Rogan Dawes talked about the OWASP project. OWASP stands for “Open Web Application Security Project” and is a non-profit organization dedicated to “enabling organizations to develop, purchase, and maintain application that can be trusted” (cites from the website).
One important publication is the “OWASP Guide to Building Secure Web Applications” with examples in various programming languages.
OWASP Local Chapters
- Encourage local discussion of application security around the world
- Free and open to anyone
- Meet monthly or quarterly
Historically 2 annually (USA and Europe)
OWASP <Season> of Code
- Modeled after Google’s Summer of Code
- Encourages existing (and new) participants to work on OWASP projects
- So far, “Autumn of Code”, “Spring of Code”
- Examples: OWASP Testing Guide, OWASP Anti-Samy project (inspired by the myspace-Incident), OWASP WebGoat Solutions guide
- More than $100,000 paid out
So what’s the problem again?
- Many organizations simply trust their developers to produce secure code. Or they even don’t think about it at all.
- In many cases, that trust is misplaced (search engines are part of the problem. Reason for this is because you google for examples of how to code something and copy it over. And you might not choose the complicated solution because there is a simpler looking around which might lack security though. Security is not usually mentioned and thus awareness is lacking.)
- Lack of awareness of the problem is part of the problem.
How can this be fixed?
- Education (Documentation, Training (WebGoat))
- Code review
- Penetration testing (WebScarab)
- He worked on it from 2003 onwards.
- Flagship OWASP tools
- Written in Java, thus cross platform
- Key features: Direct access tp te underlying HTTP protocol, Intercepting proxy (including SSL), Session history, Spider, Fuzzer (tries various input variations and checks what comes back from the server), WebServices, Scripting (BSF)
- Drawbacks: Clunky, Memory Leaks
- better User Interface
- Proxy Toolbar (switch intercepting on/off) always on top
- Different views of the same data now consistent
- New ContentType editors
- Dockable Views
under the hood:
- Using proper DB (HSQLDB) to store history
- Using Spring Framework (DB, internal wiring)
- Fewer leaks – hopefully
What he demoed was WebGoat, a Java based set of web application which are aimed at people who want to learn about the various vulnerabilities. It is divided in lessons which tell you about XSS attacks, SQL injection and all the other things. WebGoat provides example applications with security flaws which you then have to exploit. They created this because testing these things on other people’s server can bring you all sorts of troubles (he gave an example of some guy who wanted to donate money and tested the site before if his credit card number is also securely stored. He was happy that he did not find any security flaws and provided his name and CC number. Unfortunately his tests triggered some alerts in the system and he was then convicted).
He also noted that WebScarab-NG does not yet have all the modules available which the classic version does have but that they are ported one after another (or re-implemented).
Definitely an interesting talk and these tools seem rather good. Everybody doing web development should probably have a look at the guide and those tools esp. if you use web frameworks and basically have to build all of your forms etc. yourself. Some attacks are prevented already by the framework (e.g. SQL injection) but some others might not. Of course the same is true for people implementing such frameworks.