Application or software security is a field of infinite complexity. All of us know that where there is complexity, security issues lurk around in those dark corners. This post is about my ramblings on how I believe Application Security and Incident Response need to come together to handle incidents. As usual, I make references to the cloud because that’s what I do for my day job but the argument is remarkably similar even for on-premises companies that are not in the cloud.

First came the test….

When software fails, before it is deployed, it is typically deemed to be a “safe” failure i.e., someone who is looking can do something about it. In the cloud, what makes software development easy is that the cloud makes it easy for people to look. In AWS, for example, you have Cloudwatch and you also have things like liveness checks in Load balancers which can “trigger” events and you can create “operational handlers” for those trigger events via technologies like AWS Lambda and AWS Eventbridge. This is not new to security people. For as long as I can remember, Security operations and IT Ops teams (from the pre “cyber” days), always had runbooks on what to do when something did not work as expected. Today, this happens a lot as the complexity of software has increased. The software engineers need to ensure that they have “eyes” in their test environment even more than they have in production because, quite frankly, they can have as much instrumentation as they want in the test environments because who cares if there is a minor performance impact. It’s important to re-architect so that there is no impact due to observability but you can still go to town as long as the means justify the ends. Keeping a close eye on test failures, helps avoid failures in production – this is all captain obvious advice. So in the cloud, what does that translate to? In the cloud, you can tag resources and you can have separate dashboards for those tags. Ensuring that you pay a close attention to “thresholds” on when to alert and what to do when certain measures / thresholds hit. You can also get creative in using anomaly detection tooling or “Machine Learning” (there … I said it!). The core point being – the more you are observing your test environment, the less failures you see in production. And when you see less failures in production you can do what I am going to talk about next.

Then came the failure…

When software fails in production, assuming you have been diligent in your testing and have encountered “exception handlers” either in code or in operations, it is categorized as an incident. While operational incidents are just as important and may have as much impact as security incidents, I will restrict this discussion to security incidents (because that’s what I do). What sets apart organizations such as AWS and other mature software shops from the rest of them is their rigor and approach of blameless post-mortems on security incidents. Everyone, loves to say “there will be no finger pointing” but in reality that’s really, really difficult to implement and that’s where the culture of fact-finding has a big impact on “getting to the bottom of it”. A security incident *never* happens without an error on someone’s part – this is critical to recognize. For a security incident to happen, someone had to make a mistake but its important to realize that in the security world, there is no exact science so mistakes are inevitable – what “security maturity” means is how you don’t make a knee-jerk reaction (aka scorched earth mentality) and recover from it stronger. The more maturity companies show in diving into whether the security incident involved a requirements error, design error, implementation error or deployment error tells application development teams where they can improve their development process and also tells their Application security engineers where they can improve their pre-deployment checkers or integration tests as well as areas where tooling is developed to detect deviations from security expectations (or “security invariants”). This also tells the development teams, where they can improve their developer tooling so the misses don’t recur. Also, the operations teams should determine where their checkers can do better and how the response times can be reduced to say half of what it took. Asking the question “why?” repeatedly on reasoning about the events during an incident can give a unique insight on how to improve.

Then came the win!

The situation where the AppSec, AppDev, SecOps, IT Ops teams collaborate to ensure they can help each other to do such blameless post-mortems end up having better telemetry, better tooling process, better detection when something goes wrong (“alerts”) and also a healthier environment of positive feedback. No one is blameless, recognize it, improve from it and help each other for better organizational security.

Yesterday the whole day was spent in trying to go through the Nutch source code. Chris and Ashish helped me out alongwith this link
Dissecting the Nutch Crawler. This showed me that :
The file Fetcher.java has a reference to the “content” variable (which is of type Content). I found that initially only the URLs are stored during the crawl, then a request is sent. Then based on the MIME type of the content returned, the ParserFactory class creates a parser (html parser, pdf parser etc.). The code for these parsers can be found at nutch-0.6/src/plugin/. These plugins do the parsing and get the content as a “Parse” object. Using the Parse.getText() method (which we also felt was interesting) we can get the text content of any page!!!!!

