<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5590031290661119323</id><updated>2011-11-27T16:14:14.284-08:00</updated><title type='text'>Neil Daswani's Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-5271385248767774931</id><published>2009-07-13T10:49:00.000-07:00</published><updated>2009-07-13T10:58:00.839-07:00</updated><title type='text'>Free Stanford Webinar (7/14): The Spread of Web-Based Malware and New Defenses</title><content type='html'>Hi Everyone,&lt;br /&gt;&lt;br /&gt;Please feel free to join us for a free Stanford Webinar tomorrow-- you still have 24 hours remaining to sign up!   
We've got a lot of people signed up already, but the great thing about webinars is that we don't have to limit based upon the amount of space in a physical room!&lt;br /&gt;&lt;br /&gt;Click here to sign up:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://scpd.stanford.edu/search/publicCourseSearchDetails.do?method=load&amp;amp;courseId=4131780"&gt;http://scpd.stanford.edu/search/publicCourseSearchDetails.do?method=load&amp;amp;courseId=4131780&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Title: The Spread of Web-Based Malware and New Defenses&lt;br /&gt;&lt;br /&gt;Abstract: Web sites and web pages have become the new frontier for malware distribution. Over the past two years, there has been a fundamental shift in how malware is distributed -- while teenagers used to write viruses which required users to click on email attachments to propagate, financially motivated cybercriminals now plant malware on legitimate web pages that result in drive-by-downloads when web pages are simply loaded.&lt;br /&gt;&lt;br /&gt;In this talk, I will present newly researched data and statistics surrounding the recent distribution trends of web-based malware. I will talk about what trends mean for information technology professionals and engineers, and the process of building and running web applications. 
Also, I will discuss a variety of existing and novel defenses and their pros and cons, with a focus on how they can be used to prevent, detect, diagnose, and quarantine infections of web applications.&lt;br /&gt;&lt;br /&gt;See you then!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;&lt;a href="http://www.dasient.com/"&gt;http://www.dasient.com&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.neildaswani.com/"&gt;http://www.neildaswani.com/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-5271385248767774931?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/5271385248767774931/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=5271385248767774931' title='77 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/5271385248767774931'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/5271385248767774931'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2009/07/free-stanford-webinar-714-spread-of-web.html' title='Free Stanford Webinar (7/14): The Spread of Web-Based Malware and New Defenses'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' 
src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>77</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-2925327572619568376</id><published>2009-06-16T14:44:00.000-07:00</published><updated>2009-06-16T14:45:37.749-07:00</updated><title type='text'>Introducing Dasient Web Anti-Malware (WAM)</title><content type='html'>posted by Neil Daswani, Ameet Ranadive, and Shariq Rizvi, &lt;br /&gt;Co-Founders, Dasient&lt;br /&gt;&lt;br /&gt;&lt;p&gt;If you've been following our &lt;a href="http://blog.dasient.com"&gt;blog&lt;/a&gt;, you'll know that we've been talking quite a bit about the latest security threats on the web. One of the threats we've been focusing on specifically is web-based malware. This kind of attack -- in which hackers compromise a legitimate site and turn it into a delivery vehicle for drive-by malware downloads -- has long been regarded as an &lt;a href="http://news.zdnet.co.uk/security/0,1000000189,39429909,00.htm"&gt;emerging threat&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;But one look at the numbers makes it clear that this threat has officially arrived: In the last two years, there's been a &lt;a href="http://www.scribd.com/full/16478532?access_key=key-15a2wxzelgqjm6r0kf3r"&gt;600% increase&lt;/a&gt; in the number of malware-infected webpages, and &lt;a href="http://www.pcworld.com/businesscenter/article/144485/security_filters_often_flag_legit_but_infected_sites.html"&gt;80% of those pages are legitimate&lt;/a&gt;.  Google first reported the problem of &lt;a href="http://www.google.com/url?sa=t&amp;source=web&amp;ct=res&amp;cd=1&amp;url=http%3A%2F%2Fresearch.google.com%2Farchive%2Fprovos-2008a.pdf&amp;ei=B543SqjyJJL0MoOi7IwN&amp;rct=j&amp;q=google+all+your+iframes+point+to+us&amp;usg=AFQjCNG6wDgy2BVmSSt3f55wyMW04AqV0Q&amp;sig2=hro7WB2JqEoaJudPEpcvhg"&gt;malware-infected pages exploding from April 2007 to January 2008&lt;/a&gt;.  
Microsoft estimated in an &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&amp;displaylang=en"&gt;April 2009 report&lt;/a&gt; that the total number of legitimate webpages being compromised per month is more than 1 million. And now that search engines like Google and Yahoo; browsers like IE8, Firefox, and Chrome; and desktop AV providers like Norton and McAfee are blacklisting compromised sites, those sites are seeing double-digit losses in traffic and revenue and taking significant hits to their reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Those are just some of the reasons we're proud to be opening up our &lt;a href="http://www.dasient.com/"&gt;Dasient Web Anti-Malware service&lt;/a&gt; to a broader audience today. Dasient Web Anti-Malware -- or "WAM," as we like to call it -- is the world's first complete anti-malware solution for websites. Dasient WAM monitors, automatically identifies, and quarantines malware on websites, before those sites suffer significant losses in traffic, revenue, and reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;We're making the &lt;a href="http://www.dasient.com/"&gt;monitoring and diagnostic elements&lt;/a&gt; of WAM openly available in public beta today, and making the &lt;a href="http://www.dasient.com/"&gt;quarantining&lt;/a&gt; element available in private beta. WAM is available both to site owners and to web hosting providers interested in offering their customers protection against web-based malware. If you want to learn more, jump down to the full text of our news release, which we've included below. If you're ready to get started right away, head &lt;a href="http://www.dasient.com"&gt;here&lt;/a&gt; to sign up for free blacklist monitoring for your site.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;We're excited to be bringing these necessary protections to the web, and are looking forward to your feedback. 
