How AV can open you to attacks that otherwise wouldn’t be possible

The attack worked first by getting Bogner’s malicious file quarantined by the AV program running on the targeted computer. The pentester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner’s choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner’s malware ran with full privileges.

Source: How AV can open you to attacks that otherwise wouldn’t be possible | Ars Technica

The Basics of Web Application Security

Security is a massive topic, even if we reduce the scope to only browser-based web applications. These articles will be closer to a “best-of” than a comprehensive catalog of everything you need to know, but we hope it will provide a directed first step for developers who are trying to ramp up fast.

Source: The Basics of Web Application Security

Docker’s Unikernel Purchase and the Changing Role of the OS

It isn’t really as if the operating system ceases to exist. More to the point, it ceases to be a separate entity from the compiled application. A unikernel, therefore, is an indivisible unit of computing logic. As a microservice, it carries the promise of unlimited scalability. And as a virtual machine, it is designed to run under the Xen Type 1 (hardware-level) hypervisor.

Source: Docker’s Unikernel Purchase and the Changing Role of the OS

Big Ball of Mud

These patterns explore the forces that encourage the emergence of a BIG BALL OF MUD, and the undeniable effectiveness of this approach to software architecture. What are the people who build them doing right? If more high-minded architectural approaches are to compete, we must understand what the forces that lead to a BIG BALL OF MUD are, and examine alternative ways to resolve them.

A number of additional patterns emerge out of the BIG BALL OF MUD. We discuss them in turn. Two principal questions underlie these patterns: Why are so many existing systems architecturally undistinguished, and what can we do to improve them?

Source: Big Ball of Mud

Why I Hate Frameworks

“Well, the problem with hammers is that there are so many different kinds. Sledge hammers, claw hammers, ball-peen hammers. What if you bought one kind of hammer and then realized that you needed a different kind of hammer later? You’d have to buy a separate hammer for your next task. As it turns out, most people really want a single hammer that can handle all of the different kinds of hammering tasks you might encounter in your life.”

Source: The Joel on Software Discussion Group (CLOSED) – Why I Hate Frameworks

Interfaces last longer than code

How do you recognize a good API? It’s tough, but one thing is sure, a good interface allows easy swapping of components. If it doesn’t allow easy swapping of components, it’s not a good interface.

Source: 9 – systemD: Interfaces last longer than code – Slashdot

Throughout systemd there is a lack of understanding of proper interfaces. Making the GUI depend on a particular init system is a particularly obvious example of poor design, but the code was written from a ‘code first’ perspective rather than an ‘interface first’ perspective.

You Can’t Backdoor a Platform

Cryptographic backdoors will not work. As a matter of technology, they are deeply incompatible with modern software platforms. And as a matter of policy and law, addressing those incompatibilities would require intolerable regulation of the technology sector. Any attempt to mandate backdoors will merely escalate an arms race, where usable and secure software stays a step ahead of the government.

The easiest way to understand the argument is to walk through a hypothetical. I’m going to use Android; much of the same analysis would apply to iOS or any other mobile platform.

Source: You Can’t Backdoor a Platform | Web Policy

CoreOS is building a container runtime, Rocket

What is Rocket?

Rocket is an alternative to the Docker runtime, designed for server environments with the most rigorous security and production requirements. Rocket is oriented around the App Container specification, a new set of simple and open specifications for a portable container format.

via CoreOS is building a container runtime, Rocket.

IEEE Guides Software Architects ToSecure Software Design

The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration. The 10, in no particular order, are:

  • Earn or give, but never assume, trust
  • Use an authentication mechanism that cannot be bypassed or tampered with
  • Authorize after you authenticate
  • Strictly separate data and control instructions, and never process control instructions received from untrusted sources
  • Define an approach that ensures all data are explicitly validated
  • Use cryptography correctly
  • Identify sensitive data and how they should be handled
  • Always consider the users
  • Understand how integrating external components changes your attack surface
  • Be flexible when considering future changes to objects and actors

via IEEE Guides Software Architects ToSecure Software Design | Threatpost | The first stop for security news.