This is not a post but nostalgia. This post is actually a transcript of the first interview of my life. It was for a top Indian Software Consultancy Company (referred to as “XYZ” from now on). I remember that it was July 9th, 2001 and it was a really rainy day in Bombay. While coming to the college I was totally drenched and was looking rather distraught! I cleared the aptitude test and then came the Big One – The Interview!
I went to the interview thinking that i wanted to completely screw up the interview (coz I was interested in some other company) so i went there casually dressed with a demonic smile on my face >:-) . In hindsight, I think the way I appeared for this interview was really gutsy for me and I probably couldn’t have done that had I been craving to get a job in this company. Here is the transcript of the interview.

XYZ: So Mr Rajat … tell me about urself and ur family in *short*
Me : In the year 1980 i was born in allahabad and spent the initial yrs of mylife in blah blah blah ….and completed my schooling in Shree Ram Welfare Society’s High School, Andheri(W), Mumbai . therafter i went to Sathaye College….(blah blah blah) and i came to this college thinking that this college would be good.
XYZ: & how did u find this college?
Me : (thinkin for a while and then with a heavy heart ) ok !
XYZ: Rajat y did u chose our company (XYZ) instead of other companies.
Me : i did not choose XYZ i’ve just come for this interview ! In fact u guys have come to our college (for on-campus placements) i haven’t come for this interview.
XYZ: but would u like to join our co.?
Me: i’ve come for this interview ! what does this indicate to u?
XYZ: give me one reason why u want to join XYZ?
Me: i don’t want join XYZ… i’ll goto any other co. that comes next…as a matter of fact any other co. will take me!
XYZ: Mr Rajat in this form (these guys had given us a form to fill in whichwe were supposed to write the salary we desired which i forgot to fill… oops faux pas ? well not quite) which we have given to u , uhaven’t mentioned the salary u want…. what r ur expectations?
Me : I want more!
XYZ: MORE !%#$%$#$ y do u want more?
Me: because i know i’m worth it!
XYZ: u say so but it is for us to see whether u r worth it!
Me: put me to test and i’ll prove i’m worth it !
XYZ: but why do u want more ?
Me : everybody wants more so what is wrong if i want more!(the guy seems to be pissed off to my delight)
XYZ: but u must be having some expectations , don’t u?
Me : yes of course , i have . but u r not gonna live up to them. u had made it quite clear the salary u’ll be offering to us … so it doesn’t matter what my expectations are u r gonna give only what *you* want to give us , so there rests the matter.
XYZ: tell me about this person whom u know & works in XYZ.
Me : He is my cousin and he stays at andheri.
XYZ: so what have u heard from him about our co. ?
Me : NOTHING!
XYZ: but u might have heard something at least!!!!!
ME : we meet at social gatherings and the last thing we want to speak about is XYZ!!!
XYZ: ok tell me about ur project … this assembler
Me : blah blah blah
XYZ: ok … so in ur form u write u want “A GOOD NETWORKING PROJECT PREFERABLY BASED ON NETWORK SECURITY” . what do u know about networking?
Me : NOTHING!
XYZ: (a very surprised Mr. Sleepy said) NOTHING !?!? then how can u say u want a project in it?
Me: well , i’ve attended a few seminars @ IIT and it ensured me that that was the only field i’m interested in.
XYZ: then ur interest may change after studying the subject!
Me : No, it won’t change!!!!
XYZ: wat do u know bout networkin?
Me: latest happenings … blah blah blah
XYZ: suppose that we don’t have a project in network securities for you then what will u do?
Me: i have written that it is my ambition to work on a networking project…AMBITIONS ARE NOT ALWAYS FULFILLED.
XYZ: Rajat … there is a rule in ur college that if u get 1 co. u r noteligible for the rest.we offer u 16k .. so if tomorrow infosys comes and offers u 20k wat will u do?
Me : I WILL GO !!!!!
XYZ: u’ll go !?! that means you are after money ?
Me : who said that !? i never said that ! i want more money but more important than that is the work environment & the kind of projects i get. if i getbetter projects there i’ll go money is secondary but still important .
XYZ: (as if trying to juistify a lesser salary) u know rajat that on paper their (Infosys) salary may look large but 20% blah blah blah ….. 12.5 % blahblah blah …6% blah blah blah … (and lots more statistics which lasted foran eternity as far as my viewpoint goes)
XYZ: do u realise that XYZ has a 3yr. service agreement or u r chargedRs.50,000/- . what are your feelings about that?
Me : it is absolutely wrong.
XYZ: why?
Me: The word “bond” itself says that u r “bound” to the co. no matter what.
XYZ: that is why we don’t call it a “bond” we call it a “service agreement”.
Me: ok…that’s just another name for it. i personally think that instead of”binding” people to ur co. u should create such an environment that people like to stay in ur co. with their wishes and so the co. will benefit if peoplework with their wishes.
XYZ: do u havre any questions for us?
Me: yes , sir i do! in ur qns a few minutes back u mentioned infosys and in ur pre-placement talks u said u r no.1 software co. of india. how can u say thatwhen all that we see in the newspapers is infosys and with u comparing urself to infosys?
XYZ: infosys is 12% blah blah blah … 19% blah blah blah …(and lots morestatistics that made me feel as miserable as our indian cricket team witheverything out of control)does that answer ur qn?
Me: ya! sir may i ask another question ?
XYZ: ya sure! (with some uneasiness)
Me: sir, this yr. we have seen our seniors get whole lot of “back out” letters! what r ur feelings about that?
XYZ: OUR FEELINGS !!??!
Me: i mean r u people going to do the same with us?
XYZ: (i think this was it and he lost his complete cool and he pointed to me & said sternly) till this date our company has not given any “back-out” letters to anybody.
Me: Thank u .sir. it was a pleasure!

This was the first interview of my life and I ended up getting selected for this company. It was a great experience working there and I realized that money is not everything! At the end of it I think I was not rude but dangerously honest in giving my answers and this plan could have backfired on me but it didn’t … may be I was lucky or may be this was destiny!

Cisco ASDM is quirky in the sense that if the right Java version is not found it will just puke with errors that make no sense. This is what my java log looks like:
Application Logging Started at Fri Aug 01 11:01:11 EDT 2010
---------------------------------------------
Local Launcher Version = 1.5.41
Local Launcher Version Display = 1.5(41)
Cannot read profile file C:\Documents and Settings\abcdef\.asdm\data\deviceinfo.conf.
OK button clicked
Trying for ASDM Version file; url = https://www.example.com/admin/
Server Version = 6.2(1)
Server Launcher Version = 1.5.41, size = 476672 bytes
Launcher version checking is successful.
invoking SGZ Loader..
Cache location = C:/Documents and Settings/abcdef/.asdm/cache
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NoSuchFieldError: b
at dac.setLevel(dac.java:65)
at dac.(dac.java:44)
at gd.(gd.java:78)
at f5.a(f5.java:117)
at com.cisco.dmcommon.util.DMCommonEnv.(DMCommonEnv.java:38)
at com.cisco.pdm.PDMApplet.updateProgress(PDMApplet.java:300)
at com.cisco.pdm.PDMApplet.init(PDMApplet.java:63)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:409)
It happens because the ASDM launcher is not capable of running on newer JVMs. Since I had older JVMs, I went into Control Panel -> Java. Click on the Java tab, followed by clicking the “view” button. This will show you the current JVM being used. If you have older JVMs click on Find (you will have to select the folder where you suspect older JVMs to be…which in my case was c:\Program Files). If you don’t find an older JVM then just install an older version and it will work.

I started downloading rainbow tables LM Hashes for all symbols. They were 120 GB big and were available for download via torrent. But I’d been stuck at 92.2% of the download forever thinking that there were no seeders. As it turns out, the problem was in the torrent file. The torrent for the 120 GB LM Hashes all symbols can be obtained from 120 GB LM Hashes [all english characters] Rainbow Tables.

A simple way to install Backtrack 4 on a USB stick is to use UNetBootin. UNetbootin can be used to create live (i.e., bootable images with a fully functional OS on it) USB images. This is the first time I tried this route and it seems to work alright.
Otherwise, if you are the linux fans, our good old friend dd does a great job.

dd if=bt4-final.iso of=/dev/sda bs=4096 conv=noerror,sync

If you are installing Windows Driver Kit (WDK) from Microsoft and you choose to install the Device Simulation Framework (DSF) for USB and such devices, then you need to have the DCOM Server Process Launcher service running otherwise you get errors as cryptic as:
Unexpected Installation Error. Error in installing.
I wish there was more information that could be given in the error. Since I figured this out with only trial and error, I thought I’ll post the solution to this error.