<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>chatr</title>
    <link>https://aaronbedra.com/</link>
    <description>Recent content on chatr</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Sat, 29 Jan 2022 00:00:00 -0500</lastBuildDate><atom:link href="https://aaronbedra.com/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>System Design: Failure Encoding and Synthesis</title>
      <link>https://aaronbedra.com/post/failure_synthesis/</link>
      <pubDate>Sat, 29 Jan 2022 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/failure_synthesis/</guid>
      <description>Introduction    The everyday task of handling failure is rarely given much thought. Developers grab whatever is available for the language of choice, and failures are treated as backstops. Because of the general principles adopted by the industry, this works most of the time. When it fails, those failures are handled by the surrounding software and life goes on. But what happens when you want to encode failure in a more systematic way?</description>
    </item>
    
    <item>
      <title>Getting Started With SGX: Seal and Unseal</title>
      <link>https://aaronbedra.com/post/sgx_sealing/</link>
      <pubDate>Sat, 29 May 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/sgx_sealing/</guid>
      <description>Introduction    In my last post I detailed the installation process for the SGX sdk and driver. This post will explore the basics of sealing and unsealing data using an enclave. This won&amp;rsquo;t represent the best practices, or even reasonable security practices. The goal here is to demonstrate the mechanics of shipping data to and from an enclave and performing encrypt and decrypt operations.
The complete example is available in the abedra/sgx_bootstrapping repository.</description>
    </item>
    
    <item>
      <title>Getting Started With SGX: Preparing Your Environment</title>
      <link>https://aaronbedra.com/post/sgx_getting_started/</link>
      <pubDate>Tue, 13 Apr 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/sgx_getting_started/</guid>
      <description>Introduction    In 2015 Intel released Software Guard Extensions. This introduces a new set of instruction codes for Intel CPUs that offer new security options in the way of a hardware enclave. This is just one interpretation, with most popular CPU vendors now offering support. While there&amp;rsquo;s plenty of speculation (pun absolutely intended) around the security of these hardware enclaves, they are conceptually an important step forward in secure computing.</description>
    </item>
    
    <item>
      <title>HTTP at the Edge: Determining Remote Address</title>
      <link>https://aaronbedra.com/post/determining_the_ip_address/</link>
      <pubDate>Mon, 05 Apr 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/determining_the_ip_address/</guid>
      <description>Introduction    When it comes to web applications, almost anything worth deploying in production will be deployed in layers with multiple proxies. This can make understanding the IP address of the actual requester difficult. A basic understanding of who is connecting to you is a valuable asset in managing traffic and making the most efficient use of your assets. I came across a post recently that claimed to bypass CloudFlare&amp;rsquo;s ability to identify an actor.</description>
    </item>
    
    <item>
      <title>On Password Handling</title>
      <link>https://aaronbedra.com/post/on_password_handling/</link>
      <pubDate>Sat, 06 Mar 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/on_password_handling/</guid>
      <description>Introduction    Recently, I&amp;rsquo;ve been thinking through the implications of building an authentication system. The amount of work required to successfully pull off what amounts to a Boolean decision is staggering. One of the more controversial parts of authentication is proper handling of passwords. At this point it&amp;rsquo;s common knowledge that passwords should be hashed, but the how is still very much up for debate. When I work through designing security software, I try to lean on recommendations from the community.</description>
    </item>
    
    <item>
      <title>Addressing Dependency Confusion</title>
      <link>https://aaronbedra.com/post/dependency_confusion/</link>
      <pubDate>Sat, 20 Feb 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/dependency_confusion/</guid>
      <description>Introduction    There&amp;rsquo;s been a lot of discussion recently around dependency confusion and supply chain based attack vectors. Most notably, this post outlines an effective campaign carried out at high scale. This post will cover some techniques for better managing your dependencies and ensuring you don&amp;rsquo;t fall victim to this type of attack.
Much like my other posts on software security, this will focus on rigor and discipline in your software development process, but can be assisted, and sometimes automated, by freely available tools.</description>
    </item>
    