Stay tuned to this space for more news on Dasient WAM and further insights on the development of new web-based threats.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Here is the press release:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;    Dasient Introduces First Web Anti-Malware Service&lt;br /&gt;&lt;br&gt;    Addresses Growing Need for Protection From New Web-Based Attacks&lt;br /&gt;&lt;br /&gt;&lt;p&gt;PALO ALTO, June 16, 2009 – Dasient today introduced the industry's first service to protect companies against a fast-growing class of web-based attacks that compromise legitimate websites and then use them to spread malware to the sites' visitors. Dasient's new Web Anti-Malware (WAM) service continually monitors websites, diagnoses any infections, and helps businesses address the infections, before the sites suffer significant losses in traffic, revenue, and reputation.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;"In the last two years, we've seen a fundamental shift in the way malware is spread," said Dasient co-founder Dr. Neil Daswani. "Hackers are using highly automated and mutable attacks to turn websites into delivery vehicles for malicious software. This is a web problem at its core, and it requires a solution that can function at web speed and web scale. That's exactly what we had in mind when we designed the Dasient WAM service."&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Sharp Increase in Malware-Infected Webpages&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Each day, thousands of legitimate websites are infected with malicious code, often without their knowledge. 
The speed, scale, and complexity of these attacks make it extremely difficult for website owners to identify and fix the resulting infections, and in some cases to even know they've occurred.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The most immediate result of web malware infection is blacklisting by search engines like Google and Yahoo; browsers like Internet Explorer, Firefox, and Chrome; and desktop anti-virus providers like Norton and McAfee. When blacklisted, a website's visitors are redirected to a warning that the site they're about to visit might be dangerous. In many cases, being blacklisted causes a sharp drop in traffic to the site, depriving the site owner of advertising or e-commerce revenue, damaging the site's brand, and spurring additional support costs.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;Dasient Identifies and Contains Malware That Can Infect Site Visitors&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Today Dasient is announcing the following updates to its patent-pending Web Anti-Malware service, which has been in alpha testing with thousands of websites since early this year:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Free Blacklist Monitoring&lt;/b&gt;: Regularly monitors blacklists from search engines, browsers, and desktop anti-virus companies and provides customers with instant alerts if they've been flagged by those providers. The WAM Blacklist Monitoring service is now in public beta, and is available for free to direct customers and web hosting providers. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Premium Monitoring and Diagnosis&lt;/b&gt;: Continuously monitors customer websites for malicious code that can be distributed by web applications, user-generated content, third-party widgets, advertisements, and other vulnerable site elements. When an infection is identified, customers are notified and provided with detailed diagnostic information, including all malicious source code and infected URLs. 
The WAM Premium Monitoring service is now in public beta, and is available on a subscription basis to direct customers and web hosting providers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Quarantining&lt;/b&gt;: Used in conjunction with the Premium Monitoring service, Dasient's quarantining technology automatically contains infections as soon as they're diagnosed, serving the webpages in question but not the malicious code. Quarantining prevents the site from spreading malware broadly to its visitors and keeps it from being flagged by blacklist providers. The WAM Quarantining service is now in private beta, and direct customers and web hosting providers can sign up to join the beta on the Dasient site.&lt;br /&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The Dasient WAM monitoring and diagnostic services are built on a set of behavioral analysis technologies that continually crawl customer sites and the web, identifying new web-based malware infections. The monitoring and diagnostic tools are provided to customers as a web service, and the quarantining technology is made available as a web server module that can be installed by customers or web hosting providers. &lt;br /&gt;&lt;br /&gt;&lt;p&gt;More information about the Dasient WAM service and pricing can be found at &lt;a href="http://www.dasient.com"&gt;www.dasient.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;b&gt;About Dasient&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Dasient is an Internet security company that protects businesses from web-based malware attacks. It is the first to develop a complete Web Anti-Malware service that can monitor, automatically identify, and quarantine malware on websites before it can infect visitors and cause a loss of traffic, reputation, and revenue. Dasient was founded by former Google engineers Neil Daswani and Shariq Rizvi and former McKinsey strategy consultant Ameet Ranadive. 
They are backed by a group of seed investors who also invested in VeriSign, Citrix, Twitter, Digg, Tumbleweed, Finjan, and more. More information about Dasient can be found at &lt;a href="http://www.dasient.com"&gt;www.dasient.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-2925327572619568376?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/2925327572619568376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=2925327572619568376' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2925327572619568376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2925327572619568376'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2009/06/introducing-dasient-web-anti-malware.html' title='Introducing Dasient Web Anti-Malware (WAM)'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-8509530363708710432</id><published>2009-06-02T08:59:00.000-07:00</published><updated>2009-06-02T09:06:42.875-07:00</updated><title type='text'>Obama Gets Serious About Cybersecurity</title><content type='html'>Late last week, President Obama laid out the &lt;a href="http://cspan.org/Watch/Media/2009/05/29/HP/R/19192/Pres+Obama+announces+cyber+security+policy.aspx"&gt;White House cybersecurity 
policy&lt;/a&gt;, after a 60-day &lt;a href="http://www.whitehouse.gov/asset.aspx?AssetId=1732"&gt;"clean slate" review&lt;/a&gt;.  The principles he laid out in his policy (including net neutrality, the necessity to collaborate with the private sector, the importance of protecting privacy, and the need to invest in R &amp; D) have a lot of merit, and I am hopeful that the details that will be fleshed out in the coming months will support them. I have also been glad to see that the President has committed billions of taxpayer dollars behind his principles. My only remaining hope is that these dollars find their way to people and places that can actually help.&lt;br /&gt;&lt;br /&gt;Traditional defense contractors have done an amazing job of building systems that have helped us defend in the physical world. That said, &lt;a href="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=Contractors+Vie+for+Plum+Work%2C+Hacking+for+U.S."&gt;the New York Times has reported that cybersecurity is a fairly new area to such contractors&lt;/a&gt;. Universities, along with many smaller private sector companies, are where much of the technical expertise lies.  In addition, in my past experience at Google, I learned that there is a big difference between simply having security expertise and incorporating that security expertise into large-scale, automated systems that can defend large parts of the Internet at a time.&lt;br /&gt;&lt;br /&gt;My hope indeed is that taxpayer cybersecurity dollars go toward building large-scale, automated defense systems that can defend large parts of the Internet at a time.  
