14 July 2012

AppSec EU 2012 - Part 1

After the successful training courses, OWASP chapters workshop and University Challenge, the first day of the AppSec EU conference began on Thursday 12th July with a welcome by Konstantinos Papapanagiotou on behalf of the local Greek conference organising committee, who thanked all those involved with making the conference a reality including the host Athens University, the committee, OWASP staff, sponsors, and the trainers, speakers and volunteers. He also apologised for what the British would call "fantastic weather".

Photograph of the sun in the bright blue sky above Athens University in Greece where AppSec EU was hosted

The conference's first session was given by the board from the Open Web Application Security Project.

Photograph showing the OWASP Board members Tom Brennan, Eoin Keary, Sebastien Deleersnyder and Dave Wichers addressing the conference in the main auditorium at the start of AppSec EU 2012

The OWASP Board provided an introduction for those less familiar with the organisation, and an overview of successes in the past year since AppSec EU 2011 in Dublin. The current number of local chapters is 193 in 76 countries. The board outlined current strategies and plans for the coming year, including the upcoming vote for board members.

Photograph of Jacob West speaking about 'Software Security Goes Mobile' at OWASP AppSec EU 2012 in Athens Greece

Jacob West gave the first keynote, discussing the growth of the smartphone market and how mobile is an emerging point of purchase. He discussed the reasons why some mobile users are not keen to use their phones for payments with a survey showing that some users prefer their desktops/laptops for such activity, but there are a significant number who don't feel secure or find it too complicated. He gave an overview of the mobile landscape and how it introduces additional trust boundaries that other applications do not necessarily have to deal with. He explained that it is not always clear to users who is responsible for security — device manufacturers, or application owners, or application developers, or operating system providers, or network providers, or even the user themselves. He discussed some of the most common security issues with Android applications and provided recommendations on what organisations need to consider when about to develop for, or acquire in, the mobile space.

Photograph of Justin Clarke speaking about 'Teaching an Old Dog new Tricks - Securing Development with PMD' at OWASP AppSec EU 2012 in Athens Greece

The conference split into three tracks (Builders, Breakers and Defenders). Justin Clarke spoke about using the open source Java source code scanner tool PMD to perform security static analysis. He described how the approach for security checking needs to target insecure patterns, but minimise false negatives even if there are false positives, and how it is necessary to investigate the context of a rule violation. This is in contrast to normal PMD usage where the intent is to find buggy code patterns, but to minimise false positives even if there are high false negatives. PMD is used extensively by Java developers, is highly extensible, has good documentation, is well supported and integrates with many IDEs and build tools. He described and demonstrated how he has developed and integrated a number of test security rules. He went on to discuss challenges of the approach, and ways to mitigate some of these. Currently the demonstrated code only works with PMD v4, but it is in ongoing development.

Photograph of Wichers speaking about 'Unraveling Some of the Mysteries Around DOM-based XSS' at OWASP AppSec EU 2012 in Athens Greece

Immediately afterwards, Dave Wichers provided an introduction to DOM-based cross-site scripting (XSS) and identified a number of public information resources on this topic. He explained why he finds the current naming conventions for types of XSS (reflected, stored and DOM-based) confusing and proposed using the terms "client XSS" and "server XSS" based upon where the code is built, both of which can be reflected or stored. He went on to describe the extensive problem with client XSS due to much less awareness in development teams, lack of comprehensive guidance on avoiding client XSS issues and how to fix them, inherent issues in commonly-used JavaScript libraries/APIs, and also because detectability is lower. He showed some research he has been undertaking with other experts in the field to try to enumerate dangerous functions in some of these libraries. He especially recommended looking at the DOMXSS Wiki. He also discussed some encoding libraries available, and tools that target this class of security weakness.
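As an added illustration of the two sessions above (it is not code from PMD, from Justin Clarke or from Dave Wichers), the JavaScript below applies the rule style described in the PMD talk to the client XSS problem: a deliberately high-recall, line-oriented scan of source text that reports every use of a DOM sink, and raises the severity when the written value can be traced back to an attacker-influenced source, either directly or through a variable assigned from one. The source and sink lists, the regular expressions and the two sample fragments are all constructed for this example; a real rule would work on PMD's syntax tree rather than on lines of text.

```javascript
// Added example: a high-recall, line-oriented security rule for client XSS.
// Not code from PMD, Justin Clarke or Dave Wichers; the source/sink lists and
// the sample fragments below are constructed for this illustration.

// Values the browser lets a page read but which an attacker can influence.
const DOM_SOURCES = [
  "location.hash", "location.search", "location.href", "document.URL",
  "document.documentURI", "document.referrer", "window.name",
];

// Sinks that interpret their argument as markup or script. Longer names
// precede their prefixes so that the reported match is the most specific one.
const DOM_SINKS = [
  "innerHTML", "outerHTML", "insertAdjacentHTML", "document.writeln",
  "document.write", "eval(", "setTimeout(", "setInterval(", ".html(",
];

// First needle that occurs in the text, or null.
function firstMention(text, needles) {
  return needles.find((n) => text.includes(n)) || null;
}

// Whole-identifier match that is also safe for names containing "$".
function identRe(name) {
  return new RegExp("(^|[^\\w$])" + name.replace(/\$/g, "\\$") + "(?![\\w$])");
}

// "var x = <rhs>", "let x = <rhs>", "const x = <rhs>" or a bare "x = <rhs>" (not "==").
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

// Scan JavaScript source text. Every sink use is reported, in the spirit of a
// security rule that accepts false positives: "high" when the value can be
// traced to a DOM source, "review" when the analyst must inspect the context.
function scanSource(src) {
  const tainted = new Set();  // identifiers assigned from a source or from another tainted identifier
  const findings = [];
  src.split("\n").forEach((line, index) => {
    const sink = firstMention(line, DOM_SINKS);
    const source = firstMention(line, DOM_SOURCES);
    const taintedVar = [...tainted].find((v) => identRe(v).test(line)) || null;

    if (sink) {
      findings.push({
        line: index + 1,
        sink,
        source: source || taintedVar,
        severity: (source || taintedVar) ? "high" : "review",
        text: line.trim(),
      });
      return;
    }

    // Propagate taint through simple assignments so that
    // "var h = location.hash; el.innerHTML = h;" is still caught.
    const m = ASSIGN_RE.exec(line);
    if (m) {
      const [, name, rhs] = m;
      if (firstMention(rhs, DOM_SOURCES) || [...tainted].some((v) => identRe(v).test(rhs))) {
        tainted.add(name);
      }
    }
  });
  return findings;
}

// Constructed sample: a fragment that renders part of the URL as HTML, plus a
// document.write call with no attacker input that merely needs a human look.
const VULNERABLE_FRAGMENT = [
  'var section = location.hash.substring(1);',
  'var label = "Section: " + section;',
  'document.getElementById("out").innerHTML = label;',
  'document.write("<p>loaded</p>");',
].join("\n");

// The same logic writing through textContent, which treats the value as text
// rather than markup, so no sink is used and nothing is reported.
const HARDENED_FRAGMENT = [
  'var section = location.hash.substring(1);',
  'var label = "Section: " + section;',
  'document.getElementById("out").textContent = label;',
].join("\n");

for (const [name, src] of [["vulnerable", VULNERABLE_FRAGMENT], ["hardened", HARDENED_FRAGMENT]]) {
  console.log(name, JSON.stringify(scanSource(src), null, 2));
}
```

Run with Node, the scan reports the innerHTML assignment in the first fragment as "high" (traced via the variable label back to location.hash) and the document.write call as "review", and reports nothing for the hardened fragment. The substring matching is intentionally crude: "eval(" inside a longer word would also fire, which is exactly the false-positive trade-off the PMD talk argued a security rule should accept.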

Photograph of Duncan Harris speaking about 'From EasySQL to CPUs' at OWASP AppSec EU 2012 in Athens Greece

The next keynote of the day was provided by Duncan Harris who described how Oracle started its own secure software development lifecycle (Oracle Software Security Assurance) after its first public vulnerability, named EasySQL. This was a serious design failure that affected all versions on all platforms, for which there was no workaround and no mitigation. Now there is a major programme that encompasses secure development standards, secure coding standards, secure coding training, definition of security requirements throughout all phases, security-vetted core modules, and pro-active, destructive & ethical hacking security testing. He also described the management structure of their software assurance personnel, the difficulties of managing over 3,000 products and the processes undertaken for the large number of product acquisitions that occur.

Photograph of delegates networking during lunch outside at OWASP AppSec EU 2012 in Athens Greece

A break for lunch allowed delegates to network and visit the vendor booths. It also provided time to progress with Capture The Flag challenges.

Photograph of Ben Livshits speaking about 'Finding Malware on a Web Scale' at OWASP AppSec EU 2012 in Athens Greece

Ben Livshits continued in the main auditorium with a keynote describing how Bing identifies sites that are hosting malware so they can be excluded from its index. He outlined research concepts, the migration of those into real-world products and introduced the Nozzle and Zozzle tools that detect heap spraying and other types of JavaScript attacks at scale. They identify thousands of malicious sites daily with a false positive identification rate of about one in a million.

Photograph of various types of cooked pasta in separate serving dishes - one of the illustrations from Colin Watson's talk about application vulnerability severity ranking entitled 'Tricolour Alphanumerical Spaghetti'

In Tricolour Alphanumerical Spaghetti I spoke about vulnerability severity ranking systems, differences in vocabulary, the lack of consideration of environmental and business contexts in many cases, drivers such as PCI DSS, and how it is difficult to compare and aggregate results. I explained issues using Common Vulnerability Scoring System (CVSS) for application weaknesses, briefly mentioned Common Configuration Scoring System (CCSS) and the nascent Common Misuse Scoring System (CMSS) (see previous blog post), and discussed the use of Common Weakness Scoring System (CWSS) with the Common Weakness Risk Analysis Framework (CWRAF). I provided some pointers for those generating and consuming vulnerability data and outlined an approach for organisations developing their own vulnerability risk ranking systems.

Photograph of Adrian Winckles speaking about 'Achieving Sustainable Delivery of Web Application Security Virtual Laboratory Resources for Distance Learning' at OWASP AppSec EU 2012 in Athens Greece

Adrian Winckles described Anglia Ruskin University's approach to developing a sustainable virtual training environment for a large number of remote students. He described the necessary properties for providing application security distance learning where the environments need to be able to support a number of network components, host multiple applications and tools, prevent students from being able to "find the answers", be able to take snapshots and track students' progress and protect the network from malicious activity.

The presentations will be available on the OWASP web site in due course.

Photograph of Jeremy King introducing the PCI Panel at OWASP AppSec EU 2012 in Athens Greece

The conference finished with a PCI Panel introduced by Jeremy King, European Director at PCI Security Standards Council. He set the scene by describing the current industry status and types of crime, and outlined the ongoing work of the PCI SSC.

Photograph of the PCI panel discussion at OWASP AppSec EU 2012 in Athens Greece

John Yeo acted as moderator for the five panel members (left to right above) Jeremy King, Valentim Oliveira, Josef Nedstam, Pravir Chandra and John Wilander. They were challenged to a series of questions about payment cards, the PCI SSC, compliance vs. security, application security and the use of web application firewalls (WAFs) to meet Requirement 6.6 of PCI DSS.

Photograph of Kostis Palamas at the University of Athens

In the evening all conference delegates were invited to a special cocktail reception in the beautiful rooms of the Kostis Palamas building in the main university campus.

Continued in Part 2.

Posted on: 14 July 2012 at 14:34 hrs

http://www.clerkendweller.com/2012/7/14/AppSec-EU-2012-Part-1