[ISN] Kaminsky Issues Developer Tool To Kill Injection Bugs

From: InfoSec News <alerts_at_private>
Date: Wed, 16 Jun 2010 00:22:44 -0500 (CDT)
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225700088

By Kelly Jackson Higgins
DarkReading
June 14, 2010 

Renowned security researcher Dan Kaminsky today went public with the 
launch of a new venture as well as its first deliverable -- a tool for 
application developers that helps prevent pervasive string 
injection-type attacks, such as SQL injection and cross-site scripting 
(XSS).

Kaminsky says his New York-based startup, Recursion Ventures, will 
productize research that breaks new ground in both security and 
technology, in general. His first deliverable is Interpolique, a tool 
that offloads much of the security responsibility from the developer, 
which he considers crucial to yielding more secure applications. 
"Security development tends not to care how inconvenient it is for 
developers," Kaminsky says. "[This is] about meeting developers 
halfway."

The trouble with today's model for writing more secure code and 
sidestepping known injection attacks, Kaminsky says, is it makes 
development much more difficult and requires more work for developers. 
The result: Developers often don't bother adopting these practices at 
all, resulting in insecure code, he says. "A lot of advice we give in 
security tells people to write things in a way that makes code hard to 
work with and use ... I think that's unnecessary," he says. "Our hope is 
to make an easier way to write code that's also the most secure."

Interpolique -- which was released for security experts and IT to poke 
around at and analyze, but not to use operationally -- is basically a 
framework that lets developers continue to write code the way they 
always have, but with a tool that helps prevent them from inadvertently 
leaving string injection flaws in their code. It requires developers to 
use different prefixes that describe variables of the strings, without 
requiring any major changes to their coding style, he says. And the 
resulting code is automatically formatted in such a way that can't be 
easily abused by the bad guys.

[...]


_________________________________________________________________
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit http://www.blackhat.com
Received on Tue Jun 15 2010 - 22:22:44 PDT

This archive was generated by hypermail 2.2.0 : Tue Jun 15 2010 - 22:28:35 PDT