Last night, after the first day of the OWASP AppSec Research 2010 conference, we had the pleasure of attending the conference gala dinner at the lavishly decorated Stockholm City Hall, also used for the annual Nobel Prize award ceremony.
Steve Lipner (Microsoft) gave the keynote speech today. He described the early step, creation and evolution of Microsoft's Security Development Lifecycle (SDL). This began in early 2002 which included team-wide security training, the introduction of early threat modelling, code review, use of some tools, undertaking security testing and modifying software defaults to make them more secure. These were seen as quick wins but were immature and ad-hoc processes. They then worked on the security "science" and "security audit" to build a more robust and repeatable program leading to the first edition of the SDL in 2004. It is regularly reviewed and updated and version 5.0 was released this year and 5.1 is due in October 2010. Whilst the SDL is based on Microsoft's own experiences and culture, he said it can be applied to non-Windows development, it does not rely on Windows tools and is not just for shrink-wrapped software development. Neither is it only suitable for waterfall or spiral development methodologies; the application of SDL to agile processes has been described recently. But the most important point he made is that SDL at Microsoft is not necessarily what will work in other software development teams—it is a very helpful starting point, but requires commitment and time to create processes and apply these consistently.
Immediately following the keynote speech, Pravir Chandra (Fortify and OWASP SAMM Project Leader) outlined the Software Assurance Maturity Model (SAMM) and lessons learned in its application to real software development programs. He emphasised the need to identify and classify all applications by risk, to determine what security activities are undertaken. He described that the argument for secure software development must be a business argument based on risk, that it has a real return on investment (ROI), and starting with a single development process and enhancing that can be a good way to introduce secure development practices. The activities undertaken need to be mapped to preventative, detective and corrective controls, and that the tasks need to specify roles, responsibilities and mappings to process flows. Also, he said that security knowledge needs to be spread widely with champions and experts, not just kept by a single specialist or group. He believes SAMM has a large proportion of overlap with Microsoft SDL and BSIMM, and is in the process of mapping SAMM's activities to the latter.
David Rajchenbach-Teller (MLState) described a new programming language for web applications called OPA. It has been designed from a clean start to avoid legacy concepts from the 1970s and 80s and is based on formal methods, is safe from the bottom up, using a single language for the whole application and is based on the distributed system model where not all principals are trusted, communications use web standards and security is mostly automatic. He showed some example code and described real applications in use today. He then described how it prevents a number of issues in the OWASP Top Ten 2010 but that is still under development, and for example, they are working on cross-site request forgery (CSRF) prevention mechanisms and extending the security policy feature set.
Cassio Goldschmidt (Symantec and SAFECode) presented an engaging explanation of how we are all responsible to a certain extent for the creation of software flaws. Whilst software manufacturers may be increasingly applying secure development practices, software is very complex, there are multiple layers of software on top of software and there is no effective way to prove software correctness. Adopters (e.g. home and corporate users) desire feature-rich software and security is not always visible. The environment affects purchasing decisions and home users in particular may not keep software patched. He said purchasing decisions in corporate entities may be made by different people than the users leading to a disconnect, and even patching can be delayed due to corporate cycles. Security researchers also have a part to play where the motivation and consequences of actions are not always transparent. Similarly governments find it difficult to make good law and the timescales cannot keep up with the fast pace of developments. They may provide incentives or require higher standards, but these can be blunt instruments. In summary he proposed that economics plays a larger part than technical solutions to the risks and impacts, even thought industry is moving in the right direction.
During and after lunch, OWASP board members and leaders discussed opportunities, issues and proposals to assist end-users find organisations who are providing products and services based on OWASP's knowledgebase.
Nick Nikiforakis (KU Leuven) described their analysis of eight file sharing services that are cloud-based, provide "one-click hosting" and are mostly anonymous. They found that although the services tended to offer both private distribution (e.g. by email link or instant messaging) and public distribution (e.g. links added to forums, blogs, etc) most of the services were relying on obscurity through obscurity. In many cases the URL token was predicable and even if the source filename was included, this was often not required. Given the predictability of tokens, they were able to obtain details of many different files on the file sharing systems, and tried to identify which were of the private or public type by an examination of whether the source filename could be found elsewhere using Yahoo. The remaining non-binary types were downloaded and examined to find a wide variety of data including bank statements, company budgets & salaries, personal data, documents with admin credentials, doctors notes and even a death certificate. Their advice, choose file sharing systems that have unpredictable tokens, encrypt the files and remove from the store as soon as possible.
The conference closed with thanks being given to the organisers, Kate Hartmann (OWASP Operations Director), OWASP board, helpers from the university, the sponsors, the sound and video teams, the caterers and the attendees. Prizes from various sponsor competitions and the capture the flag event were given. John Wilander reminded attendees about the upcoming AppSec US 2010 in September and announced that next year's AppSec EU would be help in Trinity College, Dublin, Ireland, and in Athens the year after.
Congratulations to the team from Sweden, Norway and Denmark for such a well-organised, and excellent appsec conference!
Posted on: 24 June 2010 at 23:59 hrs