Forum OpenACS Q&A: OpenACS ISECOM Security Testing
the Project/Open team (http://www.project-open.com/) has just started to engage in a security certification process with Pete Herzog from ISECOM (http://www.isecom.org/osstmm/). Do you have any pointers about past efforts in this direction (both people and documents)?
We haven't really stated yet, but I think there are already several questions/issues popping up:
- The testing is going to include the OpenACS base modules. However, none of our group has write permissions to the OpenACS core. So we would need the support from somebody in the "core group". Would we get support from you? Who would be interested to collaborate, to discuss issues and/or to submit patches?
- How would OpenACS upgrades work out once we would have a certification? Certifications are quit expensive, and not every new version of OpenACS could be certified... Would it make sense to maintain a "certified code branch" (say 5.1.x for example) while development continues with 5.2.x? Would people backport security updates for example from 5.2 to 5.1?
Such a certification is going to be a huge differentiator for Project/Open, because none of our competitors can offer something similar. I would be happy if the same would hold for OpenACS...
Bests,
Frank
mailto:frank_dot_bergmann_at_project-open_dot_com
http://www.project-open.com/
What do you mean by "support"? As for the certification, we always keep a stable and a development branch. Though certification for each stable branch would be awesome, I think it might be too costly in the end.
In any case, this is a very good initiative and will be a major selling argument, so thanks a lot for taking this on.
</blockquote>
I don't know myself yet, because we haven't started yet to dig into the code. The first phase will be to identify a list of possible types of vulnerabilities, such as:
- "$" instead of ":" variables in SQL
- incomplete ad_page_contracts
- Admin pages without a check that the user is admin or P/O pages without apropriate permissions
- pages where commands are passed as a variable(?!)
- ...
I know the ACS 3.4 code pretty well, but I'm lacking in-depth knowledge of many 5.x areas, so we would need here there to think of vulnerability types.
<blockquote> we always keep a stable and a development branch.
</blockquote>
The costs for a certification are some €10.000. That's definitely too much for any stable branch, so the lifetime of the certified branch should be a year or even several years. Is that possible? What consequences would that have?
Bests,
Frank
http://www.giac.org/practical/GCUX/Mark_Riedesel_GCUX.pdf
Not too much openacs / aolserver specific however.
We could set up some automated tests that would help (but not solve) the challenge of making sure that the security holes remain closed.
I'm really happy to see more security-conscious people involved with OpenACS. It has a pretty good track record, but the more scrutiny, the better, I think.
What guarantee does €10.000 for their testing bring? Lets say they analyze it and miss a bug -- do they refund the fee? What is their liability for security issues? Is there a listing somewhere of other software that they have certified? Google shows very few links to their site. My first impression is that not many people have paid the fee to become certified. Is he licensed in New York? Does he hold valid business insurance? Have you done the due diligence on his certifications before sending any money? What is ISECOM's expertise in TCL? Will they have onhand experts to determine security problems?
Secondly, is a company claiming an industry wide certification program that has broken links and domains that don't exist one that people will trust? I click on their Forums link, and get redirected to a site in Canada which doesn't resolve. I guess if I registered that domain name and set up a forum base, and asked people to reregister with their info, I could get their passwords from the partner area since people rarely use different passwords for different sites -- seems like a rather large security hole. However, it does appear to be registered to someone else alongside the organization, but, it sure raises questions.
Will flying a 'certified' banner on your site make your new clients less vigilent because it is certified secure? A client's site is only as secure as you make it. Its a battle we fight every day -- trading security for client ease-of-use. In another thread there is an issue with included html code and cross site scripting. By no means a new issue, but, a pretty important one. When a client asks you to do something that goes against the recommendations of your certification, that invalidates the protection that you have offered, and releases ISECOM's liability, right? Will the change order document you have them sign stand up to your lawyer and insurance company lawyer's scrutiny?
I think what you are doing is good for the community, but, OpenACS has a development environment and is a moving target. I have a feeling you'll either have to fork OpenACS and maintain a secure-stable branch, or recertify each time there is an upgrade. After the recommendations are made, will the report be made public so that a best-practices document might be written for new packages that are written and perhaps an internal audit of modules not in the core? You might ask some of the existing developers on the project whether that money could be put to better use. Honestly, I don't feel that someone not intimately involved with the code will be able to see potential security issues. For instance, will ISECOM see the potential security problem in a categorized revision item in the content repository? Is 120 hours enough time for them to get up to speed with CR so that they can determine whether there are security issues at hand? I only choose 120 hours based on the USD rate that they are charging ($100 USD/hr estimate).
Personally, I did not get a warm feeling surfing their site and wouldn't put a lot of trust behind that certification. Secondly, I would think a professional organization with a parent company of Ideahamster will certainly have the Fortune 500 CEOs scratching their head before signing that check. I can see the conversation now:
Its certified by who? Ideahamster, you know, the guys that run Hacker High School.
