Archive for December, 2010

Security Trends

Dec 29

I have been around computers for most of my life and for the past ten years I have been involved in corporate IT on both the network side and the programming side. I was reflecting on some of the changes and trends over the past decade and thought I would share them.

  1. We have realized that network security is important. Every organization I visit seems to have a firewall, antivirus, and windows updates turned on. Ten years ago it was every computer was connected straight to the internet with an exposed c$ share it seems like. Finally most corporate (and many home users) seem to have taken some basic security measures.
  2. Users still click on anything that pops up on the screen until they get the application/website to work. I have tried to educate people on this but it has become apparent to many of us in the industry that users just want things to work and it only when they go wrong that they care. For instance, my parents install every plugin they are prompted to as they feel that if it was bad their antivirus would catch it. I don’t fault them for it, it is just human nature. We expect the locks on our house to keep people out when it is simple to smash a window (or cut a hole in the wall). We are coming around the corner on this one and seeing that we can’t educate everyone and things need to just be more secure by default and leak less information.
  3. People care a lot more about their privacy now. People also don’t realize that most places gathering information don’t care about you as a person, they care about you as a demographic. Granted it is not a happy thought to know how much info about you is floating around but if it personalizes my searches and shows me advertisements for things I am interested in so what? It is only an issue (to me) if that information is used for nefarious purposes.
  4. Many more technologies are shipping with a more “secure by default” mentality. The *nix/bsd attitude has been like this since I can remember and Microsoft has really turned a corner and secured their products. I remember when a new client would tell us they were running an IIS server and we would just laugh, wipe the box, and install FreeBSD/Apache for them. Nowdays I only laugh when people have an Adobe product installed (we all do… so ha ha). Adobe has realized that this is starting to hurt them and are making a big security push like MS did years ago.
  5. Schools have not taught about security and they still don’t. I see a bit of growth in this area but I feel this is incredibly lacking. Every time I give a presentation and ask how many people don’t know about SQL injection someone still raises their hands. It is not acceptable to have developers that don’t even know about the most basic/common security holes and how to prevent them. It is like hiring an electrician that does not know how to use a circuit breaker: they might get by for years without an incident but it is bound to happen eventually.
  6. Phishing/scams/chain letters has risen and fallen a lot. I find most people I talk to realize that people are trying to scam them (or will ask others to see if it is a scam) and that they know if they don’t forward this message to ten other people a kitten will die (except for my sister). 
  7. Piracy became common place. Back in the day it was technically difficult to find the software/music/movies and then crack it if necessary. Now my grandma can run a P2P client (or the vast array of other tools) to get her favorite songs. It is common place and it is sad. Not because I love big rich Hollywood types that complain about the money being stolen from them as they drive through Starbucks in a gold plated Bently. It is the fact that for such a huge market that they continually fail to make it simple to get the content we want quickly, conveniently, and be able to use it how we see fit. If I ran an ice cream store and everyone wanted paint flavored ice cream served off a piece of copper pipe you would see me at the hardware store every day. I think they are starting to get it and I hope to see some progress there so that everyone is happy (except me…. until I get a gold plated Starbucks).
  8. The goal of software development was and still is for the most part to deliver working software. Security takes a huge back seat and is almost never a first class citizen. I don’t see this trend changing much. The nice thing is that many languages are shipping in a more secure configuration which helps developers not leave as many gaping holes but I still feel that education is very important for developers.
Filed Under: General, Security

Fluent Build – Unreleased Features

Dec 24

There are some features not included with the current beta but are available if you download from source.

TeamCityPlugin
This is a plugin that I wrote that allows TeamCity to work with FluentBuild. TeamCity plugins are written in Java and I am not a Java developer but it seems to work quite well in my environment(s) so far but I am still not 100% confident to officially release it.

BuildFileConverter
For my testing I was converting peoples NAnt scripts by hand and it started to get pretty tedious. I decided to create a really quick and dirty converter application. The application works fairly well to get the initial conversion from nant to FB. It will create your variables (and attempting to determine if they are BuildFolders or BuildArtifacts), initialize them, and create methods for each build target that you had. It does not parse build targets and convert them to FB syntax yet though.

BuildUI
I always found reading output on the command line was a pain so I started working on a UI component to run builds. It is in its very early stages but it is much nicer than using most command line applications I hope.

