Thursday 31 December 2009

Happy New Year and Thanks!

Just a small post to wish you all a Happy New Year!

2010 should be a great year, there is a lot in the pipeline and I expect it to be an exciting & productive ride :)

I also want to Thank You for all the support and encouragement

Dinis Cruz

Wednesday 23 December 2009

Comment on OWASP testing and disclosure levels

I think this is a great idea and one that OWASP is uniquely positioned to make happen.

This goes to the heart of what we are trying to do at OWASP, since it will help to improve the visibility of a website's security.

But before you continue reading the rest of this post, if you are not aware of PayPal's guidelines for external security researchers, please go and read this (which is linked from

Here is what I like about this schema:
  • (probably the most important) this is NOT dependent on the website's collaboration or participation (i.e. we can implement this independently)
  • It promotes good behavior and security awareness from the website's owner
  • it allows OWASP to raise the bar of entire sections of the online industry, since once we have a number of websites that follow the proposed guidelines, then their competitors will have 'market pressure' to follow it
  • this is something that the entire OWASP community needs (from member companies, to individual members, to OWASP leaders, to participants at our conferences or mailing lists). For example, I (as a web user) would like to know, when I use a website, about that website's security posture. Another good example was when OWASP had to choose, a couple of months ago, which online-voting provider we used for our board elections. Since we were paying for that service, the website's security should have been part of the decision-making process (and it wasn't, since we had no visibility into that website's security)
  • this schema also allows us to clarify what the affected website's point of view is regarding their multiple web applications. Let's look at a couple of examples:
    • The Full Disclosure and Fully Open could be used on Sample Apps. For example the ones published with the Spring Framework (like JPetStore or PetClinic)
    • the Responsible Disclosure and Open Code Review could be used for Open Source applications (in fact the difference between Open Code Review and Fully Open could be that for Fully Open the tests can be executed against the actual live website versus a locally executed copy of the website (which will be possible when we have access to the source code))
    • the Responsible Disclosure and Open Test is what PayPal is doing
    • the Private Disclosure could be used as a first step for companies who want to leverage the good guys' security knowledge (for example, a lot of us 'accidentally' discover security vulnerabilities in websites but are not comfortable reporting them since we are not sure how the website's owner would react (in fact in most cases we don't even know who to contact)). Another source of security issues for this is the XSSed database, or the Google searches for the latest Flash/XSS vulnerability.
    • the No Disclosure is an interesting one since I don't expect that companies will 'officially' embrace it, but one we (OWASP) could apply based on that company's past behavior (past examples are: MySpace when it sued Samy, BT with Daniel, the US Gov departments behind the Gary McKinnon case, etc...)
    • Finally, given the current 'hacking laws', the OWASP “Trust Us” Insecurity Program – No testing + no disclosure – is what all public websites should be given by default. This would actually be a great way to visually show the current (bad) state of affairs
    • For day to day browsing, a Firefox extension that checked the website's status would be a great way to expose this to a wider audience
I'm sure there are a number of tweaks we will need to make to the classification names, their definitions and the scenarios they cover.

So I would say that the next step is for us to try to implement this, mark it as Beta for a while, and once it is working, officially launch it.

Who wants to be the project leader?

Tuesday 22 December 2009

Idea for an OWASP Standard for public rating of a website's security profile

Jeff Williams had a great post following the discussion we had at TwitterLand (direct quote from Jeff's email):

I saw some twittering about this sort of thing over the weekend…

The basic idea is that we could create some OWASP standards around the way that companies allow their websites to be tested/scanned/reviewed and how they want to handle disclosure of issues that are discovered. Companies could choose the standard they want to follow and it would encourage people to make that choice explicit and public (visible).

We could do this pretty easily in the OWASP Legal Project – the way that Creative Commons defined some IP licenses and released them. I’m just not sure what the current practices are. Has anyone catalogued a list of companies with either testing or disclosure policies? See Microsoft policies.

Just as an off the top of the head brainstorm, what do you think of these?? Of course we’d have to specify these carefully and fully.
  • Full Disclosure – disclose anything you find
  • Responsible Disclosure – work with us please
  • Private Disclosure – send it to us and pray
  • No Disclosure – we will hunt you down and kill you
  • Fully Open – code review + test all you want
  • Open Code Review – we’ll let you review the source and test all you want**
  • Open Test – test with your account all you want
  • Staged Test – register and we’ll let you test on a non-production system
  • No Testing – you are an evil hacker
** Note: I have already drafted an “OWASP Open Code Review” license that grants people the rights they need to do a source code review without giving up ownership or other legal rights.