    <item>
      <title>Applying Software Security to Security Software</title>
      <link>https://aaronbedra.com/post/securing_security_software/</link>
      <pubDate>Sat, 06 Feb 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/securing_security_software/</guid>
      <description>Introduction    When it comes to software security, the devil is in the details. When it comes to security software, those details are even more important. Just recently a significant bug was found in sudo, demonstrating that even the most highly scrutinized software can still contain mistakes. Alexis King beautifully captures a method that would have made this bug impossible. Arguably, security software is one of the easier places to justify spending more time on software security.</description>
    </item>
    
    <item>
      <title>Secrets Management: Dynamic Credentials</title>
      <link>https://aaronbedra.com/post/dynamic_secrets/</link>
      <pubDate>Sun, 17 Jan 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/dynamic_secrets/</guid>
      <description>Introduction    In the previous post on secrets management, we explored a light lift into storing your secrets using a Hashicorp Vault instead of leaving them in the configuration file. While this approach solves the secret sprawl problem, it does not address consistent rotation of credentials. Credential rotation for service accounts is often overlooked, and when performed can lead to downtime if performed infrequently. Starting from the assumption that your username and password will be dynamically generated and handed to your process when it starts creates a design that considers all credentials to be ephemeral and eliminates the need for credential rotation.</description>
    </item>
    
    <item>
      <title>Secrets Management: Transparent Secret Injection</title>
      <link>https://aaronbedra.com/post/injecting_secrets/</link>
      <pubDate>Mon, 04 Jan 2021 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/injecting_secrets/</guid>
      <description>Introduction    Making the change to proper secrets management in your software can be a daunting task. The associated lift can be enough to make a team postpone the choice indefinitely. This post provides some design ideas that should help ease the burden. We will set the following goals:
 - Seamlessly swap out real secret values with references to secrets in another system
 - Allow real secrets to continue to be used in the case of secrets management system failure
 Having the ability to &amp;ldquo;break glass in case of emergency&amp;rdquo; should be considered a design requirement.</description>
    </item>
    
    <item>
      <title>Secrets Management: Discovery</title>
      <link>https://aaronbedra.com/post/secrets_management_discovery/</link>
      <pubDate>Sat, 26 Dec 2020 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/secrets_management_discovery/</guid>
      <description>Unfortunately, secrets can live anywhere. During the development process, secrets are plugged into code to ensure it works as intended. Left unreviewed, they live in code until they are discovered by another developer, or worse, uncovered via public discovery. Because we don&amp;rsquo;t truly know where all secrets live, discovery of secrets is a complicated problem. This post will outline common methods for discovery of secrets that you can use to build your initial secrets inventory.</description>
    </item>
    
    <item>
      <title>The Security Minded CTO</title>
      <link>https://aaronbedra.com/presentation/cto_summit/</link>
      <pubDate>Tue, 11 Aug 2020 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/cto_summit/</guid>
      <description>At the foundation of Security lies a command of change. This talk identifies the best way a CTO can support security in their organization by managing the speed and cost of change. Recorded for the virtual 2020 CTO Summit.
  </description>
    </item>
    
    <item>
      <title>Security Gurus Podcast</title>
      <link>https://aaronbedra.com/presentation/security_gurus/</link>
      <pubDate>Mon, 25 May 2020 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/security_gurus/</guid>
      <description>I spent some time with Matias Madou, CTO and co-founder of Secure Code Warrior on the Software Security Gurus Podcast discussing regulation, compliance, security culture, and rigor in software development.
  </description>
    </item>
    
    <item>
      <title>Security &amp; Trust in a Microservices World</title>
      <link>https://aaronbedra.com/presentation/microservice_security/</link>
      <pubDate>Tue, 30 Oct 2018 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/microservice_security/</guid>
      <description>Microservices bring about a series of architectural shifts. One of the most powerful is true separation of concerns. This change brings with it incredible security opportunities. Join Aaron as he demonstrates how to identify and execute on these opportunities. In this session you will explore service and data classification techniques, authentication and access control, and service interface design that respects classification boundaries. If you are interested in, building, or currently using Microservices, this session is a must see!</description>
    </item>
    
