onelittlewindow

Well folks, better late than never.

Here’s what I wrote up (and never finished) as a recap of Adam Vincent’s presentation in October. A bunch of things have conspired to keep me from finishing it, so I’m going to post it as is, before I disappear for even longer.

I’ll be travelling for most of the next month, but don’t miss the upcoming CapSec next week, or what looks to be an excellent OWASP meeting in December. Hopefully Mark will keep you posted.

A recap of Adam’s presentation (that ends kind of abruptly) after the cut:

Read the rest of this entry »

I suffered the wrath of the technological gods this week with the one-two punch of a burnt out power supply and a downed DSL line. I’ll be posting the re-cap from last week’s OWASP DC meeting in the not to distant future, once I get some time to catch up.

Thanks for bearing with!

Sorry for the lack of notice, but this month’s Refresh is TONIGHT.

(we don’t seem to get a lot of advance notice about refresh these days, so I try to pass along what I have when I can).

Come see the second part of the two part series, “From Concepts to Code,” where Jason Garber will present discussing taking the output of a designer and turning it into a functioning website.

Refresh DC 7 PM Thursday October 23rd
Fleishman Hillard
1615 L St. N.W., Suite 1000
Washington, DC 20036

The next OWASP DC Meeting will be next week:

OWASP DC
Wednesday October 15th 6:30 PM

Deloitte and Touche
1001 G St NW Washington DC 20001

This month’s agenda is as follows:

• Adam Vincent, Hacking and Hardening Web Services
• Doug Wilson, Report on AppSec NYC 2008
• Open discussion

Adam Vincent will be presenting on Hacking and Hardening Web Services. He has presented this to other OWASP chapters, including NoVa, and we are pleased to have him be able to bring it to our DC audience. I’m hoping to see some faces from Refresh show up in the crowd this time around . . .

Doug Wilson will also be reporting back from the OWASP AppSec NYC 2008 conference. He will cover some of the themes that emerged from that, and talk about some of the directions that OWASP is looking to take in the coming year.

We still need to confirm a few details, but it looks like the next OWASP meeting will be October 15th. Put that evening on your calendars (assume 6:30 PM downtown DC), and I hope to have confirmation in the next 24 hours.

Unfortunately, I’ve seen places where the media is mentioning this as Adobe “announcing flash for the iPhone” which makes it sound like it is imminent. But I still think it’s newsworthy that Adobe is making this announcement publicly.

Apparently at a recent event (Flash on the Beach in the UK), Paul Betlem (a Sr. Director of Engineering at Adobe Systems) made the announcement that there is an internal team at Adobe working on a flash player for the iPhone.

Given the wide variety of technical (and less publicly discussed but political) reasons that Apple has given for not adopting flash, to me this is in no way a guarantee that Flash will actually make it to the iPhone, or if it does, that it will happen any time in the near future. However, if it did, it would have an immense impact on the mobile presence community, marrying the power of flash to the emerging captive (but very specialized in their focus) iPhone user community. The potential for a new generation of mobile presence applications here if flash could be well implemented is staggering. But for now, it’s just a statement that Adobe has something in the works, nothing more.

Still, something to watch.

The first presentation I saw after the Keynote was Ofer Shezaf, presenting an analysis of recent results in the Web Hacking Incidents Database (WHID), a compilation of publicly disclosed Web Hacking Incidents hosted by the Web Application Security Consortium (WASC).

Ofer, who works for Breach Security, discussed the issues of trying to measure the effects and impact of security measures on web security. Documenting actual incidents covers definite risk factors from “real” bad guys, but even so, figuring out metrics for web applications is very difficult to assess.

Many web compromises other than defacements are stealthy in nature, and many organizations are either unaware of web compromises, or do not disclose them unless they run afoul of some regulatory requirement to do so (breach of PII, etc). So, as a result, most statistics on web compromises are skewed towards defacements and information leakage, as those are the only two that are regularly seen by the public.

