The OWASP Security Spending Benchmarks Project
This presentation was by Boaz Gelbord, the Executive Director of Information Security for Wireless Generation and the Project Leader for the OWASP Security Spending Benchmarks Project. My notes are below:
It does cost more to produce a secure product than an insecure product.
Most people will still shop at a store, go to a hospital, or enroll in a university after it has suffered a data breach.
Why do we spend on security? How much should we be spending?
- Security imposes extra costs on organizations
- The "security tax" is relatively well known for network and IT security - 5 to 10% (years of Gartner, Forrester, and other studies)
- No comparable data for development or web apps
- Regulations and contracts usually require "reasonable measures". What does that mean?
OWASP Security Spending Benchmarks Project
- 20 partner organizations, many contributors
- Open process and participation
- Raw data available to community
Reasons For Investing in Security
- Contractual and Regulatory Compliance
- Incident Prevention, Risk Mitigation
- Cost of Entry
- Competitive Advantage
Technical and Procedural Principles
- Managed and Documented Systems
- Business-need access
- Minimization of sensitive data use
- Security in Design and Development
- Auditing and Monitoring
- Defense in Depth
Specific Activities and Projects
- Security Policy and Training
- DLP-Type Systems
- Internal Configurations Management
- Credential Management
- Security in Development
- Locking down internal permissions
- Secure Data Exchange
- Network Security
- Application Security Programs
Securing the Core JEE Patterns
This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP, who works at Security Compass, a security analysis and training company. My notes from the session are below:
- Before anyone starts building complex systems, they need to design.
- We create threat models on completed designs.
- What about during design?
- Book: "Core J2EE Patterns: Best Practices and Design Strategies"
- If you use J2EE development, chances are you're using patterns documented here
- Core J2EE patterns are used extensively
- Patterns are used in JSF, Velocity, Struts, Tapestry, Spring, and Proprietary Frameworks
Example: Project: Analyze Patterns
Use to Implement:
- Synchronization Tokens as Anti-CSRF Mechanism
- Page-level authorizations
Avoid:
- XSLT and XPath vulnerabilities
- XML Denial of Service
- Disclosure of information in SOAP faults
- Publishing WSDL files
- Unhandled commands
- Unauthorized commands
Project Goals
- Analyze patterns for security pitfalls to avoid
- Determine how patterns can implement security controls
- Provide advice portable to most frameworks
A security pattern is not the same as a security analysis of a pattern.
Uses
- Designing new web application frameworks (make the next generation of frameworks secure by default)
- Designing new apps that use the patterns
- Source code review of existing apps
- Runtime assessment of existing apps
- Integrate with threat modeling of new or existing apps
You can help:
- Tell developers
- Improve the analysis
Next Steps?
- Add code review and examples to the existing pattern book
- Look at other pattern books to see if there are other patterns that we should analyze
Our Dream
- New web application framework idea + Design-time security analysis = Secure-by-default web application framework
OWASP Google Hacking Project – OWASP AppSec NYC 2008
This presentation was by Christian Heinrich, the project leader for the OWASP "Google Hacking" project. The presentation is published at http://www.slideshare.net/cmlh and is dual licensed under the OWASP License and AU Creative Commons 2.5.
OWASP Testing Guide v3 - Spiders/Robots/Crawlers
1. Automatically traverses hyperlinks
2. Recursively retrieves content referenced
Behavior is governed by the Robots Exclusion Protocol:
- The newer method is the <META NAME="Googlebot" CONTENT="nofollow"> tag, which is not supported by all robots/spiders/crawlers.
- The traditional method is robots.txt, located in the web root directory.
- Regular expressions are supported by only a minority of crawlers.
- "User-agent: *" applies to all spiders/robots/crawlers, or you can name a specific robot.
- It can be intentionally ignored.
- It is not a mechanism for httpd access control or digital rights management.
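To make the robots.txt rules above concrete, here is an added example (written for these notes, not part of the OWASP Google Hacking project's Perl code) of a minimal evaluator: it parses the file into per-user-agent groups and decides whether a named crawler may fetch a path. It handles plain path prefixes only, since the wildcard extensions are honoured by a minority of crawlers, and, like the protocol itself, it enforces nothing against a client that ignores the file.

```java
import java.util.*;
// Added example, not the project's code: a minimal robots.txt evaluator. It selects the
// group for a crawler name, then applies the longest-matching Allow/Disallow prefix.
// Advisory only: nothing here stops a client that chooses to ignore the file.
public class RobotsRules {
    // user-agent token (lower-cased) -> [directive, path] rules of that group
    private final Map<String, List<String[]>> groups = new HashMap<>();
    public static RobotsRules parse(String text) {
        RobotsRules r = new RobotsRules();
        List<String> agents = new ArrayList<>(); // agents the current group applies to
        boolean inAgentLines = false;
        for (String raw : text.split("\n")) {
            String line = raw.split("#", 2)[0].trim(); // drop comments and whitespace
            int colon = line.indexOf(':');
            if (colon < 0) continue;
            String field = line.substring(0, colon).trim().toLowerCase();
            String value = line.substring(colon + 1).trim();
            if (field.equals("user-agent")) {
                if (!inAgentLines) agents.clear(); // first User-agent line opens a new group
                agents.add(value.toLowerCase());
                r.groups.computeIfAbsent(value.toLowerCase(), k -> new ArrayList<>());
                inAgentLines = true;
            } else {
                inAgentLines = false; // Crawl-delay, Sitemap and unknown fields are skipped
                if (field.equals("allow") || field.equals("disallow"))
                    for (String a : agents) r.groups.get(a).add(new String[]{field, value});
            }
        }
        return r;
    }

    // A group named for the crawler is used instead of "*" (groups are not merged); with no
    // group at all everything is allowed. The longest matching prefix wins, Allow wins a tie,
    // and an empty "Disallow:" matches nothing. Plain prefixes only: no wildcard support.
    public boolean allowed(String agent, String path) {
        List<String[]> rules = groups.get(agent.toLowerCase());
        if (rules == null) rules = groups.get("*");
        if (rules == null) return true;
        int bestLen = -1; boolean allow = true;
        for (String[] rule : rules) {
            String prefix = rule[1];
            if (prefix.isEmpty() || !path.startsWith(prefix)) continue;
            boolean isAllow = rule[0].equals("allow");
            if (prefix.length() > bestLen || (prefix.length() == bestLen && isAllow)) {
                bestLen = prefix.length(); allow = isAllow;
            }
        }
        return allow;
    }
}
```

Given a file with a "User-agent: *" group and a separate "User-agent: Googlebot" group, a lookup for Googlebot consults only the Googlebot group, which is why a path disallowed for "*" can still be fetched by a crawler with its own, more permissive group.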
Testing - Robots Exclusion Protocol
- Sign into Google Webmaster Tools
- On the dashboard, click the URL
- Click "Tools"
- Click "Analyze robots.txt"
Search Engine Discovery
Microsoft Remote Desktop Web Connection: intitle:Remote.Desktop.Web.Connection inurl: tsweb
VNC: "VNC Desktop" inurl:5800
Outlook Web Access: inurl:"exchange/logon.asp"
Outlook Web Access: intitle:"Microsoft Outlook Web Access - Logon"
Adobe Acrobat PDF: filetype:pdf
Google caught onto this and is now displaying a "We're sorry" message for certain searches. To get around this, use different search queries that return overlapping results.
Google Advanced Search Operators: "site:" and "cache:". There are two ways of using "site:": either "site:www.google.com", which returns results for that specific hostname, or "site:google.com", which returns results for all hostnames and subdomains. Use "cache:www.owasp.org" to display an indexed web page from the Google cache. There is also a "Cached" link on the results page that does the same thing.
You can get updates of the latest relevant Google results (web, news, etc) using Google Alerts.
Download Indexed Cache
Uses the Google SOAP Search API. A query is limited to either 10 words or 2048 bytes. There is a limit of one thousand search queries per day, and the start index is limited to search results 0-999. Up to 10K possible results from 10 different search queries.
$Google_SOA_Search_API -> doGoogleSearch( $key, $q, $start, $maxResults, $filter, $restricts, $safeSearch, $lr, $ie, $oe );
See presentation for response.
The proof-of-concept tool is "dic.pl" ("Download Indexed Cache"), which downloads the search results. It is licensed under the Apache License 2.0. The tool outputs a URL and cachedSize response.
OWASP Google Hacking Project
The tools are built in Perl using the CPAN modules SOAP::Lite, Net::Google, and Perl::Critic. The development environment is based on Eclipse with the EPIC plug-in. The Subversion repository is at code.google.com.
Roadmap
Upcoming presentations at ToorCon X in San Diego, SecTor 2008 in Toronto, Canada, and RUXCON 2K8 in Sydney, Australia.
"TCP Input Text" Proof of Concept
"Speak English" Google Translate Workaround
Refactor and 3rd project review of the PoC Perl code, with public release at RUXCON 2K8 in November 2008.
Check in at code.google.com after RUXCON 2K8
4 hr "half day" training course Q1 2009