Monday, May 18, 2009

OWASP AppSec Poland in Review

I just got back from OWASP Poland. I was there for a week and taught the two-day advanced course, attended two days of OWASP talks and gave my own presentation on Thursday.

Just wanted to let everyone know that the conference was a huge success. I was very impressed with the presentations and the planning/delivery of the conference. Having now attended a few OWASP conferences and several other popular security conferences, I would definitely recommend an OWASP conference over the others any day.

In addition to the presentations, it was great to talk with others who focus on app sec all day. There were some great people there and it's always good to pick their brains a bit.

The presentations are all online now (Day 1, Day 2). I’d recommend you take a look at a few of them.

• OWASP Live CD (PPT) – Matt Tesauro
Whenever attempting to run a new OWASP tool, start here. It's probably already installed and working.

• Threat Modeling (PPT) - John Steven
Always good to get some more feedback and ideas on how to increase the quality of threat diagrams for architecture-level assessments.

• O2 - Advanced Source Code Analysis Toolkit - Dinis Cruz
No slides available, but this talk was really interesting. Dinis is moving towards a tool which blends static and runtime analysis via breakpoints. The demo showed some very interesting call flow graphs to help trace data from source to sink.

• The Software Assurance Maturity Model (SAMM) (PPT) - Pravir Chandra
Definitely should take a look at SAMM if you haven’t already.

• HTTP Parameter Pollution (PDF) - Luca Carettoni & Stefano Di Paola
This was an interesting talk. It could have used a little more organization and clarity to drive home the root issue. However, what I took away was that different application servers handle the presence of duplicate URL parameters differently (e.g. http://somesite.com?var1=abcd&var1=efgh).

Some app servers take the first occurrence, others take the last, and some concatenate the values. This can be used maliciously in two different ways.
1. Bypass URL filtering put in place by WAFs that inspect each parameter value on its own (e.g. http://somesite.com?var1=Select user,pass,&var1=dob From USERS: no single value looks like a SQL statement, but a back end that concatenates sees the whole thing).
2. Overwrite statically defined URL arguments when a dispatcher model is used in code, e.g.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    // dispatch request: the user-supplied "query" value is concatenated,
    // unencoded, onto an internal URL that already fixes role=user
    String URL = "http://internalPage.com/search?role=user&" + request.getParameter("query");
    ...

Which the attacker exploits by smuggling a second role parameter inside the query value (the attacker-added part is role=admin). Note that getParameter() URL-decodes the value, so the injected & and = must be sent encoded (%26 and %3D) for them to survive as part of query and come out as raw delimiters in the internal URL:
http://somePublicPage.com/searchDispatch?query=abc%26role%3Dadmin
The dispatcher then requests http://internalPage.com/search?role=user&abc&role=admin, and whether the search runs as admin depends on how the internal server resolves the duplicate role parameter (last-wins is the dangerous case).
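The following is an added example, not code from the post or from the HPP slides. It simulates the three duplicate-parameter policies described above (first wins, last wins, concatenate), a toy WAF that inspects each parameter occurrence on its own, and the dispatcher from the Java snippet rewritten in Python beside a hardened version that encodes the user value as a single parameter. The policy names, the "," joiner, the WAF regex and the hostnames are assumptions made for the illustration.

```python
"""HTTP Parameter Pollution: duplicate-parameter resolution and the dispatcher
attack. Added example (not from the original post); hostnames, the WAF rule
and the three policies are illustrative assumptions."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Three behaviours seen in the wild for ?p=a&p=b. Which server does which is
# not modelled here; the "," joiner is an assumption.
POLICIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "concat": lambda vals: ",".join(vals),
}


def resolve(query, name, policy):
    """Value a back end using `policy` sees for parameter `name` (None if absent)."""
    vals = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    return POLICIES[policy](vals) if vals else None


# Toy WAF rule: each parameter occurrence is checked separately, which is the
# design weakness HPP abuses.
SQLI_RULE = re.compile(r"select\s.+\sfrom\s", re.IGNORECASE)


def waf_blocks(query):
    """True if any single parameter value matches the SQLi rule."""
    return any(SQLI_RULE.search(v) for _, v in parse_qsl(query, keep_blank_values=True))


def build_internal_url_vulnerable(user_query):
    """The dispatcher from the post: user input concatenated unencoded onto an
    internal URL that already fixes role=user."""
    return "http://internalPage.com/search?role=user&" + user_query


def build_internal_url_safe(user_query):
    """Hardened dispatcher: the user value is encoded as one parameter, so an
    embedded '&role=admin' stays inside the value of `query`."""
    return "http://internalPage.com/search?" + urlencode([("role", "user"), ("query", user_query)])


def internal_role(url, policy):
    """Role the internal search server ends up using under `policy`."""
    return resolve(urlsplit(url).query, "role", policy)


if __name__ == "__main__":
    # 1. WAF bypass: neither fragment matches on its own, the concatenation does.
    bypass = "var1=Select+user,pass,&var1=dob+From+USERS"
    print("WAF blocks split payload:", waf_blocks(bypass))
    print("concat back end sees:", resolve(bypass, "var1", "concat"))

    # 2. Dispatcher: attacker sends the injected pair URL-encoded inside `query`.
    public_qs = "query=abc%26role%3Dadmin"  # constructed attacker request
    q = resolve(public_qs, "query", "first")  # what getParameter("query") returns
    for policy in POLICIES:
        print(policy, "vulnerable ->", internal_role(build_internal_url_vulnerable(q), policy),
              "| safe ->", internal_role(build_internal_url_safe(q), policy))
```

The fix is not to pick a "safe" duplicate policy on the internal server (you rarely control it) but to stop building URLs by string concatenation: encode each user value as its own parameter, and reject or strip delimiters you do not expect.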


• Real Time Defenses against Application Worms and Malicious Attackers (PPT) - Michael Coates
My talk went very well. Feel free to take a look at the slides. Lots of good things in store for AppSensor. I’m planning to make some big updates to the book and get a new version out in the next few months. ESAPI integration is also in the plans.

I'm always looking for new contributors, reviewers, and feedback. If you're interested, post to the mailing list or shoot me an email.

-Michael Coates