Most assessments are biased, Ofer said, based on the role of who is doing the assessment. Most vendors are going to emphasis “FUD factors” or the results of automated tools, and many times developers reviewing their own code are going to be over-confident in their abilities and not give it the scrutiny it deserves. Lots of vulnerabilities are reported due to applications having a large attack surface, but the validity of the actual Risk and Threat are not considered in most listings of vulnerabilities.

As a case in point, most statistics from vendor tools and top ten lists are based on easily found and discovered vulnerabilities, and so the output of these is vulnerability only.

The OWASP Top Ten is vulnerable to this as well, Ofer claims. Having had some of the results tweaked by the OWASP board (such as the inclusion of CSRF) has helped, but he still feels that it is not an accurate depiction of what to worry about when actually calculating Threat and Risk. Analysis of the WHID shows that some “old” vulnerabilities are still alive and kicking — a large chunk of the last year’s WHID results show misconfiguration of servers as a main avenue of attack, and yet that was phased out of the last OWASP top ten (2007).

He acknowledged that WHID shows the same defacement and information leakage skew mentioned above due to sources, and also that most disclosed hacking incidents are against government and educational organizations. He doesn’t feel that this is necessarily accurate, but more because of requirements for disclosure and transparency in these organizations.

The next “targets” in priority in the WHID are retail institutions, followed closely by internet companies themselves — ISPs and others who influence the traffic of the internet themselves. He thinks that that niche may be the next big target, because of the use that their resources can be put to.

Having evaluated the 2007 data and what he’s seen for 2008, he points out the following trends from the past year:

There are finally large scale business models taking advantage of web application vulnerabilities. Web Hacking is replacing traditional spam methods as the most prolific way of propagating malware. In this process, the web site is the intermediary, not the end target, serving as a mechanism to infect clients. The “business” of malware has shifted its focus to this mass hacking as well, so targeted assaults on specific websites are less frequent (compared to overall incidents), but by no means have they gone away.

Sites are now valued by the loyal customer base that they have, rather than specific content — the larger the infection vector for the site, the more useful it is in the new model. However, small sites are hit constantly now by the mass SQL injection packages, which take over mom and pop sites by the millions.

And, as mentioned above, hacking service providers are increasing as well, with hacking of boxes that are network providers or ISPs.

So, in summary, trends indicated on the vulnerability front don’t always match what is happening in the real world, and investing protection dollars may be better done following the real world trends than trying to match vulnerability lists. Threat modeling should be done to include real risks and threats for your organization, not just the latest research discoveries.

The keynote for this year was a tag team of various OWASP board members.

Tom Brennan played host to the panel, as he was not only on the board, but a local chapter lead and primary organizer of the conference.

Jeff Williams started the keynote out by discussing the promise of software, and how we are not fulfilling that promise. Currently, Jeff said, the security community is failing. The focus is on penetration testing and exploits, and not how code is written, and researchers are chasing obscure problems, and not looking at the “big questions” (which are also the hard questions) with research.

Repeating some of the mantras oft heard from myself and many others, Jeff pointed out that we can turn Application Security from a “black art” into a science, by organizing and exposing the knowledge required. He mentioned the OWASP is attempting an “OWASP in schools” program that will attempt to get lecturers to do free lectures on application security at different colleges and universities.

Jeff stated that the industry needs to promote secure coding — to the point that it becomes a primary requirement of building any software. “Breaking is easy, building is hard,” he said, but he felt that the collective we at the conference can fix the software market. OWASP is attempting to reach out to groups who build languages and standards and help them build new projects securely with “Intrinsic Security Working Groups” so that new software will be build properly.

Jeff closed by saying that making Application Security into a movement is the only way that it’s going to succeed.

Dave Wichers then discussed OWASP projects and where they are at in the evolution of OWASP. This was the first mention of the “more structure” that OWASP is moving towards — a stricter application of criteria for qualities of release, for all types of projects, and a desire to require that projects advance a level of quality every “season of code” that they are put through.