    <item>
      <title>Adaptive Threat Modeling</title>
      <link>https://aaronbedra.com/presentation/adaptive_threat_modeling/</link>
      <pubDate>Mon, 19 Jun 2017 18:20:21 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/adaptive_threat_modeling/</guid>
      <description>I had the privilege of presenting at GOTO Chicago 2017. I hosted the security track at the conference and gave a talk on the evolution of Threat Modeling and Risk. This talk builds a basic foundation of what makes up Threat Modeling and how it plays into improving the quality of Risk analysis. The talk goes on to explain the evolution of manual Threat Modeling and Risk Analysis and talks about how to automate systems to arrive at a state of continuous analysis of systems.</description>
    </item>
    
    <item>
      <title>FAIR Notebook</title>
      <link>https://aaronbedra.com/post/fair_notebook/</link>
      <pubDate>Fri, 05 May 2017 12:50:53 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/fair_notebook/</guid>
      <description>I&amp;rsquo;ve been using FAIR methodology for a little over a decade. I was lucky enough to learn about it from Jack Jones and Alex Hutton many years ago. Since then I have continued to use this as a foundation for risk management programs. As it has gained traction a number of people have added their spin on how to use these ideas to quantify risk. I will always highly recommend the folks at RiskLens for both their deep knowledge on FAIR and for the products they offer.</description>
    </item>
    
    <item>
      <title>Orchard</title>
      <link>https://aaronbedra.com/post/orchard/</link>
      <pubDate>Tue, 01 Nov 2016 23:10:29 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/orchard/</guid>
      <description>A while back I was working on a Java version of the Repsheet library. I needed it to be functionally equivalent to the C version. Along the way I realized that once again the world lacks a reasonable library for determining if an IP address is within a CIDR block. As simple as this is people just don&amp;rsquo;t seem to need it. Like the C library I ended up writing something.</description>
    </item>
    
    <item>
      <title>whatsnext</title>
      <link>https://aaronbedra.com/post/whatsnext/</link>
      <pubDate>Sat, 15 Oct 2016 17:46:28 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/whatsnext/</guid>
      <description>Sometimes I sit down with a desire to write some code but no real direction. Sometimes I forget about things that I am supposed to keep up on. Either way, keeping up on personal open source tasks can be difficult. While things may be curated in GitHub issues, they are spread across multiple projects and organizations. With all those repos it&amp;rsquo;s a real pain to keep track of it all. While I was doing some basic learning with go I decided to create a small tool to help with this.</description>
    </item>
    
    <item>
      <title>Layered Security</title>
      <link>https://aaronbedra.com/presentation/layered_security/</link>
      <pubDate>Wed, 12 Oct 2016 21:45:44 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/layered_security/</guid>
      <description>I was invited to speak once again at Windy City Rails. I enjoy this conference because they do a great job with it. It remains a single track conference which I really enjoy. The venue was nice and the people were great. A link to the slides can be found here.
  </description>
    </item>
    
    <item>
      <title>Phoenix</title>
      <link>https://aaronbedra.com/post/phoenix/</link>
      <pubDate>Mon, 10 Oct 2016 18:27:48 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/phoenix/</guid>
      <description>As I looked upon the tragic remains of my site I realized that while I have made plenty of things over the past few years I have failed to keep up with writing about them or the software industry in general. I enjoy writing and I am making a conscious effort to make time to do it on a more regular basis.
I also realized that as I dusted the blog off I was using a severely old version of Octopress and almost nothing worked anymore when I tried to create new content.</description>
    </item>
    
    <item>
      <title>Scaling Web Security</title>
      <link>https://aaronbedra.com/presentation/scaling_web_security/</link>
      <pubDate>Mon, 10 Oct 2016 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/scaling_web_security/</guid>
      <description>I recently had the pleasure of meeting the fine folks at CrossChx and presenting at their monthly scaletech meetup. I talked about some of the challenges present in securing web applications and what we can do to improve security as we scale. I hope you enjoy the video below. The slides are available here.
  </description>
    </item>
    
