OWASP Conference: Web 2.0 Security and Exploiting Online Games



Thursday February 28th (Hartford, CT) – The Hartford chapter’s first Open Web Application Security Project (OWASP) conference was hosted at The Hartford and sponsored by Ounce Labs (with Pizza!!!). The two presentations tackled web application security from very different angles.
How Web 2.0 Has Changed the Landscape of Application Security
Presentation by Chenxi Wang, a principal analyst from Forrester Research.
Chenxi began her talk by baselining the audience on what Web 2.0 entailed (while “Web 2.0” is a somewhat hated ‘marketing’ term, it’s now the common name and frame of reference for people to understand this point in the internet’s evolution) – collaboration, user-generated content, collective knowledge, social networks, changing people and technology interactions, yadda yadda.
From there she dove into some of her research statistics…
Of the firms surveyed:
- IM is the #1 Web 2.0 technology
- Efficiency is the #1 reason to adopt Web 2.0
- 43 of 69 people stated security was a top concern
- The number of malicious URLs rose from 0.3% in Apr ’07 to 1.3% in Jan ’08
- 67% of all 2007 vulnerabilities were web app related
- “All your iFrames point to us”
- “Attacks are no longer ad hoc – there are malware infection infrastructures going online”
Due to the collaborative, decentralized nature of Web 2.0, establishing trusted relationships becomes very important. However, there will still be vulnerabilities, and so security becomes an even larger issue. The emergence of bi-directional content (users writing to the site, not just reading from it) increases the attack surface, and more of the processing shifts to the client. Cross-site scripting is the hot item to watch.
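Since the talk singles out cross-site scripting in user-generated content, here is an added example (my own code, not from the post or from either presentation) of the defensive pattern behind most XSS fixes: escaping untrusted text for the HTML text context before it is rendered, shown beside the concatenation pattern that causes the bug. The function names and the sample comment are my own constructions.

```javascript
// Added example: escaping user-generated content before rendering it into HTML.
// Not code from the original post; names and sample input are constructed.

// Characters that change meaning in the HTML text context, mapped to entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape a value so the browser treats it as text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted values concatenated straight into markup,
// so any tags a user types become part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened pattern: every untrusted value is escaped for the context it lands in.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Count the HTML tags in a rendered fragment. In the safe rendering only the
// template's own tags should remain, which makes a handy regression check.
function tagCount(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample input: a comment containing markup and quote characters.
const sampleAuthor = 'Tim';
const sampleBody = 'Great talk! See <b>my</b> notes & "quotes"';

// Usage: compare the two renderings on the sample comment.
const unsafe = renderCommentUnsafe(sampleAuthor, sampleBody);
const safe = renderCommentSafe(sampleAuthor, sampleBody);
console.log('unsafe tags:', tagCount(unsafe)); // user's <b> tags leaked into the page
console.log('safe tags:', tagCount(safe));     // only the template's tags remain
console.log(safe);
```

The tag count is only a sanity check for this demonstration; in real code the point is that escaping is applied at the output boundary for the specific context (text, attribute, URL, JavaScript), since a single escaper does not cover all of them.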
So, how can these issues be dealt with?
- Design and Development – Implement static analysis and perform “threat modeling”
- Quality Assurance – Do black-box and penetration testing
- Deployment – More penetration testing and have a web app firewall in place
Also,
- outline contractual SDLC best practices
- have quality-based instead of time-based outsourcing goals
- focus on stacks instead of point solutions (to reduce integration security holes)
- have incident response plans and remediation processes
- do code acceptance testing
More information about Chenxi’s research can be found by heading over to the Forrester site.
Exploiting Online Games
Presentation by Gary McGraw, CTO of Cigital.
Gary’s method of attack came from a whole different side of web application security – he outlined some of the fun (and potentially profitable, albeit unethical/illegal) things people do with online games (specifically World of Warcraft).
I’ve seen Gary speak on a number of occasions, and again, he did not disappoint. Gary is a very engaging speaker – effectively using humor and real-life situations to interact with the audience. Because of this, I remember very little about the specifics of what he covered, but know he outlined many of the tactics used in his book “Exploiting Online Games” and related them back to application security in general.
Listening to how online games can be exploited for fame, money, fun or interest highlights a good point: motivation is a key ingredient in the recipe of hacking, but shouldn’t we be considering security anyway?
Swing over to Cigital’s website if you need help with security and want to hire them or do some reading.
And finally... remember: “No user will ask for security, they expect it.”
This entry was posted by Tim on March 11, 2008 at 8:52 pm, and is filed under Uncategorized.
