Monday, April 30, 2012

Fear, Uncertainty & Doubt [FUD]...the Grand Illusion...or...this guy is old enough to know better...

You don't know what you don't know - or why Bruce Schneier's blog is worth reading daily -

FROM BRUCE: JCS Chairman Sows Cyberwar Fears

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks.

Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race.


What I always want to ask folks who make these cyber-disaster claims is "How?".

What is the use case where a cyber attack has a widespread impact on the lives of Americans? I'm not talking about a cyber attack that's news-worthy, and has "society stopped" because it's watching the drama unfold on TV. I just can't follow the hypothesis that a cyber attack can be more than a massive inconvenience.

Point of calibration: last year my power was off for 5 days because a storm damaged the one-and-only electric power switching sub-station that powers my neighborhood and it wasn't easy to replace the switchgear that failed because adequate parts and skilled workers weren't available. This was a huge problem, forcing me and my neighbors to share gas generators to keep the food in our freezers cold. It cost me hundreds of dollars in food and fuel that I wouldn't normally have bought. That said, it was not an existential threat to the very tracks that society runs on in my neighborhood.

Cyber disaster needs to be more than that!

Case #1: Evil-doers find a flaw in the border gateway protocol and use it to flood the IP routing fabric with incorrect data. This could lead to no practical paths between systems on different subnets, and the end of the Internet as it currently stands.

Outcome: Using our lights, and our phones for those folks who didn't jump to VOIP, the people who make routers have to figure out and fix the problem. It's Cisco, Juniper and a handful of other folks who already know who each other is. Press the answer onto CDs and use FedEx or the Post Office to send them to all your customers. A week later, the Internet is all better, and nobody dies. When I had to live without power, I had to live without the Internet because it seems all my Internet infrastructure runs on electricity.

Case #2: Evil-doers use the Internet connected electric power infrastructure to switch off all the power in the US. I'm not even going to mention how hard this is, every electric power installation is unique, and they all use redundant sources of supply, but SCADA is a potential problem.

Outcome: Lots of angry people, more than Case #1, call to complain that the power is off (unless they went to VOIP). The electric companies unplug their routers and turn the electric power back on. It probably takes 24-48 hours, because those networked SCADA devices are labor saving. Half the impact of my storm.

Case #3: Evildoers mount a sustained, covert, untraceable (ok I'm in sci-fi here) attacks on the DNS infrastructure of the internet block all access to the root server infrastructure. Nobody can figure out what IP goes with "" .

Outcome: Write this down ( Well, what really happens is that the ISP who serves you already has a non-authoritative DNS that it uses to reduce outbound bandwidth. Those folks simply become the decentralized source of your DNS. It doesn't propagate as quickly, and so now it takes a month before some new domain name works everywhere. The Internet is less cool, and the DNS admin industry (or mafia, depending on your point of view) wants somebody's head on a platter. The rest of us are back on the internet, and maybe there is a story on page 6 when the evildoer dies in a house fire with a horse's head on his bed, to mix my mafia metaphors.

Bottom line, Where's the real disaster? It's not time for the annual April 1 contest, but we need to figure out what these generals could be talking about. If it's sci-fi, then it needs to go back to the fiction section.

WWII was an attempt to destroy society, and at least some folks thought the use of nuclear weapons was a reasonable tactic. I want to read the cyber problem for which folks think a 50TJ nuclear blast is the appropriate response. I just don't think it exists.

# # # # # # # # # #

Amen! to that!

As a retired Army Officer I can't say too much negative about General Dempsey, he is after all an Armor Officer, but really? Several Bronze Stars, with "V" for Valor? Other veteran readers hopefully will share my skepticism.


As always, when you want to separate the wheat from the chaff, ask Bruce Schneier (he's the quintessential Chuck Norris of INFOSEC):

Thursday, April 26, 2012

REAL WORLD SOA APPLICATION SECURITY -- PART TWO: Authentication (AuthN) matters, really (no...really)

When we started on our SOA ERP/CRM System Project, I was amazed by the sheer volume of hand wringing from our SOA vendor about "security".

