
Beefed up OWASP 2.0 introduced at BlackHat

By Amber Plante, Contributing Writer
28 Jul 2005 | SearchSecurity.com


LAS VEGAS -- The Open Web Application Security Project yesterday unveiled a revised and more robust version of its popular guide to protecting Web applications and services, one that reflects current best practices, common coding errors and the increasing threat of phishing.

"We are looking to have a standard available through ISO or NIST that's easy to adopt as corporate and government policy," said Andrew van der Stock, technical editor for OWASP's Guide to Securing Web Applications and Services 2.0, during a Black Hat Briefings presentation. "We want to secure businesses, not be a checklist to tick off."

OWASP 2.0 is a complete rewrite of the original, coming in at 298 pages compared to version 1.0's scant 90 and including nearly 350 controls. Each chapter's organization has been improved with a list of best practices and common coding errors, following the approach of OWASP's "Top 10" for dealing with vulnerabilities.

The most important control in 2.0 is in the overhauled Data Validation chapter, which is a tight 10 pages of state-of-the-art validation strategies. "Sanitize" is no longer an acceptable choice, and advice is offered in multiple languages.

Another significant addition to the guide is a full chapter dedicated to securing and properly writing PHP scripts. According to Stock, PHP is by default a highly insecure platform; he also acknowledged that chapters dealing solely with ASP.NET and J2EE will be included in future versions of the standard. Other new sections include a look at Microsoft's Threat Risk Modeling Process and secure methods of credit card processing.

Emphasis in 2.0 has been heavily placed on phishing, with major rewrites and additions to the Authentication and Authorization chapters, which together include over 30 new controls and best practice tips on how to implement password security and prevent failed pen tests.

Also stressed is the chapter on Error/Log/Auditing. "I'm not of the belief that logging everything is appropriate," Stock said. "We encourage you [in the guide] to spend the right amount of money on the right amount of logging." Advice on traceability aims to improve corporate SOX compliance, and logging noise is not recommended.

Interpreter Injection is the revamped home for SQL, User Agent, ORM and OS Command injections, but missing are the previously supplied instructions on how to pull off these attacks. "What we are doing is not teaching you how to do the injections, but how to secure against it," Stock, who also is a member of the Anti-Phishing Work Group, explained. Links to articles explaining various attack methodologies are included in the guide as recommended reading.
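The two chapters described above, Data Validation (reject input that does not match a known-good pattern rather than "sanitizing" it) and Interpreter Injection (keep untrusted values out of the SQL text), come down to a small amount of code. The following is an added illustration, not code from the guide or from this article; the username allow-list pattern, the in-memory SQLite table and the sample inputs are all constructed for the example.

```python
import re
import sqlite3
from typing import Optional

# Constructed allow-list for a username field (an assumption for this example):
# lowercase letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def sanitize_username(value: str) -> str:
    """The strategy the guide no longer recommends: strip characters that are
    not allowed and carry on.  Bad input is never rejected, only rewritten,
    so the value that reaches the database may not be the one the user sent."""
    return re.sub(r"[^a-z0-9_]", "", value)


def validate_username(value: str) -> str:
    """Positive validation: accept only values that match the known-good
    pattern in full and raise on anything else, so the caller must handle it."""
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError(f"rejected username: {value!r}")
    return value


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; not from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_role_param_only(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Parameter binding alone: the value is passed to the driver as data, never
    spliced into the SQL string, so it cannot change the statement's meaning.
    Malformed input still reaches the database instead of being stopped earlier."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_role(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Defence in depth as the guide describes it: validate at the boundary,
    then bind the (now known-good) value as a parameter."""
    return lookup_role_param_only(conn, validate_username(username))


def compare(username: str) -> dict:
    """Run one input through the three strategies and report what each did."""
    conn = build_db()
    result = {"sanitized": sanitize_username(username)}
    # Sanitizing can silently turn one input into a different, valid identity.
    result["sanitized_role"] = lookup_role_param_only(conn, result["sanitized"])
    try:
        result["validated_role"] = lookup_role(conn, username)
        result["validated"] = True
    except ValueError:
        result["validated"] = False
        result["validated_role"] = None
    result["param_only_role"] = lookup_role_param_only(conn, username)
    conn.close()
    return result


if __name__ == "__main__":
    for value in ("alice", "al'ice", "bob "):
        print(repr(value), compare(value))
```

The second sample input is the instructive one: sanitizing `al'ice` yields `alice`, and the lookup then succeeds as a different, privileged user, while validation rejects the input outright and parameter binding treats the quote as an ordinary character that matches no row. The point from the Data Validation chapter is that a rejected request is a visible, loggable event, whereas a rewritten one is not.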

Other noteworthy improvements to OWASP 2.0 include COBIT bullet points listed at the beginning of each chapter to allow for quick referencing, 14 anti-phishing guides, and improvements/rewrites to the Buffer Overflows, Cryptography, Web Services, Session Management and Canonicalization chapters.

Also announced at the BlackHat conference were plans for OWASP 2.1 to be published and available in November 2005 through No Starch Press.

Although just released, the open-source OWASP 2.0 is still in need of revisions in the form of peer reviews. "OWASP 2.0 is most definitely still a .0, so we realize that there might be things missing," Stock said, "but, it's still much better than 1.1.1; it's the new gold standard."

Amber Plante is associate editor of Information Security magazine.