Where these features will go, I am not sure but if you want to play around with them then feel free.

Filed Under: FluentBuild

Fluent Build Beta

Dec 19

For those of you that follow me on twitter (@gotwoods is my handle) you may have seen that I have been working on a new open source project called FluentBuild which I am happy to announce is in Beta. This project has kept me quite busy lately but the core of the app is now done.

FluentBuild is a .NET fluent language around builds. It makes doing builds way easier than in Nant, MsBuild, and (in my mind) other build languages. With it you can now write a build file in C# (other language support on the way) within visual studio which allows you to get intellisense, refactoring support, and you are even able to debug your build files.

The project site is http://code.google.com/p/fluent-build/

I just finished putting together a demo video. I recorded my screen at high resolution so full screen viewing is recommended and the volume recorded a bit loud so turn down your speakers to start.

 

Filed Under: FluentBuild

WCF Security – Part 1: Message & Transport Security

Dec 16

WCF has a huge security component to it (as rightly it should). The technology is massively configurable to support almost any security scenario one can dream up. Unfortunately this also makes it massively hard to learn and implement successfully and many developers tend to work around the security rather than learn how to implement it correctly. With a bit of knowledge WCF security is not nearly as intimidating as one may think.

There are several security concerns to deal with in any communication technology. The top two most common concerns  are: making sure that no one can read, modify, or replay a sensitive message and ensuring that a caller is authenticated  to use the system and authorized to access the resources they are allowed to access (and denied access to the ones they are not allowed to access of course). The other concerns are usually around Availability (i.e. making sure the service is resistant to Denial Of Service attacks) and Auditing (being able to log and monitor security events).

Message Protection

Protection of the traffic in transit is easy to use and is typically turned on by default (basicHTTPBinding has no security by default). There are two choices to make with securing traffic: Transport or Message security. Transport security relies on security builtin to the protocol you are using (e.g. HTTPS for HTTPBindings and TLS for TCP bindings). Message security lets WCF sign and encrypt messages and then sends it across the transport.

Transport Security:
+Interoperability: Neither party in a communication need to support WS-Security specifications
+Potentially better performance
-Security is point to point. If a message is routed through an intermediary it will not be guaranteed to be secure (i.e. many load balancers accept SSL traffic, decrypt it, and send it unencrypted to a node in its array)
-Supports a smaller set of credentials and claims used for authentication
-All or nothing: A message is either encrypted or it is not

Message Security:
+End to end security: message security survives being routed through intermediaries
+Allows partial message signing/encryption so that only messages that need protection can be protected
+Transport independent: Message security can be used with any transport protocol
+supports a large set of credentials and claims
-May reduce performance as each message is secured and can not take advantage of hardware acceleration
-Not as interoperable as both sides must implement the WS-Security specification

 

Binding

Transport mode support

Message mode support

basicHTTPBinding

HTTPS

HTTP basic authentication
WS-Security

wsHTTPBinding

HTTPS

WS-Security
SOAP message with credentials sent over HTTPS transport security

wsDualHTTPBinding

None

WS-Security

netTCPBinding

TLS over TCP

WS-Security

netNamedPipeBinding

Negotiated (best compatible support is used)

None

netMSMQBinding

RC4 or AES (default is RC4). Messages signed with receiving queues public certificate.

WS-Security

wsFederationHttpBinding

HTTPS

WS-Security

 

There are also a few other approaches as well. There is the hybrid TransportWithMessageCredential which the client credentials are provided at the message level and the remainder (the message itself and service authentication) is secured by the transport. The other type is TransportCredentialOnly which is ONLY for basicHTTPBinding that does mutual authentication at the transport level.    

Binding

Transport mode support

Message mode support

TransportWithMessageCredential support

BasicHttpBinding

Yes

Yes

Yes

WSHttpBinding

Yes

Yes

Yes

WSDualHttpBinding

No

Yes

No

NetTcpBinding

Yes

Yes

Yes

NetNamedPipeBinding

Yes

No

No

NetMsmqBinding

Yes

Yes

No

MsmqIntegrationBinding

Yes

No

No

wsFederationHttpBinding

No

Yes

Yes

From http://msdn.microsoft.com/en-us/library/ms731172.aspx

Up Next: Authentication


Filed Under: Security, WCF