Tuesday 29 September 2009

OWASP Internals: Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships

Following the debate started by this thread OWASP Internals: Leaders participation at OWASP conferences I submitted today the proposal below to the OWASP Board which has just been approved :)

I'm really happy with this model and I hope that this will mean that we will see much more participation from our leaders at our conferences

Guidelines for OWASP leaders’ attendance of OWASP Conferences and OWASP Memberships

In recognition of the enormous value provided to OWASP by its leaders (projects, chapters, committee & board members) , and the fact that it is beneficial for all that these leaders actively participate on one or more OWASP-organized conferences (16 in 2009), OWASP would like to propose the following 'operation guidelines' for facilitating the leaders participation at OWASP conferences:

  • All leaders who currently enjoy an 'OWASP Honorary individual membership' (see details below) apply for a 'FREE' participation on as many Conferences he/she is able to attend
  • By 'FREE' we mean that there is NO (i.e. zero) cost for the OWASP leader, but internally OWASP is marking up this cost between $100 USD and $300 USD (depending on the conference) which cover the 'participation costs' of a conference attendee (venue, refreshments, lunch, etc..) .
  • In order to simplify the process and to remove the potential financial burden, this cost will NOT be allocated/paid by the Conference Organizers, but will be covered by (in order of preference):
    • a local chapter that has funds and wants to 'sponsor' a particular leader to attend a conference (in most cases this should be in 'exchange' of a chapter presentation of a debrief of what happened at the conference). See 'Notes for chapter with budgets' below
    • a direct sponsorship of the leader's main employer or 3rd party company that wishes to sponsor OWASP leaders
    • OWASP on the Move funds
  • In order to maximize OWASP resources and efforts, the following would be expected from the OWASP Leader:
    • Submit a presentation proposal with the conference RFP time period (note that a separate thread (& guidelines) will be required to define the recommended process (for conference organizers) to deal with these OWASP Leaders presentations)
    • Allow the conference to include the leader name in its marketing efforts, i.e.: "...come to the XYZ conference where you will be able to meet personally the following OWASP leaders: {name - project}, {name - project}, {name - project}, {name - project} .."
    • Help as much as possible the local organization team (conferences are a LOT of work, and extra pair of hands are always necessary)
    • If there is an OWASP-Stand, help with the 'manning the stand'
    • Actively promote the conference in Blogs, Tweets, local chapters and press
  • To help with the OWASP Leader participation, and if required, OWASP central (i.e. Kate) can send an 'official invitation letter' requesting that the leader's employer allows the conference participation under company's time (versus holiday time)
    • Depending on the level of sponsorship given to the leader by its employer, the conference organizers should add the leader's employer as a conference sponsor (note: at the moment there is no standard name for these type of sponsorships)

Notes for chapter with budgets:

The chapters that currently have budget available (see this document for the current list of funds available to local chapters), can and is encouraged (at the discretion of the chapter leader AND its local community) to use its funds to:

  • 'Pay' the OWASP internal conference participation cost (100 USD to 300 USD) of the current Chapter Leader(s)
  • Cover part of the current Chapter Leader(s) travel expenses to attend the conference (the current guidelines are 250 USD for local travel (in US or in Europe) and 500 for International Travel (Europe-> US, in Asia, etc)
  • 'Sponsor' a particular OWASP Project leader to attend the OWASP conference in exchange for a participation at their chapter (this could be a presentation, a training session, etc...)

Notes on "Who is eligible for OWASP Honorary individual membership'

Contributions to OWASP are highly valuable, so in order to recognize its effort OWASP is allocating 'Honorary Individual Memberships' (i.e. Free memberships) to:

  • OWASP Board Members
  • OWASP Committee Members
  • OWASP Chapter Leaders*
  • OWASP Projects Leaders*
  • Individuals with Special Contributions to OWASP*

* The allocation of 'Honorary Individual Memberships' is going to be implemented in two phases