Secondly, I would love to get a contract with GIAC. If I could bill a client two hours for disabling root access in ssh on two machines and keep a straight face, I would be rich.
I think your motives are good and I applaud your efforts. As an outsider looking at the community I appreciate what you are trying to do. Before you write that check, do a little due dilligence on that company.
One of the things I've been evaluating is the ecommerce module -- aside from security issues, it doesn't pass Visa's CISP requirements. So, even if ISECOM said there were no issues regarding security in the ecommerce modules, Visa would still levy a fine of $50k if someone did manage to find a bug and get to the data. My E&O insurance would be liable in the event of a breach. Making this comment just invalidated their liability. A client certainly wouldn't expect to have to pay that fine if they are paying someone else to manage their server.
My position is that the money could probably be better spent educating the developers on security issues than paying for a certification of questionable value. In the long run, EUR 10k would pay for a few technical writers to write best-practice documents and perhaps an external review of the code with some lintian analysis to find potential issues.
I could be wrong.
telnet isecom.org 80
Trying 216.92.116.13...
Connected to isecom.org.
Escape character is '^]'.
GET /forum/ HTTP/1.0
Host: isecom.org
HTTP/1.1 200 OK
Date: Tue, 01 Jun 2004 15:07:41 GMT
Server: Apache/1.3.29
Connection: close
Content-Type: text/html
<html>
<head>
<meta HTTP-EQUIV="Refresh" CONTENT="1; URL=http://www.isecom.ca/forum">
<title>Institute for Security and Open Methodologies/title>
</head>
<body>
</body>
</html>
thanks a lot for your involvements and your great comments. Well, I didn't tell you that we got a special deal with ISECOM... I have forwarded your comments to Pete so that he can react to it. And yes ISECOM has tight links to Ideahamster.
<blockquote> Google shows very few links to their site.
</blockquote>
I seems open-source methodologies suffer the same image problems os software used to... I know from Pete that the DoD itself is auditing a large part of its computers using his manuals, but they are unwilling to talk publicly about ti. It's a nice reference customer thought...
<blockquote> liability
</blockquote>
It seems you are pointing out a correct problem. Unfortunately this problem is _know_ to have no solution, so the strategy seems to be to look for different problems... 😊
In particular we will have to distinguish between the scope of certification and the general improvement of security of OpenACS and Project/Open. It's not the same thing, so we will need to do both, even if general security enhancements and increased security awareness from the developers side cannot be certified.
Alwin Egger, a senior developer at P/O is going to handle the certification process. We are currently clarifying the procedure and preparing a project plan for the next three months.
In particular he is going to coordinate a list of known vulnerabilites and security issues, both resolved ones and open ones, as a base. In a second step he is going to check the code for these vulnerabilites. So _he_ and not the ISECOM guys are going to do the real work. It would be great if you could help him by contributing know issues with the code, such as the "categorized revision item" you are mentioning.
Hope that makes a bit more sense...
Bests,
Frank
Perhaps I can answer some of the outstanding questions because I think confusion started when Frank didn't explain the whole situation.
Ideahamster was the original name of the open source documentation group who wrote a few methodologies on secure programming and security testing. In December 2003 we bacame an official non-profit in both New York and Spain. We did this because the name "ideahamster" was not well received by official types.
I'm not sure where you find our website to be less than adequate as many OS websites have broken links occassionally since we have no manpower to maintain it as often as corporate ones. We lost our Canadian mirror hosting the forum to a faulty motherboard but other than that, we still own the domain name and can still control where it points so I don't see how anyone else could set it up and misdirect people. I suppose this could be done by anyone to anyone who controls a a DNS server used by a large number of people, like an ISP, but then it wouldn't actually be that widespread.
About the proposed certification-- about 1 year ago we were asked to create a methodology for which one can measure the deltas of software in their environment. This is not the same as securing software through code. This does mean measuring the security of software and all 3rd party components needed to run in certain environments as well as the installation (default) configuratons. We did this. The worth of such a test is dependent on the size and scope of the softwares with associate environment. Our first contact to make the methodology put the price at $10,000US. As I ran into Frank at the university, I explained this to him and our discussion lead to the proposal-- we would certify his solution in return that he works with us to refine the process into a service we may offer in the future on a regular basis. However, we would only be the accrediting authority and not the testers. This requires that the process be sound which is what we want from Frank's support.
Frank's certification requires us to examine the installation of OpenACS as well as other components of his solution. We did ask Frank to verify the software code himself and we have helped already one of his project people on the methodology of testing source code. While verifying source code improves the product's security, it is not required for a delta certification. It's in his (and everyone's) best interest that the solution is secure.
As for Visa's CISP and CISA, they are part of our generic methodology (www.osstmm.org) and our delta methodology therefore it would be verified for compliancy. In this case, we ascertain if even there were to be a bug, the solution would fail securely and proper loss controls would assure no ensitive data is surrendered.
I hope this helps.
Sincerely,
-pete.