Archive for the ‘OWASP AppSec’ Category

AppSec DC Update

Friday, October 2nd, 2009

Most of my time these days is going into AppSecDC. So I thought I’d share a bit of a shameless plug here that I just sent out to the conference mailing list:

People are registering, hotel rooms are being booked, classes are being enrolled in, and we’re just over a month out!

First off, if you haven’t registered or approached us about volunteering yet, today is the LAST day for early bird registration.

The link for registration is here

Secondly, if you are interested in volunteering, and haven’t contacted us about it yet, please contact Jon Rose, who is handling the volunteer coordination these days. He will be sending out a volunteer information packet in the next few days that should have answers to some of your questions, and he should be able to hook you up with getting “signed up” for specific positions.

Also, got Web 2.0? If so, we’re out there, and need your help. Follow, join, repost, talk about, and all those other good things. Every bit of extra visibility gives people who don’t know about the conference a chance to join in and participate!

Follow @AppSecDC09 on Twitter!

Join the event on Facebook, Linked In, or Upcoming !!

If you can, publish the event to your profile about it on whatever service, and tell your friends!

Look for more announcement soon. Next week, we’ll be highlighting some of the training options, and talking about what’s going on with our panels and some of our other events.

Podcast Love

Thursday, October 1st, 2009

I (among others) am appearing in a few podcasts this week.

Amrit Williams interviewed me for his “Beyond the Perimeter” podcast, where in several parts I discuss AppSecDC, OWASP, and web application security. The first of these is up today, the others will follow next Tuesday and Thursday. BTP is also on iTunes.

Jim Manico, host of the wildly successful OWASP podcast, was nice enough to have a bunch of us over for some friendly banter about security inside the beltway a while back. You can hear that as of today, or if you subscribe through iTunes, you can get it there as well. This features myself, Matt Fisher of Piscis Security, Jack Whitsitt, Dan Philpott of Fismapedia and Guerilla-CISO. Mike Smith of Guerilla-CISO just missed us, and will be on another episode coming out soon!

OWASP DC this week, CapSec next week

Monday, April 20th, 2009

Just a reminder about some upcoming events:

This Wednesday, Jon Rose will be presenting his Deblaze tool, and I will be talking about some of the recent activity in OWASP, including (hopefully) the official announcement of AppSec US 2009 being hosted in November in Washington DC.

OWASP DC
Wednesday April 22nd 6:30 PM

Duques Hall Rm 650D
George Washington University
2201 G St. NW
Washington DC 20037

Please note that this is NOT the same room as last time. It’s nearby, and hopefully we’ll have signs up to show you the way.

Next week, CapSec DC will have its April incarnation at Stetson’s. Hopefully this time we will outnumber marauding birthday parties. Though it was nice to have free balloons.

CapSec DC
Wednesday April 29th, 7:00 PM

Stetson’s
1610 U St NW
Washington DC 20009

OWASP AppSec 2008 — Analyzing the WHID

Monday, September 29th, 2008

The first presentation I saw after the Keynote was Ofer Shezaf, presenting an analysis of recent results in the Web Hacking Incidents Database (WHID), a compilation of publicly disclosed Web Hacking Incidents hosted by the Web Application Security Consortium (WASC).

Ofer, who works for Breach Security, discussed the difficulty of measuring the effect and impact of security measures on web security. Documenting actual incidents captures definite risk factors from “real” attackers, but even so, meaningful metrics for web application security are very hard to establish.

Many web compromises other than defacements are stealthy in nature, and many organizations are either unaware of web compromises or do not disclose them unless they run afoul of some regulatory requirement to do so (breach of PII, etc.). As a result, most statistics on web compromises are skewed towards defacements and information leakage, as those are the only two categories that are regularly seen by the public.

Most assessments are biased, Ofer said, by the role of whoever is doing the assessment. Most vendors are going to emphasize “FUD factors” or the results of automated tools, and developers reviewing their own code are often over-confident in their abilities and do not give it the scrutiny it deserves. Lots of vulnerabilities get reported because applications have a large attack surface, but the validity of the actual risk and threat is not considered in most listings of vulnerabilities.

As a case in point, most statistics from vendor tools and top ten lists are based on easily discovered vulnerabilities, so their output is a count of vulnerabilities only, with no weighting by threat or risk.

