...Application Security...

How Would You Change App Store/Market Permission Models?

2012-01-06T10:01:00.000-08:00

In a shift from my normal informational type posts, today I'm interested in starting a discussion on the topic of App Markets/Stores.

Apple has a more rigid review process and a slower time to market for Apps. Google allows apps quickly to market and relies on the visibility of requested permissions and shifts security decisions to the users. (Very basic descriptions, there are many more moving parts)

Which model is working better? If you could make changes to either model, what would you change?

Interested in thoughts and ideas.

-Michael Coates - @_mwc

Free Application Security Training Course at Beaver BarCamp 3

2011-10-03T03:00:00.000-07:00

At the end of October I will be hosting a free web application security training course at Beaver BarCamp 3. The conference will be held on Saturday, October 29 from 10am to 6pm at Oregon State University. Beaver BarCamp is free and open for anyone to attend!

What is this barcamp conference?

BarCamp is an ad-hoc gathering born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants who are the main actors of the event. — barcamp.org

The list of events aren't fully published yet, but you can take a look at last year's agenda to get an idea what type of topics may be discussed at the conference.

Hope to see you there.

-Michael Coates - @_mwc

Article Published: Creating Attack-Aware Software Applications with Real-Time Defenses

2011-09-13T07:30:00.000-07:00

CrossTalk, The Journal of Defense Software Engineering, has just published our article "Creating Attack-Aware Software Applications with Real-Time Defenses" in the September edition. A huge kudos to the entire team and especially Colin Watson for leading this effort.

Authors:

Colin Watson @clerkendweller
Michael Coates @_mwc
John Melton @carosec
Dennis Groves @degroves

Abstract. Attack-aware software applications provide attack detection and real-time defensive response with a very low false-positive rate. This technique allows an application to detect and neutralize a threat before the attacker exploits a known or unknown vulnerability. The approach is especially suited to soft-
ware applications with high information assurance requirements such as in the defense, critical national infrastructure, and financial service sectors to protect against cyber espionage, fraud, business logic abuse, tampering, and theft. The Open Web Application Security Project (OWASP) has developed a methodology, documentation, code and pilot demonstration which can be freely used to apply the concepts; this project is called AppSensor.

Full Article (pdf)

-Michael Coates - @_mwc

Joining OWASP Board

2011-08-18T17:35:00.000-07:00

The 2011 OWASP elections have concluded. I'm thrilled to have the support and backing of the OWASP community as they've voted me to one of the three board positions.

For readers of my blog that aren't already aware of OWASP, this is a worldwide non-profit & open source organization with the mission of improving the state of application security. This translates to an incredibly talented group of security experts all working towards a common good.

Open source, free from corporate control, free to the world - what more could you ask for?

I've been a long time OWASP supporter, have led and contributed to several projects, spoken at numerous conferences in the US and Europe and now I am excited to continue advancing the mission of OWASP through my efforts on the board.

I'd love to hear people's goals and ideas for OWASP. But as a volunteer community that empowers everyone, I'd more like to see you take those ideas and run with them! OWASP is a community of action and on the OWASP board I will work to empower individuals around the world with the resources, audience, and tools that are needed to continue producing top notch security materials.

Take a moment and help contribute to the OWASP mission.

How can you help?

Start or join an OWASP project
Expand the OWASP wiki
Become a member
Attend the next OWASP Conference
Stop by at your local chapter meeting
Participate on the email lists or the community site

-Michael Coates - @_mwc

Hiring Response to Recent Attacks Is Misguided

2011-08-12T10:26:00.001-07:00

Sadly the response to security compromises in the news seems to be a push to buy more firewalls. Firewalls provide no defense against application security attacks. The article below reminds me of a great chart by Gunnar Peterson

According to the barclay interim report which is also being referenced in stories on CSOonline.com

The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike.

If you read through the barclay report you'll notice they are specifically referring to the following high profile events:

Attacks against:

Visa, Amazon, MasterCard and PayPal
The multiple Sony compromises
Nintendo, RSA SecurID, Gmail and CitiBank

Some of these were distributed denial of service attacks, but many were application specific attacks that resulted in the compromise and data disclosure. If the concern is SQL injection and application security, then invest in your SDLC and look for application security experts. No amount of firewalls will help this issue.

Now, don't get me wrong. We still need firewalls and many network security experts. They provide invaluable security services. Just make sure your strategy is actually addressing the problem you are attempting to solve.

