Thursday, July 1, 2010

Notes from OWASP Bay Area Security Summit

I attended the OWASP Bay Area Security Summit today and wanted to share some notes from the talks.

Drive By Downloads- How to Avoid Getting A Cap Popped in your App - Neil Daswani, Co-founder, Dasient
- Lots of information in this talk. However the portion on dynamic identification and quarantine of malicious scripts was very interesting. Mod Anti-Malware was created which will analyze dynamic content within a webpage to determine if remotely linked content is malicious. If the remotely linked content is malicious then the mod will strip the include or src link to that content in real time.  The idea is pretty interesting and I can see it being applicable to help stop malicious JavaScript via ads.  Neil mentioned he'll be talking more about this at blackhat.

Building Secure Web Applications In a Cloud Services Environment - Misha Logvinov, VP of Online Operations, IronKey and Alex Bello
This was a talk on securing the SDLC that provided a good overall look at the SDLC and how security should be integrated into each phase.  Several OWASP resources were mentioned that can be used to assist in securing various portions of the SDLC including: ESAPI, ASVS, Top 10 and OpenSamm. The talk also touched on cloud services but really didn't dive into too much depth. During Q&A someone did ask how they should verify or test a cloud service providers security? The answer provided by Misha was to ask for proof in the following formats: SAS70, ISO 27001, or 3rd party penetration test reports.  This is a challenging issue and one that will need to be addressed as cloud services grows.  I think the ideas provided by Misha are a good starting point for the security conversation between the client and the cloud services  provider.

Cloudy with a Chance of Hack Lars Ewe, CTO and VP of Engineering, Cenzic

-Lars reviewed several statistics from Cenzic's Trend Reports on web application security. The data clearly showed, not to anyone's surprise, that there are still a large number of vulnerabilities in most web applications.  While the data was interesting, I did have some disagreements on the methodology. For example, Information Leakage was reported as the most prevalent vulnerability within property applications (Q3-Q4 report pg 10) and was reported as being present in 93% of all applications in the study (Q3-Q4 report pg 11). This percentage seemed a bit high and we soon found out why. Information leakage includes the standard things like detailed error messages, but also includes HTML comments (pg 15).  This explains why the results seemed off, any website with an HTML comment was dinged for Information Leakage.  The other statistic that I questioned was CSRF. The report states that CSRF is an issue in only 14% of applications (pg 11). This is an odd result because CSRF has been widely discussed as a tricky issue to automatically test for.  With that in mind, I'm confused how the report obtained some CSRF vulnerabilities but not the quantity we would expect.  In my experience nearly every site has CSRF flaws, so I'd expect a percentage between 85 and 90%.

These discrepancies made me think twice about the overall statistics and conclusions of the report. However, I shouldn't derail the issue too much. Any study will always have its limitations and biases.  And even if the methods used to collect data are slightly off, if they stay consistent then the trends over time do provide some value.  Either way, the overall point is clear - we still have a lot of work to do to clean up our applications.

Two other presentations were in the summit lineup. Unfortunately I did not have enough time in my schedule to catch these two talks.
 
Application Security Deployment Tradeoffs - Anoop Reddy, Senior Manager, Products, Citrix


MashUp SSL - Extending SSL for Security Mashups - Siddharth Bajaj, Principal Engineer, Verisign

In the bay area and interested in OWASP? Sign up on the mailing list for event notification.


-Michael Coates

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.