Dave said that most OWASP documents are available through LuLu as bound documents in addition to electronic format, and that OWASP has taken the steps of adding staff for various administrative purposes as the organization grows.

In the document arena, OWASP is looking to create an “Application Security Desk Reference,” designed to be a one stop shop for discussion of concepts of application security, which could then be referenced internally in other documents. This would allow a “one stop shop” for people seeking core knowledge, and allow other projects to reference back to it instead of having to duplicate boilerplate on basic concepts.

OWASP is also looking towards having more and more conferences and open events to attempt increase visibility and awareness.

Dinis Cruz then took the stand, and discussed another facet of OWASP’s growth — the formal adoption of a grants program for funding projects — things like “season of  codes” now have a formal review process with a review board, to attempt to be more evenhanded and fair in terms of what is handed out, and to attempt to focus and steer the growth of the organization by weighing if projects are pertinent to the mission.

Dinis also echoed the need for an increase in events and visibility, stating that often folks who did OWASP had it as a volunteer “second job” that was completely virtual, and that real world interaction helped promote better communication and interaction between people working towards a common goal.

He ended by discussing the upcoming OWASP summit in Portugal, which will be taking place in November, and how there will be a two-day set of working sessions for OWASP leadership and contributors to set goals and projects for the next year.

I attended the annual US OWASP conference in New York City this past week.

The conference was moved at the last minute to a different venue that allowed for a larger number of attendees, due a surge in registration, so instead of taking place at Pace University as planned, it was instead at the Park Plaza Hotel, a few blocks off of Central Park.

As with most security conferences, when you take a cross section of the industry with similar interests, you start to see themes echoing out across all the presentations to form a cohesive message that has more credence than if it just came from one presenter.

The first and foremost of this year from the “security” standpoint is that the cries of “SQL Injection is dead” are not only too early, they are about as wrong as you can get. We were told by a wide variety of presenters looking at different sets of data that SQL Injection is not only alive and well, but it’s probably the most dangerous and prolific attack vector out there today. That then carried the secondary message that the Web App Sec space suffers a bit from the same problems that have been seen at Black Hat and the growing market of city-specific hacker cons (ShmooCon, ToorCon, etc) — that the hype and what the attack-based researchers are working on may show new, large vulnerability surfaces that no one has defense against, but those vulnerabilities are not where the threat is being applied, and do not equate to a realistic amount of risk commensurate with their hype. Where the real world has to focus has a bit of a disconnect with what gets the hype and the press on the research side, and where professionals are working on defense day to day does not always involve what it looks like on paper.

This in turn reinforced an underlying message that has been entrenched in OWASP for a while — that glory of the ’sploit aside, the real, ultimate, and very difficult work is find solutions, and solutions that can be easily deployed, taught, and replicated. This is an extremely difficult goal, but one that the organization is dedicated to working towards, and revelations such as the above help keep things on track, rather than devolving into the next big exploit of the week, and I think the presentation content at the conference reflected this.

An organizational take-away from the conference is that OWASP is not only growing rapidly, but is aware of this fact and taking steps to manage their growth, so that the increase in resources can be focused and put to work for the organization, rather than being unfocused and wasted, and possibly losing momentum. There is still a lot of work to go (as evidenced in some of the discussion behind the scenes), but I felt energized after attending, and that the growth of OWASP (which, like many other open-source and contributor based entities) which has felt very organic up to now, may be getting some structure. OWASP is trying to get a lot of its leadership and active/influential members to participate in the next big OWASP event, which is a summit in Portugal in November, and there set the tone and goals of the organization for the next year.

In the near future, I’ll try to make a few more posts and cover some of the presentations in detail — the organizers have promised to put recordings of many of them online in the next week or so.

This evening, Nguyet Vuong will be presenting the first half of “from concepts to code”

Come by!!

www.refresh-dc.org