-Michael Coates - @_mwc

OWASP 2011 Elections - Vote Now

2011-08-08T15:49:00.000-07:00

The voting is now open for the OWASP 2011 elections. I've been a passionate supporter of OWASP for years, a leader of multiple OWASP projects, a speaker at the conferences and am excited about the possibility of joining the OWASP board.

Please read more about my background and my vision for OWASP. You can also listen to the board candidate interviews. Here is the link to the OWASP 2011 elections wiki page with all the info.

Watch your email for the voting link and thanks for your support.

My Vision For OWASP

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem. Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized. OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.
My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission. OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world. I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world.
In addition, I feel the OWASP board should work to help OWASP identify key challenges that should be focused upon in a planned period of time. The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverages our collective expertise and also support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.
The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

Breaking out of the Echo Chamber: OWASP should focus on working with people that have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.

Funding: OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big. I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.

Integration with Enterprises: As a security professional employed at a major technology company I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing. This involves sitting down with these industries through our global committees and identifying their needs and how we can help meet them.

Community and Open: I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals that donate their time and skills. I plan to grow our community and identify ways we can further strengthen the worldwide community.

-Michael Coates - @_mwc

Enhancing Secure Communications with Strict Transport Security

2011-07-11T07:36:00.000-07:00

New security capabilities in Firefox, Chrome and several other browsers enable web applications to create a more secure browsing experience with users.

Summary

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Background & Details

As an application owner one of your goals, in addition to providing an exceptional experience to the user, is to provide a secure interaction with your web application that protects any data submitted by, or sent to, the user. However, during the user's interaction with the web application the user may be targeted by malicious parties that are attempting to compromise the confidentiality or integrating of the browsing session. Their goal may be to view the sensitive data that is transmitted between the user and the application or possibly modify the exchanged data to install malicious viruses on the end user's machine or trick the user to insecurely provide their credentials so the attacker can steal this information.

The primary defense mechanism to protect data exchanged between the user and the web applications is to allow users to interact with their web application over Secure HTTP (i.e. HTTPS). When properly configured HTTPS establishes a secure channel between the user and web application which guarantees the data cannot be read, modified, or replayed by a third party. However, there are many situations where a web application has been incorrectly designed which invalidates these guarantees and places the user at significant risk to these man-in-the-middle attackers. (See TLS Cheat Sheet)

Recent security enhancements to Firefox and Chrome now allow websites to instruct the end user's web browser that the specific website should only be accessed over HTTPS. In other words, the website now has the power to instruct the user's browser to not send any insecure communications to the website's domain. This is accomplished by a new feature called Strict Transport Security.

Example of the HTTP Strict Transport Security header
HSTS is enabled by an additional response header set by the web application

Strict-Transport-Security: max-age=60000

HSTS Eliminates Certificate Error Messages and User Override
HSTS is a specific opt-in security control that is enabled by a website for a specific domain. By enabling this control a website is saying that the user should only interact with this domain over a secure channel and similarly, never send any data over an insecure communication channel. Therefore, if the browser cannot validate that a secure channel has been established for any reason (e.g. expired certificate, domain mismatch, untrusted issuer) then no data will be sent by the browser and the user will receive an error page. Unlike the typical certificate error page that allows a user to accept the risk and continue, the HSTS error page does not allow a user to override the message. The logic behind this is that the website has specifically enabled HSTS and there should be no legitimate scenario that results in an invalid certificate.

Protecting Against Users Bookmarking HTTP or Typing HTTP to Reach Site
HSTS also protects against a common scenario that places users at risk with many HTTPS websites. A user that visits a website from a bookmark or search engine result may initially request the HTTP page for the site. Most sites will quickly redirect the user to the correct HTTPS page. However, this initial request and response is sent over clear text HTTP and could be tampered with by an attacker. If the user is not vigilant they could enter their credentials on a page that has been modified by the attacker to steal the user's information. HSTS eliminates this vulnerability by instructing the browser to "upgrade" the initial HTTP request to HTTPS before it leaves the browser. As a result the user only interacts with the site over a secure channel and never gives the attacker a chance to tamper with any of the exchanged data.

Who Should Use HSTS?
Sites that currently offer HTTPS access should strongly consider adopting HSTS. If there is any reason for offering a secure connection then it is prudent to ensure that users are able to leverage the increased security capabilities offered by HSTS.

More Information
More information can be found at the following links. In addition, two popular sites currently using HSTS include paypal.com and addons.mozilla.org. Check them out to see HSTS running live.

Wikipedia.org entry

MDN Docs for HSTS

-Michael Coates - @_mwc

OWASP Communications Survey - Results

2011-06-06T09:21:00.000-07:00

Two weeks ago I launched a Google survey to better understand the communication preferences of OWASP members and the OWASP community. The survey is now closed and here are the results.

