Friday, June 20, 2008

Top 5 questions to get webappsec threads spinning out of control

1. Should all Web traffic be SSL'ed or only username/passwords?
2. Black box vs. white box testing, which is better?
3. Ask anything about a WAF.
4. What are the best-practices for conducting password recovery?
5. Which certification should I get? CISSP?

21 comments:

Andre Gironda said...

Should all Web traffic be SSL'ed or only username/passwords?

All web traffic should be SSL'd.

Black box vs. white box testing, which is better?

5 million software quality engineers, and 400 million developers over 30 years of science and statistics all think that white-box is better. Note that white-box dynamic analysis such as dynamic taint tracking is not black-box.

Ask anything about a WAF

When are they going away?

What are the best-practices for conducting password recovery?

Search owasp.org for answers.

Which certification should I get? CISSP?

None. Until the OWASP People Certification is available, and then you should get it.

MikeA said...

1. Should all Web traffic be SSL'ed or only username/passwords?

Depends on the content of the traffic. Anything "sensitive" (e.g. cc#, SSN, etc., etc.).

2. Black box vs. white box testing, which is better?

Pros and cons of both methods. Each finds different categories of vulns.

3. Ask anything about a WAF.

Done already

4. What are the best-practices for conducting password recovery?

No password *recovery*. Time-restricted, one-time link to change password emailed to the person's address on record.

5. Which certification should I get? CISSP?

None.

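The reset flow MikeA describes above (no recovery, a time-limited single-use link), written out as an added example that is not part of the original post or any commenter's code. The in-memory store, the 15-minute window, the `https://example.com/reset` link prefix and the mail step left as a returned string are all constructed for illustration; a real deployment would persist the records in its database and send the link to the address on record.

```python
"""Password reset without password 'recovery'.

The server never holds a recoverable password: passwords are stored as salted
PBKDF2 hashes, and a reset request mints a random token whose hash (not the
token) is stored with an expiry.  The raw token travels only in the emailed
link and is accepted exactly once, before it expires.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


class ResetRecord:
    def __init__(self, user_id, expires_at):
        self.user_id = user_id
        self.expires_at = expires_at
        self.used = False


class PasswordResetService:
    def __init__(self, base_url="https://example.com/reset", clock=time.time):
        self.base_url = base_url      # assumed link prefix
        self.clock = clock            # injectable so expiry can be exercised
        self._records = {}            # sha256(token) -> ResetRecord
        self._passwords = {}          # user_id -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash_token(token):
        # Only the hash is stored: a leaked table yields no live links.
        return hashlib.sha256(token.encode()).digest()

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def request_reset(self, user_id):
        """Mint a one-time token and return the link that would be emailed."""
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._records[self._hash_token(token)] = ResetRecord(
            user_id, self.clock() + TOKEN_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def complete_reset(self, token, new_password):
        """Consume the token; True only if it is unknown-to-nobody, unused and unexpired."""
        rec = self._records.get(self._hash_token(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        rec.used = True  # burn it before touching the password
        salt = secrets.token_bytes(16)
        self._passwords[rec.user_id] = (salt, self._hash_password(new_password, salt))
        return True

    def verify_password(self, user_id, password):
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(digest, self._hash_password(password, salt))
```

Two caveats the code does not show: `request_reset` should behave identically whether or not the address is on record, so the form cannot be used to enumerate accounts, and the link should invalidate any earlier outstanding token for the same user.
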
Evert said...

Yea that was a bit of a pointless discussion right there..

Mark said...

You forgot "Which is the most secure web language?"

Andre Gironda said...

@ Mark:

You forgot "Which is the most secure web language?"

Poorly phrased, but accurate. And the answer to the "most easy to secure web language overall" is... [drumroll] JEE, better known as the Java Platform, Enterprise Edition.

Why are these questions so easy?

Jeremiah Grossman said...

LOL!

Anurag Agarwal said...

@andre - it's J2EE and not JEE

Andre Gironda said...

@ Anurag:

Nice one! Great joke.

No, really. It's JEE, as in 'the language formerly known as J2EE'. Like Prince.

ClueTrain Driver said...

Umm wow... Did someone fall off the cluetrain and bump their head?

romain said...

1. Only the dynamic content should be SSL'd (generated with some information that is relative to the user: his preferences, password, whatever)

2. Of course both are needed... Unless you have awesome developers!

3. WAF may introduce a new layer of vulnerability, that's interesting.
Anyway, WAF is useful...

6. What is the difference between a 'web language' and a 'language'? Anyway, the framework changes.

Mike said...

pretty amusing...

Mark said...

@ andre

Thanks for taking my joke seriously. I'll agree poorly phrased as I had not yet had my coffee and without caffeine, I do not function.

The answer is none of the above. All languages are equally poor if the application is not designed/developed properly.

Matt Presson said...

I will have to agree with mikea, except on his answer for 5. I do believe that the CISSP does offer a good overall knowledge of security and its many facets. Although the test and material in itself does not go very deep, a good overarching understanding of security has never hurt anyone, especially security professionals. Maybe I am biased because I am about to take the test, but just my opinion. Take it for what it is.

By the way, way to let your blog run rampant Jeremiah. Do you plan on being at OWASP Boston?

Rafal said...

Damn Jeremiah - you know how to bring out the troll...

Sadly - most of those have been circulating on the WASC WebAppSec mailing list for the past few months. I think honestly, these are important questions but are much like the "which flavor of Linux is better?" topic - which inevitably ignites something of a religious war.

At least I haven't heard someone say that PHP is the most secure programming language :)

Rafal said...

... by the way, Andre - You're just plain retarded if you honestly believe that *all* web traffic should be SSL'd (as you indicate). If you SSL'd all web traffic you wouldn't be able to do intrusion/anomaly detection, not to mention the overhead you'd cause in both processing power and bandwidth needed... anyway - way to think bigger-picture.
Sorry - I'm just annoyed with your comments, as you obviously have zero real-world experience.
As always ... "Arguing on the Internet is like running the Special Olympics, even if you win, you're still retarded."

Christian Folini said...

@Rafal:

I still prefer to run all web traffic through ssl. Yes, it costs performance, but it is a darn simple rule and saves a lot of headache.

It's not the only option, but it works in the real world.

Andre Gironda said...

@ Rafal:

I've had many people, formerly or currently with GE and HP talk about how you "have no real world experience" and you "are a troll". Since I know where you've worked and talked with your current or former co-workers -- and you appear to know nothing about me, I guess this settles that argument, no?

Also -- I am retarded, my IQ is probably half of yours. I got under a 900 on the SAT. My reading level is stuck in 11th grade. I guess being smarter doesn't actually help you understand security, let alone make you into a nice person.

As for settling the SSL issue, why don't you try reading RFC 3365 or try to understand how modern attacks from XSS proxies, airpwn techniques, KARMA techniques, and/or Ettercap filter techniques work?

At some point, data security might progress to the point where we can have functionality and assurance at the HTTP layer. Right now, how do we know that any certain transaction contains or does not contain sensitive or control information?

The way that HTML, CSS, Javascript, Flash, Java applets, QuickTime, and RealPlayer/MediaPlayer execute in the browser today means that HTTP is a control channel from the content to the browser. Since any control information can basically come from anywhere, TLS/SSL is one of the only ways to provide confidentiality to that data, and to prevent MITM type attacks.

Of course, SSL/TLS is only one method of helping for this; and it's not perfect either. However, it's ubiquitous, easy, and it solves a lot of problems.

In the way that web application attacks can be used together -- I think that SSL/TLS as a defense works great along with other protections and defenses.

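The "darn simple rule" Christian Folini and Andre argue for above (every request over TLS, so that an on-path attacker cannot inject into the HTTP control channel) amounts to a few concrete server-side behaviours. Here they are as a WSGI middleware, an added example that is not code from the original post or from any commenter: redirect cleartext requests to the `https://` URL, send an HSTS header on every TLS response, and mark every cookie `Secure` so the session is never offered over plain HTTP. The `example.com` host, the one-year HSTS value and the `inner_app`/`call` harness are constructed for illustration.

```python
"""Enforce 'all traffic over TLS' at the application edge (WSGI)."""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumption: one-year policy


def _mark_secure(cookie):
    # Add the Secure attribute unless it is already present as an attribute.
    attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
    return cookie if "secure" in attrs else cookie + "; Secure"


class RequireTLS:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Cleartext request: do not serve it, send the client to TLS.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def tls_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = _mark_secure(value)
                out.append((name, value))
            # Tell the browser to use TLS for this host from now on.
            out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return self.app(environ, tls_start_response)


def inner_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc; HttpOnly")])
    return [b"hello"]


def call(app, scheme, path="/", qs=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "example.com",
               "PATH_INFO": path, "QUERY_STRING": qs, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

The redirect itself still rides over cleartext, so the very first visit remains exposed to exactly the airpwn/Ettercap-style injection Andre mentions; HSTS is what removes that window for every later visit, which is why the middleware sends it on every TLS response rather than only on the login page.
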
Anonymous said...

1. Not all, but probably all POST based, assuming GET is being used right.
2. White box, because it somewhat addresses the insider threat and is likely to find anything black box would find anyway.
3. How can positive security based on network admins communicating with developers ever work, when positive firewall security (especially deny all outbound) based on network admins communicating with sysadmins never really worked right to begin with? Developers are far more antisocial and insular.
4. Make sure you have the permission of the machine owner, or at least enough plausible deniability or political clout to not have to care.
5. The best jobs come from connections, and those people are going to drag you right past HR anyway, so certifications only matter if you're in a slump or are trying to coast.

Jeremiah Grossman said...

@rafal

> Damn Jeremiah - you know how to bring out the troll...

Yah, it's an acquired skill, to be used with caution. :)

Arshan Dabirsiaghi said...

rafal calling jeremiah retarded:

https://twitter.com/jeremiahg/status/8269390637

(courtesy of marcin)

Jeremiah Grossman said...

wow, @marcin is on his game. nice catch.

In truth, I've been known to do and say some pretty retarded things. Have no plans to stop now, it's served me well :)