Black Ops Of Fundamental Defense: Web Edition presented at Blackhat USA 2010

by Dan Kaminsky,

Tags: Security Web

Summary : Lets be honest: Year in, year out, we keep finding the same bugs in the same places, and wondering: Why don't they learn? Why don't developers use these beautiful tools we provide them -- parameterized queries, XSRF tokens, X.509 certificates, and escapes in all their glorious forms? I will tell you: It is because these tools are not very good. And they are not very good, because their quality simply has not mattered. Security demands, devs implement, and if devs don't implement, security complains. And six months later, it's the same bugs, in the same places, by the same devs. It doesn't have to be this way. In this talk, I will discuss the theory that most classes of security flaws are actually symptoms of deeper causes. Furthermore, I will present attempts at addressing these causes. Specific areas of investigation will include potential answers to questions, specifically: 1) Why can't we keep code and data separate? 2) Why can't we log into web sites? 3) Why can't we authenticate across organizational boundaries? By answers, I mean code, and by code, I mean _a lot_ of code. I will not provide any assurances that the code is secure -- only extended peer review can do that -- but I want to show another way of doing things. This talk is going to be packed with live demos.