
Application safety and security

Application security encompasses the measures taken to improve the security of an application, often by finding, fixing and preventing security vulnerabilities.

Different techniques are used to surface such vulnerabilities at different stages of an application's lifecycle, such as design, development, deployment, upgrade and maintenance.

An always evolving but largely consistent set of common security flaws is seen across different applications; see common flaws.


Terms

  • Asset. Resource of value such as the data in a database, money in an account, file on the filesystem or any system resource.
  • Vulnerability. A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
  • Attack (or exploit). An action taken to harm an asset.
  • Threat. Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.

Techniques

Different techniques will find different subsets of the security vulnerabilities lurking in an application and are most effective at different times in the software lifecycle. They each represent different tradeoffs of time, effort, cost and vulnerabilities found.

  • Whitebox security review, or code review. A security engineer builds a deep understanding of the application by manually reviewing its source code and noting security flaws. This comprehension makes it possible to find vulnerabilities unique to the application.
  • Blackbox security audit. The application is tested for security vulnerabilities purely through use, with no source code required.
  • Design review. Working through a threat model of the application before code is written, sometimes alongside a spec or design document.
  • Tooling. Many automated tools test for security flaws, often with a higher false positive rate than a review involving a human.
  • Coordinated vulnerability platforms. Hacker-powered application security programs offered by many websites and software developers, through which individuals receive recognition and compensation for reporting bugs.

Utilizing these techniques appropriately throughout the software development life cycle (SDLC) to maximize security is the role of an application security team.

Application threats / attacks

According to the patterns & practices Improving Web Application Security book, the following are classes of common application security threats / attacks:

The OWASP community publishes a list of the top 10 vulnerabilities for web applications, outlines best security practices for organizations, and aims to create open standards for the industry.[1] As of 2017, the organization lists the top application security threats as:[2]

Mobile application security

Main article: Mobile security

The proportion of mobile devices providing open platform functionality is expected to continue to increase in the future. The openness of these platforms offers significant opportunities to all parts of the mobile ecosystem by delivering flexible program and service delivery options that may be installed, removed or refreshed multiple times in line with the user's needs and requirements. However, with openness comes responsibility, and unrestricted access to mobile resources and APIs by applications of unknown or untrusted origin could result in damage to the user, the device, the network or all of these if not managed by suitable security architectures and network precautions. Application security is provided in some form on most open OS mobile devices (Symbian OS,[3] Microsoft, BREW, etc.). In 2017, Google expanded its Vulnerability Reward Program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store.[4] Industry groups, including the GSM Association and the Open Mobile Terminal Platform (OMTP), have also created recommendations.[5]

There are several strategies to enhance mobile application security including:

  • Application whitelisting
  • Ensuring transport layer security
  • Strong authentication and authorization
  • Encryption of data when written to memory
  • Sandboxing of applications
  • Granting application access on a per-API level
  • Processes tied to a user ID
  • Predefined interactions between the mobile application and the OS
  • Requiring user input for privileged/elevated access
  • Proper session handling

Security testing for applications

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle. With the growth of continuous delivery and DevOps as popular software development and deployment models,[6] continuous security models are becoming more popular.[7][8]

Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have historically been used by security organizations within corporations and by security consultants to automate the security testing of HTTP requests and responses; however, this is not a substitute for actual source code review. Code reviews of an application's source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), a human cannot perform the comprehensive data flow analysis needed to check every circuitous path through an application program for vulnerability points. Humans are better suited to filtering, interpreting and reporting the output of commercially available automated source code analysis tools than to tracing every possible path through a compiled code base to find root-cause vulnerabilities.

There are many kinds of automated tools for identifying vulnerabilities in applications. Some require a great deal of security expertise to use and others are designed for fully automated use. The results are dependent on the types of information (source, binary, HTTP traffic, configuration, libraries, connections) provided to the tool, the quality of the analysis, and the scope of vulnerabilities covered. Common technologies used for identifying application vulnerabilities include:

Static Application Security Testing (SAST) is a technology frequently used as a source code analysis tool. The method analyzes source code for security vulnerabilities before an application is launched and is used to strengthen code. This method produces fewer false positives but for most implementations requires access to an application's source code[9] and requires expert configuration and a lot of processing power.[10]
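As an added illustration of what a SAST rule does (example code written for this page, not from any product or from the article's sources): a small Python checker that walks a module's syntax tree and flags three patterns: dynamic code execution, subprocess calls with shell=True, and database execute() calls whose query text is assembled from variables rather than passed as bound parameters. The module it scans is constructed inline; the Finding type, the rule names and scan_source() are this example's own names.

```python
"""Toy SAST checker: syntax-tree rules over Python source (constructed example)."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int    # source line of the flagged call
    rule: str    # rule identifier (names chosen for this example)
    detail: str  # human-readable explanation for the reviewer


class DangerousCallVisitor(ast.NodeVisitor):
    """Visits every call expression and applies the three rules."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    @staticmethod
    def _call_name(node: ast.Call) -> str:
        # eval(...) -> "eval"; conn.execute(...) -> "execute"; anything else -> ""
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
        return ""

    @staticmethod
    def _is_built_string(node: ast.AST) -> bool:
        # Query text produced by an f-string, concatenation, %-formatting or .format()
        if isinstance(node, ast.JoinedStr):
            return True
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return True
        return (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format")

    def visit_Call(self, node: ast.Call) -> None:
        name = self._call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding(node.lineno, "dynamic-code",
                                         f"{name}() evaluates runtime data as code"))
        if name in ("execute", "executescript") and node.args \
                and self._is_built_string(node.args[0]):
            self.findings.append(Finding(node.lineno, "sql-string-build",
                                         "query text built from variables; use bound parameters"))
        if name in ("run", "call", "check_output", "Popen") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            self.findings.append(Finding(node.lineno, "shell-true",
                                         f"subprocess.{name} invoked with shell=True"))
        self.generic_visit(node)  # keep descending: calls nest inside calls


def scan_source(source: str) -> list[Finding]:
    """Parse one module and return its findings in source order."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module: two SQL lookups (one flawed, one parameterized),
# a shell invocation and a dynamic eval.
SAMPLE_MODULE = '''\
import sqlite3, subprocess

def find_user(conn, name):
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def find_user_ok(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def archive(path):
    subprocess.run("tar czf backup.tgz " + path, shell=True)

def compute(expr):
    return eval(expr)
'''


if __name__ == "__main__":
    for f in scan_source(SAMPLE_MODULE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

The checker reports only on syntax, which mirrors the trade-off in the paragraph above: a query concatenated from two constants would be flagged (a false positive), and a query assembled in a variable several lines earlier would be missed (a false negative). Tuning rules like these to a real code base is the "expert configuration" the text refers to.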

Dynamic Application Security Testing (DAST) is a technology that finds externally visible vulnerabilities by feeding a URL into an automated scanner. This method is highly scalable, easily integrated and quick. DAST's drawbacks lie in the need for expert configuration and the high possibility of false positives and negatives.[9]

Interactive Application Security Testing (IAST) is a solution that assesses applications from within using software instrumentation. This technique allows IAST to combine the strengths of both SAST and DAST methods while also providing access to code, HTTP traffic, library information, backend connections and configuration information.[11] Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing.[12][13]

Security protection for applications

Advances in professional malware targeted at the Internet customers of online organizations have changed web application design requirements since 2007. It is generally assumed that a sizable percentage of Internet users will be compromised through malware and that any data coming from their infected hosts may be tainted. Therefore, application security has begun to manifest more advanced anti-fraud and heuristic detection systems in the back office rather than within the client-side or web server code.[14] As of 2016, runtime application self-protection (RASP) technologies have been developed.[9][15] RASP is a technology deployed within or alongside the application runtime environment that instruments an application and enables detection and prevention of attacks.[16][17]
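An added example of the instrumentation idea behind RASP (written for this page, not taken from any RASP product or from the article's sources): a sqlite3 connection subclass whose execute() consults a policy before each statement runs. The policy is deliberately simple: request input recorded at a constructed trust boundary, begin_request(), may travel in bound parameters but must never appear inside the SQL text itself. GuardedConnection, BlockedStatement and the other names are this example's own.

```python
"""Toy RASP guard for sqlite3: refuses statements that embed request input in SQL text.
Constructed illustration of runtime instrumentation; not a real product."""
import sqlite3

MIN_TAINT_LEN = 3            # very short values would match almost any statement (false positives)
_untrusted: list[str] = []   # request values that crossed the trust boundary (per request)


class BlockedStatement(Exception):
    """Raised when the runtime guard refuses a statement."""


def begin_request(params: dict[str, str]) -> None:
    """Constructed trust boundary: record every request parameter as untrusted."""
    _untrusted.clear()
    _untrusted.extend(v for v in params.values() if len(v) >= MIN_TAINT_LEN)


def check_sql(sql: str) -> None:
    """Policy: untrusted input may be bound as a parameter, never spliced into the SQL."""
    for value in _untrusted:
        if value in sql:
            raise BlockedStatement(f"request input {value!r} found inside SQL text")


class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, parameters=()):
        check_sql(sql)
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    """Instrumentation point: every execute() passes through check_sql() first.
    (executemany/executescript are left unguarded here to keep the example short.)"""

    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, parameters=()):
        check_sql(sql)
        return super().execute(sql, parameters)


def make_db() -> GuardedConnection:
    """Constructed in-memory database with one user row."""
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("alice",))
    return conn


def lookup_user_vulnerable(conn: GuardedConnection, name: str):
    # The flawed pattern the guard exists to catch: request input interpolated into the statement.
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def lookup_user_safe(conn: GuardedConnection, name: str):
    # Bound parameter: the value never becomes part of the SQL text, so the guard lets it through.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run both lookups for the same (benign) request and report what the guard did."""
    conn = make_db()
    begin_request({"name": "alice"})
    results = {"safe": lookup_user_safe(conn, "alice")}
    try:
        lookup_user_vulnerable(conn, "alice")
        results["vulnerable_blocked"] = False
    except BlockedStatement:
        results["vulnerable_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the guard blocks the interpolating lookup even for a harmless value: it enforces a coding rule at runtime rather than matching attack signatures, so it prevents the flaw without having to recognize every payload. Commercial RASP products refine this with SQL parsing and finer-grained taint tracking; the substring check here is the simplest form of the idea.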

Coordinated vulnerability disclosure

The CERT Coordination Center describes Coordinated Vulnerability Disclosure (CVD) as a “process for reducing adversary advantage while an information security vulnerability is being mitigated.”[18] CVD is an iterative, multi-phase process that involves multiple stakeholders (users, vendors, security researchers) who may have different priorities and who must work together to resolve the vulnerability. Because CVD processes involve multiple stakeholders, managing communication about the vulnerability and its resolution is critical to success.

From an operational perspective, many tools and processes can aid in CVD. These include email and web forms, bug tracking systems and Coordinated vulnerability platforms.[19]

Security standards and regulations

  • CERT Secure Coding
  • CWE
  • DISA-STIG
  • Gramm-Leach-Bliley Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • ISO/IEC 27034-1:2011 Information technology — Security techniques — Application security — Part 1: Overview and concepts
  • ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use
  • NIST Special Publication 800-53
  • OWASP
  • PCI Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act (SOX)

See also

  • Application portfolio attack surface
  • Countermeasure
  • Data security
  • Database security
  • HERAS-AF
  • Information security
  • Trustworthy Computing Security Development Lifecycle
  • Web application
  • Web application framework

References

  • ^ “What is OWASP, and Why it Matters for AppSec”. Contrast Security. 23 February 2017. Retrieved 10 April 2018.
  • ^ “OWASP Top 10 – 2017” (PDF). OWASP. 2017. Retrieved 10 April 2018.
  • ^ “Platform Security Concepts”, Simon Higginson.
  • ^ “Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play”. The Verge. 22 October 2017. Retrieved 15 June 2018.
  • ^ “Application Security Framework”. Archived from the original on March 29, 2009., Open Mobile Terminal Platform
  • ^ “DevOps Survey Results: Why Enterprises Are Embracing Continuous Delivery”. CloudBees. 1 December 2017. Retrieved 26 June 2018.
  • ^ “Continuous Security in a DevOps World”. RMLL Conference 2016. 5 July 2016. Retrieved 4 July 2018.
  • ^ “Tapping Hackers for Continuous Security”. HackerOne. 31 March 2017. Retrieved 4 July 2018.
  • ^ a b c “Interactive Application Security Testing : Things to Know”. TATA Cyber Security Community. June 9, 2016.
  • ^ Williams, Jeff (22 September 2015). “Why It’s Insane to Trust Static Analysis”. DARKReading. Retrieved 10 April 2018.
  • ^ Williams, Jeff (2 July 2015). “I Understand SAST and DAST But What is an IAST and Why Does it Matter?”. Contrast Security. Retrieved 10 April 2018.
  • ^ Abezgauz, Irene (February 17, 2014). “Introduction to Interactive Application Security Testing”. Quotium.
  • ^ Rohr, Matthias (November 26, 2015). “IAST: A New Approach For Agile Security Testing”. Secodis.
  • ^ “Continuing Business with Malware Infected Customers”. Gunter Ollmann. October 2008.
  • ^ “What is IAST? Interactive Application Security Testing”. Veracode.
  • ^ “IT Glossary: Runtime Application Self-Protection”. Gartner.
  • ^ Feiman, Joseph (June 2012). “Security Think Tank: RASP – A Must-Have Security Technology”. Computer Weekly.
  • ^ “The CERT Guide to Coordinated Vulnerability Disclosure”. Software Engineering Institute, Carnegie Mellon University. August 2017. Retrieved 20 June 2018.
  • ^ “The CERT Guide to Coordinated Vulnerability Disclosure”. Software Engineering Institute, Carnegie Mellon University. August 2017. Retrieved 20 June 2018.