  • 'pre AppSec DC conference' (i.e. now) - For historical reasons OWASP chapter and projects leaders were not made OWASP Members in the past. So in an effort to clean up the past and start with a clean state, the OWASP Projects and Membership Committees is currently creating a list of ALL active and past project and chapter leaders who will be given a Free 1 Year OWASP Individual Membership
  • 'post AppSec DC conference' - from Nov 09, and once a year there after, the OWASP Chapter and Project Committees will be expected to first create a criteria to allocate memberships (based on their contributions over the past year) and then use it to produce an annual list of Individuals who should be allocated an Free 1 Year 'Honorary Individual Membership'. This list should then be submitted for vote and approval

Honorary members will be given the opportunity, although not required to “donate” the annual dues to the Foundation.

Friday 25 September 2009

WAFs for OWASP crowd to perform independent tests

Just had this request from one of the best WAF authors & researchers in the world (sorry can't say his name publicly) who asked me this:

"...I am researching WAF evasion and I need access to a commercial WAF. I am finding a lot of interesting things, but without knowing if they are real problems in production that does not mean much.

Do you know someone who could be willing to give me access to a non-production box for testing purposes?..."

From the above, I have two questions:
  1. Anybody form this list can help him? ping me directly and I will put two in touch
  2. Is the WAF industry (both proprietary and open source) mature enough that they can 'lent' an Evaluation WAF (the actual appliance) to OWASP so that OWASP leaders & members can independently evaluate it?
  • If they are, I'm happy to help setting up some rules of engagement, for example: "The WAF will be hosted by an independent (i.e. non WAF vendor) OWASP leader or member", "there are no limitations on the types of Apps that can be 'protected' by the WAF", "if any major issues are discovered, 'responsible disclosure' will be used"

I think if we do this right, it could be a win-win for everybody

Dinis Cruz

Friday 18 September 2009

Email to O2 Account holders with tons of O2 related links

(email just sent to the current O2 website account holders)

Subject: OWASP O2 Platform update and 'WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application'

Hi O2 User (you are receiving this email because you are one of the 70 accounts currently created at the O2 website (if you don't want to receive this type of updates in the future please let me know and i will delete your account))

18 Sep - WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application

(post I just published to a number of web app sec security mailing lists)

I'm going to do an public WebEx on the O2 Spring MVC module tomorrow at 18th Sep at 1pm EST/ 6pm London (see the WebEx details here)

Not sure if still remember this, but I was one of the authors of the two Security issues reported on the Spring Framework MVC by Ounce Labs last year (see PDF here).

At the time we didn't really explained how I found those issues, but since then we released the Open Source OWASP O2 Platform which contains the O2 Spring MVC module (link to ClickOnce Install) and attempts to visualize the attack surface and vulnerabilities created by Spring MVC Annotation-Based Controllers (see Spring Documentation here)

To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple vulnerabilities discovered on the PetClinic demo application that ships as an sample application on Spring 2.5 (you can you can download from here the demo materials I am going to use tomorrow (includes all files required to run a local copy of the PetClinic test application)).

What I really like about the demo that I am going to present, is how I am able to combine both WhiteBox and BlackBox analysis in one single workflow and GUI (i.e. one analysis feeds the other, enabling the quick understanding and exploitation of vulnerabilities in the PetClinic application)

Note that the issues that I am going to find & demonstrate using the O2 Spring MVC module DO NOT require the Ounce Labs product (static source code analysis engine) to work.

In fact, I will be doing my demos from a VM image that doesn't have ounce installed :) .

Of course that there are other types of analysis that you can do if you have access to Ounce's engine (or (eventually) the other engines soon-to-be-supported by O2 (Fortify, Coverity, Armorize, AppScan DE, etc...)), but my point with this presentation is to show how you can do TODAY using the power of the OWASP O2 Platform to perform security engagements on applications that use Spring MVC Annotations-Based Controllers.