Their flagship SOA security project was an OEM from "AmberPoint", when SUN purchased AmberPoint, well, that went out the window. So, not being dead from the neck up, I went looking for options (though my vendor assured me that, within two years, they would have a replacement product that would be amazing! Eighteen months later, I am still waiting, to be amazed that is).

In the world of SOA security, there are many players, but a few really stand out. We have a substantial investment in Oracle products, some that have been implemented well, some that have not been implemented well. To be fair, Oracle stuff, by and large works as advertised, and then some, if you can stomach the price point. From my vantage point, it was not about cost, but about risk. What would be the risk of having our authoritative source for the user object having an Oracle System of Record (SOR) and the authoritative source for authentication being an Oracle product?

Too much for my blood. Something about eggs and baskets my Mother taught me about.

We then bumped into a vendor, "Layer 7 Technologies". From a due diligence perspective, we had a side-by-side bake off: Oracle Corporate, with some excellent Systems Engineering talent; and Layer 7 Tech with their top Ninja, "Ben". Some high stakes technical guy, dog on the street butt sniffin' later, we had validated that the Layer 7 SOA Gateway would meet or exceed all our CY 2011 ~ 2013 requirements.

So, being good Corporate Citizens, we scheduled a "bake off". NOTE TO SELF: Never bring a feather duster to a knife fight.

After the bake off, during the integration proof of concept (POC) the Oracle integrator (name withheld to protect the innocent) with five weeks of prep time, could not stand up the Oracle Identity Mgmt Suite during the five day on site POC. Finally, on day five, at 6PM, the system engineer from Layer 7 walked the Oracle integrator team members thru setting up their products and they were able to connect (this did though, highlight the level of expertise that Layer 7 brought to the dance). Needless to say, I went looking for another integrator on Monday morning.

That leads me to the most stellar Identity Management Integrator team I have ever worked with, IDMWORKS, (but that is another story...).

So, our ERP/CRM application we are building is replacing a pool of ERP/CRM systems in use by companies we've purchased over the last fifteen years (one ring to rule them all!). When we purchase someone, it's about profit (as it should be) so we are slow to re-brand them (or mess with them), as long as they stay profitable. If that slips, we assimilate them in a BORG'ish fashion. So, the short version: our shiny new web user interface requires the consumer/user to enter their USERID in the form of an LDAP "UserPrincipalName" (UPN), which allows the system to differentiate an external actor in an easy manner. Our logon sequence has a few steps:

(1.) we validate the credentials from our Apache front end;

(2.) we pass these thru our Layer 7 SOA Gateway (recursive data validation and payload inspection) via SSL;

(3.) then Layer 7 hands the credentials off to Oracle Virtual Directory(OVD) over SSL;

(4.) then OVD passes the credentials to Oracle Internet Directory (OID) (this step will make integration with Oracle Financials later, easier) over SSL;

(5.) then OID uses the credentials to bind to Microsoft Active Directory, over SSL. If the bind is successful, OVD queries it's subordinate ATTRIBUTE stores for ATTRIBUTES associated with the UPN and passes this back to the web U/I which caches the ATTRIBUTE(s) and/or ENTITLEMENTS.

The web U/I can use the cached ROLE and ENTITLEMENT data, based on the relative risk rating of the business process and associated SERVICE(s) and/or OPERATION(s). The web U/I does some rudimentary ROLE to UPN, ATTRIBUTE matching before passing a request to a back end SERVICE or OPERATION, however, our Layer 7 SOA gateway protects each service and/or operation individually by validating the ROLE, UPN and/or ENTITLEMENT ATTRIBUTE data presented (as well as the source of the request), before allowing the customer/user to call the back end SERVICE or OPERATION.

This pattern is in response to several OWASP "top ten risks".

For inter-process or service to service communications we require a UML Sequence Diagram from the development team to document the communication pattern and AUTHENTICATION token requirements, before we can set up and enforce technical controls between these forms of system level communications. Our Layer 7 SOA Gateway device(s) can craft a custom token (STS) based on the WSDL of the SERVICE or OPERATION being consumed.