Survey Information

Publicized via leaders email list, OWASP RSS news feed, personal blog (michael-coates.blogspot.com)
Open for 2 weeks 5/23/2011 - 6/6/2011
73 Responses
No authentication required to complete the survey - results could contain duplicates
5 multiple choice questions targeting frequency of using various OWASP communication methods
1 question to identify primary method of communication
1 question to identify if user has an OWASP.org email account
1 free form text box for suggestions

Results

	Primary Method	Often or Occasionally Used
Leaders Email List	34%	78%
RSS News Feed	29%	66%
Local Chapter Email List	21%	79%
OWASP Twitter @OWASP	11%	42%
OWASP Twitter Feed @OWASP_feed	3%	26%

Summary of Responses

Raw data can be found here

Survey Observations

Email and RSS feeds are the dominant method of information communication
The primary OWASP twitter account is checked by less than half of the respondents (42%)
Large majority (75%) of respondents have OWASP.org email accounts. If desired, future surveys could target just OWASP members and require owasp.org email login
There were multiple comments requesting a forum
There were multiple comments requesting a more formal OWASP PR department and an "official voice" of OWASP via some channel

My Feedback
The google survey is surprisingly easy to use. I think this is a very good method of gathering community feedback and we should consider creating more surveys in the future. Just like with any survey, we have to be very careful on wording on question presentation to minimize influencing the results. Also, I'll get a wiki page setup to capture these survey results and future OWASP surveys.

-Michael Coates - @_mwc

OWASP Survey on Preferred Communication Methods

2011-05-24T22:48:00.000-07:00

I'm curious to find out how people are learning about OWASP news and events. There are a variety of technologies available (RSS feed, twitter account, leaders list, OWASP home page, etc)

I've create a google survey with 9 questions to try and capture some of this information. You can complete the survey at the following link. This survey is open to anyone and no sign-in is required.

Survey link:
https://spreadsheets.google.com/spreadsheet/viewform?formkey=dGFRS0M5Rm0tMy1CWEh3ampVNnpmbWc6MQ

-Michael Coates - @_mwc

Running for OWASP Board

2011-05-22T22:01:00.011-07:00

OWASP Board Elections: Michael Coates

I'd like to announce that I'll be running for one of the three seats available in the 2011 OWASP board election.

My candidacy is now listed on the OWASP elections page and includes a link to my bio and vision for OWASP. I've been involved with OWASP for years as a project owner, global committee member, corporate supporter representative and speaker at many OWASP conferences. I strongly believe in the mission and the OWASP organization.

Vision For OWASP

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem. Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized. OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.

My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission. OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world. I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world.

In addition, I feel the OWASP board should work to help OWASP identify key challenges that should be focused upon in a planned period of time. The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverages our collective expertise and also support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.

The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

* Breaking out of the Echo Chamber: OWASP should focus on working with people that have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.

* Funding: OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big. I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.

* Integration with Enterprises: As a security professional employed at a major technology company I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing.

* Community and Open: I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals that donate their time and skills. I plan to grow our community and identify ways we can further strengthen the worldwide community.

-Michael Coates - @_mwc

Network Provider Modifying Application Traffic En Route To Users?

2011-05-18T01:28:00.000-07:00

To keep up with a growing demand for wireless internet service some providers are adding clauses that allow them to optimize traffic by the real time modification of large media files such as video and image.

These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. [Services Terms and Conditions - Verizon]

More info on their network optimization.

Perhaps you've fallen under the thinking that your site doesn't need SSL/TLS because you are not transferring or accepting any sensitive user data. Besides this being flawed logic, you may want to reconsider your position given this information. This new policy may cause a portion of your users to receive images and videos in a format or quality different than you have specified.

To ensure your delivered traffic is received as intended you need to use SSL/TLS. A site delivered via SSL/TLS cannot be tampered with anyone between the website and the user. Any attempts to modify or intercept this traffic will result in a certificate failure and alert to the user[1].

As the move to wireless internet continues to grow so will the strain on the network and the number of users visiting your application via a wireless provider. If you want to ensure that your images and video are delivered in the quality and format that you've specified, and not the decision of the network provider, then you need to move to HTTPS for your sites now.

Note: Please take a look at the OWASP Transport Layer Protection Cheat Sheet to avoid common vulnerabilities in design and deployment of SSL/TLS

[1] - There are exceptions if the certificate is issued by a CA that has been added to the end user's browser root certificate store e.g. corporate adds SSL proxy CA to all issued machines.