    <item>
      <title>Adaptive Security</title>
      <link>https://aaronbedra.com/presentation/adaptive_security/</link>
      <pubDate>Sun, 27 Dec 2015 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/adaptive_security/</guid>
      <description>As humans we process information as it is presented to us. We use the information presented to us to decide on how to react and possibly adapt to the current situation. This trait has a lot of advantages and has served us well over many years. Our approach to the security of our systems should be much the same. This presentation introduces patterns for processing potentially malicious activity and weaving an adaptive security system.</description>
    </item>
    
    <item>
      <title>Formal Verification of Secure Software Systems</title>
      <link>https://aaronbedra.com/presentation/formal_verification/</link>
      <pubDate>Sat, 17 Oct 2015 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/formal_verification/</guid>
      <description>Designing secure systems is a very difficult task. Even the smallest issues can have devastating consequences. As designers of these systems we have to do everything in our power to ensure that these systems function as intended. Join Aaron as he demonstrates techniques for formally verifying security systems. These tools demonstrate the power of functional languages as verification systems against both functional and imperative software systems. You will learn how to create functional models and use them to prove the correctness of your security systems.</description>
    </item>
    
    <item>
      <title>Rock &#39;Em Sock &#39;Em Robots: Bot Swatting Like the Pros</title>
      <link>https://aaronbedra.com/presentation/rockem_sockem_robots/</link>
      <pubDate>Tue, 14 Jul 2015 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/rockem_sockem_robots/</guid>
      <description>Keeping a multi-faceted system running is hard work. It&amp;rsquo;s even harder when you have to deal with the day to day nonsense that happens on the web. Gathering the data you need to drive your business is also a tricky game. It is made even more complicated by all of the bots running around messing up the place. And the attacks. Oh the attacks. Every day all day with the attacks&amp;hellip;</description>
    </item>
    
    <item>
      <title>Building Custom NGINX Modules</title>
      <link>https://aaronbedra.com/presentation/nginx_modules/</link>
      <pubDate>Tue, 04 Nov 2014 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/nginx_modules/</guid>
      <description>This talk explains how to write custom modules for NGINX in C. It goes into detail about how NGINX handles requests and how and where to insert your modules to get the desired result.
  </description>
    </item>
    
    <item>
      <title>Deterministic Memory Management for Managed Runtimes</title>
      <link>https://aaronbedra.com/presentation/dmm/</link>
      <pubDate>Tue, 21 Oct 2014 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/dmm/</guid>
      <description>Following close on the heels of Heartbleed we have seen a resurgence in questioning C as the implementation choice for critical infrastructure. With performance innovations on managed runtimes, the option to implement more and more critical pieces in alternative languages is becoming tangible. Of course this brings along with it a different set of problems. To rewrite a system like OpenSSL, or even just to implement SSL/TLS on top of a managed runtime, there are some serious obstacles to overcome.</description>
    </item>
    
    <item>
      <title>The Future of Security isn&#39;t Preventing Attacks</title>
      <link>https://aaronbedra.com/presentation/future/</link>
      <pubDate>Mon, 11 Aug 2014 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/future/</guid>
      <description>Every year billions of dollars are spent on preventing breaches. While some of these systems are doing a sufficient job of keeping data away from the hands of attackers, it has become clear that there is no real way to prevent breaches with 100% certainty. Of course time should be spent building proper controls, but if we hope to survive the next decade, we need to focus on detection and remediation.</description>
    </item>
    
    <item>
      <title>Tales From The Crypt</title>
      <link>https://aaronbedra.com/presentation/tales_from_the_crypt/</link>
      <pubDate>Thu, 22 May 2014 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/tales_from_the_crypt/</guid>
      <description>In this talk, three Rails security specialists will take a journey through a terrifying Rails application to illustrate common security problems we have seen in the real world. The discussion will include how to identify, fix, and prevent the issues with an emphasis on practical advice. Along the way we will share our experiences and perspectives concerning securely implementing applications. We hope it is a bit scary, and yet fun &amp;hellip; like a horror movie!</description>
    </item>
    
