LAS VEGAS -- The Open Web Application Security Project yesterday unveiled a revised and more robust version of its popular guide for protecting Web services, one that reflects best practices, common coding errors and the increasing threat of phishing.
"We are looking to have a standard available through ISO or NIST that's easy to adopt as corporate and government policy," said Andrew van der Stock, technical editor for OWASP's Guide to Security Web Applications and Service 2.0, during a Black Hat Briefings presentation. "We want to secure businesses, not be a checklist to tick off."
OWASP 2.0 is a complete rewrite of the original, coming in at 298 pages compared to version 1.0's scant 90 and including nearly 350 controls. Improvements to each chapter's organization include a list of best practices and common coding errors, following OWASP's "Top 10" approach to dealing with vulnerabilities.
The most important control in 2.0 is in the overhauled Data Validation chapter, which is a tight 10 pages of state-of-the-art validation strategies. "Sanitize" is no longer an acceptable choice, and advice is offered in multiple languages.
Also a significant addition to the guide is the full chapter dedicated to securing and properly writing PHP scripts. According to Stock, PHP is by default a highly insecure program; he also acknowledges that chapters dealing solely with ASP.NET and J2EE will be included in future versions of the standard. Other new sections include a look at Microsoft's Threat Risk Modeling Process and secure methods of credit card processing.
Emphasis in 2.0 has been heavily placed on phishing, with major rewrites and additions to the Authentication and Authorization chapters, which together include over 30 new controls and best practice tips on how to implement password security and prevent failed pen tests.
Also stressed is the chapter on Error/Log/Auditing. "I'm not of the belief that logging everything is appropriate," Stock said. "We encourage you [in the guide] to spend the right amount of money on the right amount of logging." Advice on traceability aims to improve corporate SOX compliance, and logging noise is not recommended.
Interpreter Injection is the revamped home for SQL, User Agent, ORM and OS Command injections, but missing are the previously supplied instructions on how to pull off these attacks. "What we are doing is not teaching you how to do the injections, but how to secure against it," Stock, who also is a member of the Anti-Phishing Work Group, explained. Links to articles explaining various attack methodologies are included in the guide as recommended reading.
Other noteworthy improvements to OWASP 2.0 include COBIT bullet points listed at the beginning of each chapter to allow for quick referencing, 14 anti-phishing guides, and improvements/rewrites to the Buffer Overflows, Cryptography, Web Services, Session Management and Canonicalization chapters.
Also announced at the Black Hat conference were plans for OWASP 2.1 to be published and available in November 2005 through No Starch Press.
Although just released, the open-source OWASP 2.0 is still in need of revisions in the form of peer reviews. "OWASP 2.0 is most definitely still a .0, so we realize that there might be things missing," Stock said, "but, it's still much better than 1.1.1; it's the new gold standard."
Amber Plante is associate editor of Information Security magazine.