Thursday 25 November 2010

Mapping Altoro Mutual 'Vulnerable-by-Design' web app (help needed)

I just created a page on the OWASP WIKI for mapping the vulnerabilities, exploits and fixes of IBM's AltoroMutual application:

http://www.owasp.org/index.php/AltoroMutual

If you have some cycles, please help in completing this page

O2 Platform Videos (Nov 2010)


If you are new to the OWASP O2 Platform (or are still trying to get your head around it), here are a number of YouTube videos based on: a) known vulnerable applications (i.e. HacmeBank, WebGoat), b) public websites (GMail, Twitter) and c) O2 scripts that I have written:
  • http://www.youtube.com/watch?v=T2XVufhJLig - Example of Unit Test Execution GUI that can be created using O2. In this example a number of HacmeBank vulnerabilities are shown using browser-automation (some of these vulnerabilities/exploits contain complex workflows, like for example: the 'login into admin section' exploit, which uses a ViewState vulnerability to access the dynamic password required to login as the administrator)
  • http://www.youtube.com/watch?v=MdObVD53Iyg - Full PoC of SQL Injection for developers. Includes a real-time browser automation/animation of the multi-step vulnerability exploit (on the left), followed by an animation (on the right) of the vulnerability taint-flow path (on the source-code). It is probably hard to see on the video, but the trace created using O2 (Open Source modules/scripts) contains the following structure:
    • the trace starts with the 'URL + injection parameter' (which is what a BlackBox scanner will produce) 
    • maps the URL to the entry point on the source-code (at the Web Layer)
    • follows the tainted-data (i.e. the variables with payload) all the way until the call to the Web Services
    • maps the 'Web-Layer Web Services call' with the 'method that is invoked on the Web Services Layer' (i.e. connects the Web Services caller with the callee)
    • follows the tainted-data all the way to the vulnerable SQL execution (passing by the string concatenation that creates the SQL Injection vulnerability)
  • http://www.youtube.com/watch?v=1bbKNvyvLO0 - A similar example of the Unit test GUI that can be delivered to developers, this time using OWASP WebGoat as the target application
  • http://www.youtube.com/watch?v=DpDiGpzaVw0 - Unit Test created in O2 that tests for a vulnerability in Twitter (the result is green because the vulnerability is currently patched)
  • http://www.youtube.com/watch?v=rTD31e7HY4E - example of a complex browser-automation workflow: Create GMAIL account
  • http://www.youtube.com/watch?v=Gu8Hg02Zv5c  - example of a complex browser-automation workflow: Create Twitter account (different execution GUI from the GMAIL account creation script)
  • http://www.youtube.com/watch?v=YsVX5-nGHWI - example of another type of dynamic GUIs that can be created using O2 (most of O2 GUIs are O2 Scripts dynamically compiled and executed). In this case this GUI allows the easy creation of XSS demos/PoCs
  • http://www.youtube.com/watch?v=j0d3F3wqfRU - using O2 .NET Static Analysis engine to perform source code reviews and to find vulnerabilities in .Net's Hacmebank
  • To see all O2 related videos, see http://www.youtube.com/user/diniscruz#g/u (most of these videos were created using O2's Video creation tool/script)
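
The trace structure listed above for the SQL Injection PoC video (black-box finding, web-layer entry point, web-services caller/callee link, SQL sink) can be sketched as follows. This is an added example, not O2 code or anything from the original post; every URL, file, method and variable name is hypothetical and the sample traces are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    layer: str   # "http", "web" or "ws"
    kind: str    # finding | source | propagate | ws_call | ws_entry | concat | sink
    where: str   # URL or code location (hypothetical names)
    symbol: str  # tainted variable, or service method on ws_call / ws_entry

# Constructed sample data: every URL, file, method and variable is made up.
URL_TO_ENTRY = {"/Login.aspx": "Login.aspx.cs:Submit_Click"}
WEB_TRACE = [
    Step("web", "source", "Login.aspx.cs:Submit_Click", "txtUserName"),
    Step("web", "propagate", "Login.aspx.cs:Submit_Click", "userName"),
    Step("web", "ws_call", "Login.aspx.cs:Submit_Click", "UserService.Login"),
]
WS_TRACES = [
    [Step("ws", "ws_entry", "UserService.asmx.cs:GetProfile", "UserService.GetProfile"),
     Step("ws", "sink", "Data.cs:Run", "id")],
    [Step("ws", "ws_entry", "UserService.asmx.cs:Login", "UserService.Login"),
     Step("ws", "concat", "Data.cs:FindUser", "sql"),
     Step("ws", "sink", "Data.cs:FindUser", "sql")],
]

def stitch(url, param, web_trace, ws_traces):
    """Join a black-box finding, a web-layer trace and the matching
    web-services trace into one end-to-end trace."""
    # The finding must map to the entry point the web-layer trace starts at.
    src = web_trace[0]
    if URL_TO_ENTRY.get(url) != src.where or src.symbol != param:
        raise ValueError("finding does not map to the web-layer source")
    # The web-layer trace must end at a web-services call.
    call = web_trace[-1]
    if call.kind != "ws_call":
        raise ValueError("web-layer trace does not reach a web-services call")
    # Connect the caller with the callee by service method name.
    by_entry = {t[0].symbol: t for t in ws_traces if t[0].kind == "ws_entry"}
    callee = by_entry.get(call.symbol)
    if callee is None:
        raise ValueError("no web-services trace for " + call.symbol)
    # The callee trace must end at the SQL execution sink.
    if callee[-1].kind != "sink":
        raise ValueError("web-services trace does not reach a SQL sink")
    return [Step("http", "finding", url, param)] + web_trace + callee

def concat_feeds_sink(trace):
    """True when a string concatenation step precedes the SQL sink."""
    kinds = [s.kind for s in trace]
    return ("concat" in kinds and "sink" in kinds
            and kinds.index("concat") < kinds.index("sink"))
```
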

Poll: "What do you think the future of software security deliverables will be?"

Matt Parsons, who is a long time O2 user (and has even started a new blog that is mainly talking about O2), has published a poll (very inspired by this O2 Platform presentation) where he asks the following question:



Please take a minute and cast your vote here: http://polldaddy.com/poll/4143135/

Thanks

OWASP CALL FOR TRAINERS!

Sandra (OWASP resource hired to create a training model for OWASP materials), just sent this email to the owasp-leaders that highlights the great work she is currently doing:

------------------------------------------------------------------------------------------

Dear OWASP Leaders,

In the context of the effort we are making to stabilize and consolidate an OWASP Training model that can be used as a powerful tool to spread OWASP’s knowledge and message, OWASP is looking for trainers to deliver training under the flag “OWASP projects and resources you can use today”. This is a model of training which is free for OWASP members, delivered by OWASP Leaders (with only travel expenses paid) and covering OWASP modules and/or projects.

If you are an OWASP Leader and would like to be included in OWASP's pool of trainers, this is your chance - add your name and info to the OWASP Trainers Database and be counted!

Do it now and become an OWASP Trainer! Check the Database and conditions here:

Follow all the developments on the OWASP Training here http://www.owasp.org/index.php/OWASP_Training.

We are looking forward to seeing your names online!

Best regards,
Sandra

Sandra Paiva

O2 Platform presentation

Hi, here are the slides from the O2 Platform presentation I delivered at the OWASP Brazil AppSec: OWASP O2 Platform - November 2010 




I really like the first part of it (until the 'Real-world O2 usage'  in slide 69), since I think I finally documented my key positioning for O2 (Note: the reason why there are a lot of pages is because the "Keynote to PDF" export created one PDF page per slide transition)

In Brazil I didn't make it to the end, since I did a bunch of O2 demos and ran out of time :)

I also did a full day of O2 Training which went very well (the students were new to O2, and by the end of the day they were all trying to figure out where to use O2 in their day-to-day jobs)

Starting an OWASP Chapter

Last week, while I was at the OWASP AppSec Brazil, it was decided to break the existing OWASP Brazil chapter into 5 new chapters (each focused on a Brazilian city).

This is something that should happen more often, since we have a very low 'barrier of entry' for the creation of OWASP Chapters (usually all we need is one local person that is motivated to do it).

So here is what you can do if you don't have a local active chapter in your area and want to create one (in the case of an inactive local chapter, then you should be joining the leadership of the existing chapter (note that each chapter should have at least 3 leaders, until there is a need to have elections)):

  • Start by reading the info here: http://www.owasp.org/index.php/Category:OWASP_Chapter, especially the Chapter Leader Handbook: http://www.owasp.org/index.php/Chapter_Leader_Handbook
  • Get a Wiki account on www.owasp.org
  • If you want, once you have that Wiki account you can create the Wiki page for your chapter (if you don't, Kate will create this for you)
  • Email Kate with your request
  • Start planning your first meeting and creating a target list for the people you want to invite once you have your mailing list in place
  • Eventually Kate will create your Chapter mailing list, create/update the WIKI page, and add the new chapter to the list of OWASP Chapters (note that this might take a couple of days, depending on how busy Kate is)
  • Once you have your new chapter mailing list, you will be automatically subscribed to the owasp-leaders list and it is usually a good idea to write a little intro about you and what your plans/ideas for your chapter are

That's it.

Thursday 4 November 2010

OWASP and certifications

(based on my answer to an email thread about OWASP Certifications started by SI)

Certification has historically been a hot topic at OWASP, with the reasons being a mix of 'allergy' to certifications by a considerable part of our community and the problems in creating an OWASP Certification that is compatible with OWASP's Openness model.

James McGovern (a couple of years ago) did an amazing job at trying to create a Certification for OWASP. Unfortunately, it was probably too soon for the OWASP community and we (at the time) didn't have a good picture of how it could be made to work (and part of that is my fault since I was part of the group that had a problem with the 'need to have closed questions and answers' requirement).

Here are a couple comments, which will hopefully clarify the current situation:

  • There is no problem in creating Certifications around OWASP materials (i.e. not 'OWASP Certifications' but 'Certifications on OWASP {put project name here}' (we could even have a generic 'Certification on OWASP'))
  • The problem is in OWASP running this certification (which, mainly because of the need to have 'closed' questions, is a non-starter)
  • The only way I could see an 'OWASP Certification' being created is one where ALL Questions and Answers are publicly available on the OWASP Website (and if you think about this idea for a bit, you'll see that it should work once the number of questions is significantly larger than the questions asked in the exam)
  • Even in the case where there is an 'OWASP Certification' or 'Certification around OWASP materials', there is no structure at OWASP that can handle the exam and certification process (and there are no plans to create one in the short to medium term)
  • The best (and most realistic) scenario is one where 3rd party commercial companies (like SI) use OWASP as the 'body of knowledge' and manage themselves the Question generation, Certification brand and Exam process (of course OWASP Leaders could be independently involved in this process (for example helping write questions), but it is very important to understand that there is no structure at OWASP that could be officially involved in this process (for example, if SI wants to hire an OWASP Leader to participate, that will need to be a commercial arrangement between SI and that OWASP Leader))
  • In terms of the focus of the Certifications, I would add another audience that Robert Hansen has tried to push OWASP to do, which is the QA professionals. I.e. create an 'OWASP for QA' Certification that focuses on the minimum WebAppSec knowledge that these key SDL players should have.
  • Ultimately there should be a number of 'OWASP based' Certifications in the market, and it should be the market to decide which one they trust.
  • Although it would be hard for OWASP to 'officially' endorse a certification, we now have (in 2010) a number of ways that OWASP can give a lot of visibility to Certifications that are created around OWASP materials:
    • Public reviews of certifications delivered at OWASP Conferences (created by OWASP Leaders who go through the process)
    • Create an 'OWASP Quote' where OWASP Board+Leaders can make an 'on the record' comment on an OWASP-based certification. See http://www.owasp.org/index.php/Quotes for an example
    • List Certification(s) on a 'Commercial Services' registry that is still under development but is a perfect medium for this (see http://www.owasp.org/index.php/OWASP_Related_Commercial_Services)
So, in a nutshell: Certifications are very important to OWASP and are something that, if done correctly, would have tremendous value to OWASP's community and help to reach a much wider audience.