23 June 2010

OWASP AppSec Research 2010 - Part 1

The Open Web Application Security Project (OWASP) AppSec Research 2010 conference started this morning following the previous two days of application security training. The conference began with a welcome and introduction from the primary organiser and OWASP Sweden chapter leader, John Wilander, and the OWASP Board.

Photograph of Tom Brennan, OWASP Foundation Board member, at the opening of OWASP AppSec Research 2010 in Sweden, Stockholm

This was immediately followed by the keynote address on Cross-Domain Theft and the Future of Browser Security by Chris Evans and Ian Fette (Google). They described how attacks are increasingly targeting the browser, and nowadays this may mean its plug-ins rather than the browser itself. Browsers are generally moving towards being sandboxed, but it is harder to sandbox the plug-ins, and the sandboxing is specific to the operating system as well as to the browser. Chris described future soft spots and the possible growth of multi-payload malware that tries to exploit two vulnerabilities, e.g. one to execute code and a second to escape the sandbox. Ian described the large proportion of search engine results that seem to be phishing or malware sites and how blacklisting can help defend users. Interestingly, he mentioned that Google actually visits suspicious websites in a virtual machine to check whether malware exists.

The remainder of the day was split into three parallel tracks.

After the keynote, I attended the presentation by Lieven Desmet (KU Leuven) on client-side cross-site request forgery defence measures and their own CsFire Firefox extension. It builds upon previous efforts, particularly RequestRodeo (Martin Johns, 2006), but aims to provide a much more usable experience with very little user involvement. The extension is available to download and the team are looking for feedback, especially about problems with particular websites. They believe a combination of server-side and local policies may overcome these issues, such as sites spanning multiple domains.

Delegates seated in the lecture theatre at OWASP AppSec Research 2010 in Sweden, Stockholm

Ivan Ristic presented the main threats against SSL (implementation flaws, rogue certification authority certificates, rogue certification authorities, usability issues, and application and configuration vulnerabilities). He then went on to describe the principal SSL deployment mistakes; these are very important considerations to take into account, especially in the design of a new website. His recommendation: create the site completely SSL-only from the start. And use the free information and tools at SSL Labs.

The problem of using static code analysis tools on source code built with open source, proprietary and home-grown frameworks was described by Christian Hang (Armorize Technologies). He described how reflection, invocation sequence and cross-content propagation can lead to false positive and false negative results. For example, in the Struts framework for Java he showed how detailed knowledge of the configuration XML file is needed. He suggested that asking users to hard-code the analysis tool's configuration, or asking the tool's developers to build support for each framework, are both unsustainable. His recommendation was to dynamically translate the framework logic into the source code, so the two are stitched together before the analysis is undertaken. He says it is not perfect, but it is easily extensible and equally applicable to home-grown frameworks.

Vendor stands at OWASP AppSec Research 2010 in Sweden, Stockholm

After lunch, Mike Samuel and Jasvir Nagra (Google) described the Caja project and how it can help (in particular larger, more mature social networking sites) where the same origin policy is not sufficient and policies need to change quickly to meet new demands and threats. The technique uses the concept of virtualisation to isolate and control the flow of third party HTML, JavaScript and CSS to the end user.

Mike Samuel and Jasvir Nagra from Google at OWASP AppSec Research 2010 in Sweden, Stockholm

Johan Lindfors and Dag Konig (Microsoft) outlined the variety of security tools available for .NET development and testing. These included demonstrations of Team Foundation Server, Threat Modelling Tool, and an overview of FxCop, CAT.NET, Pex, Moles and the Web Application Configuration Editor. They also described the concepts behind code contracts. There is more about these on the security tools blog.

David Byrne and Charles Henderson (Trustwave) outlined the pros and cons of manual and automated testing. They moved on to examples that only manual testing would find, and reminded the audience to remember that vulnerabilities also come from (product/organisation) acquisitions, old/dead code and third party libraries.

Panel discussion at OWASP AppSec Research 2010 in Sweden, Stockholm

The day closed with a panel discussion about whether application security is fighting a losing battle.

The research papers, presentations and demonstrations from all three tracks are listed on the conference website, where the presentations and recorded videos will be available in due course.

Posted on: 23 June 2010 at 17:24 hrs
