This week on Reflection we have Ryan Barnett from Breach Security. Ryan is a well-respected figure in web application security and is well known for his book “Preventing Web Attacks with Apache”. He is a faculty member of the SANS Institute and a WASC officer. He is also the Project Lead for the Center for Internet Security Apache Benchmark Project. Ryan has a passion for web application security and has made several contributions to the community. Today he shares with us how he got into the webappsec field and his journey so far. In his own words:
“I first realized that I had the hacker’s mindset back in 1999. It was at this time that I got my first real IT consulting gig, which was testing a Federal Government client’s software for Y2K compatibility. What I found was that I had a knack for identifying input validation issues beyond just whether or not the application would implode if the date field went to 00. After Y2K came and went, the company that I worked for appreciated my Y2K efforts so much that they offered me another position as a Unix Administrator with the same client. I knew a little bit of Unix but not too much about its security. That is when I went to Borders and stumbled upon the two books that would change my career path: Practical Unix and Internet Security and The Cuckoo’s Egg. After gobbling up those books, I was hooked. I wanted to be in security. My first step on this path was when I joined my client’s Computer Security Incident Response Capability (CSIRC) Team. Around this time is also when the SANS Institute was starting to really take off. I took the Hacker Techniques and Incident Response course and obtained the GCIH certification. After successfully helping the client respond to a number of incidents, we then ran into a misconfigured web server allowing anonymous FTP, and it quickly turned into a Warez depot. This proved to be a pivotal incident, as I was able to work with the client’s Web Server Admins to track down and fix the problems and set up new monitoring systems (Snort) to identify future issues. It was after this incident that I was offered the position of Web Security and IDS Admin. Basically, they wanted me to be in charge of security within the DMZ segments.
My first real taste of web security came as I was monitoring Snort sensors in DMZ segments and constantly weeding out false positives from the web attack signatures. In December of 2001, I was presenting at the SANS Cyber Defense Initiative Conference in Washington D.C. At this conference, they set up a hacker network called ID-Net, and I wanted to test the TCP session-resetting capabilities of Snort vs. web attacks. My goal was to try and create a whitelist of allowed URLs and then have Snort pass on these requests. If a requested URL was not listed in the whitelist, Snort would use its Flexible Response capabilities with Libpcap to craft TCP reset packets and try to kill the connections. So, how did Snort perform while under attack on the ID-Net? It did reasonably well; however, the session sniping was not able to effectively terminate all requests that were not in the whitelist file. This was due to a few variables, such as the low network latency and the placement of Snort. One of the main limitations was the actual flexible response code itself. Snort creator Marty Roesch was actually at the SANS CDI conference/ID-Net and I showed him my idea. He liked the concept, but confessed that the Snort session sniping capabilities were probably not fast enough to terminate a malicious HTTP request before it got to the web server. We ran some tests to prove his theory and he was correct. Snort was not able to stop the inbound requests. It did, however, perform rather well on the outbound data returned after the web server processed the request. This test did get Marty’s wheels turning, as he spent a good deal of time while on the ID-Net re-coding the flexible response portion of Snort.
After my adventures with attempting to use Snort for HTTP protection, I realized that in order to provide the best identification and protection, I needed to either be inline (reverse proxy) or on the web server itself. I then set out to learn all that I could about Apache security. The research led me to create a hardening checklist for Apache that included many tweaks to the configuration and attempted to leverage Mod_Rewrite for URL filtering and CGI scripts for alerting on malicious traffic. These new configurations proved their worth the next time the Government auditors came around and attempted their pen-tests. My client was ecstatic that we were able to quickly identify the auditors’ traffic, implement blocking rules and notify them through the proper incident response channels within 5 minutes. After successfully passing that audit, I was flattered to learn that my client’s CSO had provided my hardening information to the other Department Bureaus. Soon afterwards, I was asked to give a number of presentations on Web Security to the Department and also to participate in other Government Security Technical Conferences. A short time later, I met the fine folks at the Center for Internet Security and accepted their offer to lead the Apache Benchmark Project. Over the next few years, I worked my normal job and also freelanced with the SANS Institute, where I both developed and taught classes on Web Security.
It was around 2003 when I had another career-altering encounter, even if I didn’t know it at the time, when I was doing research for new Apache Intrusion Detection information and found an application called ModSecurity. At this time, it was in its early stages; however, it included many of the advancements and features that I had been left wanting after trying to squeeze every possible ounce of configuration voodoo that I could out of other modules. I immediately started testing it, and a kinship with Ivan Ristic quickly developed. I would test ModSecurity and would find bugs and/or request features, and Ivan would crank it out almost immediately. As ModSecurity progressed, so did our working friendship, as we both wrote separate books on Apache Security and helped each other with reviews and answering questions. We had discussed the possibilities of working together in some capacity, but it never worked out. That is, until Breach Security acquired Ivan’s company Thinking Stone in late 2006. And that is how I came to work for Breach as the Director of Application Security Training and ModSecurity Community Manager.”
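The URL whitelist idea described above, moved from a Snort sensor onto the web server itself as Ryan says he did with Mod_Rewrite, looks roughly like the following Apache configuration. This is an added illustration, not configuration from Ryan Barnett, the CIS benchmark or any project; it assumes mod_rewrite and mod_log_config are loaded, and the allowed paths are constructed for the example.

```apache
# Added example, not the author's or any project's configuration.
# Assumes mod_rewrite and mod_log_config are loaded; paths are constructed.
RewriteEngine On

# Every RewriteCond must hold for the rule below to fire, so listing each
# allowed URL as a negated pattern means "the request matches none of them".
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !^/index\.html$
RewriteCond %{REQUEST_URI} !^/css/[A-Za-z0-9_-]+\.css$
RewriteCond %{REQUEST_URI} !^/images/[A-Za-z0-9_-]+\.(gif|jpg|png)$
RewriteCond %{REQUEST_URI} !^/cgi-bin/search\.cgi$

# Anything not on the allowlist is refused with 403 before a handler runs;
# the environment variable tags the request so the denial can be logged.
RewriteRule .* - [F,E=URL_NOT_ALLOWED:1]

# Denied requests get their own log for incident follow-up and rule tuning.
LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\"" denied
CustomLog logs/url_denied_log denied env=URL_NOT_ALLOWED
```

Because the decision is made inside the request path, there is no race against the server the way there was with Snort's TCP resets. The allowlist must cover every legitimate path the site serves, so it is best built from the access logs and tested with the denied log open before blocking is enforced.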
Based out of Falls Church, Virginia, Ryan is only 34 years old. Below is a list of his contributions to the webappsec community.
Preventing Web Attacks with Apache (Addison-Wesley)
Sample Chapter/Article: Mitigating the WASC Threat Classification with Apache
May 15, 2007 – InfoWorld (ZeroDay) – “WASC Details Honeypot Project”
May 4, 2005 – SANS NewsBytes – “Web Server Attacks and Web Site Defacements Up Thirty-Six Percent”
January 16, 2004 – ComputerWorld – “Opinion: Sticky Security”
ModSecurity Community Manager
WASC Distributed Open Proxy Honeypot - Project Leader
WASC Threat Classification: Contributing Author
WASC Web Application Firewall Evaluation Criteria: Contributor
The Center for Internet Security’s Apache Benchmark Document and Scoring Tool
The SANS Institute’s Top 20 Vulnerabilities Team
Sponsored the Honeynet Project’s Scan of the Month Challenge #31
SecureWorld Conferences - http://www.secureworldexpo.com/
Panel: Facing Off With the Digital Dozen-Technology Challenges Of PCI DSS 1.1
Panel: The Tangled Web: Web Security 2007
(ModSecurity Cool Rules, Web Security Threat Report)
Web Application Security Workshop (Developer/Instructor)
Building a Web Application Firewall Workshop (Developer/Instructor)
Web Intrusion Detection and Prevention with Apache (Developer/Instructor)
Securing and Auditing Apache (Developer/Instructor)
Secure Internet Presence – LAMP (Developer)
Web Server Fingerprinting
Preventing Website Defacements
Catching Intruders with Snare
ModSecurity: Web Intrusion Detection and Prevention
SANS Institute: Courseware Developer, Instructor and Local Mentor
The Center for Internet Security: Apache Benchmark Project Leader
Member of the Counterpane Intelligence Committee
Companies worked for:
Universal Systems and Technology (Unitech), RS Information Systems, EDS, Breach Security
Company working for:
Breach Security: http://www.breach.com/
Position Title: Director of Application Security Training
Personal: RCBarnett__@__gmail_dot_com
Ryan has a vast knowledge of web application defense strategies and is also involved in the ModSecurity Cool Rules project. He has started blogging recently, and I am sure we will start to see a lot of his original thoughts being shared with the community through his blog.
Last Week – Caleb Sima
Next Week – Stefano Di Paola