    <item>
      <title>clojure.web/with-security</title>
      <link>https://aaronbedra.com/presentation/clojure_web_security/</link>
      <pubDate>Mon, 24 Mar 2014 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/presentation/clojure_web_security/</guid>
      <description>Web development libraries for Clojure have started to mature, but there are still quite a few gaps. Although there has been some activity in securing Clojure web applications, there has not been much of an effort into documenting the options or even explaining what should be done. This includes authentication and password management, securing application responses and options, as well as code review and deployment.
This talk will explore what is available, what is coming, and what does not yet exist in any open and consumable fashion.</description>
    </item>
    
    <item>
      <title>Getting Started with ModSecurity</title>
      <link>https://aaronbedra.com/post/getting_started_with_mod_security/</link>
      <pubDate>Tue, 08 Jan 2013 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/getting_started_with_mod_security/</guid>
      <description>We all know that publishing a website or web based application is the start to a long journey. A lot of care and effort goes into making sure everything is just right. The idea of being &amp;ldquo;safe&amp;rdquo; or &amp;ldquo;secure&amp;rdquo; is just that, an idea; a pipe-dream if you will. The sooner you realize that you&amp;rsquo;re always behind, the sooner you can let go and focus on the things that matter. What matters more than anything is understanding what is going on with your site.</description>
    </item>
    
    <item>
      <title>MySQL/MariaDB memcmp Vulnerability, Are you Vulnerable?</title>
      <link>https://aaronbedra.com/post/mysql_memcmp_vulnerability/</link>
      <pubDate>Mon, 11 Jun 2012 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/mysql_memcmp_vulnerability/</guid>
      <description>A vulnerability was recently announced that allowed an attacker to successfully authenticate against a database without the correct password. The issue was a call to memcmp that returned a value outside of the standard -128..127 range. To view the full announcement you can visit http://seclists.org/oss-sec/2012/q2/493.
Testing your install    You can do a quick test to see if you are affected. Find the location of your mysql install and fire up gdb.</description>
    </item>
    
    <item>
      <title>Sleight of Hand for the Ruby Man</title>
      <link>https://aaronbedra.com/post/sleight_of_hand_for_the_ruby_man/</link>
      <pubDate>Thu, 12 Jun 2008 00:00:00 -0500</pubDate>
      
      <guid>https://aaronbedra.com/post/sleight_of_hand_for_the_ruby_man/</guid>
      <description>Chad Humphries pointed me to this tasty bit of code. Since Ruby so graciously lets you open up classes anywhere, it&amp;rsquo;s nice to know where the right place to debug is. Simply put the following code into a globally accessible place (I just used .irbrc) and you will have the method available.
module Kernel
  def where_is_this_defined(settings={}, &amp;amp;block)
    settings[:debug] ||= false
    settings[:educated_guess] ||= false
    events = []
    set_trace_func lambda do |event, file, line, id, binding, classname|
      events &amp;lt;&amp;lt; { :event =&amp;gt; event, :file =&amp;gt; file, :line =&amp;gt; line, :id =&amp;gt; id, :binding =&amp;gt; binding, :classname =&amp;gt; classname }
      if settings[:debug]
        puts &amp;#34;event =&amp;gt; #{event}&amp;#34;
        puts &amp;#34;file =&amp;gt; #{file}&amp;#34;
        puts &amp;#34;line =&amp;gt; #{line}&amp;#34;
        puts &amp;#34;id =&amp;gt; #{id}&amp;#34;
        puts &amp;#34;binding =&amp;gt; #{binding}&amp;#34;
        puts &amp;#34;classname =&amp;gt; #{classname}&amp;#34;
        puts &amp;#39;&amp;#39;
      end
    end
    yield
    set_trace_func(nil)
    events.</description>
    </item>
    
  </channel>
</rss>
