Archive for the 'OWASP' Category

OWASP

Registration open for Oct. 21 OWASP conference

Registration is open for the one-day OWASP conference we’re holding on the Saint Paul campus of the University of Minnesota. It’s not free as we’d hoped it would be, but it’s still only $25. Not bad for a day of web application security. Here’s the speaker list:

  • Jeff Williams, OWASP founder and CEO of Aspect Security.
  • Arshan Dabirsiaghi from Aspect Security will speak about the new OWASP Intrinsic Security Working Group, which focuses on addressing root causes of application security problems.
  • Anil Kumar Revuru from Microsoft will talk about the Microsoft Connected Information Security Framework and Tools.
  • Brian Chess of Fortify Software will speak about static analysis and its role in improving software security.
  • Elliot Glazer from DTCC, on information security architecture layers and key processes.
  • Corey Benninger from the Intrepidus Group will give us real-world phishing examples.
  • Richard Stallman will talk about… well, whatever Richard Stallman talks about. Later that evening he will give another talk at the U.

Good stuff. We probably won’t be able to handle on-site registration if you just walk in that day, and space is limited (we’ll be in the theater at the student center), so register in advance.

OWASP

Summarizing meetings so I don’t have to!

I was about to write up my notes from Wednesday’s OWASP meeting, but Tim did a pretty good job. He starts by pointing out something I hadn’t really thought about:

The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

This is a danger of what is still a pretty insulated community. It’s easy to toss out terms like clickjacking and ESAPI and expect that an audience at an OWASP chapter meeting, a self-selected group interested in web application security, will know it all. That’s clearly not the case. Tim follows this stuff pretty closely, works in the area professionally, and still there were terms thrown about that weren’t clear.

I don’t mention this as a criticism of Andrew. I do it as a reminder to myself to know your audience. I did the same thing today, dropping a reference to where Google screwed up their SAML implementation in their single-sign-on service, and it didn’t occur to me until later that the guy I was talking to probably had no idea what I was talking about.

Anyway. It was an inspiring talk. Andrew was drumming up support and interest in contributing to a number of OWASP projects.

  • OWASP Top 10 security vulnerabilities in web applications. The 2009 update is in the works. It will again be data-driven, as the 2007 update was (mostly).
  • OWASP Developer’s Guide. A lot of the testing-focused content in the current edition can be removed, since there’s now a Testing Guide. There’s strong interest now in not spending time on what’s done wrong, and instead explaining how to do it right. For SQL injection, for instance, instead of explaining why dynamic queries are dangerous, it’s more valuable to show prepared statements with bound parameters.
  • Top 10 Coding Standard. Andrew introduces this in a recent blog post. The idea is to set a minimum standard for what needs to be done to develop secure software.
  • Application Security Desk Reference. This is pretty much what it sounds like, a reference. If I recall correctly, it should build on the Honeycomb project that was donated to OWASP several years ago, a thorough categorization and reference to web app sec.
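Added example, not code from the original post or from the OWASP Guide: the SQL injection contrast the Developer's Guide entry above describes, written in Python against an in-memory SQLite table. The table, rows, and function names are constructed for the demonstration; the point is the two query styles side by side.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """The pattern the Guide used to spend pages warning about:
    user input spliced straight into the SQL text, so the input
    can rewrite the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """The pattern worth showing instead: a prepared statement with a
    bound parameter. The driver passes the value separately from the
    statement text, so the value is only ever compared, never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload; constructed input for the demo.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_dynamic(conn, "alice"))     # one row, as intended
    print(lookup_dynamic(conn, INJECTION))   # every row in the table
    print(lookup_prepared(conn, INJECTION))  # no such user: empty list
```

Run it and the dynamic query hands back the whole table for the tautology input, while the bound-parameter version treats the same string as a username that happens not to exist. That is the whole lesson in two functions, which is what the Guide's "show how to do it right" direction is after.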

There were others — there are a lot of OWASP projects — but those are the ones that stuck with me, partly because I’ve been thinking about what it would take to create short, self-contained courses in web app security and how these docs would fit in.

What’s really cool is that there are lots of ways to contribute in small ways to these projects. Especially with the Top 10 and the Guide, just working on small bits — a paragraph or two — is entirely possible.

I was briefly tempted to throw my hat into the ring to work on PHP ESAPI, a port of the Java Enterprise Security API project at OWASP. But I know I won’t make the time for it, and it’s been a while since I’ve done serious PHP. Besides, it would probably mean that Andrew would make me the lead. :) If you have killer PHP skills, please consider it. We sure as hell need this.

On top of all this, the highlight of the evening was meeting Andrew van der Stock in person. That’s been a long time coming.

OWASP

Andrew van der Stock at OWASP Twin Cities on Wednesday

At the risk of making this an “all OWASP, all the time” blog, I do want to say that Andrew van der Stock will be speaking in Minneapolis tomorrow (Wednesday) at 6:00 p.m. Actually a little after 6, since we usually let folks trickle in for ten minutes or so.

Andrew is the project lead for both the OWASP Guide and the OWASP Top 10, among other worthy activities. Let me tell you, those are monumental tasks. He’ll be talking about the Developer Guide 3.0. With the publishing of the OWASP Testing Guide, a lot of the content in the current developer guide has become redundant, so we should expect a different (more concise?) focus in the new version.

I’ve been looking forward to meeting Andrew for a long time now. Since his move to the U.S. from Australia a couple years back, I’ve been hoping we might cross paths. Looks like tomorrow’s my chance. Hope to see you there.

OWASP, Security

Upcoming OWASP Events in the Twin Cities

The Minneapolis/Saint Paul OWASP chapter is organizing two events that I want to tell you about.

First, Jeremiah Grossman is speaking at the September 9 chapter meeting. This will be a reprise of his talk at Black Hat, “Get Rich or Die Trying”:

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills — all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.

Slides of the talk are posted on his blog. Grossman does good presentations. This promises to be excellent.

Second, on October 21, we’re planning a one-day conference at the Saint Paul campus of the University of Minnesota. Details are still being worked out, but speakers include Jeff Williams (CEO of Aspect Security and an OWASP founder), Brian Chess (Fortify Software), and Richard Stallman.

Yes, Richard Stallman. I didn’t expect that! Looking forward to it. (No, that link doesn’t explain who he is. It’s just damn funny.)

Registration for the October conference hasn’t opened yet, but from what I understand we’re going to be able to make it free of charge. Wow.

I’ll let you know when there’s more information.

OWASP

Next OWASP Meeting: Gunnar Peterson on “Breaking Web Services”

Gunnar Peterson will be speaking at Monday’s OWASP meeting in Minneapolis.

SOA and Web services promise wonderful interoperability, but distributed systems create lots of room for fantastic failures. This session will explore the gory details of unique vulnerabilities at each layer of the SOA stack - from the WSDL interfaces to XML processing (XSD, XPath and XQuery), to the implementation languages like Java and C#, to new security standards like WS-Security and SAML.

I’ve been looking forward to this. See you there?

Brian Chess, who gave the above talk with Gunnar at the 2008 RSA Conference, will be speaking in September.

And if you missed Gary McGraw interview Gunnar for the Silver Bullet Security Podcast, go have a listen. It’s a good conversation.