Employing large numbers of human "hacker soldiers" is not an approach that can work and scale up against automated attack systems that include million-machine botnets and &lt;a href="http://www.f-secure.com/en_US/about-us/pressroom/news/2007/fs_news_20071204_1_eng.html"&gt;malware variant generators that produced more malware in 2007 than the world saw in the twenty years prior to that&lt;/a&gt;.  The nature of web security has changed, and our defense strategies need to change with it -- at the very least, our defenses need to work at web speed and web scale.&lt;br /&gt;&lt;br /&gt;I am thrilled that the Obama administration seems to be taking a more aggressive approach to cybersecurity than any previous administration, and over the next few years I look forward to working together with businesses, universities, and (now more than ever) the government to help the Internet continue to grow as a platform that enables us to safely communicate, collaborate, and conduct commerce.&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;Neil Daswani, PhD&lt;br /&gt;&lt;a href="http://www.dasient.com"&gt;http://www.dasient.com&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.neildaswani.com"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-8509530363708710432?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/8509530363708710432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=8509530363708710432' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/8509530363708710432'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5590031290661119323/posts/default/8509530363708710432'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2009/06/obama-gets-serious-about-cybersecurity.html' title='Obama Gets Serious About Cybersecurity'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-4536578594594824251</id><published>2009-05-27T12:01:00.000-07:00</published><updated>2009-05-31T11:32:08.932-07:00</updated><title type='text'>Web-Based Malware Attacks at an All-Time High</title><content type='html'>Over the past couple of weeks, there has been more web-based malware activity than in any previous similar period this year. The size of Google's malware blacklist, which is used to mark sites with a "This site may harm your computer" annotation in their search results, exceeded 200,000 sites for the first time last week, reaching an all-time high of 229,980 today. This increase was due in part to the rapid propagation of a drive-by-download virus named &lt;a href="http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating"&gt;Gumblar&lt;/a&gt;. Compromising legitimate sites to serve malware to unsuspecting users has long been regarded as an emerging trend, but numbers like these make it clear that this attack vector is already a significant threat -- and as web applications become more and more sophisticated, the attack surface for this vector will only increase in size. 
Existing solutions have so far not been able to keep pace with this fast-moving threat, and new solutions may be required.&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;&lt;a href="http://www.neildaswani.com"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-4536578594594824251?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/4536578594594824251/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=4536578594594824251' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/4536578594594824251'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/4536578594594824251'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2009/05/web-based-malware-attacks-at-all-time.html' title='Web-Based Malware Attacks at an All-Time High'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-10535381431067138</id><published>2008-12-17T19:56:00.000-08:00</published><updated>2008-12-22T12:38:20.792-08:00</updated><title type='text'>Time To Mobilize!</title><content type='html'>It is interesting to note that in the current down economy, &lt;a href="http://article.wn.com/view/2008/11/16/Crime_up_because_of_economy_police_say/?template=cheetah-worldphotos%2Findex.txt"&gt;physical 
crime rates&lt;/a&gt; are going up (as one might expect).&lt;br /&gt;&lt;br /&gt;There are also indications that *cyber*-crime rates are following the same trend, and have also been going up as per &lt;a href="http://resources.mcafee.com/content/NAMcAfeeCriminologyReport"&gt;McAfee's 2008 Virtual Criminology Report&lt;/a&gt;, and &lt;a href="http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9405"&gt;a Panda Labs study that found a correlation between stock market drops and the continued rise of malware&lt;/a&gt;.  In addition, the &lt;a href="http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1&amp;amp;partner=rss&amp;amp;emc=rss"&gt;New York Times reports that the bad guys are winning&lt;/a&gt;, in large part due to the spread of malware.&lt;br /&gt;&lt;br /&gt;While the global markets have been contracting, &lt;a href="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml;jsessionid=Y132JJQO0YUMIQSNDLRSKH0CJUNN2JVN?articleID=212101494&amp;amp;cid=tab_art_int"&gt;Symantec estimates that cyber-criminal economies are booming&lt;/a&gt;, and the Germans believe that &lt;a href="http://vertsol.site40.net/?p=1936"&gt;cybercrime is likely to wreak as much havoc as the credit crisis&lt;/a&gt; in the coming years if international regulation is not improved.&lt;br /&gt;&lt;br /&gt;So that's the bad news. &lt;br /&gt;&lt;br /&gt;The good news is that the good guys are starting to mobilize!  For instance, the FBI is reaching out beyond U.S. borders (as the Internet has no borders), and is helping to organize law enforcement, academia and industry to develop international solutions to the problem.  This coming January 6 - 9, the FBI, together with Fordham University, has organized the first &lt;a href="http://www.iccs.fordham.edu/index.htm"&gt;International Conference on Cyber Security (ICCS 2009)&lt;/a&gt; in New York City.  
In some of the conference sessions, Sandra Stanar-Johnson, a senior executive at the NSA, will be talking about the US Comprehensive National Cyber Security Initiative, and Darren Mott, special agent with the FBI Cyber-Division, will be talking about The Rise of Eastern European Organized Cyber Crime.  I will also be giving a talk on &lt;a href="http://www.iccs.fordham.edu/speakers/ND.htm"&gt;Protecting Your Organization From Cybercrime&lt;/a&gt; to tie up the conference, so please feel free to &lt;a href="http://www.iccs.fordham.edu/registration.htm"&gt;register for the conference&lt;/a&gt; if it is something you might be interested in.&lt;br /&gt;&lt;br /&gt;Also, &lt;a href="http://www.stopbadware.org/"&gt;StopBadware.Org&lt;/a&gt;, a joint partnership between the &lt;a href="http://www.cyber.law.harvard.edu/"&gt;Berkman Center for Internet &amp;amp; Society&lt;/a&gt; and the &lt;a href="http://www.oii.ox.ac.uk/"&gt;Oxford Internet Institute&lt;/a&gt;, along with its industry partners (Google included), has been doing a great job of working to &lt;a href="http://blog.stopbadware.org/2008/12/09/its-official-badware-is-a-problem"&gt;raise awareness of the problem&lt;/a&gt; and &lt;a href="http://badwarebusters.org/"&gt;build community&lt;/a&gt; to address the problem.&lt;br /&gt;&lt;br /&gt;Last but not least (for those of you that were not already aware), I have left my lofty post at Google to help.  Together with two stellar co-founders, I have started &lt;a href="http://www.dasient.com"&gt;Dasient&lt;/a&gt;, a company that is helping businesses with revenue loss problems that can arise as a result of cyber-criminal activity.  