### More on this topic later ###


Michael Becher's excellent and timely reference on Web Application Firewalls:

Erl Thomas on SOA GOvernance, another timeless reference:

Thursday, April 19, 2012


"...Every great magic trick consists of three parts or acts..."

The first part is called "The Pledge". The magician shows you something ordinary: a deck of cards, a bird or a man. He shows you this object. Perhaps he asks you to inspect it to see if it is indeed real, unaltered, normal. But of course... it probably isn't.

The second act is called "The Turn". The magician takes the ordinary something and makes it do something extraordinary. Now you're looking for the secret... but you won't find it, because of course you're not really looking. You don't really want to know. You want to be fooled. But you wouldn't clap yet. Because making something disappear isn't enough; you have to bring it back.

That's why every magic trick has a third act, the hardest part, the part we call "The Prestige." ..."

Wirespeed -- AutnN, AuthZ, SAML, RESTFul Services, Certificate Services, XACML, Cloud Sourced Data, a virtual directory integrating numerous attribute stores, controlling access to master data, etc...with less than two milliseconds of latency?

With 150 SOA services and over 600 operations?

 Across eleven different software development teams, on five continents?

That, my son is the Prestige!

The passing of the "...thin, white Duke..." will be felt for a long, long time...


-- In my INFOSEC Shop we have few rules, but the ones we have are iron clad:

(1.) No F.U.D., ever;

(2.) If you don't have a business driver, then it's a Science Fair Project and we don't do that;

(3.) If you can't take the time to refine your requirements, we have a problem;

(4.) Everyone On the INFOSEC team is a customer service professional first, if the CISO can go to an employees desk to answer questions, you better believe you can too. Our customer service mindset is a non-negotiable condition of employment, if you can't live it, you won't be happy here, and I want my folks to be happy here.

It's no secret that I have a military background. Some would say that that has a downside in the Corporate Boardroom, I'm not sure that I agree. It teaches you how to lead people, NOT manage people. You can manage resources: budget; widgets; time, but not people. People are smart, they will allow themselves to be lead, by a leader that they respect. If they don't respect you, they will fight you, passive aggressive behaviors will set in and then comes entropy.

As a leader, you cannot be the sheepdog with your people, you need to be the wolf. If you have people that cannot be motivated, you need to cull the heard or the productive people will notice and know that you are weak and tolerant of non-performers.

Every non-performer makes the workload of each performer that much harder. Tolerating sub-par performance creates a poor work environment for your team.

Remember why, you, the leader were hired, to deliver RESULTS, not to molly coddle under achievers.

Granted, there is probably a seat for everyone at the great banquet table of life, that is any large Corporation. Let the under achievers migrate to, say, the HR Department?

Holy Cow! Did I say that out loud?!?!


An excellent book by a man who knows what it means to lead from the front, Mr. Kyle Lamb:

My all time favorite, and timeless reference on the Art of Leadership:

REAL WORLD SOA APPLICATION SECURITY -- PART ONE: gain and maintain, vendor control.

"...The stories you are about to hear are true, the names have been changed to protect the innocent..."

What do I mean by, "...gain and maintain, vendor control?..". It's a take off of the sales guy mantra, "...gain and maintain, customer control...". I once sold Encyclopedia's for a living (after watching, "Glengary, Glenross", I just had to experience this mindset on my own). People who make their paycheck, selling you stuff are a unique category of life form, we classify them as human, but this, in retrospect, may be a mistake. When we started down this path with our main "...two second advantage..." vendor, they put their hearts and souls into a valiant attempt to "...gain and maintain, customer control...". When they finally realized that WE had turned the tables, and "...gained vendor control....", the look on their faces told me that we had crushed their very souls. Oh well. They aren't paying me, my current employer is paying me, to deliver.

The crying, hand wringing, and actual screaming by the vendor employees was impressive. At the end of a meeting on Information Security Planning, one of the lead vendor System Engineers stayed behind, closed the door and told me (while screaming), "...I hate you, I hate working with you, I hate every breath I have to take on this project...", he was quite animated and quite serious. He actualy looked releived when Security walked him off the property that day, the stress of having to actualy deliver and NOT dictate to the customer was more than he could bear.