I will try to do these types of WebEx on a regular basis, so if you can't make it tomorrow you can join in the next one :)

See you at the WebEx

Dinis Cruz

Thursday 17 September 2009

18 Sep - WebEx: O2 Spring Mvc Module

I'm going to do another O2 Spring MVC WebEx tomorrow 18th Sep at 1pm EST/ 6pm London (see the details here)

Not sure if everybody is aware, but I was one of the authors of the two Security issues reported by Ounce Labs last year (see PDF here). At the time we didn't really explained how I found those issues, but since then we released the OWASP O2 Platform which contains the O2 Spring MVC module (link to ClickOnce Install) and attempts to visualize the attack surface and vulnerabilities created by Spring MVC Annotation-Based Controllers (see Spring Documentation here)

To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple vulnerabilities discovered on the PetClick demo application that ships as sample application on Spring 2.5.

Fortify hands-on demo/session at forthcoming OWASP Northern Virginia Chapter

So, the adventurous OWASP Virgina Chapter (lead by the uncompromising John Steven) are going into uncharted-OWASP waters in their next chapter meeting.

You can read more about it on the chapter home page on their [Owasp-wash_dc_va] OWASP Session - Fortify 360 - Thursday, September 17, 2009 mailing list announcement or at the Secure Coding Mailing list

Basically what they are doing is allowing a vendor (Fortify) to come to an OWASP meeting and present their product! Shock Horror!!! Doesn't this break OWASP values, principles and independence!!!

Well, it depends :)

OWASP is not Anti-Vendor! In fact most of OWASP members and users are either direct connected to a vendor or use vendor's products/services (disclosure one of my contacts is with Ounce labs (now IBM)). In fact vendor presentations at OWASP happen ALL the time (see for example this presentation delivered at the last OWASP London chapter Using Surrogates to Protect from Application Data Breach ).

The issue is not IF OWASP should have 'vendor' presentations but HOW we do them. My view is that as long as the 'snake oil & marketing' content is kept under control, what is presented is an 'accurate' representation of that technology and there is interest of the OWASP community in it, then it is OK.

The fear is that OWASP become an 'vendor driven' organization and becomes 'infiltrated' with people who have direct & short-term commercial priorities. The good news is that I think OWASP has a long and ingrained tradition of 'keeping the vendors under control' and as we grow we need to create 'environments' where the vendors can show where they add value in a way that is compatible with OWASPs values and principle.

And in my view, John is trying to create this environment using a 'real-world' case study (btw, this is what I love about OWASP, our leaders have the ability to be proactive and creative (we just need to make sure they are going on the right direction :) ))

So, back to the subject at hand, here are a couple points and ideas about allowing vendors to provide 'hands-on sessions at OWASP Chapters and conferences' (I would like to see at the end of this thread a nice list of 'rules of engagement' for other chapters/conferences that want to organize similar events):

1) this is not a new idea, we have had many numerous talks in the past about helping to create at OWASP conferences an 'open & independent lab environment where people can try technology', and in fact I organized a while back a bake-off between WAF vendors in London (see London_Chapter_WAF_event),
2) The vendor should provide unrestricted and uncontrolled access to the technology to the participants,
3) On the other hand, since the value derived from these tools is usually very dependent on them being used by 'experienced users' and the fact that there is a section of the OWASP community that is very technical (& historically very skeptical about the REAL value that these tools can provide), the vendor (ideally) in partnership with an independent service provider, should also show how their tool is used in real world scenarios by its users,
4) The attendees should be allowed to take with them an evaluation version of the product without having to provide any information in return (business cards, names, mobile phones, social security numbers, bank account details, etc... :) )
5) Pending technologically or licensing problems, the vendor should provide a VMWare/VirtualPC/XEN/OWASP_Live_CD image containing everything needed to evaluate this technology (for windows, I think we could use 30/60/90 day evaluation versions of the required OS)
6) Pending bandwidth or logistical issues the event should be broadcasted live and remote users should be give access to virtual images
7) Pending technological or logistical issues the event should be recorded in video/audio and made available to OWASP users
8) Final and very important, the final decision if one of these events is 'successful and respects OWASP's values and principle', should be made by the local OWASP 'non-vendor' members (i.e. people from local companies that are trying to buy, develop or maintain secure web applications). What I found in the past, is that the threshold for 'vendor pitches' is very dependent on geographical locations (i.e. the same presentation in NYC and in Milan will have very different reviews (and sometimes the non-US chapters tend to be much more 'vendor' friendly)). So I would look at the local chapter (users and leader(s) ) for guidance about the event's outcomes.

If this is popular, we should make these activities/events into an 'OWASP Project' since we will need to keep a tight control on these rules and ensure that this doesn't get abused.

BUT, if we get this right, we will be able to leverage much more the energy/motivation that the vendors have in promoting their products, with the energy/motivation of the consulting companies that know how to use those products, and (MORE IMPORTANTLY OF ALL) with the needs, requirements and issues that the users/clients have.

What do you think? This is a though issue, but it is HAPPENING, so we might as well agree on the 'rules of engagement'

From the current description of the 'Fortify at Virgina chapter' event, I think they meet just about all the items I propose. Any comments?

Dinis Cruz

OWASP Internals: Leaders participation at OWASP conferences

Email I sent earlier today to the owasp-leaders list with some comments about the idea of 'giving free conference tickets' to active OWASP leaders


Hey Rex, AppSec DC team and owasp leaders

First I just would like to second (i.e. agree with) Jeff's earlier email (sent to Rex & AppSec DC team directly) saying that:
"...From my perspective, the planning of AppSec DC 2009 has been conducted with an extraordinary amount of professionalism and diligence. The Board is 100% behind your efforts. Please let us know how we can help promote the conference and make it an even bigger success. Thank you for all your great work on this..." (Jeff Williams)

That said :) and on the topic of giving Free attendance to active owasp-leaders, I would like to add a couple more points (which I'm doing here on the owasp-leaders list since (I think) this is owasp community wide issue):