I can't say too much more than that right now as we are in stealth-mode, but you can undoubtedly expect that there will be more news to come!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;Neil Daswani, PhD&lt;br /&gt;&lt;a href="http://www.dasient.com/"&gt;http://www.dasient.com&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.neildaswani.com/"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-10535381431067138?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/10535381431067138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=10535381431067138' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/10535381431067138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/10535381431067138'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2008/12/time-to-mobilize.html' title='Time To Mobilize!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-5335734009932119267</id><published>2008-11-11T07:03:00.000-08:00</published><updated>2008-12-11T16:34:08.745-08:00</updated><title type='text'>Rampant Malware Drive-by-downloads</title><content type='html'>Hi Folks,&lt;br /&gt;&lt;br /&gt;Drive-by-downloads are rampant.  
They infect your machine with malware when you simply visit a website.  No clicking on links or user interaction is required; you simply get infected when your browser loads the page.  Following is a link to an article about such a sample attack from last month:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.theregister.co.uk/2008/11/10/drive_by_download_mass_attack/"&gt;http://www.theregister.co.uk/2008/11/10/drive_by_download_mass_attack/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And, the cybercrime economy is growing due to the economic downturn:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://arstechnica.com/news.ars/post/20081023-malware-writers-ratchet-up-attacks-as-stock-market-tanks.html"&gt;http://arstechnica.com/news.ars/post/20081023-malware-writers-ratchet-up-attacks-as-stock-market-tanks.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml;jsessionid=Y132JJQO0YUMIQSNDLRSKH0CJUNN2JVN?articleID=212101494&amp;amp;cid=tab_art_int"&gt;http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml;jsessionid=Y132JJQO0YUMIQSNDLRSKH0CJUNN2JVN?articleID=212101494&amp;amp;cid=tab_art_int&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Google is doing some great work in this area by flagging web sites that get infected so that you are protected while you are searching by displaying a message saying "This site may harm your computer" below infected links in their search results:&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_LMSk7hTEaIE/SQI_1LfaQYI/AAAAAAAAtcc/zI4emYNyj4g/s320/example.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 125px;" src="http://3.bp.blogspot.com/_LMSk7hTEaIE/SQI_1LfaQYI/AAAAAAAAtcc/zI4emYNyj4g/s320/example.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Google also provides the list of infected sites to Firefox and Chrome browsers, so that users can be protected not only while they are searching but can be protected wherever they happen to be browsing on the Internet.&lt;br /&gt;&lt;br /&gt;Yahoo provides similar protections through a feature called SafeSearch that they have deployed in partnership with McAfee.  Finally, Microsoft is also slated to provide anti-malware protection as part of the &lt;a href="http://www.zdnetasia.com/news/software/0,39044164,62048465,00.htm"&gt;next version of Internet Explorer&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;There is much good work that search engines and browsers are doing to help protect users!  Detection systems are working to avoid false positives (when a web site gets blacklisted even though they are not really infected), potentially at the expense of false negatives (in which a web site does not get blacklisted even though it is infected).    I hope that over time Google, Yahoo, and Microsoft crack down even more aggressively on this problem so that unsuspecting users don't get infected, and the growth of botnets resulting from such malware infections can be curtailed.&lt;br /&gt;&lt;br /&gt;Thoughts? Comments? 
Questions?&lt;br /&gt;&lt;br /&gt;Let's keep fighting the fight!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;&lt;a href="http://www.neildaswani.com/"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on &lt;a href="http://tinyurl.com/2286xw"&gt;http://tinyurl.com/2286xw&lt;/a&gt; for more information.&lt;br /&gt;&lt;br /&gt;My book, "Foundations of Security: What Every Programmer Needs To Know" is available at &lt;a href="http://tinyurl.com/33xs6g"&gt;http://tinyurl.com/33xs6g&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-5335734009932119267?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/5335734009932119267/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=5335734009932119267' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/5335734009932119267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/5335734009932119267'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2008/11/rampant-malware-drive-by-downloads.html' title='Rampant Malware Drive-by-downloads'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/_LMSk7hTEaIE/SQI_1LfaQYI/AAAAAAAAtcc/zI4emYNyj4g/s72-c/example.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-4959427684622145241</id><published>2008-04-13T21:07:00.000-07:00</published><updated>2008-04-14T02:07:38.186-07:00</updated><title type='text'>Crimeware: It's out!</title><content type='html'>Over the past few years, one of the biggest shifts impacting security online has been that the attacks are no longer primarily conducted by teenagers writing viruses and worms to make a name for themselves, but instead are executed by financially motivated cybercriminals.&lt;br /&gt;&lt;br /&gt;A book entitled  &lt;a href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;amp;location=http%3A%2F%2Fwww.amazon.com%2FCrimeware-Understanding-Attacks-Defenses-Symantec%2Fdp%2F0321501950%2F&amp;amp;tag=learnsecurity-20&amp;amp;linkCode=ur2&amp;amp;camp=1789&amp;amp;creative=9325"&gt;Crimeware: Understanding New Attacks and Defenses &lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=learnsecurity-20&amp;amp;l=ur2&amp;amp;o=1" alt="" style="border: medium none  ! important; margin: 0px ! important;" border="0" height="1" width="1" /&gt; by Markus Jakobsson and Zulfikar Ramzan (to be officially released this week) is the most comprehensive compilation to-date that I am aware of cataloguing the many different ways that cybercriminals manipulate web sites, software, and people to make money online.  
While the book is to be officially released on April 19, I was able to pick up a copy at the on-site bookstore at the RSA conference last week!&lt;br /&gt;&lt;br /&gt;A chapter co-authored by yours truly and a distinguished team of Googlers on &lt;a href="http://www.google.com/adwords/adtrafficquality/files/crimeware.pdf"&gt;"Online Advertising Fraud"&lt;/a&gt; appears in the book, along with chapters on topics such as "Crimeware in the Browser" (Dan Boneh, et al.), "A Taxonomy of Coding Errors" (Gary McGraw), and "Technical Defense Techniques" (Peter Ferrie, et al.).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href="http://www.amazon.com/gp/product/0321501950?ie=UTF8&amp;amp;tag=learnsecurity-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0321501950" id="static_preview"&gt;&lt;img src="http://ecx.images-amazon.com/images/I/51mlMHR3YHL._SL160_.jpg" id="static_preview_img" border="0" /&gt;&lt;/a&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;The chapters in the book provide deep dives into topics that not only describe the vulnerabilities that cyberattacks prey on, but also provide a guide to high-level defenses.  
