Last Wednesday, 6 May, I took part in the first edition of the Better Software conference in Florence, with a talk titled “Project management 2.0”.
The talk is about the evolution of this discipline, partly under the influence of agile methodologies and with the arrival of real collaboration tools in the so-called social web.
The presentation is divided into two parts: in the first I try to retrace the evolutionary stages of project management, passing through the agile manifesto and the declaration of interdependence of modern project management. In the second the approach is a bit more practical, and I highlight what should be the main characteristics of the software tools that help project managers, also reviewing a few products.
Many of those present, whom I thank for the interesting discussions that followed the talk, asked me whether the slides could be downloaded somewhere. Since, however, the presentation consists almost exclusively of images without text, I decided to include an audio commentary as well, which you will find at the end of this page.
I would have liked to use the audio recorded in the room, but through my own carelessness I did not manage to. The organizers, however, have an audio and video recording of all the talks. As soon as they are available I will replace the audio I made at home, decidedly monotonous, with the one from the conference, which is certainly more interesting.
Some people also asked me how I made a presentation of this kind, atypical compared to the canons of presentations one is usually used to. I will devote my next post here on Fucinaweb to that (you can find part of the bibliography I used in Progettare una presentazione).
This will be my last post regarding this year’s Web 2.0 Expo, of which I attended the first 2 of 3 days. It’s time for conclusions and votes, but also for some quotes that didn’t fit in my previous posts.
In today’s scenario I could not have started Fon – Martin Varsavsky
There are times when markets are prepared to give entrepreneurs ridiculous money and times when their refusals are ridiculous – Martin Varsavsky
In America many users of Fon are Bills, while in Japan they are Linuses. That’s because Americans want to earn money, Japanese like to give something to others – Martin Varsavsky
Developing an interaction audit for eBay was not like following a strict blueprint – Josh Damon Williams
Adobe AIR sucks! – Alex Stamos (Actually he didn’t tell that, but this is a good summary)
If you do the right thing, it’ll come back to you – Yossi Vardi
A very interesting and informative talk dealing with the new types of attacks that affect web 2.0 applications and RIAs in particular.
The session was divided into two parts, the first about AJAX and the second about Rich Internet Applications (RIA).
The slides of this talk are available on SlideShare and are impressive for their completeness. Not only do they provide detailed examples for every case illustrated, but they also link to a series of articles and web resources.
The main problem with this talk is that it is almost impossible to be specific enough while, at the same time, not getting too deep into details. This resulted in some hard-to-understand parts.
AJAX
In general, attacking an AJAX application is more difficult than attacking a web 1.0 site. On the other hand, it is also more difficult to protect an AJAX application, because there are more ways to exploit it and new ones are discovered every day.
Not all “web 2.0” sites use new technologies (YouTube and MySpace, for example).
A single MySpace page has a lot of includes.
Google Maps also has a lot of includes, but of JavaScript code. Google code can potentially be insecure.
Why care about web 2.0 security
People have changed how they interact with web sites (they erase privacy barriers and do not feel the distance; these are the new generations).
Technologies spread from innovators to traditionalists (today AJAX is in financial institutions, health care and government): it has gone mainstream.
Bugs are affecting people now
Discovery and method manipulation
Playing with parameters is still an excellent web attack (asking the application to do the work for you). As business logic gets more complex, so do parameter vulnerabilities.
Figuring out web apps is the tough part of a pen-test.
Two types of AJAX apps
client-server proxy (equivalent to SOAP; the client hides the JavaScript)
client-side rendering (we can see the JavaScript and know what it does)
Cross Site Scripting
Downstream communication methods are much more complicated
User-controlled data might be contained in arguments of dynamically created JavaScript, in JavaScript arrays, etc. As a result, both attack and defence are more difficult.
Four bugs
Downstream JS arrays: dangerous characters.
XSS payloads can be tucked into many places.
XSS might already be in the DOM (document.URL, document.location, document.referrer).
AJAX uses “backend” requests that were never expected to be seen directly in the browser.
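As an added example (not code from the talk or from the original post) of the downstream JavaScript-array case above: an AJAX endpoint returning user-controlled values inside a JavaScript array literal, first with naive concatenation and then with a hardened encoder, plus a check a test suite can run to confirm the generated script still parses back to the original values. The names buildArrayNaive, buildArraySafe and roundTrips are hypothetical, and the sample values are constructed.

```javascript
// Hypothetical helpers for a "downstream" AJAX response that the page evals or
// injects into a <script>; not the talk's code.

// Naive builder: string concatenation. A value holding a quote or a closing
// </script> tag breaks out of the literal, which is the downstream-array XSS
// the talk describes ("dangerous characters").
function buildArrayNaive(values) {
  return "var results = ['" + values.join("','") + "'];";
}

// Hardened builder: JSON.stringify yields correctly quoted and escaped string
// literals; the extra replacements cover what JSON leaves open in an HTML/JS
// context: '<' so that "</script>" cannot end an enclosing script block, and
// U+2028/U+2029, which JSON allows raw but JavaScript treats as line breaks.
function buildArraySafe(values) {
  const json = JSON.stringify(values.map(String))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var results = " + json + ";";
}

// Check for a test suite: the generated script must not contain a script-closing
// tag, and evaluating the array literal must give back exactly the input values.
// (new Function is used only to parse our own generated text inside a test.)
function roundTrips(script, values) {
  if (/<\/script/i.test(script)) return false;
  const m = /^var results = ([\s\S]*);$/.exec(script);
  if (!m) return false;
  let parsed;
  try {
    parsed = new Function("return " + m[1] + ";")();
  } catch (e) {
    return false;
  }
  return Array.isArray(parsed) && parsed.length === values.length &&
    parsed.every((v, i) => v === String(values[i]));
}

// Constructed sample: a benign value and one carrying a quote and a closing tag.
const SAMPLE = ["firenze", "o'brien</script>"];
```

With SAMPLE, the naive builder produces a script that both fails to parse and contains a closing tag, while the hardened one round-trips cleanly.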
RIA
RIA is ill-defined: the term covers many things, such as AJAX, Flash, offline mode and decoupling from the browser. There is a huge disparity in features and security design.
Why use RIA
to increase responsiveness
desktop integration
to write full desktop apps
RIA Frameworks
No framework is without limits and security problems. The worst seems to be Adobe AIR, because it shows all the limits of the very old ActiveX model.
The frameworks:
Adobe AIR
Microsoft Silverlight
Google Gears
Mozilla Prism
Adobe AIR
Full-featured
Cross-browser, cross-platform
Created with Flex, Flash
Can be invoked by the browser with arguments, like ActiveX or Flash
AIR is best thought of as ActiveX rather than as Flash++ (code runs with full privileges and can install malware)
SWF files can import functionality that allows them to interact with AIR applications
SWF files can check install status and version
By default, code included in AIR application has full rights
There is no “code access security” model like the one in Java or .NET
AIR has many ways of loading executable content to run, such as HTML/JS and SWF
AIR applications can be bundled as binaries
Problems: allowing users to install signed applets is dangerous. Allowing self-signed ones is terrifying
Some suggestions for Adobe: change the default action, disable unsigned install prompts
Silverlight
A lot of sensitivity toward security
It is Microsoft’s equivalent of Flash
Cross browser and cross platform
A subset of the .NET framework
The security model is based on .NET
Calling system primitives will fail. You need to isolate it
What could go wrong: threading, DoS attacks against the local system
Google Gears
Has SQLite embedded
Uses a homegrown API for synchronizing data
Has a LocalServer
Works offline via SQL database, local assets and a local app server
Uses same-origin restrictions to control access to site databases and LocalServer resource capture
Provides for parametrized SQL
Unfortunately it allows personalization of the opt-in screen
Yahoo! Browserplus
A very bad idea
Runs as a browser plugin, with a separate helper process
It is very similar to ActiveX in concept
Uses an old version of Ruby. Perfectly safe as long as you don’t use strings and arrays
Mozilla Prism
Wraps web apps so that they appear as desktop apps
Standalone browser instance
Problem: the JavaScript included with web apps has full XPCOM privileges (but no content scripting privileges)
Problem: the sandbox isn’t real
HTML 5
HTML 5 introduces some new concepts related to the storage of information.
Introduces DOM storage (sessionStorage, localStorage, database storage)
The major goals are more storage space and real persistence, because cookies are considered too small and users delete cookies or won’t accept them.
This method bypasses pesky users, who can however use a specific about:config directive.
Browser based SQL Databases
Injection becomes far more damaging (because of the many privileges)
Checklist
prevent predictably named data stores
parametrize SQL statements
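As an added example (not code from the talk or from the original post) for the “parametrize SQL statements” checklist item: a Web SQL-style tx.executeSql(sql, args) call is simulated with a recording stub so it runs outside a browser, and a small statement-shape check shows why a bound parameter cannot change the query while a concatenated value can. The notes table, the function names and the input values are hypothetical or constructed.

```javascript
// Stub standing in for a Web SQL transaction object: it only records what it
// was asked to run, so the example works in Node without a browser database.
function makeRecordingTx() {
  const calls = [];
  return { calls, executeSql(sql, args) { calls.push({ sql, args: args || [] }); } };
}

// Vulnerable: the user-supplied title is spliced into the statement text, so a
// quote inside it is interpreted as SQL.
function findNotesConcat(tx, title) {
  tx.executeSql("SELECT body FROM notes WHERE title = '" + title + "'");
}

// Hardened: the statement text is fixed and the value travels as a bound
// parameter, which is what the checklist item recommends.
function findNotesParam(tx, title) {
  tx.executeSql("SELECT body FROM notes WHERE title = ?", [title]);
}

// "Shape" of a statement with every literal replaced by '?'. If a value changed
// the shape, it was interpreted as SQL rather than as data; comparing against
// the shape of the template is a cheap check a test suite can apply.
function sqlShape(sql) {
  return sql
    .replace(/'(?:[^']|'')*'/g, "?")   // quoted string literals ('' escapes)
    .replace(/\b\d+(\.\d+)?\b/g, "?")  // numeric literals
    .replace(/\s+/g, " ")
    .trim();
}

// True when every statement the stub recorded has the template's shape.
function shapePreserved(tx, template) {
  const want = sqlShape(template);
  return tx.calls.every(c => sqlShape(c.sql) === want);
}

// Constructed inputs: the expected template, a benign title and a title that
// ends the string literal early.
const TEMPLATE = "SELECT body FROM notes WHERE title = ?";
const BENIGN = "shopping list";
const HOSTILE = "x' OR '1'='1";
```

The concatenated query keeps its shape only for the benign title; with a parameter the statement text never changes and the value is visible in args instead.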
Summary
RIA frameworks widely vary in their security models
It is highly likely that web developers will introduce interesting flaws into their desktop applications.
Alex Stamos is a Founding Partner of iSEC Partners, Inc., a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP AppSec. He is a contributing author of “Hacking Exposed: Web 2.0” and holds a BSEE from the University of California, Berkeley.