The primary vendor's issue was that, " one does security like that!...", oh, well we are going to do it that way, "...we do security for Banks for crying out loud and even they don't want this much security...", oh, well I came from two of the worlds largest financial services institutions and sadly for YOU, I refuse to recreate the mistakes I saw there! In the end, the CIO and CTO backed my play with the purse strings and off we went. After briefing the CIO and CTO this week on progress with the Global User Provisioning Project (based on Oracle's IDM stack, more on this later), they were ecstatic, INFOSEC that delivers key business functionality is a new dynamic in the Board Room, bundle that with zero tolerance for F.U.D. and people get kinda jiggy about INFOSEC, it warms the cockles of my cold dark heart.

Sadly (for them)[my vendor], our approach to SOA and Web Services Security (right out of the OWASP and OASIS-OPEN playbooks) slowly began to gain traction, and surprisingly, that tired old horse, actually waddled over to the trough and began to drink [the vendor that is].

Over the last two years, we've made dramatic strides to the point where we had a nice, relaxing lunch meeting with that Vendor, and a few other big dogs in the Identity Mgmt space and our primary vendor offered, on their own dime, to code up a XACML PeP to live in their JAVA Message Bus. No doubt, they have big plans for selling this to other customers, no doubt they will forget all about that quiet afternoon long lunch, but in the end, it's all about business requirements and results.

I wonder where that screaming vendor System Engineer is now?...


"SOA Security" an outstanding reference by Mr. Ramarao Kanneganti, available on Amazon here:

"Total Vendor Management: getting what you pay for" by ICN Inc, is also another excellent reference:


There is an amazing dichotomy to all things Human Resources.

There is what we think the HR Department is there for, and what the HR Department is really there for. Not to mention the wise old Warrant Officer truism, "...there are always three sides to every story: yours; mine; and the cold, hard, inconvenient truth.

Our Company, though it's been around now for over seventy years now, has not taken the HR functions particularly seriously. PII data protection aside, we've always been pretty loosey goosey about employee data. This is manageable though. The real problems come from beauracracy for the sake of beauracracy. The Harvard Business review's number one reason that employees leave their current employer.

Human nature is so, sadly predictable by those of us with children.

If you don't get what you want by asking Mommy, go ask Daddy. Why is it that the folks that inhabit the dark cabal of the HR Department, forget these basic tenets of human nature when they walk through the doors in the morning, on the way to the coffee machine?

As an International Company, our propensity to foster the "...absentee Manager..." dynamic, just exacerbates the problems, like David Bowie so aptly put it, "'s like putting out a fire, .... with gasoline...".

Our INFOSEC team is hard at work doing a XACML implementation in our home grown SOA Services, ERP/CRM system. They are learning alot and making daily break through's. But they are not alone, like most business's today, we form matrix'd teams that are task organized, coming together for projects or chunks of projects.

And, if you are the absentee Manager of one of these matrix'd teams, and you're on site, those very same front line leaders are working on their loaner brains (well, the cat IS away...).

How do you hold folks feet to the fire?

How do you (parents, cover your children's ears please) hold folks RESPONSIBLE for their tasks?

Not easy in our overly "political correct" world of today...because, when you attempt to hold them responsible (which is by the way, the filthiest work in the English language, RESPONSIBILITY!)...they run to the HR Department and file a compliant.

Yes, (insert heavy sigh and eye rolling here), the minions don't really like working for a living, so they file a complaint with the HR Department, and the HR folks, stampede to the kitchen to search for a bigger spoon with which to lap up the complaints. What can I say? After explaining to the HR folks that since the complainer, actually sat in a daily meeting for thirty days, I oddly enough assumed that they clearly understood their role, deliverable's and responsibilities in the project. Imagine my surprise after being told that this was NOT the case (not a reasonable expectation on my part??), and that since I thought that it WAS the case, I would be enrolled in "...sensitivity training..."? This is not a joke...

Needless to say, I will be a wee bit "...HR prickly..." for a while, but, INFOSEC in general is a thankless business. If you can't pat yourself on the back and like it, you need another job.