As such, the book is a great read for CIOs and CSOs in addition to security researchers-- I highly encourage checking it out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-4959427684622145241?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/4959427684622145241/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=4959427684622145241' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/4959427684622145241'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/4959427684622145241'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2008/04/crimeware-its-out.html' title='Crimeware: It&apos;s out!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-1651940104505806372</id><published>2008-01-20T10:49:00.000-08:00</published><updated>2008-01-20T11:17:20.183-08:00</updated><title type='text'>CIA: Hackers Shook Up Power Grids</title><content type='html'>&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;For those of you that saw the movie "Matrix Reloaded," you may (or may not) remember a 3-second scene in which Trinity, played by &lt;a href="http://en.wikipedia.org/wiki/Carrie-Anne_Moss" title="Carrie-Anne Moss"&gt;Carrie-Anne Moss&lt;/a&gt;, takes advantage of a buffer overflow 
exploit as part of an attack to shut down a power grid.  (Matrix Reloaded was one of the first movies, I believe, to get some of the technical details right on the big screen-- see "&lt;a href="http://www.theregister.co.uk/2003/05/16/matrix_sequel_has_hacker_cred/"&gt;Matrix Sequel Has Hacker Cred&lt;/a&gt;" at the Register for more details-- whereas  most other movies show silly animations  for cyberattacks.)&lt;br /&gt;&lt;br /&gt;Well, it seems that the CIA tells us that attacking power grids via the Internet is possible, and has been attempted (albeit outside the U.S.).  I'm not sure if the technical details have been disclosed (yet?), but there's some rumblings that the attacks required some insider information, which is not surprising but no less comforting, and that extortion has been the attackers' goal to date.  Here's an article:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CIA: Hackers Shook Up Power Grids&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;a href="http://blog.wired.com/defense/2008/01/hackers-take-do.html"&gt;http://blog.wired.com/defense/2008/01/hackers-take-do.html&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;(Similar articles are available at &lt;a href="http://news.google.com/news?hl=en&amp;amp;ned=us&amp;amp;ie=UTF-8&amp;amp;ncl=1126553310"&gt;http://news.google.com/news?hl=en&amp;amp;ned=us&amp;amp;ie=UTF-8&amp;amp;ncl=1126553310&lt;/a&gt; )&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-1651940104505806372?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/1651940104505806372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=1651940104505806372' 
title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1651940104505806372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1651940104505806372'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2008/01/cia-hackers-shook-up-power-grids.html' title='CIA: Hackers Shook Up Power Grids'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-6097541874775177893</id><published>2008-01-12T11:04:00.000-08:00</published><updated>2008-01-13T15:00:39.513-08:00</updated><title type='text'>Report: TSA Site Exposed Travelers To ID Theft</title><content type='html'>&lt;h3&gt;Report: TSA Site Exposed Travelers To ID Theft&lt;/h3&gt;Check out the following report on a TSA-sponsored web site that exposed citizens' PII (personally identifiable information), including social security numbers, to identity theft:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://tinyurl.com/yp5j3e"&gt;&lt;b&gt;http://tinyurl.com/yp5j3e&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;-- Neil&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-6097541874775177893?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/6097541874775177893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=6097541874775177893' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/6097541874775177893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/6097541874775177893'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2008/01/report-tsa-site-exposed-travelers-to-id.html' title='Report: TSA Site Exposed Travelers To ID Theft'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-8265109542859261975</id><published>2007-12-03T09:18:00.000-08:00</published><updated>2007-12-03T09:26:57.193-08:00</updated><title type='text'>Security tidbits from the past month...</title><content type='html'>Web applications and Microsoft Office are the current major pain-points:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112900062.html?wpisrc=newsletter"&gt;http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112900062.html?wpisrc=newsletter&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Developers aren't using secure coding techniques to create Web applications, giving hackers an opportunity to tap the rich databases of information connected to them, according to SANS, a computer training and security organization."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The TJX hack just keeps getting worse:&lt;br /&gt;&lt;br /&gt;Update: TJX Victim Tally Rises to 94M&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=306333&amp;amp;intsrc=news_ts_head" 
target="_blank"&gt;http://www.computerworld.com&lt;wbr&gt;/action/article.do?command&lt;wbr&gt;=viewArticleBasic&amp;amp;articleId&lt;wbr&gt;=306333&amp;amp;intsrc=news_ts_head&lt;/a&gt;&lt;br /&gt;"In an affidavit, the bankers said that "TJX continues to downplay the seriousness of the situation."&lt;br /&gt;&lt;br /&gt;Details emerge on TJX breach&lt;br /&gt;&lt;a href="http://www.boston.com/business/globe/articles/2007/10/25/details_emerge_on_tjx_breach/" target="_blank"&gt;http://www.boston.com/business&lt;wbr&gt;/globe/articles/2007/10/25&lt;wbr&gt;/details_emerge_on_tjx_breach/&lt;/a&gt;&lt;br /&gt;"Spokespeople for Visa and MasterCard said they wouldn't comment on the matter, or on a Visa official's estimate of losses to banks that issued cards to be between $68 million to $83 million."&lt;br /&gt;&lt;br /&gt;"Visa fined TJX's card processor $880,000 last summer, and said it would continue to fine the retailer's card processor $100,000/month, for TJX's role in the worst data breach in the payment industry's history, according to documents filed in federal court Oct. 