-Michael Coates - @_mwc

Attack Aware Applications - Presentations Around The World

2011-05-10T04:08:00.013-07:00

Several years ago I started the OWASP AppSensor project to build a strategy for equipping applications with real time attack detection and response. The project has really grown since its inception and has many excellent contributors actively growing the project.

Here is a list of the currently planned 2011 presentations on Attack Aware Applications, aka AppSensor. I hope you have the opportunity to attend one and learn more.

10th February, OWASP World Summit - Portugal
23rd March, OWASP San Antonio Chapter Meeting
18th April, OWASP Minneapolis Chapter Meeting

The following presentations will be lead by long time contributor Colin Watson. More information can be found at this link.

12th May, ISSA UK application security training day at National Codes and Cipher Centre, Bletchley Park, UK — a high-level overview of application defence with a focus on how this can contribute to a reduction in operational risk (free to ISSA members, registration required).
19th May, 2nd International Secure Systems Development Conference, London, UK — an introduction to OWASP AppSensor (chargeable).
25th May, OWASP Greece chapter Training Day, Athens, Greece — introduction and walk-through on how to identify and select attacker detection points (free to OWASP members, registration required). Colin will also be presenting Software Assurance Maturity Model at this event.
9th June, AppSec EU 2011, Dublin, Ireland — an update on the OWASP AppSensor project including how to build the concepts into your own software projects (chargeable, discount to OWASP members, registration required).
16th June, OWASP Belgium chapter meeting, Brussels, Belgium — a repeat of the AppSec EU presentation (free, registration required).
21st September, OWASP USA, Minneapolis, Minnesota USA — Application Attack Detection & Response - A Hands-on Planning Workshop

-Michael Coates - @_mwc

Have Presentation - Will Virtually Travel

2011-05-09T04:03:00.001-07:00

Over the past two months I've had the opportunity to remotely present at two different OWASP chapter meetings - OWASP San Antonio and OWASP Minneapolis. I had been talking with Dan Cornell (San Antonio) and Adam Baso (Minneapolis) for quite some time about getting out to each location for a presentation. Unfortunately, the travel just didn't line up. At this point we looked at other options and the idea of a virtual presentation to the chapter was born.

Technology

For the San Antonio presentation we used Skype for video and audio and the slides were manually advanced on a local projector at the San Antonio chapter meeting. This setup allowed the audience to see me and I could also see most of the room via the chapter meeting's Skype camera. This setup worked pretty well, but it would have been better if I was able to control the slides.

At Minneapolis we used WebEx. With this setup I was still able to see and hear the room, but I also had full control of the slide deck and the ability to remotely share my browser for live demos. This worked really well and is the setup I'd advise for future remote presentations. In addition to the local chapter attendees, the WebEx meeting link was also sent out to the full OWASP mailing list and many other people were able to remotely join in.

In both setups the biggest problem was the ability to clearly hear the audience's questions. I could hear questions from attendees sitting close to the chapter's WebEx machine. However, for those that were sitting further away, I needed the local chapter leader to repeat the question closer to the microphone. In the future, I'd recommend that the local chapter obtain a wireless microphone that could be connect to their WebEx computer.

Audience Feedback

I received good feedback from the presentations. Although it’s always ideal to have a speaker present in person, I feel like two-way video created a great environment for a remote presentation. Based upon the two virtual presentations I've conducted so far, I'd definitely recommend that other chapters explore virtual presentations to compliment their normal speaker schedule.

Please feel free to ping me with additional questions or to coordinate a virtual presentation for your chapter.

-Michael Coates - @_mwc

Bringing Web Application Security to University Students

2011-04-26T11:58:00.000-07:00

Over the weekend Mozilla led an open source boot camp at Stanford University with a great lineup of courses including a hands-on web security lab where students performed actual exploits against a vulnerable web application.

The goal of the web security workshop was to educate students about top security threats facing today’s web applications. By allowing students to perform exploits themselves, the students were able to fully grasp both the impact of these weaknesses and also the ease at which an attacker could compromise a vulnerable application. The combination of the lab actives and secure coding principles provided the next generation of computer scientists with the skills to better understand web application threats and the importance of building security into their applications.

Unlike a traditional presentation where there is one speaker and many listeners, the web security workshop leveraged a vulnerable web application platform created by OWASP that enabled students to perform actual exploits against a running web application.
The workshop addressed four prominent web application security issues:

cross site scripting
access control
SQL injection
cross site request forgery

The event was structured to provide each student with an understanding of the vulnerability, knowledge of the impacts and risks the vulnerability poses to users, the ability to exploit the vulnerability within a running application, and the secure design patterns necessary to avoid these weaknesses in their own applications.

