Presented at IEEE HST 2015
Static Analysis for Web Service Security – Techniques and Tools for a Secure Development Life Cycle
Adnan Masood, Nova Southeastern University; Jim Java, Nova Southeastern University
In a recent podcast by Scott Hanselman and Erica Stanley, an Internet of Things (IoT) primer, the guest mentioned how security is being treated as an afterthought for most things IoT. This is unfortunately true in various areas of software development; but especially with the unprecedented growth of IoT, this laxity in security standards will fast become a safety and security dilemma.
To borrow the variety, velocity and volume analogy of Big Data, IoT is also subject to a very large variety of devices, supporting different velocities (performance capacities) and volumes (large numbers of devices, meshes, etc.). Protecting the data on these devices and providing privacy are definitely the key challenges in IoT. Lax security is also bad for business, since it will decrease adoption, undermine the success of IoT and hinder overall development.
The following links and papers provide an overview, analysis and taxonomy of the security and privacy challenges in IoT.
References and Further Reading
- Erica's talk on The Internet of Things from the All Things Open Conference
- Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT)
- Future Internet: The Internet of Things Architecture, Possible Applications and Key Challenges
- Internet of Things Demands Security by Design
- Internet of Things (IOT): Seven enterprise risks to consider
- Security in the Internet of Things: Lessons from the Past for the Connected Future
- Cisco Security Products for the IoT
- IoT security: How to do it (mostly) right
- Developers Discuss IoT Security And Platforms Trends
- Understanding The Protocols Behind The Internet Of Things
- The Nest
- Intel Edison
- The Internet Of Things Is A Standards Thing
Systems and methods for dynamic protection from electronic attacks - US Patent 8726379 B1
Penetration Testing techniques in web applications by Dimitris Mandilaras and Nikolaos Tsalis is a succinct infographic review of different security frameworks and methodologies, including OWASP, PTES, ISSAF, NIST, OSSTMM and PTF.
A short poster can be downloaded from here.
- Functional Programming For All! Scaling a MOOC for Students and Professionals Alike
- Reactive Web Applications with Dynamic Dataflow in F# A Tayanovskyy, S Fowler, L Denuzière, A Granicz - ifl2014.github.io
- The F# Computation Expression Zoo Tomas Petricek, Don Syme
- Thinking in LINQ: Harnessing the Power of Functional Programming in .NET ... By Sudipta Mukherjee
- Clash of the Lambdas by Aggelos Biboudis, Nick Palladinos, Yannis Smaragdakis
- Concurrency in Intrusion Detection Systems: A Study in F# by Deines, Jessica
- Functional Thinking: Paradigm Over Syntax By Neal Ford
- Experience in using a typed functional language for the development of a security application Damien Doligez (Inria), Christèle Faure (SafeRiver), Thérèse Hardin (UPMC), Manuel Maarek (SafeRiver)
I have recently encountered the following error when enumerating through the UserPrincipal.GetAuthorizationGroups collection.
System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.
The problem was the introduction of a domain controller running Server 2012 while the machine running my application was a Windows 7 VM (this applies to Windows Server 2008 as well).
A little googling showed that this SID error is a known issue once a Server 2012 domain controller is introduced into a domain with Windows 7 members: GetAuthorizationGroups() fails on the groups (SIDs) that are added to a user by default.
Installing KB2830145 fixed my problem.
- GetAuthorizationGroups() Fails on Windows 2008 R2/WIN7
- StackOverflow: UserPrincipals.GetAuthorizationGroups An error (1301) occurred while enumerating the groups. After upgrading to Server 2012 Domain Controller
- KB2830145: SID S-1-18-1 and SID S-1-18-2 cannot be mapped on Windows-based computers in a domain environment
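As an added example (not code from the original post), here is a defensive way to enumerate a user's groups that survives the 1301 error on a member that lacks KB2830145: catch the PrincipalOperationException, fall back to the computed tokenGroups attribute, and report SIDs that cannot be mapped as raw SIDs instead of failing the whole call. The domain and account names passed to GetGroups are placeholders chosen by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupEnumeration
{
    // Returns the user's group names; SIDs the local machine cannot map
    // (e.g. S-1-18-1 / S-1-18-2 without KB2830145) come back as raw SIDs.
    public static IList<string> GetGroups(string domain, string samAccountName)
    {
        var result = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found: " + samAccountName);
            try
            {
                // Error 1301 surfaces here, during enumeration, not at the call itself.
                foreach (Principal p in user.GetAuthorizationGroups())
                    result.Add(p.SamAccountName ?? p.Sid.Value);
                return result;
            }
            catch (PrincipalOperationException ex)
            {
                Console.Error.WriteLine("GetAuthorizationGroups failed (" + ex.Message + "); using tokenGroups");
                result.Clear();
            }

            // Fallback: tokenGroups is a constructed attribute holding the SIDs of every
            // group in the user's token (nested and well-known included) as byte arrays,
            // so reading it does not require the local machine to resolve any SID.
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            entry.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in entry.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(sidBytes, 0);
                try
                {
                    result.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    result.Add(sid.Value); // keep the unmappable SID rather than dropping it
                }
            }
        }
        return result;
    }
}
```

Logging which SIDs fell into the unmappable branch tells you quickly whether a member is still missing the hotfix.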
With National Cyber Security Awareness Month just behind us, a shout out to CVE-2014-4114 (MS14-060), a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code on Microsoft Windows versions from Vista SP2 to Windows 8.1 and on Server 2008 and 2012. Yeah, 2012 too.
And here's to POODLE.
POODLE: This dog bites – An infographic by the team at Pluralsight
Threat modeling and diversion tactics: a good high-level overview of software security.
There are only a handful of threat modeling approaches in the industry, and they are difficult to implement because of their subjective guidelines. Our training session will focus on best practices and a hands-on approach that will give attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers; we will look at the threat model through trust zones, asset identification, indirect threats, and ambiguity analysis. We will also speak about secure design concepts and best practices for securing software architecture.
Learning Objectives: At the end of this workshop, participants will be able to:
- Understand the basics of threat modeling software applications
- Understand the meaning of threats, attack vectors, and trust zones
- Learn about ambiguity analysis
- Learn about secure design concepts
- Learn best practices for securing software architecture
I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.
The slide deck of my talk can be downloaded from here: LA C# OWASP Presentation
Links from the talk follow.
- Open Web Application Security Project
- IIS Lockdown tool
- Configuring SSL on IIS7
- Disabling directory browsing
- Preventing Cross-Site Request Forgery (CSRF) Attacks
- How to prevent Cross site scripting XSS using MVC 3
- CSRF Vulnerability in Twitter Allowed Hackers to Read DMs, Post Tweets
- U.S. Says Ring Stole 160 Million Credit Card Numbers
- DDoS and SQL injection are the most popular attack subjects
- FireHost Detects Surge in SQL Injection for Q3 2013 with Cross-Site Scripting Also Rising
- SQL Injection Blamed for New Breach
- Millions of LinkedIn passwords reportedly leaked online
- How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL