Hey reddit! We're from IBM's Application Security team, and we'll be here at your disposal to answer questions that you might have. Discussion topics in this session will include cloud-based security and mobile security in the application development space.

Panelists Include:

Douglas Wilson, Distinguished Engineer, CTO for Vulnerability, Risk and Compliance Management

Jeff Turnham, Application Security Architect – AppScan Products

Larry Gerard, Program Director – Application Security Product Management

Shahar Sperling, AppScan Architect – Dynamic Analysis

John Peyton, AppScan Architect – Static Analysis

Roee Hay, Application Security – X-Force Application Security Research Group Lead

Vio Onut, Application Security – Architect and Research Lead, Adjunct Prof. at University of Ottawa

Paul Ionescu, Ethical Hacking Team Lead, SEF + PSIRT Brand Lead

Our Proof: http://securityintelligence.com/events/reddit-ama-with-ibms-application-security-team/#.VVNWntwgrKA

EDIT: Thanks everyone for your questions! We're wrapping up now. Here are a couple links to our most popular blog posts on the topic:

thefoolofemmaus9 karma

Thanks for being here! Few questions:

  • What is the most common application security flaw you see, and how can we fix it?

  • How do you develop a "OpSec is everyone's responsibility" mindset within an organization?

  • What is the top end user bad security habit, and how as developers can we address it, either culturally or via coding practices?

CrazyAboutCode8 karma

To your second question, just last night I talked about this with a local OWASP chapter. The consensus was that it starts by modest goal setting, and then giving visibility to team progress. Trying to get the team in the habit of treating vulnerabilities as "bugs".

thefoolofemmaus1 karma

Thanks for the answer, Doug. As a follow up, how do you recommend we engage with our user community to foster security mindset?

CrazyAboutCode1 karma

Chipping in for Doug here (I'll let him embellish as he desires).

I think you want to assume that developers are interested in writing secure code, especially given the public visibility of exploits in the media.

A good starting point is to educate users about the common vulnerabilities, what they are, what the consequences are, and what they look like in code. Some links for descriptions of application vulnerabilities or weaknesses are:

OWASP: https://www.owasp.org

WASC: http://www.webappsec.org

SANS: https://www.sans.org/critical-security-controls/

CWE: https://cwe.mitre.org/


gmfpanda1 karma


There is no appsec.org I can see. Your search - site:appsec.org - did not match any documents.

CrazyAboutCode1 karma

We are correcting the URL above. Here's the correct one: http://www.webappsec.org/ Thanks for letting us know! Neil Jones

gmfpanda1 karma

Thanks, FYI that link gets "Secure Connection Failed" in the above correction. I.e., don't make it https where you put "WASC: https://www.webappsec.org".

CrazyAboutCode1 karma

Got it. Thx.

CrazyAboutCode1 karma

Thanks again for your question- For additional information about the OWASP Top 10 Threats- and how to address them- please check out our recent blog: http://securityintelligence.com/the-10-most-common-application-attacks-in-action/#.VVNt-GMUTst This content may be shared via social media if you (and other members of this forum) want to. Have a great day! Neil Jones

CrazyAboutCode1 karma

Here's one of our recent blogs about OWASP Top 10 vulnerabilities that you might want to refer to: http://securityintelligence.com/the-10-most-common-application-attacks-in-action/#.VVN242MUTst Once again, it may be shared via social media if your colleagues might find it beneficial. Thanks! Neil Jones

CrazyAboutCode0 karma

And just to add to Doug's comments. One of my jobs as an Architect is to consult with some of the largest organizations around the world on what it takes to roll out security programs at scale. What it usually comes down to is a series of best practices that include:

  • Executive Sponsorship - most dev teams need a solid nudge towards thinking about security as table stakes for their daily work

  • Security by Design - considering Security very early in the development lifecycle with threat-modelling and early validation of code

  • A layered approach to security assessment tools - integrating tightly into existing workflows such as Continuous Integration or DevOps processes. Also building tight feedback loops between security testing and developers so they are made aware of newly found issues as soon as possible. And applying a variety of analysis techniques (static analysis, dynamic analysis, manual penetration testing, etc.)

  • And perhaps most importantly the security efforts going on across the organization need to be tracked and visible so that attention and investments can be directed towards the most risky parts of the organization's portfolio

Jeff Turnham

gmfpanda2 karma

  1. How do you go about teaching SDLC stakeholders how to threat-model on a large scale if you had to assume very limited resources?

  2. Furthermore, in today's AGILE SDLC world, how do you see threat-modeling working in that framework?

CrazyAboutCode2 karma

Re: 2, I think that the threat model should be part of the initial architecture sprints. From there, the countermeasures indicated by those threats should become stories and be prioritized like all stories.

If necessary you can treat the whole of the threat modeling practice as an epic for the project.

CrazyAboutCode2 karma

Great questions, and they both actually highlight one "anti-practice" we see: teams investing far too much into trying to build up tooling and heavyweight process and workflow around Threat-Modelling.

Threat Modelling really needs to be as light-weight as it can be so that it can serve its purpose but not slow down development, especially Agile development. So to answer your two questions:

  1. For teams that are new to threat modelling it is best to start modestly. Simply have a team lead or architect draw out the primary components of the system on a whiteboard and start to discuss the integration points and the possible weaknesses. If only a few weaknesses are identified that hadn't been previously considered, then that means you are moving in the right direction. Over time, teams can start to put more process in place, have their threat modelling done in design tools, have mitigations tracked and so on.

  2. I can use our own development efforts as an example. We build our own products with an Agile SDLC (3 week sprints) and we include threat model review and mitigation as part of our acceptance criteria for stories we take on each sprint. In most cases the threat model review doesn't need to take more than an hour each sprint and we treat the mitigations just like other defects that must be fixed before considering the stories to be done.

- Jeff

CrazyAboutCode6 karma

Great series of questions! To learn more about making "AppSec everyone's responsibility" at an organization, check out our blog: http://securityintelligence.com/making-the-case-for-application-security/#.VVNrDWMUTss You (and all members of this chat) can feel free to share the content via social media, if you wish. Thank you! Neil Jones

CrazyAboutCode4 karma

On the bad security habit...the biggest one by far is lack of input validation. I have seen in my experience applications accepting SQL statements in numeric id parameters.

CrazyAboutCode3 karma

Re your first bullet, we still see a lot of injection vulnerabilities (e.g. SQL Injection). One should always validate and/or sanitize user input. In the specific case of SQL injection, one should use parameterized SQL queries.

My team has also been researching the space of mobile vulnerabilities. In Android, we see a lot of vulnerabilities related to bad validation of Inter-App Communication messages (Intents).
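The flaw Vio and Roee describe above (a numeric id parameter that accepts an SQL statement) and the fix they recommend (validate the input, use parameterized queries), as an added example written for this thread; it is not code from the AMA or from IBM, and uses a constructed in-memory SQLite table and a constructed hostile parameter value:

```python
"""Added example: a numeric-id lookup that accepts SQL beside the validated,
parameterized version. Uses a constructed in-memory SQLite database."""
import re
import sqlite3


def make_db():
    # Constructed sample data; any real application would have its own schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    # The defect from the thread: the untrusted 'id' parameter is spliced into
    # the statement text, so whatever it contains is parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE id = " + raw_id).fetchall()
    return [r[0] for r in rows]


_ID_PATTERN = re.compile(r"[0-9]{1,18}")


def parse_id(raw_id):
    # Input validation: accept only a plain decimal integer. Anything else
    # (spaces, keywords, quotes, signs) is rejected before reaching the database.
    if not _ID_PATTERN.fullmatch(raw_id):
        raise ValueError(f"invalid id parameter: {raw_id!r}")
    return int(raw_id)


def lookup_safe(conn, raw_id):
    user_id = parse_id(raw_id)
    # Parameterized query: the driver binds the value as data; even if the
    # validation above were missing, the value could not alter the statement.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both versions on a benign and a constructed hostile id value."""
    conn = make_db()
    benign = "2"
    hostile = "2 OR 1=1"  # constructed: a statement fragment in a numeric field
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # leaks every row
        "safe_benign": lookup_safe(conn, benign),
    }
    try:
        lookup_safe(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running it shows the concatenated query returning all three users for the hostile value while the validated, parameterized version rejects it outright; removing only the validation step still leaves the parameterized query safe, which is why both layers are worth keeping.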


IzDank8 karma

I'm a computer science student in Sweden at a school called BTH (maybe you've heard of it). Basically, what I'm wondering is what a typical day looks like for you? How much programming is there and stuff like that. Sorry if the question isn't as technical as you had hoped.

CrazyAboutCode6 karma

As a research team we spend most of the time learning new stuff, staying up-to-date with new publications and coding Proof-of-Concepts. -Roee

CrazyAboutCode3 karma

Hi, it's a great question actually. We have a wide range of expertise and skills. For example, we have full-time security researchers who spend their days keeping up to date with the latest vulnerabilities and making sure our tools can find those issues. We also have full-time development and QA teams who spend every day improving our products. And we also have architects who spend a great deal of time talking to clients around the world and thinking about the long term direction of our application security portfolio.
- Jeff Turnham

litelinked1 karma

Hello- Can you please post the link to the webinar? I'm not able to register for it.


CrazyAboutCode1 karma

Thanks for your question. This particular forum is conducted via chat only. However, you can check out the following URL for all of our upcoming Webinar sessions: http://securityintelligence.com/events/ Have a great day! Neil Jones

CrazyAboutCode1 karma

Here's wishing you the best of luck in your studies! It's an exciting time to be in this field. Check out the following blog: http://securityintelligence.com/datingapps/#.VVNpTGMUTst to learn how our researchers detected vulnerabilities in a certain type of applications. You may feel free to share the content with your schoolmates via social media, if you wish. Pretty cool stuff!- Neil Jones

IzDank1 karma

Thanks, it truly is. I've done some thinking about what I want to excel in, and security has always been one of my main interests. I have a couple of other questions too:

  • What would you say is one of the best qualities/skills that you possess for your work?

  • What do you think the future holds for software in the aspect of security? By that I mean new ways to exploit systems, and how to tackle/work against them.

CrazyAboutCode1 karma

If you like to wear a "white hat" against the bad guys in the "black hats," then you'll find a rewarding career in security. At IBM, we are seeing major growth in AppSec in the Cloud and on mobile devices, as more and more apps transition to those platforms.

CrazyAboutCode1 karma

As Neil said, this is truly an exciting time to be getting into the Security field. It is growing and changing at an incredible pace. There are so many resources freely available on-line that a sufficiently motivated student can do enough self-study to become quite competent before landing their first job in the industry. To your specific questions:

  • I think the most important quality/skill is to have a passion for problem-solving and thinking like a hacker. From a purely technical point of view, the details of many exploits are fascinating in how the hacker is able to get around existing controls. But as attacks get more sophisticated it is getting even more interesting and critical to consider how to defend critical assets from exposure. Specifically, if I was just starting out, I would join as many open source projects as I could and review published security vulnerabilities. I would try and either discover new vulnerabilities in those open source projects or add in protection to make them more secure (By the way, all of that would look great on a CV/resume in addition to being very interesting work)

  • The future of software security is an interesting one to ponder. There are many emerging trends, but here are two that seem sure to continue to accelerate:

  1. These days many new development projects are basically a mash-up of runtimes, libraries and other components thrown together with relatively small amounts of user-written code.
  2. Most organizations have already adopted or are in the process of adopting Continuous Delivery/DevOps where applications are being updated constantly. This includes the explosive growth of containerization where an "application" is really the app itself along with deployment metadata.

These trends lead directly to some of the main challenges we see for Security tools in the next few years: Integrating effectively into these super aggressive development and deployment pipelines and applying a variety of analysis techniques to detect vulnerabilities as they happen either through the addition of new code, updating a dependency or changing some aspect of the deployment container.

- Jeff Turnham

superman524 karma

In a fast-paced startup environment, do you think security is a top priority? If you were building an application from the ground up, would you start with integrating high caliber security early on? Or would you wait until later in the development process?

CrazyAboutCode3 karma

Interesting question. It is always better to start from the system design, and in particular start understanding the potential threats as early as possible. If your startup is building systems for regulated industries, then for sure, good attention to security details will make your systems of much more interest to your clients. Think of security as a feature or differentiation.

-- Doug

CrazyAboutCode2 karma

This is a very good question. In a fast growing start-up environment, security can be probably the last thing that goes on the list. It is very easy to ignore this aspect, and it is very easy to say "It won't happen to me".

However, we all know that the moment you have a product out there that collects information from your customers you are a keeper of their PI data.

A good initial practice will help you establish security practices in the mentality of your team. Here are a few things that you can do:

  1. Threat Modelling (you don't need to have the code to do that)
  2. Security Testing earlier in the SDLC (the sooner you detect security problems, the lower the cost of fixing them). So developers can do Static Analysis on their code as they write it
  3. Security Testing at build time (this will ensure that you are constantly testing your app)
  4. Penetration testing

qutwutwut3 karma

What's IBM's managed appscan platform, and how does pricing compare to HP's Fortify On Demand? Where is the platform hosted, and which country typically performs the issue validation?

CrazyAboutCode0 karma

We would like to keep this conversation product agnostic and focus more on technology.


qutwutwut3 karma

Does IBM have an infrastructure vulnerability scanning tool? If it's QRadar VMS, what is the underlying scan engine- is it Nessus or Proventia?

CrazyAboutCode1 karma

The quick answer is QRadar Vulnerability Manager (QVM).


mpsix2 karma

As an AppScan user, with an incredibly complex application, I'm curious what you've experienced as the most challenging application you've had to have AppScan assess.

Also, can you share any great, upcoming features that will blow our socks off?

CrazyAboutCode2 karma

On the static analysis side, while we've scanned very large applications (>30MLOC), complexity is not always a function of the size of the application. The challenge for static analysis is how the data flows through code. In some cases, these can be fairly local and not too complex, and in other cases, a very small set of code can be very difficult; for example, we have a small, few hundred line test case that is extremely challenging for static analysis.

On the dynamic side, size may be more of an issue, as one of the challenges there is discovering the attack surface of the application dynamically.


P.S. On the features question, see the comment below that we're trying to keep this session technology focused rather than product focused.

sumit2702 karma

Is COBOL still being developed or used at IBM for Mainframe?

CrazyAboutCode1 karma

Yes! COBOL v5.2 came out earlier this year: http://www-01.ibm.com/support/docview.wss?uid=swg27045365

--Jeff Turnham

gompey_chomp2 karma

Hi guys thank you for doing this.

I am graduating in a few days with a Computer Science degree. I really want to get into the security side of things. I've been looking at and applying to jobs in the sector, but have found that not many companies want to hire a fresh graduate and would rather hire someone with experience.

What are some tips for recent graduates looking to get into the field that you could give - and also, am I doomed to start out as an entry level programmer until I get corporate experience under my belt?

CrazyAboutCode3 karma

Hi, I think this is a very exciting time to be a student. I've been with IBM for nearly 20 years and when I look at resources freely available on-line now I'm envious. I'll scope my answers below to "Application Security", but some quick tips:

  • Read up on and understand the most common vulnerabilities. For example, the OWASP site talks about the top 10 Web and Mobile vulnerability types. Understanding those, how they are exploited and how they are mitigated would be table stakes I think before walking into an interview that was at all related to Application Security. Shameless plug: Our Security Pen Testing team posted this article with videos discussing each of the OWASP Web Top 10: http://securityintelligence.com/the-10-most-common-application-attacks-in-action/

  • I mentioned this in another response and I tell this to students I interview: if you are looking to gain experience in the field, open source projects are your friend. Even if you don't contribute code, pick some projects, get the code, review the defects and how they are fixed, search the bug system for references to "security" and see what issues have been found and fixed and so on. This will give you a sense for the type of work involved. If you can then take it to the next level and actually contribute some bug fixes or enhancements, and get accepted as a committer, that is going to give you real-world experience that shows employers you are passionate enough about the industry to spend your spare time on these things.

--Jeff Turnham

theearthvolta2 karma

What are the biggest security threats you all deal with? What's the weirdest?

CrazyAboutCode3 karma

I think that APTs that originate with social engineering of the target companies' employees are particularly effective and hard to combat because defense involves "teaching" the humans who interact with the system to be aware of THEIR part in the threat chain.

-- Doug

CrazyAboutCode2 karma

There's a top 10 of the biggest security threat categories impacting web applications, which is the OWASP Top 10: https://www.owasp.org/index.php/Top_10_2013-Top_10

From those top 10 security issues, I find "Using Components with Known Vulnerabilities" particularly challenging. - Paul

In terms of what actually appears in the real world for application vulnerabilities, Cross-site Scripting (XSS) and SQL Injection are usually at the top of the list. Some reports on the state of the security world can be found here:

CrazyAboutCode1 karma

We've discovered several vulnerabilities in Android frameworks (e.g. a Cross-Application Scripting vulnerability in the Cordova framework for Android). Although they were patched quickly by the relevant vendor or organization, we noticed that it takes a lot of time for app developers who use the vulnerable code to upgrade to the fixed version.


CrazyAboutCode1 karma

Thanks for your question- Here's a link to Roee's blog about the Cordova vulnerability: http://securityintelligence.com/ibm-mobile-analyzer-saves-the-day/#.VVN2OmMUTss Please feel free to share on social media, if you wish to share with colleagues. Thanks!

gmfpanda2 karma

How would you, in as much detail as possible, go about doing security on RESTful Web services if given no documentation or WADLs, and what IBM tools would you use to accomplish a proactive assessment?

CrazyAboutCode3 karma

On the one hand, let's assume you're talking about static analysis. Static analysis tools can be configured (generally, by default) to distrust network traffic coming into your web service. This would be a great way to find SQL injection, for example. WADLs would help refine the analysis, but aren't necessary for static analysis.


CrazyAboutCode3 karma

Let's assume you mean Dynamic testing. It all starts by accumulating sample traffic from which the test system can permute the inputs. A great way to start is with unit tests that can be used to generate that traffic. Our systems can record that traffic as the basis of tests.

- Doug

bertrussell2 karma

I am interested in changing fields right now, and one possibility is looking at machine learning/data science. I was wondering if you could make a recommendation on good introductory material for machine learning techniques for security? (I have a PhD in physics, and a strong background in computing.)

CrazyAboutCode1 karma

There are many aspects to machine learning and security. You can use it for attack detection (probably the most common use), user profiling, traffic categorization, threat analysis and simulation, and many other things.

There is a rather old but very good book on Machine Learning by Tom Mitchell. It describes some of the basics on machine learning. The book does not talk about the security challenges that we face today.

In my opinion, the main challenge when trying to apply machine learning to the security space is the reality that the Internet is constantly under attack. So when talking about automatic classification of anything, we lose the notion of a "clean data-set" or clean baseline for training the classifiers. Our baselines these days are full of attacks. The real challenge consists in finding the attacks that really matter. So yes, I do believe that this research field needs to reinvent itself for the new challenges that the Internet is posing, and that there is a lot of room for improvement.


harcos902 karma

What does it take to find an entry level job in IT Security? I am currently working through the OSCP certification, graduated with a minor in Security Risk Analysis and have about 2 years of experience as an Application Developer, but looking through the job ads in Chicago, I won't qualify for a job in the field until I have 3 years of experience within IT Security. How did you all get into the field?

As for a technical question, what is something that the every day mobile user should be doing to protect themselves from threats? Are you discovering any mobile specific attack vectors?

CrazyAboutCode2 karma

On the career question, I think there's not an easy answer when you're starting out. There are a few certifications. Note that more organizations are recognizing the integral part of security in application development. One suggestion we make to organizations that are rolling out a security program is to identify security 'champions' on their development teams who are interested in security and in learning how to make applications secure. So, even if you're not starting as a security expert, this may be a path to get there.

My suggestion is always that if you really love it, just keep pushing for it. Some of the responses below to IzDank may also be helpful.

On the technical question, every day users need to ensure that they've only installed good, safe applications on their phones. This means, no jailbreaking your phone, and only getting applications from reputable app stores.

As for mobile specific attack vectors, I think most of the issues on phones boil down to data leakage - stuff that you consider personal, private, or confidential going off your phone. This could be geographic location (good apps ask if you want to share this), contacts, or other information. The attack vector can be just the app itself (not all apps do exactly what they say), or it can be due to a weakness in the app that lets other apps on the phone exploit it. See Roee's answer below and this link for some details:


Good luck on your career path.

-- John

qutwutwut2 karma

How do your app testing dev and services teams feel about the OWASP Application Security Verification Standard (Version 2)- https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home

Do you think ASVSv2 provides a better way to guarantee the level of testing performed? Does AppScan scan to Level 1 by default if you supply it all user roles?

CrazyAboutCode2 karma

ASVS is a great artefact and I highly recommend that it is used by security testing and application development teams. Automated scanning tools can test at all levels of the Standard.

gmfpanda2 karma

What type of vulnerability do you find is most difficult for scanners to find?

CrazyAboutCode1 karma

I don't think there's a particular vulnerability. It's mostly a matter of how difficult it is to configure the scanner to find the vulnerabilities. For example, the scanner may have issues getting to a particular page where the vulnerability exists. When it comes to web scanning I like to manually explore as much of the website as possible.

- Paul Ionescu

MarshallX1 karma

Any thoughts on how vulnerabilities since Heartbleed have become "Panic Mode" for big business? Before then I rarely heard about security vulnerabilities, let alone my executive team.

Now, the second one comes out I get an email from a VP or CIO asking why we haven't fixed it yet.

CrazyAboutCode1 karma

I think it started happening before Heartbleed.

I think the nature of the attacks has changed. There's a lower proportion of the old script-kiddy-just-showing-my-chops kind of attacks and a higher proportion of sophisticated APT attacks orchestrated by professionals aimed at making money.

The financial consequences of these kinds of attacks have gotten much larger. Executives respond quickly to large financial losses. They also respond to the possibility of losing their jobs, which has happened in several of these high profile attacks.

I think more attention to this from the executive room is actually a good thing, though it does present challenges to the teams below.


Owlstorm1 karma

What are the team's opinions on modern antivirus software?

CrazyAboutCode2 karma

I found this quote which I think is a very good representation of our collective opinion:

Antivirus, firewalls and other signature-based defenses are good at stopping known threats or blocking traffic that matches a specific pattern. However, attackers have gotten incredibly savvy; they know these tools are looking for known signatures. Therefore, they mutate their threats just enough so tools can’t detect them — or worse, they use zero-day exploits nobody knows about. You need to be able to stop threats you’ve never seen before. This requires new technology to identify when attackers are exploiting applications or protocols to gain unauthorized access to systems and install malware. You need to shield against entire classes of vulnerabilities, not match known exploits.

This quote is found in this article: http://securityintelligence.com/top-security-myths-that-could-leave-your-organization-vulnerable-to-an-attack/

Another good article on this topic: http://securityintelligence.com/are-you-digging-deep-when-antivirus-is-not-enough/

And just so that all my links are not from our IBM blog, here's one from Symantec explaining why Anti-Virus is not enough: http://www.symantec.com/connect/articles/why-antivirus-not-enough

--Jeff Turnham

alex_squeezebox1 karma

How would you suggest explaining how computer security works and how to take safety precautions to someone (especially an older person) who doesn't know much about computers?

CrazyAboutCode3 karma

Found this doc that is very well written and seems for that exact purpose: https://www.dhs.gov/sites/default/files/publications/Cybersecurity%20for%20Older%20Americans_0.pdf - Paul

tadamhicks1 karma

I am a CS grad student and just finished some research on fuzzing. I was wondering if you guys use fuzzing at all, and if so how?

I became familiar with Pai Mei and, more specifically, Evolutionary Fuzzing Systems that a specific group wrapped into a Pai Mei branch (including a Charlie Miller fork). It is fascinating, but it seems like fuzzing as a specific research area has stagnated a bit, unless I'm just out of the loop.

I was wondering if you might have some insight into the current state-of-the-art in regards to fuzzing, especially from the perspective of utility. In other words, given a whole suite of security and vulnerability tests, is fuzzing such a small focus that it isn't worth energy? Or do you think that it could be considered extraordinarily powerful?

Part of my research has led me to the intuition that while code coverage is great (and ultimately desirable), it isn't the end-all, be-all. In other words, we can't just cover the code and call it a day, we need to go beyond (without falling prey to the Halting Problem). What do you think about this? Do you think attacking code coverage like SAGE does is a heuristic trap?


CrazyAboutCode2 karma

Right, by trying to predict application behavior in the future, we're all fighting the Halting Problem and its generalizations.

My take is that heuristics is not necessarily a bad path if it helps in many instances of real code, even if it ignores, or fails at, some theoretically tricky corner cases (or even not so tricky cases that seldom occur).

You probably know much more than I about fuzzing at this point, but I think blackbox fuzzing is just very expensive for what can be found. SAGE and other whitebox fuzzing techniques (see LLVM blog: http://blog.llvm.org/2015/04/fuzz-all-clangs.html where they discuss finding Heartbleed) seem more promising, but even the SAGE folks see room for both whitebox and blackbox fuzzing.

I think your intuition about code coverage is correct: it's not just about hitting all the control points in the code, you still need to explore the universe of possible inputs covered by each control point (i.e., just because you've tested the control point for strings longer than 32 bytes doesn't mean you've tested all such possible strings).

While my bias is towards static techniques (which helps some with the universe of possible inputs), I think, in the real world, both static and dynamic techniques will continue to be important, as each has its strengths and weaknesses.


JayAreMcCabe1 karma

Are you sure this isn't Watson answering these comments?

CrazyAboutCode1 karma

Yep. My first name isn't Thomas.


callmecraycray1 karma

After seeing all the Snowden stuff a few weeks ago with Steven colbert I am terrified. Do you think uncle sam really has all of our dick pics? If so then how searchable is their archive of dick pics? Is there any way I can protect myself?

CrazyAboutCode2 karma

For those of you who are unfamiliar with the interview, it was actually John Oliver who interviewed Edward Snowden. Here's a link to the interview: https://www.youtube.com/watch?v=XEVlyP4_11M It is well-worth the time commitment to watch, because it is interesting and quite funny. Please note that the opinions are John Oliver's and Edward Snowden's, and not our company's. We will let you draw your own conclusions about the security of your favorite selfies. Thanks! Neil Jones

callmecraycray1 karma

Thanks for the reply! I know it is a silly question but I seriously have no idea how to protect my mobile data from hackers or companies who would misuse my information. Any tips for the average joe?

CrazyAboutCode2 karma

Actually, it was one of the most interesting interviews that I've ever seen, since both Oliver and Snowden are such, um, "non-conformists" (My opinion, not IBM's). Here are 2 recent blogs with practical recommendations about improving mobile security: http://securityintelligence.com/datingapps/#.VVN6omMUTst & http://securityintelligence.com/mobile-insecurity/#.VVN7oGMUTst If you find the content of interest, please feel free to share it with your colleagues. Enjoy! Neil Jones

bowshikabowow1 karma

Hello! I have a few questions: Do you think DAST (Dynamic Application Security Testing) is the future or just another buzzword in the software security space? Have any thoughts on API-specific security for IoT devices? What are your thoughts on dynamic polymorphism of html (Shape's core tech)?

CrazyAboutCode2 karma

DAST is much more than a buzzword! While no single analysis technique is a silver bullet, DAST is a core analysis technique that is able to accurately find critical web application vulnerabilities. I would assert that any organization that is not using DAST as part of their security program to regularly assess their important web assets is running with an unreasonable amount of risk.

IoT is such an interesting area. OWASP actually published an IoT Top 10 last year: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014 and most of the items are related to your question about API security. They deal with the web, cloud and mobile interfaces, authentication issues, transport layer issues and so on. So yes, the APIs by which IoT devices are connected to the internet are such an obvious attack vector that they have to be top of mind. The good news is that many of these APIs could be scanned with existing DAST or SAST tools and lend themselves to traditional threat model discussions and countermeasures. But obviously, much like our mobile devices, IoT devices in general can be physically inspected, monitored or even taken apart and reverse engineered. So physical security and data protection on the device is also where we will no doubt see interesting attacks in the coming years.

And sorry I am not familiar with Shape's core technology and am not sure what you mean by "dynamic polymorphism of html". I might guess you are referring to HTML5 and single-page-app design, but not sure.

--Jeff Turnham

bowshikabowow1 karma

Sorry, I was joking about the first one, just some humor among my friends in IT who say we're constantly creating new acronyms in the software security space. Agreed, IoT is going to be BIG in the coming years. As for the last part, I was referring to this for Shape Security. They're a relatively small company that gained some serious capital, generated a lot of buzz last year but have been relatively silent this year. Just wondering if you've heard of anything similar. Thanks for answering Jeff!

CrazyAboutCode2 karma

Nice! That was some well concealed sarcasm with the DAST question. Not even a <sarcasm> tag or smiley face to go on. I clearly failed that test.

And no I do not know enough about Shape Security to have an opinion worth sharing.

Cheers, Jeff Turnham

LHoT108201 karma

I work for a non profit organization. I feel like IT is seen as a burden more so than in a standard environment. What are some ways to make security appear as less of a monolithic unknown for my end users?

CrazyAboutCode1 karma

This is such a great question and you are not alone. We often see large (and very profitable) organizations crippled with extreme inertia with respect to their security programs or lack thereof. There are several causes for this inertia such as budget or skill gaps but in many cases organizations have simply thrown up their hands because they feel the security problem is too large and don't know where to start.

Here are a few strategies to cope with this:

  • First have an open discussion within your organization and acknowledge that there is no such thing as 100% security, so that is not the end goal.
  • A comprehensive security program takes time to build and is constantly evolving, so do not use the lack of a fully documented plan as an excuse for not making incremental improvements today.
  • To get started, use a risk-based approach to guide security investment decisions. In other words, identify the critical assets you most need to protect and use that to prioritize your incremental security improvements. For example, decide what your organization considers to be "crown jewel" data. Do you store sensitive user data, do you have intellectual property that would damage your organization if it leaked, do your employees have privileged access to business partner data, and so on? Get those assets documented and prioritized. And then, in priority order, spend time understanding possible attack vectors or ways the data could be inadvertently leaked and work on countermeasures.
  • Find ways to prove Return On Investment (ROI) for your security efforts that will be compelling for the executives in your organization. This can be challenging but if you've done a good job on the previous step (the risk-based approach) then much of your work is done. Discussing obvious attack vectors that could lead to critical data breaches should be eye-opening for executives. And then showing them the countermeasures that have been implemented along with the ones that have not, should show that the efforts are worth it and need to continue or accelerate.

--Jeff Turnham

badp4nd41 karma

  1. What are your feelings of vulnerability disclosure now becoming monetized?

  2. If a company like Target can get completely owned, with sensors blaring at them daily, for months, do you believe there will ever be a fix to the "people" problem of security?

  3. Do you believe there should ever be some sort of formal regulation of security controls on the internet, such as baseline requirements for securing services so they aren't abused for spam, DNS amplification attacks, etc?

CrazyAboutCode2 karma

  1. I suppose it depends on your point of view. As professionals working in the Application Security space I think it provides further validation that we are in a constantly evolving and ever-important fight with the bad guys. The technical challenges will continue to become more involved and organizations will need to continue and in most cases ramp up their investments in Security. From the point of view of an employee and investor in other organizations it is obviously terrifying to think of the implications of ransomware and see the damage that can be done to bottom lines and reputations with well-publicized vulnerabilities.

  2. Great point. And there are so many aspects to the "people problem": Malicious internal users, naive employees prone to fall for social engineering attacks, developers who don't know about or don't practice secure coding, and so on. At first glance it seems the response to these might be largely around mandated education. Education is important, but the reality is that you are never going to educate your entire workforce to the level of being able to anticipate and to defend against advanced threats. So the only answer that really scales is around intelligent analytics. Systems need to detect and report anomalous behaviour from around the organization and teams need to be monitoring that data constantly.

  3. We obviously see these types of regulation and compliance standards being mandated in corporate environments. And if you personally stand up a service that is getting obviously abused for spam you will likely hear about it from your ISP, or consumers of your service will run away screaming. But I wouldn't bet on seeing this type of formal regulation being policed for every service hosted on the internet. There just seem to be too many big questions about how it would be enforced, whether you could actually get the type of global agreement required, and so on. --Jeff Turnham

webhero771 karma

Hey Guys. I'm having trouble logging into Jeff's account. Could you message me his password? Thanks. :D

In all seriousness this is a good AMA, thanks for doing this.

CrazyAboutCode1 karma

Thanks for stopping by. My password is now "webhero77"

Cheers, Jeff Turnham

ehochx1 karma


I'm a CS student and graduate this September. I have worked as a software engineer in air traffic management, do reverse engineering in my spare time and am currently writing my Bachelor's thesis about real-time operating systems for satellites at a space engineering company.

I'd love to work in security, more specifically malware analysis / static analysis. How should I proceed from here? I'm thinking about attending grad school (Ruhr-University Bochum, IT-Security, emphasis on cryptography and software) but is there a more direct way for someone like me (i.e. enough experience to get started quickly but not enough to immediately work independently without additional training)? I interviewed at Google last month but was rejected after the onsite interview. :(


CrazyAboutCode1 karma

IBM Security is hiring! Have a look through the posted IBM Security jobs and apply to ones that look interesting to you.

Start here (at the advanced job search): https://jobs3.netmedia1.com/cp/faces/job_search?adv=true

Select "IBM Security" as the Business group and perhaps also select "Software Development" as the Job area. I just did that query and got back 66 results with positions available around the world.

Good luck! --Jeff Turnham

DanDierdorf1 karma

Which OS is natively the most secure, and why is it OS400?

CrazyAboutCode2 karma

Well depending on your definition of "OS" and "Secure", I might point you at the Tails OS (and then drop the mic and walk off the stage): https://tails.boum.org/

But seriously, I'm not sure native OS security should be that comforting when there is so much that can be compromised through mis-configuration or human error. Even rockstar sysadmins can't protect against all the corporate damage that can be caused by insecure apps running on that OS.

--Jeff Turnham

mikeofhyrule1 karma

umm... can i get 4 day masters tickets?

CrazyAboutCode1 karma

No, but if you're feeling lucky you can sign up and hope to get randomly selected to be able to purchase a 1-day ticket.


Good luck. I'm signed up as well. --Jeff Turnham

Itsisaonetimething1 karma

With patient information in the cloud, what are some of the best things developers can do to secure that data?

CrazyAboutCode2 karma

For teams working on applications that deal with US patient data, for example, it is critical to understand what it means to be HIPAA-compliant (http://www.hhs.gov/ocr/privacy/). From a developer point of view, part of this is going to require a complete understanding of the security of the data at all times: at rest on a device, at rest in the cloud, in transit and even in memory. But there is much more to it and this really shouldn't be thought of as a problem to be solved with some recommended best practices for developers.

The security of the data has to be the utmost concern for the project. The handling of the data should be completely designed and documented so that there is no question for developers about when or how to encrypt for example. And analysis tools should be used to regularly validate and protect against data leakage to log files, leakage over insecure network/DB APIs or even leakage to email which is usually a HIPAA violation due to the lack of content encryption.

The other aspect to keep in mind with Cloud and HIPAA is that you are in a business relationship with your Cloud Service provider when it comes to hosting your HIPAA compliant application. Both you and your provider have different responsibilities. There are many good on-line resources to be found on this topic. Here are a few:

About IBM's Softlayer and HIPAA: http://www.thoughtsoncloud.com/2014/03/hipaa-cloud-computing-healthcare-compliance/

About Amazon's Cloud and HIPAA: http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/

About Google's Cloud and HIPAA: https://support.google.com/a/answer/3407054?hl=en

Hope that helps, --Jeff Turnham

ThisIsNotMyTrueForm-2 karma

I don't understand anything about what's going on here, but I brew mean coffee and 1 out of 10 of my jokes are funny, so... hire me?

CrazyAboutCode1 karma

We'd have to be talking about some truly epic coffee.

-- Jeff Turnham