The web security workshop was a great success and received very strong feedback from the students. Students particularly enjoyed the lab element that allowed them to put the new skills they’d just learned into use.

The full slide deck and notes on how to setup the web security testing software are online for anyone that would like to work through the material on their own. Mozilla is hoping to conduct similar open source workshops at other universities around the world.

Full List of Mozilla courses at the boot camp:

7 Lessons from Mozilla – Pascal Finette & Todd Simpson, Mozilla Labs
Hacking the Firefox UI, Shawn Wilsher & Frank Yan
Managing Software at Internet Scale, Christian Legnitto
Web Security, Hands on Learning, Michael Coates
Frontend Development Foundations, Matthew Claypotch
Scaling a Web Application, Jeff Balogh

-Michael Coates - @_mwc

Enabling Browser Security in Web Applications

2011-03-31T13:18:00.004-07:00

HTTPOnly, Secure Flag, Strict Transport Security, X-Frame-Options, Content Security Policy

[Cross Post with http://blog.mozilla.com/webappsec/]

The vast majority of application security occurs within the application’s code. However, there are a few key security controls that are enabled by the web application dictating security properties to the web browser. These security properties enable the browser to impose additional security controls on items such as cookie handling, framing, and even the processing of JavaScript. These controls provide an additional layer of defenses which will either eliminate certain attack vectors or, at a minimum, minimize the impact of particular client-side attack types.

Some of these defensive controls have been around for awhile and others are newly supported in Firefox 4 and other modern browsers. Mozilla has been rolling out these controls across all of our websites with a high degree of success. It should be noted that these controls are not a substitute for secure development practices. Instead, they are another layer of defense that can be used to protect users and data in the event of an unknown gap elsewhere in your application.

HTTPOnly

Benefit: Minimizes impact of cross site scripting vulnerability by preventing JavaScript access to the session cookie.

Limitations: Does not prevent against any other malicious actions from XSS (phishing, malicious redirects, etc)

Example within HTTP Response:
Cookie: sessiondID=kljahsdf123; HTTPOnly;

Additional Reading:
http://www.owasp.org/index.php/HttpOnly

Secure Flag

Benefit: Instructs the browser to never send the cookie over a HTTP request. The cookie can only be sent over HTTPS. This works even if the user manually types in a request for HTTP. The HTTP request will be sent, but the browser will not send any cookies marked as “SECURE”

Limitations: The HTTP Request is still sent and this could be manipulated by a man in the middle to perform convincing phishing attacks (See Strict Transport Security for solution).

Example within HTTP Response:
Cookie: sessiondID=kljahsdf123; SECURE;

Additional Reading:
http://code.google.com/p/browsersec/wiki/Part2
https://developer.mozilla.org/en/DOM/document.cookie

Note: When setting both HTTPOnly and SECURE flags you will simply have both values for the cookie:
Cookie: sessiondID=kljahsdf123; HTTPOnly; SECURE;

Strict Transport Security

Benefit: Instructs the browser to never send requests to the domain over HTTP. Requests can only be sent over HTTPS. Think of this as the Secure flag for the entire request. This will protect the user even if they manually type in HTTP into the URL. The browser will upgrade this to HTTPS, assuming the site has previously enabled HSTS, and only the HTTPS request will be sent over the network.

Limitations: Only supported in most recent browser versions; however, support is quickly growing.

Example within HTTP Response:
Strict-Transport-Security: max-age=60000

Additional Reading:
https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security

X-Frame-Options

Benefit: Instructs the browser to disallow framing of a domain or limit framing to only sites of the same domain. This prevents clickjacking attacks and other malicious framing actions.

Limitations: Not supported in very old browser versions.

Example within HTTP Response:
X-Frame-Options: DENY
or
X-Frame-Options: SAMEORIGIN

Additional Reading:

https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

Content Security Policy (CSP)

Benefit: CSP provides some amazing benefits. After a website is setup appropriately (no use of inline JavaScript) and a policy has been established, CSP will effectively prevent XSS where attacker controlled data is embedded in the HTML document. This works since the policy has established what JavaScript code is allowed and any other JavaScript that may make its way into the webpage via user input is flagged by the browser and blocked.

Limitations: Supported in Firefox 4 and plans for support in Chrome. It is still possible to introduce XSS vulnerabilities by not properly validating and sanitizing JSON content, or by including attacker controlled data in dynamically generated JavaScript code. Even if CSP is only supported by a portion of users it can act as an alerting system via the the report-uri to detect and report CSP violations that could be an attack.