The OWASP Top Ten is vulnerable to this as well, Ofer claims. Having had some of the results tweaked by the OWASP board (such as the inclusion of CSRF) has helped, but he still feels that it is not an accurate depiction of what to worry about when actually calculating Threat and Risk. Analysis of the WHID shows that some “old” vulnerabilities are still alive and kicking — a large chunk of the last year’s WHID results show misconfiguration of servers as a main avenue of attack, and yet that was phased out of the last OWASP top ten (2007).

He acknowledged that WHID shows the same defacement and information leakage skew mentioned above because of its sources, and also that most disclosed hacking incidents are against government and educational organizations. He doesn’t feel that this reflects actual targeting so much as the disclosure and transparency requirements imposed on those organizations.

The next “targets” in priority in the WHID are retail institutions, followed closely by internet companies themselves: ISPs and others who influence the traffic of the internet. He thinks that niche may be the next big target because of the uses their resources can be put to.

Having evaluated the 2007 data and what he’s seen for 2008, he points out the following trends from the past year:

There are finally large scale business models taking advantage of web application vulnerabilities. Web Hacking is replacing traditional spam methods as the most prolific way of propagating malware. In this process, the web site is the intermediary, not the end target, serving as a mechanism to infect clients. The “business” of malware has shifted its focus to this mass hacking as well, so targeted assaults on specific websites are less frequent (compared to overall incidents), but by no means have they gone away.

Sites are now valued by the loyal customer base that they have rather than by specific content: the larger the audience a site can infect, the more useful it is in the new model. However, small sites are now hit constantly by the mass SQL injection packages, which take over mom and pop sites by the millions.

And, as mentioned above, attacks on service providers are increasing as well, with compromises of boxes belonging to network providers or ISPs.

So, in summary, trends indicated on the vulnerability front don’t always match what is happening in the real world, and protection dollars may be better invested by following real world trends than by trying to match vulnerability lists. Threat modeling should be done to include the real risks and threats for your organization, not just the latest research discoveries.

OWASP AppSec 2008 Keynote

Sunday, September 28th, 2008

The keynote for this year was a tag team of various OWASP board members.

Tom Brennan played host to the panel, as he was not only on the board but also a local chapter lead and the primary organizer of the conference.

Jeff Williams started the keynote out by discussing the promise of software, and how we are not fulfilling that promise. Currently, Jeff said, the security community is failing. The focus is on penetration testing and exploits, and not how code is written, and researchers are chasing obscure problems, and not looking at the “big questions” (which are also the hard questions) with research.

Repeating some of the mantras oft heard from myself and many others, Jeff pointed out that we can turn Application Security from a “black art” into a science by organizing and exposing the knowledge required. He mentioned that OWASP is attempting an “OWASP in schools” program that will attempt to get lecturers to give free lectures on application security at different colleges and universities.

Jeff stated that the industry needs to promote secure coding, to the point that it becomes a primary requirement of building any software. “Breaking is easy, building is hard,” he said, but he felt that the collective we at the conference can fix the software market. OWASP is attempting to reach out to groups who build languages and standards and help them build new projects securely through “Intrinsic Security Working Groups,” so that new software will be built properly from the start.

Jeff closed by saying that making Application Security into a movement is the only way that it’s going to succeed.

Dave Wichers then discussed OWASP projects and where they stand in the evolution of OWASP. This was the first mention of the “more structure” that OWASP is moving towards: a stricter application of release quality criteria for all types of projects, and a desire to require that projects advance a level of quality with every “season of code” they are put through.

Dave said that most OWASP documents are available through LuLu as bound documents in addition to electronic format, and that OWASP has taken the steps of adding staff for various administrative purposes as the organization grows.

In the document arena, OWASP is looking to create an “Application Security Desk Reference,” designed to be a one stop shop for discussion of the core concepts of application security, which could then be referenced from other documents. This would give people seeking core knowledge a single place to look, and allow other projects to reference back to it instead of having to duplicate boilerplate on basic concepts.

OWASP is also looking towards holding more and more conferences and open events to try to increase visibility and awareness.

Dinis Cruz then took the stand and discussed another facet of OWASP’s growth: the formal adoption of a grants program for funding projects. Things like the “season of code” now have a formal review process with a review board, intended to be more evenhanded and fair in terms of what is handed out, and to focus and steer the growth of the organization by weighing whether projects are pertinent to the mission.

Dinis also echoed the need for an increase in events and visibility, stating that often folks who did OWASP work had it as a volunteer “second job” that was completely virtual, and that real world interaction helped promote better communication between people working towards a common goal.

He ended by discussing the upcoming OWASP summit in Portugal, which will be taking place in November, and how there will be a two-day set of working sessions for OWASP leadership and contributors to set goals and projects for the next year.