26."&lt;br /&gt;&lt;br /&gt;VISA Fined TJX Processor for Security Breach&lt;br /&gt;&lt;a href="http://www.eweek.com/article2/0,1895,2208927,00.asp" target="_blank"&gt;http://www.eweek.com/article2&lt;wbr&gt;/0,1895,2208927,00.asp&lt;/a&gt;&lt;br /&gt;TJX IT staff knew about the vulnerabilities, but continued to ignore them because they wanted to save money...&lt;br /&gt;&lt;br /&gt;TJX violated nine of 12 PCI controls at time of breach, court filings say&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9044321&amp;amp;intsrc=hm_list" target="_blank"&gt;http://www.computerworld.com&lt;wbr&gt;/action/article.do?command&lt;wbr&gt;=viewArticleBasic&amp;amp;articleId&lt;wbr&gt;=9044321&amp;amp;intsrc=hm_list&lt;/a&gt;&lt;br /&gt;"these additional facts materially support the claim that TJX's&lt;br /&gt;conduct generally" violated laws governing unfair trade practices,&lt;br /&gt;they said.&lt;br /&gt;&lt;br /&gt;Court filing: TJX was warned about lax security before massive breach&lt;br /&gt;&lt;a href="http://www.mercurynews.com/business/ci_7290184" target="_blank"&gt;http://www.mercurynews.com&lt;wbr&gt;/business/ci_7290184&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-8265109542859261975?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/8265109542859261975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=8265109542859261975' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/8265109542859261975'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5590031290661119323/posts/default/8265109542859261975'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/12/security-tidbits-from-past-month.html' title='Security tidbits from the past month...'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-2811499939141103562</id><published>2007-10-18T15:03:00.000-07:00</published><updated>2007-10-18T18:23:27.392-07:00</updated><title type='text'>It's completely online!</title><content type='html'>Dear Readers in the Blog-o-sphere,&lt;br /&gt;&lt;br /&gt;Over the past few years, I have been helping Stanford build a hands-on advanced security certification program to arm new and existing software engineers with what they need to know to mitigate cyberattacks.  Today, Stanford announced that they have made the&lt;span style="font-weight: bold;"&gt; &lt;span style="font-style: italic;"&gt;entire&lt;/span&gt;&lt;/span&gt; program available online, whereas students typically had to come to campus to complete the program.&lt;br /&gt;&lt;br /&gt;The certification program provides hands-on training to geographically distributed engineering and IT staff to help them defend their companies against the changing landscape of Internet threats.  
More information and the press release are available at:&lt;br /&gt;&lt;br /&gt;http://tinyurl.com/25eujb&lt;br /&gt;&lt;br /&gt;Specific topics covered in the certification program include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;emerging threats such as botnets and phishing and defenses against them,&lt;/li&gt;&lt;li&gt;the most recent growing web vulnerabilities, such as cross-site&lt;br /&gt;scripting, SQL injection attacks, and distributed denial-of-service&lt;br /&gt;(DDoS), and&lt;/li&gt;&lt;li&gt;traditional topics such as buffer overflows, dictionary attacks,&lt;br /&gt;authentication, access control, data integrity, symmetric encryption,&lt;br /&gt;public-key cryptography, and much, much more.&lt;/li&gt;&lt;/ul&gt;Please feel free to contact Eve Byer (ebyer@stanford.edu) for more information about the program!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;http://www.neildaswani.com&lt;br /&gt;&lt;br /&gt;My new book, "Foundations of Security: What Every Programmer Needs To Know" is available at http://tinyurl.com/33xs6g&lt;br /&gt;&lt;br /&gt;Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on http://tinyurl.com/2286xw for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-2811499939141103562?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/2811499939141103562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=2811499939141103562' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2811499939141103562'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2811499939141103562'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/10/its-completely-online.html' title='It&apos;s completely online!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-3762981443915507020</id><published>2007-08-19T14:32:00.001-07:00</published><updated>2007-08-19T14:40:28.255-07:00</updated><title type='text'>What does Neil work on at Google?</title><content type='html'>Hi Folks,&lt;br /&gt;&lt;br /&gt;Some of you have complained that I don't tell you about what I work on at Google... well, I certainly can't tell you about everything that I work on, but here is some info about a "launch" that I contributed to...&lt;br /&gt;&lt;br /&gt;Google launched the "ad traffic quality" center late last week featuring articles by yours truly:&lt;br /&gt;&lt;br /&gt;&lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.google.com/adwords/adtrafficquality/tech.html" target="_blank"&gt;http://www.google.com/adwords&lt;wbr&gt;/adtrafficquality/tech.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More articles about the launch are at:&lt;br /&gt;&lt;br /&gt;&lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://news.google.com/news?hl=en&amp;ned=us&amp;amp;q=%22ad+traffic+quality%22&amp;btnG=Search+News" target="_blank"&gt;http://news.google.com/news?hl&lt;wbr&gt;=en&amp;amp;ned=us&amp;q=%22ad+traffic&lt;wbr&gt;+quality%22&amp;amp;btnG=Search+News&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So, please... no more complaints!  
You now know something about what I work on!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;br /&gt;-- Neil&lt;br /&gt;&lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.neildaswani.com/" target="_blank"&gt;http://www.neildaswani.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My new book, "Foundations of Security: What Every Programmer Needs To Know" is available at &lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://tinyurl.com/33xs6g" target="_blank"&gt;http://tinyurl.com/33xs6g&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Learn more about security from Stanford's Advanced Computer Security Certificate Program-- click on &lt;a onclick="return top.js.OpenExtLink(window,event,this)" href="http://tinyurl.com/2286xw" target="_blank"&gt;http://tinyurl.com/2286xw&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-3762981443915507020?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/3762981443915507020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=3762981443915507020' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/3762981443915507020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/3762981443915507020'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/08/what-does-neil-work-on-at-google.html' title='What does Neil work on at Google?'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' 
height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-2770919681099074964</id><published>2007-07-23T08:04:00.000-07:00</published><updated>2007-07-23T08:10:45.158-07:00</updated><title type='text'>The iPhone has been hacked!</title><content type='html'>It was only a matter of time, I guess-- a buffer overflow vulnerability has been found against the iPhone:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.securityevaluators.com/iphone/"&gt;http://www.securityevaluators.com/iphone/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the article, the researchers were able to "get access to the log of SMS messages, the address book, the call history, and the voicemail data" by sending an attack string to the iPhone via a wireless access point, a web site, or an SMS message.  If you have an iPhone:&lt;br /&gt;&lt;br /&gt;"&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Only visit sites you trust.&lt;/strong&gt; If you don't visit attackers' sites, you give them one less attack vector.    &lt;/li&gt;&lt;li&gt;&lt;strong&gt;Only use WiFi networks you trust.&lt;/strong&gt; If attackers have control of your Internet connection, they have the ability to insert exploits into any website you visit.    