Example within HTTP Response:
X-Content-Security-Policy: allow ‘self’ *.mydomain.com

Additional Reading:
https://developer.mozilla.org/en/Introducing_Content_Security_Policy
https://developer.mozilla.org/en/Security/CSP/Using_Content_Security_Policy

-Michael Coates - @_mwc

Launching OWASP Defenders Community

2011-02-23T10:20:00.000-08:00

I've created the OWASP Defenders Community as the first step towards a vision of OWASP I outlined the other day. John Wilander is leading the charge on the builders / developer community (and I just received an email from Thang Nguyen volunteering to lead the breakers community.

Check out the wiki page here. Note that this is a community. So if you want to be a part of this I highly encourage you to provide the basic bio information and picture as seen on the Community tab. You can upload the data yourself or send it to me (michael.coates@owasp.org)

The OWASP-Defenders mailing list is also setup, Subscribe here.

Lots of great things coming down the pipeline. Check out the roadmap and please jump on board.

-Michael Coates - @_mwc

A Vision For OWASP

2011-02-21T11:18:00.001-08:00

There's been lots of talk over the last few weeks about OWASP. Is OWASP at a tipping point? Where should OWASP go next? Has OWASP lost touch withdevelopers?

These three posts provide very interesting insight about OWASP and some concerns in the community. Some individuals may view these discussions and think that OWASP is in trouble and is crumbling. I think that nothing could be further from the truth.The reality is that OWASP is growing by leaps and bounds. Community involvement is up, membership is up and projects are growing. We just held a fantastic summit that gathered the best security minds in the world. Sure, we have issues to address, but that is a result of our growth and our desire to be better. The fact that people are discussing how to make OWASP better points to the strong desire for OWASP to succeed.

Enough for talking without acting, here's how I think OWASP can grow to meet the new demands we are seeing.

Greater focus and involvement from key security groups - builders, breakers, defenders
Get the right people to the table. We have lots of consultants, let's increase enterprise/industry represenation
A shift from quantity to quality
Use OWASP as a platform for growth and support (as mentioned during the summit)
Do away with the notion of the board driving all decisions and direction. The board will assist and support everyone's efforts. But the people are the true drivers.

Here is a model that I think would be successful for OWASP. The focus is on building communities around builders, breakers & defenders (am I missing anyone?). The intent isn't for these groups to operate in isolation; instead the goal is to get the correct stakeholders united to address the key security issues that they are facing. Developers know what developers need and how development works. So let's get security minded developers together to address the issue. If they need information from the breakers or defenders, then just ask, we're all OWASP. Let's do the same for the breakers community and the defenders community. The intent is to drive security by getting the best people together to solve the right problems in areas where they are experts.

Moreover, within OWASP these groups should be champions of projects within their domain. No more half-baked or abandoned projects. Each community should be able to vouch for the quality of the projects in their area. If its not up to snuff, then fix it or cut it. Is a key project missing? Then develop a strategy and plan to fill the gap with quality material. If OWASP wants to succeed then we need to focus our efforts in the right areas and create high quality outputs.

One last thought, which is probably the most import, this model is all built on top of the OWASP platform. OWASP has a voice and is a gathering point for security excellence throughout the world. Let’s leverage this incredible community and focus our efforts for some truly awesome results.

Don't like this model? Then suggest something better. Talk is cheap; let's get some results.

Here's how to get involved

Want to join the developer/builder community? Email John Wilander (john.wilander@owasp.org)

Want to join the defender community? Email me - michael.coates@owasp.org

Breakers? We need a leader.

A community for c-level security people? Need a leader here too.

-Michael Coates - @_mwc

Cross Origin Header Forging for CSRF Attacks

2011-02-09T06:15:00.000-08:00

Django and ruby on rails just released security updates (here and here) to address an attack that would allow CSRF through forged headers. Previously these two frameworks provided a CSRF defense for XHR requests that was based on the presence of the X-Requested-With header. The idea was simple, the header was automatically added during normal use of the XHR request by the user and an attacker was unable to spoof or forge a header in the context of a cross domain setting (e.g. CSRF attack). We discussed this a few months back and the consensus was that this approach was safe.

Apparently that has all changed. The details are currently very limited (or I just haven't found them). This is what is provided at the django and ruby on rails security update pages:

Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests.

Michael Koziarski of the Rails team brought this to our attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django's CSRF handling.

I'm very curious to find out more. Is a proof of concept available? What browser plugins are required for this attack? The potential exposure must be large because both frameworks have released a "backwards-incompatible" patch.

This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case.

