[ISN] Kaminsky Issues Developer Tool To Kill Injection Bugs

From: InfoSec News (alerts@infosecnews.org)
Date: Wed Jun 16 2010 - 00:22:44 CDT


http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225700088

By Kelly Jackson Higgins
DarkReading
June 14, 2010

Renowned security researcher Dan Kaminsky today went public with the
launch of a new venture as well as its first deliverable -- a tool for
application developers that helps prevent pervasive string
injection-type attacks, such as SQL injection and cross-site scripting
(XSS).

Kaminsky says his New York-based startup, Recursion Ventures, will
productize research that breaks new ground in security and in
technology generally. Its first deliverable is Interpolique, a tool
that offloads much of the security responsibility from the developer,
which he considers crucial to producing more secure applications.
"Security development tends not to care how inconvenient it is for
developers," Kaminsky says. "[This is] about meeting developers
halfway."

The trouble with today's model for writing more secure code and
sidestepping known injection attacks, Kaminsky says, is it makes
development much more difficult and requires more work for developers.
The result: Developers often don't bother adopting these practices at
all, resulting in insecure code, he says. "A lot of advice we give in
security tells people to write things in a way that makes code hard to
work with and use ... I think that's unnecessary," he says. "Our hope is
to make an easier way to write code that's also the most secure."

Interpolique -- which was released for security researchers and IT
staff to examine and analyze, not for production use -- is essentially
a framework that lets developers keep writing code the way they always
have, with a tool that keeps them from inadvertently leaving string
injection flaws in it. Developers mark each variable they interpolate
into a string with a prefix, with no major change to their coding
style, he says. The tool then encodes the interpolated data
automatically, so that the resulting strings cannot be easily abused by
attackers.
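A sketch of the approach the article describes, written for this page and not taken from Interpolique's own code. The article does not give Interpolique's syntax or encoding, so the `^^name` marker, the base64 encoding of SQL values and the use of MySQL's `FROM_BASE64()` (present since MySQL 5.6) as the database-side decoder are assumptions for this example, as is the HTML variant. The point it demonstrates is the one the paragraph makes: the developer still writes an ordinary template string, and a rewriter, not the developer, picks an encoding under which no character of the interpolated value can become SQL or HTML syntax.

```python
"""
Illustrative Interpolique-style rewriter (added example, not Interpolique's code).

Assumptions, not taken from the article:
  * a variable reference inside a template is written as ^^name
  * for SQL sinks each reference becomes FROM_BASE64('<base64>'), so the
    database itself decodes the value; base64 output is only [A-Za-z0-9+/=],
    so a quote in user input can never close the literal
  * for HTML sinks each reference becomes an entity-escaped value
"""
import base64
import html
import re

MARKER = re.compile(r"\^\^([A-Za-z_][A-Za-z0-9_]*)")
# A marker wrapped in quotes would turn FROM_BASE64(...) into a string
# literal instead of an expression, so the rewriter rejects that template.
QUOTED_MARKER = re.compile(r"['\"]\^\^|\^\^\w+['\"]")


def naive_sql(template, variables):
    """The 'before' state: plain interpolation. A quote in a value becomes SQL syntax."""
    return MARKER.sub(lambda m: str(variables[m.group(1)]), template)


def sql_literal(value):
    """Encode one value so the database, not the string, draws the boundary around it."""
    encoded = base64.b64encode(str(value).encode("utf-8")).decode("ascii")
    return "FROM_BASE64('%s')" % encoded


def decode_sql_literal(literal):
    """What the database does with the literal; used here to check round-tripping."""
    m = re.fullmatch(r"FROM_BASE64\('([A-Za-z0-9+/=]*)'\)", literal)
    if m is None:
        raise ValueError("not an encoded literal: %r" % literal)
    return base64.b64decode(m.group(1)).decode("utf-8")


def safe_sql(template, variables):
    """Rewrite every ^^name in a SQL template into a self-decoding literal."""
    if QUOTED_MARKER.search(template):
        raise ValueError("^^name stands for the whole value; do not quote it")
    return MARKER.sub(lambda m: sql_literal(variables[m.group(1)]), template)


def safe_html(template, variables):
    """Same marker syntax, different sink: HTML gets entity escaping instead."""
    return MARKER.sub(
        lambda m: html.escape(str(variables[m.group(1)]), quote=True), template
    )


if __name__ == "__main__":
    hostile = "bob' OR '1'='1"  # constructed injection payload
    print(naive_sql("SELECT * FROM users WHERE name = '^^name'", {"name": hostile}))
    print(safe_sql("SELECT * FROM users WHERE name = ^^name", {"name": hostile}))
    print(safe_html("<p>Hello ^^name</p>", {"name": "<script>alert(1)</script>"}))
```

Running it shows the naive rewrite emitting `name = 'bob' OR '1'='1'`, while the safe rewrite emits a single `FROM_BASE64('...')` expression whose content is alphabet-only; the hostile value survives intact once the database decodes it, but only as data. The quoted-marker check matters in practice: a developer used to writing `'$name'` will write `'^^name'`, and silently producing a wrong query is worse than refusing to build it.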

[...]