&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Don't open web links from emails.&lt;/strong&gt; Many current viruses send links to malicious sites in emails that look like they are from trusted contacts."&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-2770919681099074964?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/2770919681099074964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=2770919681099074964' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2770919681099074964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2770919681099074964'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/07/iphone-has-been-hacked.html' title='The iPhone has been hacked!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-1273547118647656023</id><published>2007-06-18T21:15:00.000-07:00</published><updated>2007-06-18T21:41:44.608-07:00</updated><title type='text'>Recent Security Events</title><content type='html'>It has been a while since I last wrote a blog entry, so I'll summarize some recent events:&lt;br /&gt;&lt;br /&gt;* It was revealed that the TJX / Marshalls hack involving over 45 million credit card numbers occurred due to the fact that they were using WEP, a 
protocol that the security community has known to be broken since 2001 (see page 219 of &lt;a href="http://tinyurl.com/33xs6g"&gt;my book&lt;/a&gt;, and &lt;a href="http://hardware.slashdot.org/article.pl?sid=07/05/05/1812254&amp;from=rss"&gt;Slashdot&lt;/a&gt; for more info).  Don't forget to get credit monitoring if you have ever shopped at a TJ Maxx or Marshalls department store!  A group of banks has organized a class-action lawsuit against TJX, the criminals have gone on &lt;a href="http://www.networkworld.com/community/?q=node/16134"&gt;million-dollar shopping sprees&lt;/a&gt;, and the FTC investigation is in progress.&lt;br /&gt;&lt;br /&gt;* In &lt;a href="http://www.schneier.com/crypto-gram-0705.html#13"&gt;Bruce Schneier's May CRYPTO-GRAM&lt;/a&gt;, he asked the question of whether or not we should have a security industry.  While this might sound odd at first, if hardware and software products were designed correctly (securely), we perhaps wouldn't need additional hardware and software to secure our systems, nor an industry that produces such additional hardware and software.  Applying his argument to programmers, writing secure code could be part of every programmer's job, and in some not-too-far future we hopefully shouldn't need so many "software security" experts.  The goal would be to, as per Bruce's suggestion, "make IT products and services naturally secure out of the box."  Of course, we may potentially need a few specialists to advance the "state-of-the-art," but largely I'd love to see safety and security be a regular part of every software engineer's job.  
&lt;a href="http://www.amazon.com/Foundations-Security-Every-Programmer-Experts/dp/1590597842"&gt;"Foundations of Security: What Every Programmer Needs To Know"&lt;/a&gt; makes a contribution to move the world in that direction by making security part of every programmer's job.&lt;br /&gt;&lt;br /&gt;* I helped co-author and publish a paper entitled &lt;a href="http://www.usenix.org/events/hotbots07/tech/full_papers/daswani/daswani.pdf"&gt;"The Anatomy of Clickbot.A."&lt;/a&gt;  (The paper is mentioned on &lt;a href="http://adwords.blogspot.com/2007/04/new-case-study-on-botnet-based-click.html"&gt;Google's Blog&lt;/a&gt; and also got some &lt;a href="http://www.informationweek.com/showArticle.jhtml?articleID=199000377"&gt;press coverage&lt;/a&gt;.)  It is a good read if you want to learn more about botnets.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-1273547118647656023?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/1273547118647656023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=1273547118647656023' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1273547118647656023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1273547118647656023'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/06/recent-security-events.html' title='Recent Security Events'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' 
src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-1701890239135392937</id><published>2007-04-08T12:38:00.001-07:00</published><updated>2007-04-08T19:31:33.276-07:00</updated><title type='text'>TJ Maxx, Marshalls, and other dept. stores hacked!</title><content type='html'>In Chapter 8 of my book, I discussed what was the largest cyberattack at the time of its writing. That attack was against CardSystems, a credit card payment processor, in 2005 in which 43 million credit card numbers were &lt;span style="font-weight: bold;"&gt;exposed &lt;/span&gt;&lt;span&gt;to attackers &lt;/span&gt;(but only about 263,000 were &lt;span style="font-weight: bold;"&gt;stolen&lt;/span&gt;).    In late March of this year, the TJX group of retail department store companies (which includes TJ Maxx, Marshalls, HomeGoods, A.J. Wright, and Bob's Stores, etc.) announced they were the victim of what some are calling the largest cyberattack of all time, in which over 45.7 million credit and debit card numbers were actually &lt;span style="font-weight: bold;"&gt;stolen&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;The attack against the TJX group of companies reminds us that security vulnerabilities are still very prevalent, and the attacks due to them are getting worse because of systems with security design and implementation flaws.   From my reading of various articles and TJX's SEC filing on the issue, it seems that there wasn't just a single flaw that resulted in the security breach, but that there were many flaws in TJX's security practices, which together resulted in such a spectacular attack.  The data stolen even dates back to transactions from 2002.   In the coming months, a Federal Trade Commission investigation will take place.  
If you ever shopped at any of these retail chains, you may want to consider keeping an eye on your credit report and credit/debit card statements to watch out for fraud and identity theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-1701890239135392937?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/1701890239135392937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=1701890239135392937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1701890239135392937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/1701890239135392937'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/04/tj-maxx-marshalls-and-other-dept-stores.html' title='TJ Maxx, Marshalls, and other dept. stores hacked!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-2629007297401670629</id><published>2007-03-25T16:44:00.000-07:00</published><updated>2007-04-08T16:27:52.152-07:00</updated><title type='text'>How much security is enough security?</title><content type='html'>For most businesses, it is important for security to be "good enough" and to make sure that you are investing enough to mitigate risk.&lt;br /&gt;&lt;br /&gt;Of course, for some companies, such as those in the payment and financial spaces, just one exploited security vulnerability could severely impact customer confidence and result in loss of business. In 2005, for instance, CardSystems, a credit card payment processor, got hit with a SQL injection attack that allowed the bad guys to steal 263,000 credit card numbers over a period of six months, and a total of 43 million unencrypted credit card numbers were exposed to the attack. Visa and Mastercard canceled their contracts with the company, the incident was investigated by the FTC and Congress, and CardSystems' assets were sold off.&lt;br /&gt;&lt;br /&gt;There is debate as to whether or not CardSystems was compliant with all of the existing VISA and Mastercard data security requirements prior to the attack. After the attack, the requirements for such compliance were beefed up, but the incident also demonstrates that compliance, certifications, and audits may have limited value. There is a significant difference between being able to pass an audit and having "real" security. In layman's terms, it is sometimes easier to "talk the talk" than it is to "walk the walk." 
