Tuesday, 29 September 2009
OWASP Internals: Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships
I'm really happy with this model, and I hope that this will mean that we will see much more participation from our leaders at our conferences.
Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships
Friday, 25 September 2009
Friday, 18 September 2009
18 Sep - WebEx on using the O2 Spring MVC Module to exploit vulnerabilities in the PetClinic application
Not sure if you still remember this, but I was one of the authors of the two security issues reported on the Spring Framework MVC by Ounce Labs last year (see PDF here).
To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple of vulnerabilities discovered on the PetClinic demo application that ships as a sample application with Spring 2.5 (you can download from here the demo materials I am going to use tomorrow (includes all files required to run a local copy of the PetClinic test application)).
Thursday, 17 September 2009
Not sure if everybody is aware, but I was one of the authors of the two security issues reported by Ounce Labs last year (see PDF here). At the time we didn't really explain how I found those issues, but since then we have released the OWASP O2 Platform, which contains the O2 Spring MVC module (link to ClickOnce install) that attempts to visualize the attack surface and vulnerabilities created by Spring MVC annotation-based controllers (see Spring documentation here).
To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple of vulnerabilities discovered on the PetClinic demo application that ships as a sample application with Spring 2.5.
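The usual security concern with @ModelAttribute is Spring's automatic data binding: before the handler method runs, the WebDataBinder copies every request parameter that matches a writable property of the model object, whether or not the form actually rendered a field for it. The following is an added example (not code from the original post, from PetClinic or from O2) that shows this mechanism with the plain DataBinder, which is what @ModelAttribute uses behind the scenes, next to the allowed-fields restriction that closes it. Owner is a hypothetical form-backing bean modeled loosely on PetClinic's Owner, and the submitted parameters are constructed; spring-beans and spring-core are assumed to be on the classpath.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

/**
 * Added example, not from the original post, PetClinic or O2.
 * Owner is a hypothetical bean; the submitted parameters below are constructed.
 * Requires spring-beans and spring-core on the classpath.
 */
public class ModelAttributeBindingDemo {

    /** Form-backing bean. 'id' is assigned by the application, never by the user. */
    public static class Owner {
        private Integer id;
        private String firstName;
        private String lastName;

        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
        public String getLastName() { return lastName; }
        public void setLastName(String lastName) { this.lastName = lastName; }
    }

    /**
     * What an "edit owner" form would POST, plus one parameter the form never
     * renders. A WebDataBinder builds the same PropertyValues from the request
     * parameter map before binding them onto an @ModelAttribute object.
     */
    static MutablePropertyValues submittedParameters() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.addPropertyValue("firstName", "Mallory");
        pvs.addPropertyValue("lastName", "Smith");
        pvs.addPropertyValue("id", "2");   // not on the form, but Owner has a setId()
        return pvs;
    }

    /** Default behaviour: every parameter that matches a writable property is bound. */
    static Owner bindUnrestricted(Owner target) {
        DataBinder binder = new DataBinder(target, "owner");
        binder.bind(submittedParameters());
        return target;
    }

    /**
     * Hardened: only the fields the form is meant to edit are bindable.
     * In a controller this is the same call made on the WebDataBinder inside an
     * @InitBinder method: binder.setAllowedFields("firstName", "lastName");
     */
    static Owner bindRestricted(Owner target) {
        DataBinder binder = new DataBinder(target, "owner");
        binder.setAllowedFields("firstName", "lastName");
        binder.bind(submittedParameters());
        // Parameters that were dropped are recorded; worth logging as a signal
        // that someone submitted fields the form does not expose.
        for (String field : binder.getBindingResult().getSuppressedFields()) {
            System.out.println("suppressed parameter: " + field);
        }
        return target;
    }

    /** The record the user is allowed to edit, as it would be loaded from storage. */
    static Owner storedOwner() {
        Owner o = new Owner();
        o.setId(1);
        o.setFirstName("Alice");
        o.setLastName("Smith");
        return o;
    }

    public static void main(String[] args) {
        Owner a = bindUnrestricted(storedOwner());
        System.out.println("unrestricted: id=" + a.getId() + " firstName=" + a.getFirstName());
        Owner b = bindRestricted(storedOwner());
        System.out.println("restricted:   id=" + b.getId() + " firstName=" + b.getFirstName());
    }
}
```

With the default binder the submitted id overwrites the one loaded from storage, so whichever record is saved afterwards is chosen by the client rather than by the application; with setAllowedFields the extra parameter is dropped and reported through getSuppressedFields(). The allow-list belongs in an @InitBinder method on every controller that binds user input onto persistent objects; the complementary setDisallowedFields() exists but is easy to leave incomplete when new properties are added to the bean.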
You can read more about it on the chapter home page, in their [Owasp-wash_dc_va] "OWASP Session - Fortify 360 - Thursday, September 17, 2009" mailing list announcement, or on the Secure Coding mailing list.
Basically what they are doing is allowing a vendor (Fortify) to come to an OWASP meeting and present their product! Shock, horror!!! Doesn't this break OWASP's values, principles and independence?!
Well, it depends :)
OWASP is not anti-vendor! In fact, most OWASP members and users are either directly connected to a vendor or use vendors' products/services (disclosure: one of my contracts is with Ounce Labs (now IBM)). Vendor presentations at OWASP happen ALL the time (see for example this presentation delivered at the last OWASP London chapter meeting: Using Surrogates to Protect from Application Data Breach).
The issue is not IF OWASP should have 'vendor' presentations but HOW we do them. My view is that as long as the 'snake oil & marketing' content is kept under control, what is presented is an 'accurate' representation of that technology, and there is interest from the OWASP community in it, then it is OK.
The fear is that OWASP becomes a 'vendor-driven' organization, 'infiltrated' by people with direct, short-term commercial priorities. The good news is that I think OWASP has a long and ingrained tradition of 'keeping the vendors under control', and as we grow we need to create 'environments' where the vendors can show where they add value in a way that is compatible with OWASP's values and principles.
And in my view, John is trying to create this environment using a 'real-world' case study (btw, this is what I love about OWASP: our leaders have the ability to be proactive and creative (we just need to make sure they are going in the right direction :) )).
So, back to the subject at hand, here are a couple of points and ideas about allowing vendors to provide 'hands-on sessions at OWASP chapters and conferences' (I would like to see at the end of this thread a nice list of 'rules of engagement' for other chapters/conferences that want to organize similar events):
1) This is not a new idea; we have had numerous talks in the past about creating, at OWASP conferences, an 'open & independent lab environment where people can try technology', and in fact a while back I organized a bake-off between WAF vendors in London (see London_Chapter_WAF_event),
2) The vendor should provide unrestricted and uncontrolled access to the technology to the participants,
3) On the other hand, since the value derived from these tools usually depends heavily on their being used by 'experienced users', and since there is a section of the OWASP community that is very technical (and historically very skeptical about the REAL value these tools can provide), the vendor, ideally in partnership with an independent service provider, should also show how its tool is used by its users in real-world scenarios,
4) The attendees should be allowed to take with them an evaluation version of the product without having to provide any information in return (business cards, names, mobile phones, social security numbers, bank account details, etc... :) )
5) Barring technological or licensing problems, the vendor should provide a VMware/VirtualPC/Xen/OWASP_Live_CD image containing everything needed to evaluate the technology (for Windows, I think we could use 30/60/90-day evaluation versions of the required OS),
6) Barring bandwidth or logistical issues, the event should be broadcast live and remote users should be given access to the virtual images,
7) Barring technological or logistical issues, the event should be recorded (video/audio) and made available to OWASP users,
8) Finally, and very importantly, the decision as to whether one of these events was 'successful and respected OWASP's values and principles' should be made by the local OWASP 'non-vendor' members (i.e. people from local companies that are trying to buy, develop or maintain secure web applications). What I have found in the past is that the tolerance for 'vendor pitches' depends very much on geography (the same presentation in NYC and in Milan will get very different reviews, and non-US chapters sometimes tend to be much more 'vendor'-friendly). So I would look to the local chapter (users and leader(s)) for guidance on the event's outcome.
If this is popular, we should make these activities/events into an 'OWASP Project', since we will need to keep tight control over these rules and ensure they don't get abused.
BUT, if we get this right, we will be able to combine the energy/motivation that the vendors have in promoting their products with the energy/motivation of the consulting companies that know how to use those products, and (MOST IMPORTANT OF ALL) with the needs, requirements and issues that the users/clients have.
What do you think? This is a tough issue, but it is HAPPENING, so we might as well agree on the 'rules of engagement'.
From the current description of the 'Fortify at Virginia chapter' event, I think they meet just about all the items I propose. Any comments?
- before I describe why I don't agree with the requirement for owasp-leaders to 'find two ticket buyers', I just want to make clear that this decision falls under the responsibility of the AppSec DC conference, since they are the ones managing the budget for this conference :) . And remember that NOTHING in OWASP is set in stone, so if something makes sense, IS DOABLE and respects OWASP's values, then it is better to change it sooner rather than later
- one more point on owasp leaders. As a sign of recognition of their great work and contributions, at the last OWASP board meeting we (finally!!!!!!) decided to make ALL active & past owasp project & chapter leaders OWASP members. There is currently a work thread at 3 committees (Membership, Chapters and Projects) to figure out the criteria for this, but basically the idea is to give all selected individuals (or companies) the option to: a) receive a free 1-year membership or b) pay for it. The irony is that I (Dinis) am not an OWASP member :) , and the main reason is that I had no requirement to become one. Now with the forthcoming elections and this offer, I will HAVE to become a member, and I will gladly pay the 50 USD membership fee, since even after adding the time I put into OWASP, I still receive enough value from OWASP to justify the 'business expense' of 50 USD :) :)
- finally, on the issue of owasp-leaders having to 'find two ticket buyers to get a free ticket for the AppSec DC' (and even other OWASP conferences
g) back to the topic of OWASP leaders participating in OWASP AppSec conferences:
- this is something we should actively encourage and promote (it even has 'marketing value': "come to the OWASP AppSec XYZ conference where you will be able to meet 15 OWASP Project and Chapter leaders!!")
- they (the leaders) should participate in the keynote OWASP presentation (representing their chapter or project)
- if it is a project leader, he/she should be given a 5/10/15/30/45-minute slot to present his/her work
- if it is a chapter leader, he/she should be given a 5/10/15/30/45-minute slot to present what happens at his/her chapter, and give a 'quick' preview of the presentations that happened there in the last 6/12 months
- we have to remember that in a lot of cases (take Matt Tesauro's case) in order to participate in these conferences they have to use their 'holiday/vacation' days (which can be quite a large personal sacrifice)
- as OWASP grows and is more and more successful, we have to make sure that we keep managing the expectations and views of the 'VERY IMPORTANT' OWASP contributors who happen NOT to be involved in a particular conference. I really worry when I hear comments like 'I work so HARD for OWASP and I have to PAY!! to attend a conference that exists (in part) because of my contributions!'
Wednesday, 16 September 2009
Tuesday, 15 September 2009
- they can’t really trust the data that they get from those systems,
- that they can’t really trust the authenticity or integrity of the data that comes from these systems,
- the attackers' business model has not evolved to a stage where they are building services on top of what XSS allows them to do,
- most clients buying these tools (with some notable exceptions) don't care, or don't have the resources, to gain the required understanding of the security implications of what they are buying,
- governments, standards bodies and insurance companies are not focused on this problem (though they eventually will be)
Monday, 14 September 2009
- The OWASP Top Ten is a great place to start; it gives you the main issues that you should be looking at.
- Projects like SAMM, the Software Assurance Maturity Model, allow you to measure and model your company's practices against defined maturity levels, so you can target different levels depending on what you want to achieve.
- The ASVS (Application Security Verification Standard) allows you to map, in a much more focused way, your software assessment (and verification) practices to an 'official' verification standard.
- The ESAPI project is trying to create a template of good security controls that you should be able to (re)use. Ideally you (or the frameworks you use) should adopt the code and make sure that all the areas covered by ESAPI are handled by your application (remember, security doesn't happen by accident).
- Also very useful (especially in 'outsourced development' scenarios), the Legal project can really help you ensure the inclusion of 'security-related clauses' in software development contracts (this project gives you background information and templates that you can use in your legal contracts).
- For the actual 'hands-on' testing and web application review you have the Testing Guide, the Code Review Guide and the Developer's Guide, which are documents that tell you how to test (and secure) web applications.
- And finally, a project like WebGoat is great because it allows people to gain awareness of security implications. One of the things a company should do is 'make every major developer go through the WebGoat exercises' (this will have a dramatic effect in helping them understand the security implications of web application vulnerabilities).
- Note I: there are many more OWASP projects (the above are just a small sample).
- Note II: as a big company, you are going to have employees spread across the globe whose skills you need to keep up to date. The OWASP chapters (154 at last count) and OWASP AppSec conferences (15 in 2009) are a great way to get your people involved and raise their security knowledge.
One important issue to raise is that today there are already a lot of 'security-related' activities done internally within companies and big corporations.
In practical terms this means that substantial funds (i.e. money) are already being spent developing standards or documents that would be much better served if they were produced in an open environment, with the results shared back with everybody (this would also allow those companies to leverage the knowledge of the OWASP community).
One of the things I would hope to see more and more in the future, is companies doing some (or all) of their internal 'web application security' research through OWASP.
This could be done by a) paying internal staff (i.e. employees) to work on OWASP projects or b) giving OWASP grants (which would help OWASP to do a greater job).
The best part of this model, is that everyone, including the original company, would benefit.
In fact, in most cases (I believe) it will be more cost-effective (from a value-for-money / ROI / deliverables point of view) to do these engagements through OWASP rather than independently at the company.
Friday, 11 September 2009
Thursday, 3 September 2009
A good definition is: 'O2 is an Open Platform for automating application security knowledge and workflows'
Although it was originally designed to enhance source code analysis, it has evolved into more of a "static, dynamic, real time" analysis environment and platform.
In a nutshell, O2 is a collection of (about 25) open source modules/tools that help with the multiple aspects of performing an application security engagement (in most cases by extending the capabilities of several commercial and open source tools).
There are a large number of O2 modules designed to work specifically with the Ounce 6.x product (Ounce Labs' static analysis engine), and several other O2 modules that are 100% independent and can be used with only freely available or open source tools.
One of the most powerful features of O2 is its scripting and customization capabilities. Currently O2 supports scripting in:
- any .NET language (with an O2 module dedicated to coding and debugging C#),
- Java via IKVM,
- Python & Java via Jython, and
- Python & .NET via IronPython.
Ultimately the power of O2 is that you can script the security consultant's brain and really help him/her become more productive.
Here is the usual workflow for advanced O2 users:
- It starts with a PROBLEM (something the security consultant wants to do, but the available tools can't do)
- in order to figure out a SINGLE SOLUTION for the problem, a number of scripts are written (in O2) to solve (or partially solve) the problem, with the core objective at this stage being to allow the security consultant to continue with his/her job (which is completing the security engagement)
- after a couple of generations of 'script writing', they usually can be automated and become part of an existing (or new) O2 module
- eventually this script/module/capability fully matures and becomes a fully working prototype,
- which might (depending on "customer demands + product roadmap", and after a rewrite by the product team) end up in a commercial product (by IBM or others) in a form usable by non-security-knowledgeable users
- Over the last couple of weeks I've spent quite a lot of time with the multiple IBM AppScan groups/teams, and I have to say that they have a very impressive group of people and technology over there, who are dedicated to solving the "application security assessment problem" and to building powerful, simple-to-use and effective tools for mass usage.
- Although my contract is not (yet) signed (a bunch of legal and process hoops to jump through), it looks like I will have a deal that allows me to continue to be independent and:
- continue my active participation at OWASP and its projects
- continue my active development of O2 (which will now become an OWASP project called 'OWASP O2 Platform')
- continue to consult with other companies - for example I already have a long-term (non-IBM) contract to work on MOSS (SharePoint) security and am open for other projects (so if you have interesting and challenging projects where I can be involved 5 to 10 working days a month, ping me with the offers :) )
- In terms of where I fit in IBM, there are lots of VERY interesting possibilities, but in the short term the focus will be on using O2 to write 'integration prototypes' between the multiple AppScan products and on helping the Ounce team productize some of the most mature features of O2
- As I mentioned above, IBM does have a VERY impressive line-up of products and technologies in the application security space. With the Ounce Labs acquisition they now have just about all the pieces of the puzzle (the challenge now is integrating them and making them all work as a team)
- And when I say ALL pieces, I am thinking much bigger than just static or dynamic analysis. If you look at how application security engagements are carried out today, you will see enormous gaps in:
a) the current workflow,
b) how data is handled,
c) how users that access the code & results are authenticated & authorized,
d) how findings are created,
e) how findings are presented (to management and developers) ,
f) how findings are remediated,
g) how findings are retested,
h) how findings' status is tracked, etc ...
- What really struck me when I started looking at IBM's software portfolio, namely the Rational tools and the new IBM Jazz platform, is that we can use (for example) a combination of "Jazz Foundation + AppScan / Ounce (i.e. multiple engines) + Rational Team Concert + Rational Build Forge + Rational Test Lab Manager" to create an environment that would REALLY allow us (in a scalable and repeatable way) to perform "focused, meaningful and actionable" application security assessments.
In fact, it was when looking at both solutions that I realized O2 was actually a 'platform' and could be extended to 'glue' and integrate multiple open source projects the same way it already integrates with multiple source code (and soon black box) analysis tools (both commercial and open source).
The good news is that once O2 is able to 'talk Jazz' and leverage its available services, O2 can actually be one of the 'bridges' into/from the Jazz world (i.e. once a particular open source or commercial tool is integrated with O2, it will be 'consumable' from Jazz).
These are really very exciting times, and I really look forward to what happens next :)
Here are a couple of links with good info on Jazz:
- From the Eclipse Platform to the IBM Rational Jazz Platform (April 2009), a great article
- The IBM Rational Jazz Strategy (pdf, july 2008)
- https://jazz.net/community/academic/?p=openSourceUse - the bit that explains how Open Source projects can have access to some free Jazz (note to self: need to see how this fits with OWASP)