  1. From my (personal) point of view OWASP is about building a great community of talented people which is focused on solving the ('small') problem of application security
  2. Although we have a great community with tons of great people across the world, I don't think we (OWASP as an organization) do ENOUGH to thank our most active contributors (who are, lets not forget, who make OWASP OWASP)
  3. I am also very aware that although we are all quite individual talented/knowledgeable (each with its own unique areas of expertise), there is ONLY SO MUCH we can do as INDIVIDUALS, and is it only when two-or-more OWASPers talk to each other and COLLABORATE that real MAGIC occurs
  4. Taking the view that in order to increase OWASP productivity, quality and 'products' we need "OWASP to work better with OWASP" and "OWASP to work better with the WORLD" (something we are not as good we should be), I view (as a Board member) my responsibility to help making these CONNECTIONS and help taking OWASP to the next level
  5. So when I asked the question on "... 'owasp chapter leaders to have to recruit other two attendees to get a free ticket?.." my objective was not to undermine or put in question the GREAT WORK REX AND THE APPSEC DC ARE DOING, but :) , to 'gently' raise the issue and see if we can help the 'owasp chapter/project' leaders to attend this conference.
  6. before, I describe why I don't agree with having the requirement for owasp-leaders to 'find two ticket buyers', I just want to make clear that this decision falls into the responsibility of the AppSec DC conference since they are the ones that are managing the budget for this conference :) . And remember that NOTHING in OWASP is set in stone, so if something make sense, IS DOABLE and respects OWASP's values, then it is better to change it sooner rater than later
  7. one more point on owasp leaders. As a sign of recognition of their great work and contributions, at the last OWASP board meeting we (finally!!!!!!) decided to make OWASP members ALL active & past owasp project & chapter leaders. There is currently a work thread at 3 Committees (Membership, Chapters and Projects) to try to figure out the criteria to do this, but basically the idea is to give all selected individuals (or companies) the option to: a) receive a free 1 year membership or b) pay for it. The irony is that I (Dinis) am not an OWASP member :) , and the main reasons is because I had no requirement to become one. Now with the forthcoming elections and this offer, I will HAVE to become a member, and I will gladly pay the 50 USD membership fee, since even adding the time I put in OWASP, I still have enough value received from OWASP to justify the 'business expense' of 50 USD :) :)
  8. finally, on the issue of owasp-leaders having to 'find two ticket buyers to get a free ticket for the AppSec DC' (and even other OWASP conferences
a) OWASP leaders are NOT paid for they contributions, so any successful OWASP leader has stories of sweet,blood,tears, long-hours, etc...
b) some OWASP leaders are able to 'work' on OWASP while on their employers time (sometime that we still fail to recognize is most cases), but I think it is fair to say that MOST of the work done is executed outside the work environment and in exchange for family/leisure/relaxing/sport time or (for independent contractors) in exchange for working on paid engagements (i.e. there is a significant PERSONAL or (short term) FINANCIAL cost in being an active OWASP leader
c) we can't underestimate the work and value created by these owasp leaders (both chapters and projects) since they are the reason for our success and for the fact that we have tons of exciting projects, conferences and chapter meetings
d) although OWASP is not a wealthy organization with Millions of Dollars in funds (like Mozilla or Wikipedia), and there WAS a significant DROP in INCOME of Corporate memberships in 2009 due to the (correct) decision to simplify the corporate membership to 5k USD and allocate 40% of it to the local chapter. That said OWASP DOES have (some available) funds, and it is our (the Board and you all) responsibility to make sure we use those funds wisely
e) so, on the question of 'giving free conference tickets to OWASP leaders' the question that I would like to see an answer is 'How much does that cost to OWASP?
f) maybe the solution is to push this cost to the OWASP Board (or even the local chapter if they have funds to support its chapter leader to participate on OWASP AppSec conferences (tickets, travel and accommodation)
g) back to the topic of the OWASP leader participating on OWASP AppSec conferences:
- this is something we should actively encourage and promote (it even has 'marketing value' : "come to the OWASP AppSec XYZ conference where you will be able to meet 15 OWASP Project and Chapter leaders!!"
- they (the leaders) should participate on the keynote OWASP presentation (representing his chapter or project)
- if it is a project leader he/she should be given a 5m/10m/15m/30m/45m' slot to present his work
- if it is a chapter leader he/she should be given a 5m/10m/15m/30m/45m' slot to present what happens at his/hers chapter, and give an 'quick' preview of the presentations that happened there on the last 6/12 months
- we have to remember that in a lot of cases (take Matt Tesauro case) in order to participate on these conferences they have to use their 'Holiday/Vacation' days (which can be quite a large personal sacrifice)
- as OWASP grows and is more and more successful, we have to make sure that we keep managing the expectations and views of the 'VERY IMPORTANT' OWASP contributors that happen NOT to be involved in a particular conference. I really worry when I hear comments like 'I work so HARD for OWASP and I have to PAY!! to attend a conference that exists (in part) of my contributions!'

Rex & Others, sorry for only sending these ideas and comments now (in an ideal world I should have been more involved with this conference organization), but as with everybody, I find it very challenging to find the time to participate and contribute as much as I should.

Again, the AppSec DC team is doing a GREAT Job (in a tough climate) and they deserve our maximum support!!!

Dinis Cruz

Wednesday 16 September 2009

WebEx on 'O2 Spring Mvc Module'

WebEx on 'O2 Spring Mvc Module' at 6pm today (London time, i.e. in 1h 40m) open http://bit.ly/2i1R6m and use the password O2Platform

Tuesday 15 September 2009

OWASP driven Jobs

While looking at the SpringSource Training/Certification page I noticed this very cleaver link to a graph comparing spring and developer, EJB and developer job opportunities.

I was then curious to see what were the results for OWASP, and was really (positively) surprised with the results:

OWASP Job Trends:


OWASP Salaries:

OWASP has a job board which is sort of getting there :)

Spring MVC 3.0 MVC Binding rules

Following the work done on the O2 Cmd - Spring MVC module and the conversations we had at OWASP AppSec Ireland about the security implications of the Spring Framework MVC, I spent some time today looking at what is happening at its next major release (3.0.x)

From the MVC documentation section Supported handler method arguments and return types section in Spring 3.0 (see 15.3 Implementing Controllers ) we can see (included at the end of this post) the Spring MVC rules to:

a) map web data into controllers and
b) send data from controllers to the views.

