15 April 2014


Posts relating to the category tag "vulnerabilities" are listed below.

16 January 2014

More Bad News From The Banks

It seems that although banks might be "where the money is", they may not be spending it in the right places when it comes to information security.

Partial screen capture from the blog post about smartphone banking apps and their security vulnerabilities

In December I mentioned a study of vulnerabilities in banks' websites, especially the high prevalence of cross-site scripting (XSS).

Last week saw the publication of the results of a one-week study of 40 iOS personal banking mobile apps provided by major banks throughout the world. The study reveals the rather poor state of client-side software security: all the apps could be deployed on jailbroken devices, most had non-SSL links, almost half were susceptible to Man in The Middle (MiTM) attacks because they did not validate the authenticity of SSL certificates, and half were vulnerable to cross-site scripting (XSS). Read more bad news in the blog post.

The list of security tests mentioned in the study would be worthwhile undertaking for any mobile app development plan.

I am quite surprised about this in such a highly-regulated sector. Although each compromised bank account may not have much significance to the bank, the impact on individuals is very high, and financial services regulators are likely to show concern.

Posted on: 16 January 2014 at 11:30 hrs


03 December 2013

Building Secure Software at OWASP London

The next OWASP London event will be on Thursday 12th of December 2013, at 18:00 for 18:30 hrs at Morgan Stanley in Canary Wharf.

Photograph of an office block under construction in the City of London

I am speaking, but I am particularly looking forward to Ofer Maor's presentation about Interactive Application Security Testing (IAST). The presentations are:

  • IAST: Runtime Code & Data Security Analysis - Beyond SAST/DAST
    Ofer Maor

    Until recently, Static and Dynamic Application Security Testing (SAST/DAST) dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data at runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...
  • OWASP Cornucopia
    Colin Watson

    Microsoft's Elevation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

So, there will be a broad mix of information suitable for a wide range of developers, testers, and verifiers - of whatever skill level. My own presentation will be similar to the one I gave in June during the OWASP EU Tour, but it has been specially updated for this event. There will also be news about next year's AppSec Europe being held in Cambridge. I imagine we will move to a local bar/pub at around 20:30 hrs to continue the discussion.

Further details are available on the chapter's page. Free registration is required for access to the host's building (Morgan Stanley, 25 Cabot Square, E14 4QA). Registration closes when all spaces are booked, or the evening before, whichever is sooner.

Posted on: 03 December 2013 at 08:41 hrs


16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. The book examines CISOs' responsibilities from the perspectives of governance, compliance and risk. The primary author Marco Morana is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic. It is also completely technology and vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, explains how application security risks should be managed, how to build, maintain and improve an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs


01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 is in three weeks' time, from 18th to 21st November. This is expected to be the largest application security conference in the world ever.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and real-time response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the upcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November at 1:00pm - 5:00pm (Sky Lounge, 16th Floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November at 9:00am - 1:00pm (Sky Lounge, 16th Floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November at 2:00pm - 3:00pm (Edison Room, 5th Floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John to help write code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit are available here and here. Dennis will be providing an inspirational introduction to using AppSensor, and the technical and business benefits achievable.

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence:

Training at OWASP conferences is always to a high standard, but the courses get booked up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are another 120 application security sessions available during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs


22 October 2013

OWASP London Chapter Meeting - This Thursday

The next OWASP London event will be on Thursday, 24th of October 2013 between 18:30 and 20:30 hrs.

Photograph of a light sculpture displayed during the Kinetica Museum exhibition in London

The event is kindly being hosted by Expedia Inc at the Angel Building, 407 St John Street, London, EC1V 4EX. The nearest tube station is Angel of course.

The presentations will be:

  • Using the O2 Platform, Zap and AppSensor to protect and test applications (Dinis Cruz)
  • OWASP Mobile Top 10 (Justin Clarke)

There will also be an update about next year's AppSec Europe being held in Cambridge. Further details are available on the chapter's page. Please arrive from 18:00 for a prompt start at 18:30 hrs.

Free registration is required for access to the host's building. Registration closes on Wednesday 23rd (tomorrow).

Posted on: 22 October 2013 at 07:04 hrs


21 October 2013

Web Application Scanner Comparison from Miami

Hack Miami has published a paper comparing five web application security dynamic scanning tools.

Photograph of signs showing an explanation of the beach safety warning flags and monitoring information in Florida

The paper Hack Miami Web Application Scanner 2013 PwnOff - An Analysis of Automated Web Application Scanning Suites describes a one-off comparison undertaken during the HackMiami 2013 Hackers Conference. Tests were undertaken pre and post authentication for both normal and administrative users, against three web applications (one PHP, one JSP and one .Net). The paper assessed five scanners:

  • Acunetix
  • IBM Rational AppScan Standard
  • Metasploit Pro
  • NTO Objective NTO Spider
  • Portswigger Burp.

The scanners were assessed for their interface, vulnerability detection, reporting and overall value. It is useful to also refer to other comparisons such as Web Application Security Scanner Comparison and New Magic Quadrant for Application Security Testing 2013. But even better, evaluate them yourself on your own applications and compare the results with manual testing methods.

And don't just leave security to the testing stage of development.

Posted on: 21 October 2013 at 11:18 hrs


04 October 2013

DOM-Based Cross Site Scripting

A new paper describes problems caused by the insecure handling of untrusted data through JavaScript from attacker-controlled sources, such as the document.location property, into security sensitive DOM components of an HTML page.

Partial image of a page from the paper '25 Million Flows Later - Large-scale Detection of DOM-based XSS'

Sebastian Lekies, Ben Stock and Martin Johns present an automated method to detect DOM-based cross site scripting (XSS) vulnerabilities in their paper 25 Million Flows Later - Large-scale Detection of DOM-based XSS.

The paper describes a taint-tracking approach for detection, an automated vulnerability validation mechanism and the results of a study examining over half a million pages from the Alexa top 5000 websites.
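A toy model of the document.location-to-innerHTML flow described above, together with the taint-tracking detection idea, as an added example (not code from the paper or from this post). The `Tainted` class, the function names and the hash values are assumptions constructed for the demo; it runs in Node without a browser.

```javascript
// Added example, not code from the paper or this blog: a toy model of a
// DOM-based XSS flow (document.location -> innerHTML) and of the taint-tracking
// idea used to detect such flows. Runs in Node with no browser; the
// "location" values below are constructed for the demo.

// Attacker-influenced source: values as they might appear in document.location.hash.
const SAMPLE_HASH = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'; // constructed
const BENIGN_HASH = '#name=Alice';                                      // constructed

// Minimal HTML encoder for text placed inside element content.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// A string that remembers whether it came from an untrusted source.
// A real implementation tracks this per character inside the browser engine;
// a single flag per value is enough to show the idea.
class Tainted {
  constructor(value, tainted) { this.value = value; this.tainted = tainted; }
  static source(value) { return new Tainted(value, true); }   // read from document.location
  static literal(value) { return new Tainted(value, false); } // string constant in the script
  concat(other) { return new Tainted(this.value + other.value, this.tainted || other.tainted); }
  decodeURIComponent() { return new Tainted(decodeURIComponent(this.value), this.tainted); }
  // Encoding for the HTML context clears the taint for an innerHTML sink.
  htmlEncode() { return new Tainted(htmlEncode(this.value), false); }
}

// Extracts the "name" parameter from a (tainted) hash; taint is propagated.
function nameFromHash(hash) {
  const m = /[#&]name=([^&]*)/.exec(hash.value);
  return new Tainted(m ? m[1] : '', hash.tainted).decodeURIComponent();
}

// Vulnerable page logic: untrusted data concatenated straight into markup.
function greetingUnsafe(hash) {
  return Tainted.literal('<p>Hello ').concat(nameFromHash(hash)).concat(Tainted.literal('</p>'));
}

// Hardened page logic: the untrusted part is HTML-encoded before the sink
// (using textContent instead of innerHTML would avoid the sink altogether).
function greetingSafe(hash) {
  return Tainted.literal('<p>Hello ').concat(nameFromHash(hash).htmlEncode()).concat(Tainted.literal('</p>'));
}

// Instrumented innerHTML sink: reports a flow when tainted data arrives.
// The flow is reported even for a benign value such as "Alice", because the
// detector sees the data path, not the payload; that is why the paper adds a
// separate exploit-validation step. Returns an object so it can be inspected
// without a DOM.
function sinkInnerHTML(t) {
  return { markup: t.value, flow: t.tainted };
}

for (const hash of [SAMPLE_HASH, BENIGN_HASH]) {
  const src = Tainted.source(hash);
  console.log('unsafe:', sinkInnerHTML(greetingUnsafe(src)));
  console.log('safe:  ', sinkInnerHTML(greetingSafe(src)));
}
```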

The results? Well, read the paper. Then go and fix your site!

Posted on: 04 October 2013 at 07:53 hrs


24 September 2013

OWASP ASVS for Web Applications 2013 Beta Release

OWASP's less well known, but immensely useful, Application Security Verification Standard (ASVS) for web applications has been updated and a beta version was released just prior to AppSec EU last month.

Diagram from the OWASP ASVS Web Application Standard 2013 showing the four different web application security verification levels

The ASVS Web Application Standard 2013 defines a set of technical controls for applications that should be verified as part of security testing processes. They are primarily application controls but also include relevant ones in the host environment. The document describes three use cases — for application certification, for alignment of testing methodology and for selection of external suppliers.

The number of requirement classes has been expanded to 13, and now covers:

  • Authentication
  • Session management
  • Access control
  • Input validation
  • Cryptography at rest
  • Error handling and logging
  • Data protection
  • Communications
  • HTTP
  • Malicious controls
  • Business logic
  • Files and resources
  • Mobile.

Each class includes around 10-20 specific requirements. The new sections, and the re-allocation of some requirements, mean that the numbering has changed significantly. The cross-referencing will be important for those already using the ASVS Web Application Standard 2009.

Not all the requirements need to be achieved for every application. The choice can clearly be organisation-specific, based on its own risk assessment, but the document describes four levels of verification, each successive level increasing the number of mandatory requirements.

The project team, primarily Andrew van der Stock, Sahba Kazerooni, Daniel Cuthbert, and Krishna Raja, are working on gathering feedback from the community, creating use-case examples, and mapping to other OWASP projects such as the upcoming new Developer and Testing Guides.

Please help by providing your own ideas to finalise the beta release via the project's mailing list.

Posted on: 24 September 2013 at 08:34 hrs


17 September 2013

CVSS 2 Implementation Guidance

The US National Institute of Standards and Technology (NIST) has announced a consultation period on its draft NIST Interagency Report (NISTIR) 7946, CVSS Implementation Guidance.

The contents listing from NIST's draft Interagency Report (NISTIR) 7946, CVSS Implementation Guidance

NISTIR 7946 describes use of the Common Vulnerability Scoring System Version 2.0 (CVSS v2.0) framework for communicating the characteristics of IT vulnerabilities. The draft guidance is the result of applying CVSS to 50,000 vulnerabilities and is intended to help those using CVSS.

Some weekend reading...

Comments on the draft can be sent to NIST by email to nistir7946-comments@nist.gov until 4th October 2013. They have provided an Excel template to help structure feedback.

Posted on: 17 September 2013 at 08:49 hrs


06 September 2013

AppSecEU Research 2013 Part 3

... Continued from Part 2. As I was speaking in the afternoon, I did not attend quite so many presentations on this second day of AppSecEU 2013.

Photograph taken during OWASP AppSec EU Research 2013 showing one of the conference rooms

For the first hour and half, I attended the OWASP Project Leaders' Workshop, organised by Simon Bennetts, OWASP ZAP Project leader, and Abraham Aranguren, OWASP OWTF Project leader. The meeting was used to share ideas and problems, relating to managing projects, engaging and supporting contributors, code/file repositories, sharing and coordinating approaches. I found the meeting very useful and it was good to meet some active contributors face-to-face.

Photograph taken during OWASP AppSec EU Research 2013 showing Erlend Oftedal presenting on securing a modern JavaScript based single page web application

Erlend Oftedal described how logic is shifting from the server into JavaScript, and how this approach is used in single-page web applications where the JavaScript loads data and templates, and allows navigation without page reload. He discussed common issues on the client, and also the back-end server resources such as promiscuous web services. He presented a number of recommendations for securing such applications. [video]

I took a short break to meet with other delegates and also do a final run-through check of my presentation for the afternoon.

Photograph taken during OWASP AppSec EU Research 2013 showing Stefano Di Paola

Just prior to lunch, I went back to the main auditorium to listen to Stefano Di Paola discussing anti-clickjacking measures, and problems with common JavaScript libraries such as jQuery and YUI. Stefano's deep knowledge on these subjects shone through and led to some very specific questions from the audience. [video]

After lunch the theme of clickjacking protection continued with a presentation by Martin Johns. He presented the common approaches used today, the pros and cons of these, and discussed alternative techniques. He also outlined another protection approach which he is working on with others, which was debated with other knowledgeable delegates in the audience. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing a view of the Hamburg skyline from the conference venue

Mid-way through the afternoon, I presented my own talk about OWASP AppSensor - In Theory, In Practice and In Print. I provided a brief overview of application-specific attack detection and real-time response, discussed the new guidebook currently in review and provided a link to the latest version. I then went on to demonstrate how it is possible to apply AppSensor-like capabilities to a third-party application with minimal changes to the application, yet still achieve a significant degree of protection. [video]

Immediately afterwards I stayed in the same conference room to hear Sahba Kazerooni outline the new draft OWASP Application Security Verification Standard v2. I provided some feedback on an earlier draft and it was good to hear how the beta release has moved forwards. This will be a large improvement in this already highly mature project and the team are looking for feedback before the final version is released. [video]

The final keynote was provided by Prof Dieter Gollmann of TU Hamburg, who discussed a generalised view of access control for web systems. [video]

Photograph taken during OWASP AppSec EU Research 2013 showing the organising team during the closing ceremony

In the closing ceremony Dirk Wetter presented awards for the capture the flag competition, and passed on thanks to all the sponsors, volunteers and OWASP staff who had helped make the conference happen. Sarah Baso stood up to provide thanks to Dirk, and his family, for all their input over the last year and to provide a small gift in OWASP's appreciation. [video]

It was truly a very useful and well organised conference, and despite having some worries about the split-floor venue, really that didn't seem to matter at all. It was a fantastic knowledge-rich event and I am so pleased I attended. The recordings of all the other sessions I was unable to attend are also available online, free of charge and without registration, and the slide decks will be available shortly too.

If you want to attend something similar, the next global AppSec conferences are in Latin America (Lima, Peru) in October and North America (New York, USA) in November.

The next AppSecEU event will be held in Cambridge, UK, on 23-26 June 2014.

Posted on: 06 September 2013 at 10:32 hrs


Vulnerabilities : Web Security, Usability and Design

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com