Category Archives: Security

OWASP’s Top Ten and Your False Sense of Security

This past weekend, I attended the No Fluff Just Stuff conference (twitter.com/nofluff). While there, I saw a great presentation from Ken Sipe briefly discussing OWASPS current top 10 security vulnerabilities web developers should be concerned with today. As any good talk should, it really got me thinking. I love web security…but am I alone?

Web security is important. In fact, it is extremely and increasingly important. And no, I am not alone. There are many others out there that love this stuff. Sadly that is part of the problem. There are tons of smart people out there who want to know everything there is to know about web security, but is it the right people? Are they white hat developers working hard for their clients? Are they the business owners managing the projects and writing the checks? Or are they script kiddies living in their grandma’s basement…

I am realistic. There will always be people who want to learn about the latest and greatest in the security world so they can make it better, and others who want to learn so they can bend break or obliterate it. My gripe is, web security seems to take a back seat in the minds of many. The priority instead lies in what businesses “really care about.” This includes user experience, business requirements, time to market; basically any buzzword you pull out of that dusty Agile book on your desk.

Those things all sound pretty important (after all, as I said, they are writing books about them, right?) However, I argue that the sparkliest html5 presentation layer will do you no good if someone can drop your database tables with nothing more than Firebug and a 10 minute World-of-Warcraft break.

So what do I expect? Should companies spend the money to make sure all of their developers know how XSS attacks happen? And why you can’t use two-way functions to store passwords? Or why a nonce should be part of every form submission?

Yes. Yes they should.

Don’t get me wrong, there are many ways to make a site safer. Code reviews are a great way to catch and prevent OWASP’s top 10, and many others that didn’t make their list [assuming the reviewer knows what they are looking for.] OWASP’s ESAPI library is another, providing an api for the ‘more novice’ developer [though reviews on ESAPI are mixed, and it doesn’t seem to be fully baked yet.] But this will only get us so far. To be cliche, there is power in numbers, and we are only as strong as our weakest link. The more greater the number of informed folks that lay eyes on our code, the fewer vulnerabilities will make it through.

Needless to say, I consider a basic understanding of modern vulnerabilities a must. I also consider it the burden of the informed to convince the others that this really is worth the time and money. I know many clients/business owners do not want to know the nitty gritty details of how a teenager with enough spare time can put the screws to them, and that’s ok. They don’t need the details, as long as they know their developers are well educated on the subject and can therefore believe them when they say “this has to be done.” So get out there and advocate for education on web security! And while you wait for your employer to get on board, why not get a head start? Useful links follow:

OWASP Top 10
OWASP’s WebGoat security lab
Google’s Gruyere Web Security lab

Finally, be sure to check out posts, whitepapers, and other great content at http://blog.credera.com

Advertisements