed over better qualified applicants because of their or their spouse’s political affiliation or activities. The articles continues by detailing a few examples of such behavior.

A longtime prosecutor who drew rave reviews from his supervisors was passed over for an important counterterrorism slot because his wife was active in Democratic politics, and a much-less-experienced lawyer with Republican leanings got the job, the report said.

Another prosecutor was rejected for a job in part because she was thought to be a lesbian. And a Republican lawyer received high marks at his job interview because he was found to be sufficiently conservative on the core issues of “god, guns + gays.”

(Lichtblau, Eric,”Report Faults Aides in Hiring at Justice Dept.“,The New York Times, July 29, 2008 )

What, of course, is not surprising at all is that the report also determined that White House officials were also actively involved in these hirings and promotion decisions. Does this surprise me? Not in the least. The Bush administration has continually flaunted the legal limits on a wide variety of issues — be it wiretapping without warrants to the firing of U.S. attorneys because of political affiliations or leanings. The fact is this administration has made a rather severe mockery of the law by behaving, and encouraging the behavior, that it is above the law. Former Attorney General Gonzales should have kept better tabs on his department.

The [Department of Justice] report released on Monday goes much further in documenting pervasive evidence of political hiring for some of the department’s most senior career positions, including immigration judges, assistant United States attorneys and even senior counterterrorism positions.

The pattern appeared most damaging in the hiring of immigration judges, as vacancies were allowed to go unfilled — and a backlog of deportation cases grew — while Mr. Gonzales’s aides looked for conservative lawyers to fill what were supposed to be apolitical jobs.

(Lichtblau, Eric,”Report Faults Aides in Hiring at Justice Dept.“,The New York Times, July 29, 2008 )

Since these are apolitical positions within the Justice Department it is illegal according to Civil Service Law and contrary to the department’s own internal policies to use political affiliation as a benchmark for hiring and promotion decisions. Obviously Ms. Goodling and her predecessor, Susan Richmond, felt that they knew better than the law. An example of Ms. Richmond’s interference can be seen in the extension of an attorney’s appointment in the deputy attorney general’s office. When an aide in the deputy attorney general’s office inquired abount the delay he

summed up his frustration in an e-mail message recounting his inability to keep the lawyer in his office. “I also probed whether there is something negative about him that I did not know,” Mr. Levey wrote. “Turns out there is: he is a registered Democrat,” he wrote, and Jan Williams, an official in the White House, “thinks everyone in the leadership offices should have some demonstrated loyalty to the President. She all but said that he should pack his bags and get out of Dodge by sunset.”

(Lichtblau, Eric,”Report Faults Aides in Hiring at Justice Dept.“,The New York Times, July 29, 2008 )

Now, is this something endemic to just this White House? Probably not. But it is interesting to see how pervasive this behavior is in this administration. Sure there were scandals in the Clinton administration, some of them politically oriented and motivated. But this White House has taken this behavior to a new level. And it runs counter to the concept that President Bush is a “Uniter…not a divider” and of trying to portray himself and his administration as being principled. And of course the response from the White House to this report is as expected: Tony Fratto, a spokesman for the White House said of Monday’s report, “There really is not a lot new here.” (Lichtblau, Eric,”Report Faults Aides in Hiring at Justice Dept.“,The New York Times, July 29, 2008 )

No responses yet

Jul 23 2008

Small Change to Blog

Published by under Uncategorized

I have decided to put all of my blog information about the Garden, our plans for it as well as our rain barrel project and other “Green” projects in a new blog called “Imladris Gardens.” Being a big fan of J. R. R. Tolkein and his Lord of the Rings books (I’ve been a fan long before the movies ever came out and I’ve read his other works as well) I chose to name our garden “Imladris Gardens” as I hope that the garden that we create will be a place of peace and quiet in our neighborhood where people can come, visit and even walk through it and enjoy the beauty and the sounds of the garden. For those who don’t know, Imladris is the Sindarin (i.e. Elvish) name for the Valley of Rivendell where the Last Homely House of Elrond was located…Hobbits welcome 🙂 .

No responses yet

Jul 16 2008

A New Server to Build

Published by under Uncategorized

So I’ve decided to go the virtualization route in order to save energy (i.e. don’t put so much money into the hands of PEPCO who, by the way, is raising rates again by 10% this summer to offset the higher cost of fuel for their power plants — it amazes me that the energy companies don’t get it that they really need to start investing in alternative energy NOW — not later!) and reduce the carbon footprint of my network. I’ve salvaged an Antec Performance Plus 660B case from the Montessori school where I manage their network and it’s already got a lot of parts. Interestingly it already has a 430W power supply in it (as opposed to the original 330W power supply that comes standard with the case). Anyway, I’m going to salvage as much as possible and build the new server with the following components:

Component Number
ASUS L1N64-SLIWS/B Dual 1207(F) NVIDIA nForce 680a SLI SSI CEB Server Motherboard 1
AMD Opteron 2346 HE 1.8GHz Socket F 55W Quad Core Processor 2
Arctic Cooling Freezer 64 Pro 92mm CPU Cooler 2
Seasonic M12II SS-430GM 430W ATX 12V 2.2/EPS12V 2.91 Power Supply 1
Kingston 4GB (2x2GB) 240-Pin DDR2 SDRAM ECC Registered DDR2 667 (PC2 5300) Dual Channel Kit Server Memory 4

This should make the system an 8 core, low-power, system with 16GB of memory. The goal is to put Ubuntu Server 8.04 (or better) on it and run VMWare Server. Then I’ll convert all of my physical machines into virtual machines and run them on this one system. I figure I’ll save about $30 per month on my electricity bill.

One response so far

May 29 2008

Another one by Tom Friedman

The man just knows what he’s talking about. He definitely has a clear sense of the reality we are currently in and tells it straight…unlike the politicians in Washington and the rest of their cronies. See his current opinion post here.

I’m looking forward to getting my own Prius soon as well!

No responses yet

Next »