15 July 2012

AppSec EU 2012 - Part 2

Continuing from the first successful day, the second day of the AppSec EU conference, on Friday 13th July, had another packed 3-track agenda.

Photograph of the old university buildings of the National and Kapodistrian University of Athens in Athens, Greece

The day's proceedings began in the main auditorium with a keynote from Gary McGraw.

Photograph of a delegate's notebook with the URL of OWASP's home page and details of the conference's WiFi

Gary McGraw gave a stimulating presentation on what is wrong in software security, and on where in the software development life cycle changes have the greatest effect on identifying implementation bugs and architectural flaws, and on increasing confidence in the actual security of the application. He summarised how software security has progressed over the last ten years, how large companies such as Microsoft have developed their own secure development life cycles, and how it is now much more common to see security considered at multiple stages of development. He described the Building Security In Maturity Model (BSIMM) survey of what companies are really doing, and how its source data has expanded over four reports. He explained that this real survey data has made a large difference in convincing others that these activities, which would otherwise just be "good practices", are actually in use.

Photograph of Dan Cornell speaking about 'Benchmarking Web Application Scanners for Your Organisation' at OWASP AppSec EU 2012 in Athens Greece

Following a brief break, I listened to a talk in the Defenders track. Dan Cornell introduced the problem of identifying the best dynamic application security testing tool (automated black-box scanner) for your own organisation. He said that some of the publicly available comparisons and discussions of application scanners are well worth reading and provide much insight, but what matters is whether a scanner works sufficiently well with your own applications, with their particular frameworks, architectures, patterns and conventions. He said that application coverage, a low false positive rate and a low false negative rate are the most generally desirable properties. He outlined how login processes often cause difficulties for scanners and described some common issues: complex authentication is not necessarily the problem, as merely unusual login schemes can be very difficult for some scanners to learn without considerable tuning. He said the problem of identifying false negatives is related to the problem of ranking the severity of the vulnerabilities found. Finally he demonstrated the open source ThreadFix tool, which aggregates, normalises and de-duplicates findings from many different test sources and exports the consolidated data to software issue tracking systems, giving a complete overview of the status of applications over time.
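To make the aggregate/normalise/de-duplicate step concrete, here is an added example (written for this post, not ThreadFix's own code) that takes two scanners' exports with different record shapes, maps them onto one vocabulary, merges findings that describe the same weakness at the same endpoint, and lists the findings only one tool reported. The scanner names, both report shapes, the vulnerability-name mapping and the sample findings are all constructed for the illustration.

```javascript
// Added example, not ThreadFix code: aggregate two scanners' exports into one
// de-duplicated finding list. Scanner names, report shapes, the name-to-CWE
// mapping and the sample findings are constructed for the illustration.

const scannerA = [ // hypothetical export shape of "scannerA"
  { vuln: 'SQL Injection', url: 'https://app.example/login?next=/home', param: 'username', risk: 'High' },
  { vuln: 'Cross Site Scripting (Reflected)', url: 'https://app.example/search', param: 'q', risk: 'Medium' },
];
const scannerB = [ // hypothetical export shape of "scannerB"
  { name: 'SQL injection', location: 'https://APP.example/login', parameter: 'Username', severity: 5 },
  { name: 'Path Traversal', location: 'https://app.example/download', parameter: 'file', severity: 4 },
];

// Vendor vulnerability names mapped onto one vocabulary (CWE ids), and word
// severities mapped onto the 1-5 scale the second scanner already uses.
const NAME_TO_CWE = { 'sql injection': 89, 'cross site scripting (reflected)': 79, 'path traversal': 22 };
const RISK_TO_SEVERITY = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };

// One adapter per source turns its native record into a common shape.
const adapters = {
  scannerA: f => ({ name: f.vuln, url: f.url, parameter: f.param, severity: RISK_TO_SEVERITY[f.risk.toLowerCase()] }),
  scannerB: f => ({ name: f.name, url: f.location, parameter: f.parameter, severity: f.severity }),
};

function normalise(source, raw) {
  const f = adapters[source](raw);
  const u = new URL(f.url);
  return {
    cwe: NAME_TO_CWE[f.name.toLowerCase()] || 0, // 0 = unmapped, review by hand
    path: u.hostname + u.pathname,                // query string dropped: same endpoint
    parameter: f.parameter.toLowerCase(),
    severity: f.severity,
    sources: [source],
  };
}

// Merge findings that describe the same weakness at the same location;
// the merged record keeps the worst severity any tool assigned.
function consolidate(reports) {
  const byKey = new Map();
  for (const [source, findings] of reports) {
    for (const raw of findings) {
      const n = normalise(source, raw);
      const key = `${n.cwe}|${n.path}|${n.parameter}`;
      const seen = byKey.get(key);
      if (!seen) { byKey.set(key, n); continue; }
      seen.sources.push(source);
      seen.severity = Math.max(seen.severity, n.severity);
    }
  }
  return [...byKey.values()].sort((a, b) => b.severity - a.severity);
}

// Findings reported by exactly one tool: candidates for the other tool's false
// negatives (or this tool's false positives) and worth a manual look either way.
function singleSource(consolidated) {
  return consolidated.filter(f => f.sources.length === 1);
}

// Issue-tracker friendly titles for the consolidated list.
function issueTitles(consolidated) {
  return consolidated.map(f => `[CWE-${f.cwe}] ${f.path} (${f.parameter}) sev ${f.severity} via ${f.sources.join('+')}`);
}

const consolidated = consolidate([['scannerA', scannerA], ['scannerB', scannerB]]);
console.log(issueTitles(consolidated).join('\n'));
console.log('single-source findings:', singleSource(consolidated).length);
```

The de-duplication key deliberately ignores the query string and parameter case, because two tools rarely report the same endpoint in the same form; what counts as "the same finding" is a policy choice you will need to tune for your own applications, just as the talk argued for scanner selection itself.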

Photograph of Dinis Cruz speaking about 'Making Security Invisible by Becoming the Developer's Best Friends' at OWASP AppSec EU 2012 in Athens Greece

Dinis Cruz introduced the OWASP O2 Platform project and described how it connects different technologies in a way that security consultants or developers can use for code analysis and improvement. In this presentation he focused on a customisation that integrates with an integrated development environment (IDE) to perform static security analysis of an ASP.NET application in real time, as the developer types code. This is accomplished by combining Microsoft's CAT.NET, a binary code analysis tool, with the Roslyn compiler-as-a-service. He demonstrated convincingly how injection flaws such as SQL injection and cross-site scripting could be flagged immediately within the IDE. By linking this to coding standards and external resources, security knowledge can be inserted into the implementation stage of projects, within the environment developers already use.

Photograph of Diomidis Spinellis speaking about 'Fatal Injection And What You Can Do About It' at OWASP AppSec EU 2012 in Athens Greece

In the second keynote of the day, Diomidis Spinellis, professor at the Athens University of Economics and Business, explained the problems associated with SQL, XPath and JavaScript injection attacks. He described a generic approach that uses location-specific signatures to identify these types of attacks. The functionality is available as open source libraries (EnSign) that can be used with any web application.

Pravir Chandra continued the theme of injection attacks in the third keynote, entitled "Everything You Know About SQL Injection is Wrong". He illustrated how SQL injection, cross-site scripting and XPath injection all stem from the same failure to segregate data from code. He proposed that we should use design patterns that enforce a separation between the two, preventing the intermingling of data and code and thus eliminating these most dangerous vulnerabilities. He argued for the concept of an output assembler, or parameterised wrapper, that takes code and data separately and combines them safely using encoding libraries, so that code resources are never exposed directly to untrusted data.
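The injection theme of both keynotes can be shown in a few lines. The following is an added example written for this post, not code from either speaker: a vulnerable string-spliced query beside three small "output assemblers" that keep data out of the code they are combined with, for SQL (bind parameters), HTML (context encoding) and XPath 1.0, which has no bind parameters and so needs the assembler to encode the literal itself. The function names (sql, html, xpathLiteral, userXPath) and the sample payloads are hypothetical; the {text, values} query shape is the one drivers such as node-postgres accept, on the assumption that the caller hands it to such a driver.

```javascript
// Added example, not Pravir Chandra's or Diomidis Spinellis's code: the output
// assembler idea as three wrappers. Function names and sample inputs are hypothetical.

// Vulnerable 'before': data is spliced into the SQL text, so data can become code.
function vulnerableQuery(name) {
  return "SELECT id FROM users WHERE name = '" + name + "'";
}

// Parameterised wrapper: the SQL text is fixed by the template at write time;
// every interpolated value travels separately as a bind parameter, in the
// {text, values} shape node-postgres accepts (assumption: passed on to a driver).
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((_, i) => { text += '$' + (i + 1) + strings[i + 1]; });
  return { text, values };
}

// HTML assembler: the template is code, each interpolation is data and is
// encoded for the HTML text / attribute-value context before being joined.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#47;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, c => HTML_ESCAPES[c]);
}
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => { out += encodeHtml(v) + strings[i + 1]; });
  return out;
}

// XPath 1.0 has no bind parameters, so the assembler must encode the data:
// emit a string literal that cannot terminate early whichever quote kind it holds.
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return "'" + s + "'";
  if (!s.includes('"')) return '"' + s + '"';
  // Both quote kinds present: split on single quotes and rebuild with concat().
  const parts = s.split("'").map(p => "'" + p + "'");
  return 'concat(' + parts.join(`, "'", `) + ')';
}
function userXPath(name) {
  return '//user[name=' + xpathLiteral(name) + ']';
}

// Usage with a classic tautology payload (constructed input).
const payload = "' OR '1'='1";
console.log(vulnerableQuery(payload));                          // data became code
console.log(sql`SELECT id FROM users WHERE name = ${payload}`); // code and data kept apart
console.log(html`<p>Hello, ${'<script>alert(1)</script>'}</p>`);
console.log(userXPath("admin' or '1'='1"));
```

The common shape is the point: in each wrapper the developer writes the code part once, in a template, and the assembler is the only place where data meets it, so a reviewer checks one small routine per output context rather than every call site.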

Photograph of the courtyard used for lunch during OWASP AppSec EU 2012 in Athens Greece

The break for lunch provided time to absorb some of the sunshine and speak further with the other delegates.

Photograph of Stephen De Vries speaking about 'BDD for Automating Web Application Testing' at OWASP AppSec EU 2012 in Athens Greece

After lunch, Stephen de Vries discussed using the concepts of Behaviour Driven Development (BDD) to write security requirements in structured plain English with JBehave. These executable specifications can then be used to automate security testing and verify the desired outcomes. He gave a live demonstration linking JBehave, Selenium 2 (WebDriver) and Burp Suite, the latter controlled remotely using a specially developed script. He explained how these ideas could be built into a continuous integration environment such as Jenkins.

Photograph of John Wilander speaking about 'Advanced CSRF and Stateless Anti-CSRF' at OWASP AppSec EU 2012 in Athens Greece

Immediately following Stephen de Vries there was another excellent presentation, from John Wilander. He defined, illustrated and demonstrated multi-step cross-site request forgery (CSRF) using a sequence of self-generating inline frames (iframes), which he described as semi-blind since the attacker never sees the responses. He explained that the common token-based defence against this type of attack cannot help in rich internet applications (RIAs) where the complete process is undertaken client-side and a single JSON request is made to the server at the end, because an attacker can forge the JSON structure. He suggested protection mechanisms including restricting the HTTP method to POST, limiting the request to Ajax where possible, and restricting the allowable media types for the request. He went on to define and demonstrate double-submit CSRF protection, showed how it could be circumvented via a vulnerable sub-domain of the same domain name (which can set a cookie that the browser then sends to the parent domain), and proposed a triple-submit CSRF protection mechanism.

Photograph of the Athens skyline

At this point I had to depart for my return journey, and unfortunately had to miss the final presentation, a keynote by Christian Papathanasiou, the closing ceremony and an early evening visit to the Acropolis Museum.

Photograph of the Acropolis at night

In summary, another very well organised conference with valuable sessions and unparalleled opportunities to meet application security experts from around the world. Apart from thanking the organising committee, especially Konstantinos Papapanagiotou, and OWASP staff for ensuring such a high standard of event, I think we should give special praise to all the excellent volunteers, including local students, who put in so much effort and were so attentive and helpful. Athens was an excellent choice.

The next OWASP Global Conferences are AppSec North America 2012 (Austin, Texas, USA) in October and AppSec Latam 2012 (Montevideo, Uruguay) in November. The next AppSec EU will be held in Hamburg, Germany during July 2013.

Posted on: 15 July 2012 at 09:17 hrs

http://www.clerkendweller.com/2012/7/15/AppSec-EU-2012-Part-2