There are quite a number of new features/capabilities, and most have security implications!

How Dangerous is XSS on web based CMS (Content Management Systems)

I was recently talking to a product manager of a large (and popular) commercial web based CMS (Content Management System or Documents Management Center or Records Management Center, etc...), who was saying that he doesn't think that XSS (Cross Site Scripting) is a problem or (at least from his point of view) something that needs addressing in the short-term in his product.

This shows a serious lack of understanding of the implications of XSS on these types of web applications which (by design) collect, edit and present user data back to its users (supported by all sorts of built-in collaboration tools).

The fundamental problem is that what client's browser receives from the server contains a mix of both data & code (i.e. content & scripts). It like we keep going back in circles, just like buffer overflows, the problem here is lack of separation between CODE and DATA

The moment the attacker is able to control (or inject into) those scripts, the attacker can do everything that the user is able to do on that application! In addition to the fact this blows out of the water any CIA (Confidentiality, Integrity and Availability) and Non-Repudiation guarantees provided by the application, the attacker will also be a couple of degrees of separation away from being able to gain administrative privileges.
And how is that possible (gain administrative privileges)? Well, if you to add up everything that the user is able to do, you will see that once the attacker is able to edit the user's content, he will be able to put payloads on pages that will be seen by (or exposed to) other users. Eventually the attacker will reach a point where the payloads are executed by with people with higher privileges than the current user (eventually reaching a user with administrative control on that application).

And even if you take the view that it is not possible for one user to affect another user and the attacker is not able to gain more privileges, just the fact that it is now NOT POSSIBLE to guarantee/prove/show HOW, WHEN and WHAT user(s) did on the system creates an UNACCEPTABLE scenario for most BUSINESS OWNERS.

Basically, once we lose the ability to track activities back to users (i.e. track behavior back to real users) we really lose the ability to trust the system.

And once you don’t trust the system, what do you have left?

If you actually show most C-Level business buyers that:
  • they can’t really trust the data that they get from those systems,
  • that they can’t really trust the authenticity or integrity of the data that comes from these systems,
most of them would seriously (re)consider the wisdom of implementing such solution!

If fact, depending on the values of the assets & business processes stored/handled by those systems, most of them should say "if I can’t trust the data that is in here, then I can't afford to depend my organization on top of it".

And that is the problem with XSS! Is not about little Javascript alert pop up box , but about the fact that malicious attackers can get users to do actions as the user themselves.

But WHY isn't XSS taken more seriously today?

I think it is because:
  1. the Attacker's business model has not evolved to a stage where they are building services on top of what XSS allows them
  2. most (with some notable exceptions) clients buying these tools don't care or don't have the resources to gain the required understanding of the security implications of what they are buying
  3. the government, standard's body and insurance companies are not focused on this problem (which they will eventually)
Finally, I will argue that in 2009 the 'I was not aware of the problem' excuse is no longer a valid excuse!

I really wished the discussion would move from "I don't care! / why is it a problem?" to "How to we solve it? / How can clients measure when we get it right?"

Monday 14 September 2009

What is OWASP's Value for Global Corporations

If you take a global corporation point of view, (a company with tens of thousands of employees, who develop lots of software internally and who needs to take control of their 'application security world') OWASP is a great asset that they should leverage better!

We need to create a win-win relationship, where they view OWASP as an organization, that not only can help them to achieve their security goals (for example achieve higher visibility into what they are doing), but also helps them to define better coding practices and better solutions. The final objective would be to enable them to develop /purchase securer software and reduce their risk.

