AppSec USA 2011 - Part 1

The first keynote speech at AppSec USA 2011 was given by Mark Curphey, a founder of OWASP.

He described OWASP's beginnings in 2001, how the organisation has grown and become the success story it is today. And that success is completely about the people and its open principles. Despite having contributions from all round the world, he described that connecting people in person together, face-to-face, is critical and thus how important the local chapters, local events and regional conferences are. He included a compilation of short videos from chapters around the world. He also saluted many of the exceptional people involved over ten years, and how he believes the application security community needs to keep instead with the trends in the developer community.

The talks were spread over four parallel tracks. Following the morning break, I attended a talk by Andres Riancho on web application security testing payloads. Andres described the lack of post exploitation techniques available in web penetration testing tools. If these do exist, they are mainly in the area of buffer overflows rather than for web exploits where there is often much reduced capability. He showed how W3AF has been extended to build a number of post exploitation payloads, mainly in Linux/Apache HTTP space. He also demonstrated how a custom payload could be used to download an web site's source code where there is a file read vulnerability, and then with a proof-of-concept static code analysis tool, examine that code to look for additional vulnerabilities that may be exploitable to achieve file write capabilities, and thus file execution. This combination of blackbox penetration testing and static-code analysis is a fascinating and useful concept.

I then attended a presentation on the mobile track by Ryan Smith about a distributed framework for performing large-scale android application security analysis called STAAF (Scalable Tailored App Analysis Framework). He described how there are many Android app analysis tools, but these are mostly designed to analyse a single app at a time. STAAF uses these as modules but has additional efficiency, scalability and data analysis capabilities. Ryan described the low barrier to entry for Android developers and the problem with third-party market places from where some users will download and install apps. The mobile devices treat all the apps the same. For users there is no distinction between core apps and third party applications and they can only make decisions based on trust of the source and the permissions requested. In practice this means malicious apps are widely available and downloaded by unsuspecting users. STAAF was built to scale across multiple servers to process scanning requests with centralised long-term storage and results reporting. Modules include extraction of permission requirements, libraries used, referenced static URLs, methods, manifest and Dex bytecode. Efficiencies are obtained by caching intermediate results, data conversion to ASCII, Smali & Java and storing the control flow graph from the Dex. Additionally common libraries and shared resources are not re-processed every time. The framework is bound by CPU power due to database activity, but it appears to have the potential to scan 50,000 apps in less than 8 hours with a relatively small number of nodes.

Next I listed to Scott Matsumoto's presentation on threat modelling for cloud-based services and applications. Threat modelling can be complex, and therefore I am always interested to hear about different approaches. Scott used the NIST Cloud Definition Framework to describe how Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) affect application design, deployment and operation. He discussed the use of Amazon Web Services (AWS) S3 as an example change to an application's architecture to identify the assets, threats and risks of using a cloud-based approach. He described the risks unique to cloud-based applications as well as those that are often very relevant, but are common to other architectures too. There is a related presentation tomorrow, by one of Scott's colleagues, on simplifying threat modelling.

During lunch the OWASP Board described the current healthy status of participation, membership and supporters, chapters, conferences and project activity. Michael Coates is now the new OWASP chair as Jeff Williams steps down after 8 years. The board also announced awards for people who had made special efforts during the previous year,and Michael Coates thanked Jeff Williams for his previous tenure.

After lunch, Dan Cornell described a technique to reduce the exposure time between vulnerability identification to short-term remediation. He explained that when code changes occur, this can lead to vulnerabilities where potential solutions might include web application firewalls, finding all the vulnerabilities and fixing before deployment, or avoiding vulnerabilities in the first place. These all have challenges and problems. His suggested approach for some classes of vulnerability such as injection, is to implement a process to automatically identify new code (e.g. change control processes, file system and network monitoring), analyse this code for vulnerabilities (e.g. using normalised data from manual and automated code review and vulnerability scanning tools) and automatically block traffic that is being targeted to exploit these using virtual patching using IDS/IPS/WAF systems. Once the rules are created, the alerts can be mapped back to the vulnerabilities to provide insight into what attackers have discovered and what they are interested in. These techniques may be of use where you have little or no control over the deployed code, or where it takes a,long time to create and deploy security fixes.

I returned to the mobile track to listen to Kevin Stadmeyer and Garret Held give an information-rich presentation on the security issues relating to iPhone applications, and how to develop these applications more securely. They described the secure storage of credentials and other data, inadvertent local storage, caching, and client-side sanitisation. Following a description of the most common issues, Kevin and Garret defined some secure coding practices to protect against buffer overflows, format string attacks, race conditions, and measures to take server side and to secure communications.

Jon McCoy demonstrated the use of tools and methodologies to verify security in C# .NET applications based on legacy tools and his own research. He used his tool GrayWolf to decompile demonstration executables & DLLs and GrayDragon to attack a test application while running, by modifying the memory. He described that once you have access to the source code, you can examine the protection measures and have much more ability to identify vulnerabilities and thus validate information assurance of deployed code. It is also possible to modify the code or insert calls to your own procedures. For example, he described a range of methods he has used to circumvent cryptographic controls using these tools. He went on to describe measures such as code signing, package encryptors and obfuscation which are used to prevent this reverse engineering, but also described how these techniques can be ineffective or lead to additional vulnerabilities.

The talks continue tomorrow. All presentations will be available on the OWASP AppSec USA web page.