;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-2629007297401670629?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/2629007297401670629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=2629007297401670629' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2629007297401670629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/2629007297401670629'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/03/how-much-security-is-enough-security.html' title='How much security is enough security?'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5590031290661119323.post-6438306729644105091</id><published>2007-03-25T14:10:00.000-07:00</published><updated>2007-03-25T14:14:30.315-07:00</updated><title type='text'>Help Secure The Internet!</title><content type='html'>Hi Everyone,&lt;br /&gt;&lt;br /&gt;Welcome to my blog!  From time to time, I'll post interesting tidbits of info and/or opinions.  
For now, check out the new book that I have co-authored with Christoph Kern and Anita Kesavan, entitled "Foundations of Security: What Every Programmer Needs To Know" (now available at Amazon at:&lt;br /&gt;&lt;a href="http://www.amazon.com/gp/product/1590597842?ie=UTF8&amp;amp;tag=learnsecurity-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=1590597842" target="_blank"&gt;http://www.amazon.com/gp/product/1590597842?ie=UTF8&amp;amp;tag=learnsecurity-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=1590597842&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;or at your local bookstore).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;*** If you know or work with programmers, please let them know about it. 
***&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Summary of the Book&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The book teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems – making them highly marketable to companies and employers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Why Security Is So Critical&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Chances are that unless we all learn something about security, the Internet will continue to be a very vulnerable place in which cybercriminals thrive.&lt;br /&gt;&lt;br /&gt;* The number of security vulnerabilities reported to the federally-funded Computer Emergency Response Team (CERT) at Carnegie-Mellon University climbed from 5,990 in 2005 to 8,064 in 2006.&lt;br /&gt;&lt;br /&gt;* According to IBM's Internet Security Systems division, 88.4 percent of all 2006 vulnerabilities could be exploited remotely, and over half the vulnerabilities would allow an attacker to gain access to the host (e.g., your computer) after successful exploitation.&lt;br /&gt;&lt;br /&gt;Many of these vulnerabilities are used by cyberthieves to commit identity theft, steal credit card numbers, and launch online attacks using malware and botnets. That's really bad. 
So bad that popular technology websites like C|net dedicate an entire section of their sites to high-profile threat announcements, and they are filled with new articles every single day.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What's the Root Cause of Security Failures? &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Software. Software with security design flaws and software with implementation bugs. 
As a technologist, given my love for software and my embarrassment at the current state of the world, I worked with the Stanford Center for Professional Development (SCPD) near the tail end of my PhD to help create a Computer Security Certification program (&lt;a href="http://proed.stanford.edu/?security" target="_blank"&gt;http://proed.stanford.edu/?security&lt;/a&gt;) that has to date helped many companies and software professionals mitigate security flaws in software.&lt;br /&gt;&lt;br /&gt;The courses that make up the certification program became the basis for the material in this book. Given the importance of the material in this book to the security of the future of the Internet, I was extremely honored to have Dr. Vint Cerf, often called one of the "Fathers of the Internet" (due to his work on the original design of the TCP/IP protocols) and a recipient of the Presidential Medal of Freedom, write the foreword to this book.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Detailed Information About the Book&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This book takes a principled approach to helping you design and implement your applications to be secure from the ground up, and illustrates these principles using running examples of web applications throughout the book. Just as you might use object-oriented design principles to achieve extensibility and code reuse, you need to learn about security design principles, such as the principle of least privilege, fail-safe stance, and securing the weakest link, to achieve security, all of which is covered in this book. This book does not just focus on merely teaching you "tips" and "tricks" that allow you to "band-aid" the security of your systems. 
Instead, it illustrates how security principles can be employed to prevent some of the most significant current-day attack types, such as SQL injection and cross-site scripting (XSS), as well as more traditional attack types such as buffer overflows. We also cover session and password management, and show you how you can use cryptography to help achieve various security goals.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to Get Your Copy&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;To help aggressively disseminate knowledge about the techniques and practices that programmers need to know to achieve security, I have worked with the publisher to provide this book to the market at a low price of $40 retail, or only $26 on Amazon. If you are a teacher or an IT decision maker potentially interested in buying copies for your students or your organization, respectively, I would be more than happy to have the publisher provide you with a free evaluation copy of the book. The book's web site (&lt;a href="http://www.learnsecurity.com/ntk" target="_blank"&gt;http://www.learnsecurity.com/ntk&lt;/a&gt;) provides slides and source code that you are free to use for your own courses and needs. 
Also, those who enroll in the SCPD Advanced Security Certification (&lt;a href="http://scpd.stanford.edu/scpd/courses/proed/CompSecCampus/" target="_blank"&gt;http://scpd.stanford.edu/scpd/courses/proed/CompSecCampus/&lt;/a&gt;) will receive the book for free.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I look forward to your help in making the Internet more secure such that it can continue to transform global commerce, communication, and entertainment. Please feel free to let me know if you have any questions or feedback by dropping me an email at &lt;a href="mailto:daswani@learnsecurity.com" target="_blank"&gt;daswani@learnsecurity.com&lt;/a&gt;, and I look forward to working together with you to continue to secure the Internet!&lt;br /&gt;&lt;br /&gt;Sincerely,&lt;br /&gt;&lt;span class="sg"&gt;&lt;br /&gt;Neil Daswani, PhD&lt;br /&gt;&lt;a href="http://www.neildaswani.com/" target="_blank"&gt;http://www.neildaswani.com/&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5590031290661119323-6438306729644105091?l=neildaswani.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://neildaswani.blogspot.com/feeds/6438306729644105091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5590031290661119323&amp;postID=6438306729644105091' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/6438306729644105091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5590031290661119323/posts/default/6438306729644105091'/><link rel='alternate' type='text/html' href='http://neildaswani.blogspot.com/2007/03/help-secure-internet.html' title='Help Secure The Internet!'/><author><name>Neil Daswani</name><uri>http://www.blogger.com/profile/02845151886396994390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://www.neildaswani.com/new/2/images/header_03.jpg'/></author><thr:total>0</thr:total></entry></feed>