Available today, and if you are a corporate employee, here are a number of projects where OWASP adds value to your corporation:

  • The OWASP Top Ten is a great place to start; it gives you the main issues that you should be looking at.
  • Projects like the SAMM, Software Assurance Maturity Model allows you to measure and model your company to a world where you can have different maturity models based on what you want to achieve.
  • The ASVS Application Security Verification Standard allows you to map in a much more focused way, your software assessment (and verification) practices to an 'official' verification standard
  • The ESAPI project is trying to create a template of good security controls that you should be able to (re)use. Ideally you (or the Frameworks you use) should adopt the code and make sure that all the areas covered by ESAPI are handled by your application (remember security doesn’t happen by accident)
  • Also very useful (specially on 'outsourcing development' scenarios) the legal project can really help you to ensure the inclusion of 'security related clauses' in the software development contracts (this project will give you background information and templates that you can use on your legal contracts)
  • On the actual 'hands-on' testing and web application review you have the testing guide, code review guide and the developer's guide ; which are documents that allow you to understand how to test (and secure) web applications.
  • And finally a project like WebGoat is a great project because it allows people to gain awareness of security implications. One of the things a company should do is to 'make every major developer to go through the WebGoat exercises' (this will have a dramatic effect in helping them to understand the security implications of web applications security vulnerabilities)
  • Note I: that there are many more OWASP Projects (the above are just a small sample)
  • Note II: As a big company, you are going to have employees spread across the globe that you need to ensure have up-to-date skills. The OWASP chapters (154 at last count) and OWASP AppSec conferences (15 in 2009) are a great way to get your people involved raise their security knowledge.

One important issue to raise, is that today, there are already a lot of 'security related' activities done internally within companies and big corporations.

In practical terms this means that today, substantial funds (i.e. money) are already spent in develop standards or documents, that would be much better served, if they were done in an open environment, with the results shared back to everybody (this would also allow those companies to leverage the knowledge of the OWASP community.

One of the things I would hope to see more and more in the future, is companies doing some (or all) of their internal 'web application security' research through OWASP.

This could be done by a) paying internal staff (i.e employees) to work on OWASP projects or by b) giving OWASP grants (which would help OWASP to do a greater job).

The best part of this model, is that everyone, including the original company, would benefit.

In fact, in most cases (I believe) it will be more cost effective (from a value for money / ROI / Deliverables point of view), to do these engagements through OWASP , rather than independently at the company.

OSA+O2 questions and Python/C# findings filtering sample

Just posted on the O2 site a long post with answers to common questions about OSA /O2, and also a couple sample scripts (in C# and Python) which show the power of O2 to perform finding's filtering : OSA+O2 questions and Python/C# findings filtering sample

Friday 11 September 2009

6 more OWASP conferences still on the Agenda for 2009

This is great, just come back from OWASP AppSec Ireland conference (which was great) and there are still 6 more to go:

Thursday 3 September 2009

O2: 'Open Platform for automating application security knowledge and workflows'

O2 (which stands for Ounce Open), soon to become the 'OWASP O2 Platform' , is an open source project designed to improve the productivity and capabilities of security consultants who perform application security engagements.

A good definition is: 'O2 is an Open Platform for automating application security knowledge and workflows'

Although it was originally designed to enhance source code analysis, it has evolved into more of a "static, dynamic, real time" analysis environment and platform.

In a nutshell, O2 is a bunch of (about 25) open source modules/tools that help with the multiple aspects of performing application security engagement (in most cases by extending the capabilities of a several Commercial and Open Source tools).

There is a large number of O2 modules that are designed to work specifically with the Ounce 6.x product (Ounce Labs Static Analysis engine), and several other O2 modules which are 100% independent and can be used using only freely available or Open Source tools.

One of the most powerful features of O2 is its scripting and customization capabilities. Currently O2 supports scripting in
  • any .Net language (with an O2 module dedicated for coding and debugging C#),
  • Java using IKVM
  • Pyhton & Java with a via Jython and
  • Python & .NET via Iron Python.
Everything in O2 is exposed via powerful object models and schemas (which are designed to make the security consultant much more productive).

Ultimately the power of O2 is that you can script the security consultant’s brain and really help him to become more productive.