We could combine these into a few interesting combinations…
  • OWASP Open Security Program – Fully open review + full disclosure
  • OWASP Shared Security Program – Open testing + responsible disclosure
  • OWASP Private Security Program – Staged Testing + private disclosure
  • OWASP “Trust Us” Insecurity Program – No testing + no disclosure

Note that this is NOT a certification program. This is a way for companies to *declare* their approach to security. Your thoughts welcome…

OWASP Challenges World Governments to Improve Application Security

At the OWASP IBWAS 09 Conference (organized by the Portuguese and Spanish chapters) we had a panel on the last day which debated what governments should do to improve Web Application Security in 2010.

You can read the press releases here in English, Spanish or Portuguese.

And here are the contents of the press release with the 5 recommendations:

Madrid, Spain, 15/12/09

Around 40 participants and several dozen technology students and their teachers attended the Iberic Web Application Security conference (IBWAS’09), which was held at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación, Universidad Politécnica de Madrid, Spain, on the 10th and 11th of December 2009.

The conference, which was a massive success, was organized by the Spanish and Portuguese OWASP chapters with the aim of bringing together application security experts, researchers, educators and practitioners from the industry and academia to discuss open problems and new solutions in application security.

Through the passionate discussion held in the "Web Application Security: What should Governments do in 2010?" panel, several conclusions have been reached.

These conclusions reflect the decisions made by the panel and are meant to be debated, updated and eventually published by OWASP as a set of recommendations.   

Panel’s conclusions:

  1. We challenge governments to work with OWASP to increase the transparency of web application security, particularly with respect to financial, health and all other systems where data privacy and confidentiality requirements are fundamental;
  2. OWASP will seek participation with governments around the globe to develop recommendations for the incorporation of specific application security requirements and the development of suitable certification frameworks within the government software acquisition processes;
  3. We offer our assistance to clarify and modernize computer security laws, allowing the Government, citizens and organizations to make informed decisions about security;
  4. We ask governments to encourage companies to adopt application security standards that, where followed, will help protect us all from security breaches, which might expose confidential information, enable fraudulent transactions and incur legal liability;
  5. We offer to work with local and national governments to establish application security dashboards providing visibility into spending and support for application security.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of its materials are available under a free and open software license. The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization.

Friday 18 December 2009

Latest twitter hack: Any good contacts at twitter security team and management?

I have an OWASP-related idea that I would like to present to them (... trying to leverage the fact that they should be a little bit focused on security these days...)

Please make the intro directly to my OWASP email


Friday 4 December 2009

Setting up some O2 test boxes at a Cloud near you

I need to build a couple of test boxes for O2, and was thinking of using Amazon EC2 to set them up.

In the past I have used VPS from ISPs like RackForce, but they can be quite expensive and I need to be able to create a number of new boxes on demand which the VPS guys don't seem to support.

So is Amazon EC2 the best option?

Has anybody here used it? Any top tips?

One annoying problem I have with Amazon EC2 is that it doesn't seem to be possible to 'suspend' VMs. Is that true? Ideally I would like to create a VM and then suspend it (at a low cost) so that I only have it enabled when I need it. I guess another option is to create a custom O2 image that can then be used (again, has anybody here tried to do that for a Windows box? If so, are there any license restriction issues?)

One really cool thing with the Amazon EC2 system is that I can control my instances from my iPhone :)

Wednesday 2 December 2009

New version of CirViewer (now with Debug Symbols support)

I just published a new version of the CirViewer module which contains a very exciting new capability.

CirViewer now supports the loading and mapping of .NET *.pdb files (i.e. debug symbols) into O2's CIR (ICirData, ICirClass and ICirFunction). If you don't know what CIR is, think of it as an Object-Model representation of source code which you can visualize and easily write scripts against (at this stage O2 only cares about Call-Flow information).

Here are the main links:
There have been substantial changes in this version of CirViewer, so you are advised to uninstall previous versions (or you will end up with two side-by-side versions, since this latest release will not overwrite the previous one; these updates usually overwrite them, but this one will not since, amongst other things, the EXE file name was changed).

If you want to give this new version a test-drive, you will need some .NET Assemblies with the *.pdb files located in the same directory, plus the source code (see video). To make it easy, you should first try the HacmeBank Web Services DLLs and source code, which you can download from: CirViewer-HackMeBank

Please test it and provide feedback to the #O2Platform Mailing List (