Friday, March 21, 2008

A Security Mindset

Bruce Schneier and I do not always agree, but I think in this case he nails it when he discusses what it takes to think like an attacker.

http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320

I offer this not only in defense of how my brain works but also because it may give you some additional insight into how to be proactive about security.

Thursday, March 20, 2008

Single Site Browsers (SSBs) to mitigate CSRF attacks

In Jeremiah Grossman's recent Unsolved Problems blog post:

http://jeremiahgrossman.blogspot.com/2008/03/unsolved-problems.html

Jeremiah lists the following:

- Develop a CSRF defensive measure that’s effective in the presence of an XSS vulnerability on the same target domain
My thought is to use Single Site Browsers (SSBs) to mitigate CSRF attacks. Unfortunately, I don't think I am the first to think of this, since after a quick Google search it looks like others have already begun to consider this as well.

In any event, I have been playing with Fluid for Mac OS X (http://fluidapp.com/), and the idea of offering an SSB for a specific site now makes a lot more sense to me. Although Fluid is simply built on Safari, the thought of offering something similar with a security focus had me pretty intrigued. In theory, if each SSB has its own cookie space, then CSRF-style attacks become more difficult: a malicious page opened in the general-purpose browser cannot ride on a session cookie that only the SSB holds.

It seems to me that forward-thinking companies may at some point begin to offer SSBs to their users (this might be perfect for SaaS), provided the SSB does not sacrifice functionality or user experience. Essentially, what you would need is some type of 'jail' for the SSB's cookie space.
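To make the cookie-space argument concrete, here is an added example that is not part of the original post and not code from Fluid or any SSB product. It is a small Node.js model of a browser profile with its own cookie jar, a target site that authenticates purely by session cookie, and an attacker page that fires a cross-site request. The hosts (bank.example, attacker.example), paths, user names and cookie values are all made up for the illustration. Three scenarios are run: a single shared browser (classic CSRF succeeds), the bank session held inside its own SSB while the attacker page is loaded in the general browser (the forged request arrives without a cookie), and script injected into a bank page inside the SSB (the isolation no longer helps).

```javascript
// Added example (not from the original post): modelling how a Single Site
// Browser's private cookie jar blunts cross-site request forgery.
// All hosts, paths and values below are constructed for the illustration.
// Run with: node ssb_csrf_model.js

// A cookie jar keyed by destination host, as a browser profile stores cookies.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(host, name, value) {
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
  }
  // Which cookies accompany a request depends only on the destination host,
  // never on which page initiated the request. That ambient authority is CSRF.
  cookiesFor(host) {
    return Object.fromEntries(this.store.get(host) || []);
  }
}

// A browsing context: every page opened in this profile shares one jar.
class BrowserProfile {
  constructor(label) { this.label = label; this.jar = new CookieJar(); }
  // A page at `pageOrigin` sends a request to `site`; the profile's jar attaches
  // whatever it holds for site.host, regardless of the page's own origin.
  requestFrom(pageOrigin, site, path, body) {
    const req = { origin: pageOrigin, path, body, cookies: this.jar.cookiesFor(site.host) };
    const res = site.handle(req);
    for (const [name, value] of Object.entries(res.setCookies || {})) {
      this.jar.set(site.host, name, value);
    }
    return res;
  }
}

// The target: a session cookie alone gates a state-changing action. Like many
// sites of the period, it never looks at the requesting page's origin.
class BankSite {
  constructor() { this.host = 'bank.example'; this.sessions = new Map(); this.transfers = []; }
  handle(req) {
    if (req.path === '/login') {
      const sid = 'sess-' + (this.sessions.size + 1);
      this.sessions.set(sid, req.body.user);
      return { status: 200, setCookies: { session: sid } };
    }
    if (req.path === '/transfer') {
      const user = this.sessions.get(req.cookies.session);
      if (!user) return { status: 401 };
      this.transfers.push({ from: user, to: req.body.to, amount: req.body.amount });
      return { status: 200 };
    }
    return { status: 404 };
  }
}

const forgedTransfer = { to: 'mallory', amount: 1000 };

// Scenario 1: one general-purpose browser. The user logs into the bank, then
// visits attacker.example in the same profile. The attacker page issues a
// cross-site POST to the bank and the shared jar attaches the session cookie.
function sharedBrowserScenario() {
  const bank = new BankSite();
  const browser = new BrowserProfile('general browser');
  browser.requestFrom('https://bank.example', bank, '/login', { user: 'alice' });
  const res = browser.requestFrom('https://attacker.example', bank, '/transfer', forgedTransfer);
  return { status: res.status, transfers: bank.transfers.length };
}

// Scenario 2: the bank session lives in an SSB with its own jar. The attacker
// page is rendered in the general browser, whose jar holds no bank cookie, so
// the forged request reaches the bank unauthenticated.
function ssbScenario() {
  const bank = new BankSite();
  const ssb = new BrowserProfile('bank SSB');
  const general = new BrowserProfile('general browser');
  ssb.requestFrom('https://bank.example', bank, '/login', { user: 'alice' });
  const res = general.requestFrom('https://attacker.example', bank, '/transfer', forgedTransfer);
  return { status: res.status, transfers: bank.transfers.length };
}

// Scenario 3: the limit of the approach. Script injected into a bank page via
// XSS runs inside the SSB, on the bank's own origin, so the private jar
// attaches the session cookie and the forged transfer goes through.
function xssInsideSsbScenario() {
  const bank = new BankSite();
  const ssb = new BrowserProfile('bank SSB');
  ssb.requestFrom('https://bank.example', bank, '/login', { user: 'alice' });
  const res = ssb.requestFrom('https://bank.example', bank, '/transfer', forgedTransfer);
  return { status: res.status, transfers: bank.transfers.length };
}

console.log(JSON.stringify({
  sharedBrowser: sharedBrowserScenario(),
  ssb: ssbScenario(),
  xssInsideSsb: xssInsideSsbScenario(),
}, null, 2));
```

The model only captures the one property the post relies on, cookie space per browsing context: the isolation works exactly as long as the attacker's page renders outside the SSB. Scenario 3 is the case in Jeremiah's unsolved problem quoted above, and it shows why a cookie 'jail' does not by itself answer it; once script runs on the target domain, it sits inside the jail with the cookies.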