Here is usual workflow for advanced O2 users:
  • It starts with a PROBLEM (something the security consultant wants to do, but the available tools can't do)
  • in order to figure out a SINGLE SOLUTION for the problem, a number of scripts are written (in O2) to solve (or partially solve) the problem, with the core-objective at this stage being to allow the security consultant to continue with his/hers job (which is completing the security engagement)
  • after a couple generations of 'script writing' , they usually can be automated, and become part of an existing (or new) O2 module
  • eventually this script/module/capability fully matures and becomes a fully working prototype,
  • which might (depending on "customer demands + product roadmap", and, after a rewrite by the product team) end up in a commercial product (by IBM or others) in a format usable by non-security-knowledgeable users
The power of O2 is that it allows the security consultant to be in CONTROL by allowing/empowering him/her to be able to solve their problems NOW (and not when the product team is able to allocate the resources).

Update #2 on O2 & IBM - 02 Sep 09

Following Update on O2 & Ounce & IBM here is what is happening (2nd Sep 09) with me & O2 & IBM
  • Over the last couple weeks I've spent quite a lot of time with the multiple IBM AppScan groups/teams, and I have to say that they have a very impressive group of people and technology over there, who is dedicated to solving the "application security assessment problem" and build powerful, simple to use and effective tools for mass usage.

  • Although my contract is not (yet) signed (bunch of legal and processes hoops to jump over) it looks like I will have a deal that allows me to continue to be independent and:

    • continue my active participation at OWASP and its projects
    • continue my active development of O2 (which will now become an OWASP project called 'OWASP O2 Platform'
    • continue to consult with other companies - for example I already have a long term (non IBM) contract to work on MOSS (SharePoint) security and am open for other projects (so if you have interesting and challenging projects where can I be involved on 5 to 10 working days a month, ping me with the offers :) )

  • In terms of where I fit in IBM, there are lots of VERY interesting possibilities, but in the short term the focus will be on using O2 to write 'integration prototypes' between the multiple AppScan products and in helping the Ounce team productizing some of the most mature features of O2

  • As I mentioned above, IBM does have a VERY impressive line-up of products and technologies in the Application Security space. With the Ounce Labs acquisition they now have just about all pieces of the puzzle (the challenge now is integrating them and making them all work as a team)

  • And when I mean ALL pieces, I am thinking much bigger than just static or dynamic analysis. If you look how how Application Security engagements are carried out today, you will see enormous gaps in:
    a) the current workflow,
    b) how data is handled,
    c) how users that access the code & results are authenticated & authorized,
    d) how findings are created,
    e) how findings are presented (to management and developers) ,
    f) how findings are remediated,
    g) how findings are retested,
    g) how findings status is tracked, etc ...

  • What really struck me when I started looking at IBM's software portfolio, namely the Rational tools and the new IBM Jazz platform, is that we can use (for example) a combination of "Jazz Foundation + AppScan / Ounce (i.e. multiple engines) + Rational Team Concert + Rational BuildForce + Rational Test Lab Manager" to create an environment that would REALY allow (in a scalable and repeatable way) to perform "focused, meaningful and actionable" Application Security Assessments.
What is interesting when I look at Jazz and Jazz Foundation (which is licensed with in a 'interestingly weird' not-Open-Source-but-with-source-code-available-and-free-for-selected-Academic-and-Open-Source-projects kind of license) and O2 , is that there are quite a lot of similarities. O2 of course is not as mature as JAZZ in the Authentication/Authorization/Process/Workflow/Colaboration front, but the focus to create a common platform to integrate multiple technologies and tools is similar.

In fact, when looking at both solutions was when I realized that O2 was actually a 'Platform' and could be extended to 'glue' and integrate multiple Open Source projects the same way it already integrates with multiple Source Code (and soon Black Box) analysis tools (both commercial and open source).

The good news is that once O2 is able to 'talk Jazz' and leverage its available services, O2 can actually be one of the 'bridges' into/from the JAZZ world (i.e. once a particular Open Source or Commercial tool is integrated with O2, then it will be 'consumable' from JAZZ)

This is really very exciting times, and I really look forward to what is happening next :)

Here are a couple links with good info on Jazz: