Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
4th Annual NTC ISSA InfoSec Nashville Conference August 24, 2005
http://www.owasp.org
Your Application Security Initiative – Beyond Finding Vulnerabilities
Jeff Williams, CEO, Aspect Security; Chair, OWASP; [email protected]
OWASP
Remember the Corvair?
The Automobile Market
25 Years Ago
Most cars were built without safety features
No seatbelts, airbags, crumple zones, side impact protection, etc…
Many different forces affected the market
Pinto, Nader, Oil Crisis, Regulation, lots more…
Automakers include more safety features
Becomes a critical buying factor
Competitors must improve to compete
Today
Can’t sell a car without safety
Economics
“The Market for Lemons”
By George Akerlof in 1970 (Nobel Prize for Economics in 2001)
Buyers can’t tell cherries from lemons (asymmetric information)
Market price decreases to compensate for the risk
Cherry owners are less inclined to sell
Therefore, even a competitive market is filled with lemons
The Software Market
Worse than the automobile market
Asymmetric information is carefully protected
Extremely difficult to analyze software (even with source)
Restrictive license agreements
Legal and regulatory restrictions on security analysts
Virtually guarantees insecure software
If you can’t tell the difference, why pay more?
No way to establish the benefit of secure software
Until recently, making secure software didn’t make sense
The Market is Changing!
Microsoft
Trustworthy Computing Initiative
Oracle
“Unbreakable. Can’t break it, can’t break in.”
VISA
CISP and PCI Standards include OWASP Top Ten
General Electric
Application security built into contract language
Mandatory code reviews
Constellation Energy
“Convergence” – physical, infrastructure, and application layers
Disclosure Laws Work
Recent Events
Over 50 million SSN’s (1 in 6 Americans), credit card numbers, account numbers, and driver’s license numbers stolen in the last 6 months.
ChoicePoint legal and notification costs $11.4m for 145,000 individuals
2005 FBI Survey shows 588% increase in costs associated with unauthorized access and an 80% increase in Web site incidents
Government Action
Federal government and over half the states have “breach, notify, and freeze” legislation pending.
FTC leading lawsuits against companies that fail to protect consumer data in their applications
NIST and DISA standards now include stringent application security requirements
[Chart: 2005 Privacy Incidents, individuals affected per month from Feb through Jul; vertical axis from 0 to 60,000,000]
The Future
Software Facts
Ingredients: Sun Java 1.5 runtime, Sun J2EE 1.2.2, Jakarta log4j 1.5, Jakarta Commons 2.1, Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1
Modules 155
Modules from Libraries 120
Expected Number of Users 15
Typical Roles per Instance 4
Usage: Intranet, Internet
% Vulnerability*
Cross Site Scripting 22 65%
Reflected 12
Stored 10
SQL Injection 2
Buffer Overflow 5
Total Security Mechanisms 3
Encryption 3
Authentication 15
95%
Access Control 3
Input Validation 233
Logging 33
Modularity .035
Cyclomatic Complexity 323
* % Vulnerability values are based on typical use scenarios for this product. Your Vulnerability Values may be higher or lower depending on your software security needs:
Usage: Intranet / Internet
Cross Site Scripting: Less Than 10 / 5
Reflected: Less Than 10 / 5
Stored: Less Than 10 / 5
SQL Injection: Less Than 20 / 2
Buffer Overflow: Less Than 20 / 2
Security Mechanisms: 10 / 14
Encryption: 3 / 15
Software Security Is A Different World
Network Security
Part of IT
Networking Experts
Product Focused
1000’s of Copies
Signature Based
Patch Management
Software Security
Part of Business Units
Software Experts
Custom Code Focused
1 Copy of Software
No Signatures
Prevent Vulnerabilities
Don’t let anyone rely on network security techniques to gain software security
Root Causes of Application Insecurity
People and Organization Examples
Lack of training
Responsibilities not clear
No budget allocated
Process Examples
Underestimated risks
Missed requirements
Inadequate testing and reviews
Lack of metrics
No detection of attacks
Technology Examples
Lack of appropriate tools
Lack of common infrastructure
Configuration errors
[Figure: Custom Code spanning the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce, resting on three root-cause layers: Untrained People and Organizational Structure Issues; Missing or Inadequate Processes; Missing or Inadequate Tools, Libraries, or Infrastructure]
Targeting the Root Causes
Process Goals
Risk Understood: Security activities driven by application security risk
Security Considered: Integrated into all the activities in the SDLC
Security Open: Information about security is available and verifiable
Flaws Identified: As quickly as possible after they are introduced
Technology Goals
Security Tracked: Within projects and across the entire organization
Best Tools: For developing and testing the security of applications
Standard Technology: Common approach to the typical security areas
Attacks Monitored: Attacks on applications are identified and handled appropriately
People Goals
Shared Understanding: Everyone in the organization shares an understanding of app security risk levels
Responsibility Assigned: Security assigned for each project and the organization as a whole
Support Available: For developers who need help with application security
Developers Trained: In application security and the organization’s approach
Getting Started
Check out some applications
Find out whether you’re vulnerable or not
Build a case for management
Evaluate your capability
Assess your organization and processes
How will security best fit into your culture
Key Enhancements
Establish requirements and testing processes
Tailor standard requirements for each project
Use OWASP Testing Guide
Start up an application security team
A centralized team is key to building a capability
Developer security training
Check out OWASP WebGoat
Advanced Enhancements
Establish a global application risk register
Track issues, create insight
Negotiate security in contracts
Use OWASP secure software contract annex
Build Application Security “Brand”
Easy to understand labels for risk and security levels
Application Security Capacity Scorecard
Maturity levels
Level 0: Ad Hoc
Level 1: Demonstrate Need
Level 2: Fundamentals
Level 3: Institutionalize
Level 4: Metrics
Level 5: Continuous Improvement
Dimensions: Process, Technology, People
Scorecard activities
AppSec Rqmts Process
Coding Best Practices
Global Risk Register
Std. AppSec Mechanisms
AppSec Testing Process
Developer Training
Assign Responsibility
Secure Deployment
AppSec Dev. Env.
Security Architecture
Risk Dashboard
Contracting Process
Form AppSec Group
Analyze Critical Apps
Evaluate Capabilities
Certification Program
Rely on Developers/Users
Establish AppSec Brands
AppSec Vuln. Analysis
OWASP Can Help
Open Web Application Security Project
Nonprofit Foundation
All materials available under approved open source licenses
Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month
OWASP is dedicated to finding and fighting the causes of insecure software
OWASP Supports Your Initiative
OWASP Top Ten: Set priorities, get management buy-in
OWASP Guide: 300 page book for application security
OWASP Secure Software Contract Annex: Achieve meeting of the minds on application security
OWASP Testing Guide: Test/analysis methods for application security
OWASP WebScarab: Web application & web service penetration tool
Some of What You’ll Find at OWASP
Community
Local Chapters, Translations, Conferences, Mailing Lists, Papers and more…
All free and open source
We encourage your company to support us by becoming a member
Documentation
Guide, Top Ten, Testing, Legal, AppSec FAQ and more…
Tools
WebGoat, WebScarab, Stinger, DotNet and more…
Questions & Answers