-Michael Coates - @_mwc

Live Demo of Attack Aware Application using AppSensor

2011-02-03T10:19:00.000-08:00

Following up on my earlier post on Attack Aware Applications, I wanted to direct readers to a live demo implementation of an application using these ideas. The app is available at the following url: https://defendtheapp.com:8443/AppSensor-Tutorial/lesson.jsp

This is a running demo of the AppSensor-Tutorial code that is free and open. It is a part of the OWASP AppSensor project and fully leverages ESAPI code behind the scenes.

There is also another demo of a social network site using AppSensor technology. You can see a video of this site in action here and download the source code here.

We are always looking for more contributors to the AppSensor project. Please join our mailing list and share your ideas.

Lastly, if you will be attending the OWASP World Summit next week I encourage you to attend the Secure Coding Workshop - Defining AppSensor Detection Points

-Michael Coates - @_mwc

Attack Aware Applications

2011-02-03T04:02:00.006-08:00

(cross post with blog.mozilla.com/webappsec)

We are working hard to advance the security of Mozilla web applications. This includes efforts such as threat modelling, security training, security throughout development, code review, testing, the bounty program, and more. In addition to secure development, we are also working to make our applications “attack aware”.

The idea behind an “attack aware” application is that the application is able to identify abnormal user actions that are not due to user errors, such as typos, and are instead the result of deliberate attacks against the application. The goal is to detect a malicious user probing for application weaknesses and disable their ability to cause damage to the system.

An “attack aware” application uses a blacklist style detection of a potential attack. It is important to realize that this is not intended to be a substitute for secure design principles. Instead, it is an additional detection capability layered on top of a securely designed application. Think of a bank that has been built securely and then installs an alarm system to detect attempted attacks.

The value of “attack aware” applications is in the correct selection of detection points that minimize false positives and effectively detects malicious activity. For example, detecting a single tick (‘) within a text field (which could be used for SQL injection testing) is a bad detection point since there will be many false positives with legitimate uses of that character (e.g. the name O’malley, or just typos).

An example of a good attack detection point is detecting malicious values within password reset token URLs (e.g. site.com/resetToken?k=abc ‘ OR 1=1;–). There is no reason a user would accidentally modify the URL to include a potential SQL injection attack. Therefore false positive rates are low and the likelihood of the user purposively attacking the application is high. This is only one example of the detection points we are using. The OWASP AppSensor research project provides numerous detection points and covers this topic in much more detail.

The next question is what should be done after an attack is detected? Currently we are monitoring attack reports from our attack aware applications. This data is all fed into a security integration manager that allows us to monitor trends and investigate individual attack reports. We are moving towards building a system that will enable us to selectively block the offending user from the application to prevent further attacks.

What about the bounty program? These additional defenses are slowly being rolled into our systems and we don’t expect any impact on the bounty program in the near future. However, when the time arrives one possible solution is to provide a mirror environment of bug bounty sites for security testing and enable the primary application with the attack aware capabilities and response options.

Please direct comments to the mozilla blog post

-Michael Coates - @_mwc

Application Security Tutorial Videos

2011-01-31T10:45:00.003-08:00

A fantastic new project just started at OWASP titled AppSec Tutorial Series.

From the project page:

The OWASP Appsec Tutorial Series breaks down security concepts in a easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology.

The project is led by Jerry Hoff and you can find the first video here and also embedded below. Enjoy!

-Michael Coates - @_mwc

OWASP World Summit 2011

2011-01-24T08:38:00.001-08:00

In just a few weeks the OWASP World Summit will take place in Lisbon, Portugal. Unlike many security conferences that have a handful of speakers and many listeners, the OWASP World Summit is designed in a working session style format where top security experts meet to solve pressing problems in application security. This isn't just a bunch of presentations, this is where real security work gets done.

The lineup of working tracks is pretty spectacular, including a dedicated track to secure coding, an entire day of browser security, and a track with the specific focus of cross-site scripting eradication. In addition, OWASP will be looking inward on how the organization can be structured to grow and continue providing top security resources to the world.

A security conference would be nothing without the right people, and this event is definitely drawing a great crowd.

All the top OWASP leaders and security gurus from: Mozilla, Google, Microsoft, Paypal, Facebook, Apache, Verizon, Dell, leading security consulting groups (Aspect Security, Cigital, Denim Group) and many more.

(Take a look at the full roster here)

I'll be at this event for sure. The last OWASP summit in 2008 was great and I'm expecting even more this time around. Please flag me down and say hello if I don't run into you. I'll be in multiple working sessions, but you can find me for sure in these two that I will be leading.

