Several months ago I began research into whether or not IPS is up to the task of web application security. In summary, my initial findings were that IPS could very effectively tackle syntax-related web application attacks if IPS products could introduce context into alerting. Specifically, IPS products would have to create vulnerability-based rules that specify the exact location where an application is vulnerable. Sourcefire, in partnership with WhiteHat Security Inc., delivers exactly that capability through a technical partnership that integrates Sourcefire’s SNORT IPS with WhiteHat’s Sentinel vulnerability scanning solution.
Much like WhiteHat’s partnerships with F5, Imperva, and Breach Security (which can be read about here), the integration of Sentinel and Snort technologies allows end-users to correlate highly accurate vulnerability data with protection capabilities. The key is that WhiteHat’s vulnerability scan reports typically do not include any false positives. This allows users to leverage those reports to create traffic-blocking IPS rules with a high level of assurance that those rules will not block legitimate traffic to their web applications. Furthermore, those rules will not produce noisy false-positive alerts within the protection technology. SNORT will benefit drastically from these capabilities, as the ability to detect and block web application attacks has clearly not been its main focus area.
These blocking capabilities are further complemented by the Denim Group who, through partnership with WhiteHat, is largely responsible for the integration between Sourcefire’s SNORT and WhiteHat Sentinel. The Denim Group leverages Sentinel’s open XML Application Programming Interface (API) to deliver additional services offerings and enhanced Source Code Analysis (SCA) integration capabilities. This assists companies in integrating security in multiple levels of an application, particularly in development, assessment, and defense.
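As an added illustration (not code from the original post, Sourcefire, WhiteHat or the Denim Group) of why a location-scoped rule avoids the false positives of a generic one, the Python below turns a constructed scanner finding into a Snort rule pinned to the vulnerable path and parameter and compares it with a generic quote-matching rule over constructed requests. The XML finding layout is an assumed stand-in for a Sentinel export, not its real schema, and the evaluator only mimics the two Snort options the rules use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed scanner finding. The XML layout is an assumed stand-in, not
# WhiteHat Sentinel's real export format: one SQL injection at one location.
FINDING_XML = '<finding class="SQL Injection" path="/account/search" param="q"/>'

RULE_HEAD = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"

def generic_rule(sid):
    """Context-free rule: a quote character anywhere in any request URI."""
    return (f'{RULE_HEAD} (msg:"Generic SQLi quote in URI"; '
            f'flow:to_server,established; pcre:"/(\'|%27)/Ui"; '
            f'classtype:web-application-attack; sid:{sid}; rev:1;)')

def rule_from_finding(xml_text, sid):
    """Vulnerability-based rule scoped to the reported path and parameter."""
    node = ET.fromstring(xml_text)
    path, param = node.get("path"), node.get("param")
    # Quote (raw or percent-encoded) only inside the vulnerable parameter.
    pcre = f"/[?&]{re.escape(param)}=[^&]*('|%27)/Ui"
    return (f'{RULE_HEAD} (msg:"{node.get("class")} at {path} param {param}"; '
            f'flow:to_server,established; content:"{path}"; http_uri; '
            f'pcre:"{pcre}"; classtype:web-application-attack; sid:{sid}; rev:1;)')

def rule_matches(rule, uri):
    """Tiny evaluator for the content/http_uri and pcre options used above.
    Real Snort normalizes the URI buffer first; here the pcre accepts both
    the raw and the %27-encoded quote, so the raw URI is enough to test."""
    content = re.search(r'content:"([^"]*)"; http_uri;', rule)
    if content and content.group(1) not in uri:
        return False
    pcre = re.search(r'pcre:"/(.*)/([A-Za-z]*)";', rule)
    flags = re.IGNORECASE if "i" in pcre.group(2) else 0
    return re.search(pcre.group(1), uri, flags) is not None

# Constructed traffic: one quote injected into the vulnerable parameter, two
# legitimate requests that happen to carry an apostrophe, one benign search.
REQUESTS = [
    "/account/search?q=shoes%27",
    "/blog/post?title=O%27Neil",
    "/account/search?sort=name&q=shoes&ref=O%27Brien",
    "/account/search?q=shoes",
]

def compare(requests=REQUESTS):
    """Return {uri: (generic_hit, scoped_hit)} for every sample request."""
    gen, scoped = generic_rule(1000001), rule_from_finding(FINDING_XML, 1000002)
    return {u: (rule_matches(gen, u), rule_matches(scoped, u)) for u in requests}

if __name__ == "__main__":
    for uri, (g, s) in compare().items():
        print(f"{uri:50} generic={g!s:5} scoped={s}")
```

The generic rule fires on every apostrophe, including the two legitimate names, while the scoped rule fires only on the one parameter the scan reported as injectable.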
Of course, WhiteHat’s partnerships with the Denim Group and Sourcefire are not the only efforts to better address web application protection. Other leaders in IPS have also begun to better address web application security. However, it is my belief that as of the time of this post few vendors have as solid an offering as Sourcefire does when customers are also utilizing WhiteHat Sentinel. IBM ISS probably has the best argument against my previous statement with their heavy focus on SQL Injection, XSS, and file include attacks, and of course their integrations with IBM Rational (particularly in the AppScan group). However, while ISS does integrate with the AppScan web application vulnerability assessment product in order to enhance their IPS, the IBM Rational standard offering does not include manual testing on top of the AppScan product. This service can be purchased; unfortunately, however, it comes at a premium price to the customer. The end result is a greater likelihood of false negatives and false positives in the actual scan, thus offering less protection to customers.
TippingPoint also offers some web application protection in their Web Application Digital Vaccine product through partnership with NTO. However, TippingPoint seems focused exclusively on delivering high quality protection against SQL Injection, XSS, and malicious PHP file includes. While this capability is highly beneficial and does cover the most common web application security attacks, it does not offer the myriad protections that customers could gain by using Sourcefire and WhiteHat products in combination. This may shift as TippingPoint and HP’s Application Security Center become more integrated as part of the HP acquisition of 3Com (TippingPoint’s parent company).
The IT security community is a small world, especially within the vendor community. In the security market it is not uncommon for companies to be staffed by personnel who maintain close relationships with personnel of fierce market competitors. Oftentimes this is because those now-fierce competitors were once co-workers. This is really no surprise, as it is my personal belief that the best security professionals come from environments where they were surrounded by other excellent security professionals. Regardless, in doing a bit of research I have determined that there are industrial centers of excellence that produce highly capable and innovative security professionals. Below are a few of the industrial centers of excellence that I have personally come across (in no particular order).
(IBM) ISS/ISS X-Force
The IBM ISS X-Force is one of the strongest teams of security researchers and developers in the world. More to the point, they are possibly the best team of vulnerability researchers outside of government-sponsored hacker teams. Before the saturation of vulnerability research, it would have been difficult to have an in-depth conversation about the IT security market without talking about the heavy influence of the ISS X-Force. Even major conferences devoted entire tracks to topics that amounted essentially to discussion of what it takes to be an X-Force member. There were certainly other teams similar to the X-Force early on, but few were as large or as prestigious by any means. Today the X-Force still exists, but largely in an environment where vulnerability research is becoming increasingly saturated. Thus, while much of their work is still of an industry-leading caliber, getting the message out is far more difficult. Regardless, the ISS X-Force has graduated many of the industry’s best-known personalities, including a few who have had a major impact on the security market. Below are a few notable areas where ISS and especially X-Force alumni can be found making an impact.
Notable Companies Founded By ISS X-Force Alumni:
- Cambia (now a division of nCircle)
- Endgame Systems
- Errata Security
- SPI Dynamics (now HP Application Security Center)
Notable Companies With ISS X-Force Alumni Working at Top-Levels:
- Axis Capital
- Breach Security
- TopLayer Security
- Immunity Security
- IBM (Obviously)
SPI Dynamics, currently HP Application Security Center, is an industry-leading web application security vendor. In its pre-acquisition form, SPI employed some of the industry’s best and brightest security researchers, product managers, and evangelists. After the acquisition of SPI Dynamics, a number of notable employees left to start their own companies or take on leadership roles within other security firms. Furthermore, HP ASC still employs several notable people, such as SPI founder Caleb Sima and Matt Wood, from whom the industry can still expect big things. While SPI Dynamics could technically be seen as an extension of ISS, as founders Brian Christiansen and Caleb Sima are both ISS alumni, SPI grew into a large enough company and has had enough alumni make an impact on the industry to be noted in its own right. Today SPI alumni can be seen taking on the difficult task of trying to attain application security from very high ranks within notable companies. Furthermore, these professionals have combined with other groups noted in this list to work on avant-garde technologies that the industry should fully expect to see more of in the future.
Notable Companies Founded By SPI Alumni:
- GOTO Metrics LLC
Notable Companies With SPI Alumni Working at Top-Levels:
- FishNet Security
The United States Air Force Computer Emergency Response Team (AFCERT), Office of Special Investigations (AFOSI), and Information Warfare Center
There are several notable US government Computer Emergency Response Teams and Incident Response Teams that are highly recognizable and extremely capable. However, few command the same level of respect as the team that was previously known as the United States Air Force Computer Emergency Response Team. Of the few CERTs, CSIRTs, and CIRTs of such a caliber, I run into AFCERT alumni most often in my analyst coverage. I do not pretend to know why this is the case; it could be because AFCERT has graduated more alumni, or it could be strictly coincidence.
What I do know is that these alumni have made major waves in the information security market, both from a financial perspective and from an industry-wide education perspective. As you may note, I have also included the Air Force Office of Special Investigations and Information Warfare Center in this section. I honestly do not know what the relationship of these teams has been or how closely those specializing in computer security and digital forensic investigations worked together while within the military. I do, however, know that in the private sector, as alumni, they have together produced groundbreaking research and capabilities. I personally spent a great deal of time reading the books and periodicals these alumni have published in order to gain a better understanding of major security issues, especially relating to incident response.
Notable Companies Founded By AFCERT Alumni:
- Denim Group
- Wheel Group (now a part of Cisco)
Notable Companies With AFCERT Alumni Working at Top-Levels:
- Cisco (obviously)
- General Electric
- Bank of America
- Federal Data Systems, Inc.
- Various other defense contractors
@stake (now a part of Symantec, also back on its own in L0pht, and in Veracode)
I honestly do not know how to characterize the @stake story: it’s happy, it’s sad, it’s happy again, I really don’t know. For those who have followed closely, they saw one of the industry’s best security teams swallowed up by the giant that is Symantec. Next, followers saw that team more-or-less fade into oblivion. Then followers saw the @stake team re-emerge in the form of L0pht, iSec Partners, Veracode and others. Each of these organizations produces products or services that are innovative and industry leading. I previously worked in an organization where I am proud to say my colleague purchased the last copy of LC5 before Symantec murd... ugh, discontinued support due to US Government export regulations. Regardless, @stake members have left a heavy footprint on the IT security market from both a business perspective and from a historic perspective. In all honesty, if you have not yet run into some version of SQL Slammer (a worm created based on code demonstrated in an @stake Black Hat presentation) in your studies or in security monitoring, or you haven’t snickered at the backdoor program Back Orifice (a program created by an @stake alumnus), you probably need to hit the security books. (Much of this came from http://en.wikipedia.org/wiki/@stake; yes, I used Wikipedia as a reference.)
Notable Companies Founded By @stake Alumni:
- iSec Partners
- Security Objectives
Notable Companies With @stake Alumni Working at Top-Levels:
- BBN Technologies
- Application Security Inc.
- L.E.K. Consulting
- Safelight Security Advisors
- Forrester Research (although it pains me to do so they are a competitor of mine at EMA, I’ll give a nod to Andy Jaquith)
- Endgame Systems
The NSA / NSA Intern Programs
By this I mean the actual NSA, not an NSA center of excellence or some type of certified academic program. I’ll be honest, this is an arena where I don’t particularly have too much insight, and I don’t want any insight. I’ll merely say this: the NSA has over the years employed a lot of smart people, a lot of smart people. Sometimes these people don’t advertise their work background and sometimes they do. The gentleman who gave me my start in information security very proudly lets people know that he began his career at the NSA. During my analysis I have often heard of graduates of the NSA Summer Intern program and of NSA alumni in general. I do know that these folks have proliferated all throughout the industry, to the extent that I could spend hours listing out all the notable companies they now work for. However, given the cloak-and-dagger nature of the agency, I will merely close with: they could be anywhere (and I hope you realize that’s a joke).
Notable Companies Founded By NSA Alumni:
- Immunity Security
- Stach and Liu
Notable Companies With NSA Alumni Working at Top-Levels:
- Various Defense contractors
- State of Michigan
- Accuvant Labs
Other Notable Organizations that Have Made Major Contributions
- Ernst & Young: Alumni founded several companies, including Foundstone, and now work all throughout industry.
- Trident Data Systems: Alumni founded several companies; Trident Data Systems was also a second stop for many AFCERT alumni. Trident Data Systems alumni also started notable consulting practices, including Deloitte’s security consulting practice within ERS and the Denim Group.
- Various government agencies: Too many to name here, but this again is an environment that has become highly diluted over the years.
- Stanford University: Alumni have founded several notable companies, including Dasient and Coverity.
- Carnegie Mellon: The former home of US-CERT is certainly a top-tier university for security professionals. However, outside of the federal government I run into these graduates less often.
- The Sourcefire Vulnerability Research Team (VRT): This is an extremely passionate team of people who are all focused on security. That many passionate people working together on a regular basis is bound to advance them professionally in their skills, capabilities, and innovative thinking. Although not quite the caliber or maturity of the X-Force, these talents are likely to have a growing impact on industry.
- Trustwave and especially SpiderLabs: Again, a vulnerability research team much like the X-Force, although not quite on the same level of maturity as of yet. Regardless, the SpiderLabs team has been an extremely attractive place for passionate security researchers to land. If these professionals ever leave, they will no doubt have a large effect on the industry (which is easy to say because several of them already have). Alternatively, should they choose to stay at Trustwave, you should expect to hear more about these professionals, who include David Byrne (one of the authors of Grendel-Scan).
- WhiteHat Security: An excellent environment for training web application penetration testers and researchers. Led by Jeremiah Grossman, Arian Evans, Bill Pennington, and previously Trey Ford, WhiteHat is pulling in young talent and training those talents to be better. The program is likely to produce highly qualified people.
- Rapid7: With the acquisition of Metasploit, Rapid7 combines several notable industry figures with a hacker rockstar persona. These are attractive traits for young, passionate security professionals. One could easily expect many talents to migrate towards this company, and should those talents ever leave, they could do very interesting things.
- Any major vulnerability research team, should they have a large exodus: There are a lot of other highly capable vulnerability research teams whose alumni could have a major impact on the security industry should there be any type of exodus. These teams include, but are not limited to, what was formerly McAfee Avert Labs, MSRC, and Trend Micro’s research team.