Secure Coding Workshop - Defining AppSensorDetection Points

Enterprise Web Defense Roundtable

-Michael Coates - @_mwc

A Study of HTTPOnly and Secure Cookie Flags for the Top 1000 Websites

2010-12-28T22:46:00.002-08:00

A study of HTTPOnly and SECURE cookie flag settings for the top 1000 websites serving HTTPS content

A basic HTTPS request was sent to to the top 1000 websites. The HTTP responses were investigated to observe the usage of HTTPOnly and SECURE cookie flags. Here is what was found:

Unique Domains Responding: 162
    Domains responding to https://www.<site>: 141
    Domains responding to https://<site>: 88

Total Cookies Gathered: 559
    Cookies from https://www.<site>: 373
    Cookies from https://<site>: 186

HTTPOnly Flag
Total unique count of cookies using secure flag: 26
    Cookies from https://www.<site>: 25
    Cookies from https://<site>:11
    Note: 10 of the 11 sites from https://<site> were duplicated within the https://www.<site> results

SECURE Flag
Total unique count of cookies using secure flag: 15
    Cookies from https://www.<site>: 15
    Cookies from https://<site>: 0

Session Cookies
Cookies containing the word "session": 91
    Total unique count of these cookies marked HTTPOnly: 12
    Total unique count of these cookies marked SECURE: 8
    Total unique count of these cookies marked SECURE & HTTPOnly: 1 (https://www.clickbank.com)

HTTPOnly & SECURE
Total number of cookies marked HTTPOnly & SECURE : 7
    6 from https://www.paypal.com
    1 from https://www.clickbank.com

Raw data can be found at the following link.

Conclusion:

I was surprised to see such low numbers. The top 1000 sites includes the most frequented sites on the web. Since the sites responded to HTTPS requests, I would have hoped that these sites would also be leveraging the additional security benefits of the HTTPOnly and SECURE flags. It was also interesting to see that of the 91 cookies that could easily be identified as session related cookies, only 1 cookie was marked as both SECURE and HTTPOnly. Clearly these cookies should be rotated after an actual login, but why establish a session at all if you aren't going to protect it with these basic cookie flags?

Notes on this test:

HTTPOnly and SECURE flags are used as an extra layer of security and are most often used with sites that support logins. It is unclear what number of the sampled sites support logins and thus would be good candidates to implement these additional controls. Therefore the results should not be construed as a sampling of sites that should be using the HTTPOnly and SECURE flags.

When the HTTPOnly and SECURE flags are used on a website it is likely that they would be used throughout the site. Therefore if any of the sites were to use these flags I would expect them to be used on the page requested for the test. Therefore I believe the presence, or lack thereof, of the HTTPOnly and SECURE flags accurately represents the use of these flags at the tested sites.

-Michael Coates - @_mwc

Django's Built In CSRF Defense for AJAX

2010-12-14T18:05:00.000-08:00

How django safely bypasses a random CSRF token for AJAX requests.

Django will allow AJAX requests that contain the following header without the need for any CSRF token: X-Requested-With: XMLHttpRequest

See: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

While its true that an individual user could tamper with their own headers, it is not possible to modify another user's headers in a cross domain attack such as CSRF. See discussion here

Testing?

Intercept a request and remove the X-Requested-With header.
You should get a 403 FORBIDDEN response if the CSRF defense is working correctly.

-Michael Coates - @_mwc

Securely Storing Opt-Out Email Addresses

2010-12-13T01:31:00.007-08:00

Walgreens was just compromised and an attacker got the master list of email addresses that also included email addresses of people who had opted-out of receiving Walgreens emails. The attacker promptly sent phishing attacks to all of the email addresses in an attempt to elicit private user data.

This brings up an interesting design issue. On one hand you need to store the email addresses of people that have opted out of email, otherwise you may inadvertently re-add them in the future from other sources or users actions, but on the other hand, storing all of these email address is increasing the damage if the list is compromised.

Solution? Hashing. For every email address that is in your "opt-out" list, simply store the hash of the email address instead of the actual email address. When you get a new email address compare the hash against your list of the "opt-out" email addresses. If you have a match, then its an opt-out. Throw away that email address. For new opt-outs, simply add the hash of their email address to the "opt-out" hash store and discard the plain text email address.

This way you get the benefits of not inadvertently re-adding users that have previously opted-out while also ensuring that a compromise won't disclose the huge number of people who really don't want any of your emails anyway.

Note: Don't hash your "opt-in" email addresses or your normal mail functionality won't work at all.

-Michael Coates - @_mwc