Comments on Jeremiah Grossman: 2007 web application security project ideas

Anonymous, 2016-10-21 05:15 -07:00:

Cloudace is the market leader in offering Web Application security and Firewall Solutions in a cost-effective manner in Vijayawada and Hyderabad cities, India
http://www.cloudace.in/solution/web-application-security-and-firewall-solutions/

Andrew van der Stock, 2007-03-20 13:43 -07:00:

Jeremiah,

there's a PR going out this afternoon from a largish organization on a web app sec certification. When it happens, I'll shoot you a copy.

Andrew

Jeremiah Grossman, 2007-01-06 20:27 -08:00:

> Actually, on the OS scanner, I would say that being able to log in is one of the LAST things it needs to be able to do.

Last on my tiny list maybe, but certainly not the bottom. And when I say login, I really mean login w/ logout detection. The last thing you want to do is have invalid scans and have to babysit the scanner for hours on complex sites.

> Login functionality is so different from app to app that staying logged in is the one thing all of the off-the-shelf tools CAN'T seem to do right.

Tell me about it. We struggle with it in our own technology as well. Crawling properly in many ways is just as hard as login.

> I think it would be more profitable to use existing cookies and parameter values to perform analysis during an expert crawl. And of course, the tool needs to be able to crawl the rest as well.

I think I can agree there. Have to start somewhere and no reason to bite off more than one can chew.

> There needs to be a high-publicity project available for breaking that does more than just have a vulnerability for defacement.

Great idea. I wholeheartedly agree. So much work, so little time. If someone decides to start any of these projects, I'll do whatever I can to publicize them.

Will Stranathan, 2007-01-05 20:04 -08:00:

Also, I think there need to be some better training sites available than "Hack this site" and WebGoat. There needs to be a high-publicity project available for breaking that does more than just have a vulnerability for defacement.

Will Stranathan, 2007-01-05 20:02 -08:00:

Actually, on the OS scanner, I would say that being able to log in is one of the LAST things it needs to be able to do. Login functionality is so different from app to app that staying logged in is the one thing all of the off-the-shelf tools CAN'T seem to do right.

I think it would be more profitable to use existing cookies and parameter values to perform analysis during an expert crawl. And of course, the tool needs to be able to crawl the rest as well.

Anonymous (Chris W.), 2007-01-04 09:01 -08:00:

A good place to start on standardizing severity levels is the CVSS framework. This is being used by the NVD and has been adopted by Oracle. I believe strongly in not reinventing the wheel. If there are aspects of web vulnerabilities that are different from the universe of vulnerabilities, then CVSS should be strengthened, not redone.

CVSS has a base score that computes the impact based on confidentiality, integrity, and availability. It then uses a bias based on the business context of the application to more heavily weigh one of the dimensions.

I would be interested in working with people on this.

-Chris W.

Jeremiah Grossman, 2007-01-04 07:48 -08:00:

wow, some great comments here, hard to keep up.

Chris,

> We need some way to identify solid web application people but I would advocate giving it some more thought before going down the certification route.

Solid advice. There must be some way to get a decent minimum bar barometer.... *thinking*

Anonymous, 2007-01-04 07:19 -08:00:

Standardizing severity ratings is something that the industry has needed for some time now. As an application security consultant for 6 years (my previous job), there were countless times where individuals disagreed on the severity of a particular vulnerability or class of vulnerability. An objective baseline for each type of vulnerability is a good foundation, but there has to be some flexibility built in for subjectivity (within reason) and context. For example, avoiding denial of service vulnerabilities is far more important to some applications than others, so in those cases it would need to be weighted somewhat higher.

As for a certification, I have to disagree wholeheartedly. The last thing we need is another CISSP-like cert for people to pad their resumes with. The best penetration testers I've worked with had no industry certifications and most opposed the idea that they were any indication of skill. In my experience, the more industry certifications a person has on their resume to prop themselves up, the less likely they are to stand on their skills alone. There will obviously be exceptions to this rule, but by and large I've found it to be fairly consistent, at least within the penetration testing space. Software development or equipment-specific certifications may be more effective, but I have little perspective on that. We need some way to identify solid web application people, but I would advocate giving it some more thought before going down the certification route.

Anonymous, 2007-01-02 09:52 -08:00:

good post and great replies so far!

for severity rating systems - i have read through all of the work on DREAD (MS Threat Modeling), TRIKE (went to the toorcon preso 1.5 years ago), and CVSS (read all the stuff on the FIRST page). I read a few more sources, specifically on vulnerability management. it seems that threat modeling (more STRIDE instead of DREAD) applies fully, while rating systems do not. at least that's the impression i'm getting. there are categories of websites, and each type of website has different threats. universal metrics are going to be difficult to apply without making this distinction.

as far as the cert goes - i also recommend against such a concept. certs are a part of a more global picture of instructional capital. what you want is training - and sharing of ideas. this means conferences and local meetings. there is no conference covering just "web application security", and there should definitely be more than one at this point (one "all expenses paid" and one that costs like $50 for students at a hotel with cheap rates). local chapters of OWASP have started up (there is one in my city now)... so people should start going to these events and presenting regularly.

in regards to client-side security: i also wanted to mention noxes, but someone else already has. httpOnly and content-restrictions (http://www.gerv.net/security/content-restrictions/) should also find a way into plug-ins and browsers quickly and easily (and they should scale so as not to affect performance as well). features in WAF and XML gateways should make their way into cable modems, dsl routers, WiFi routers, and personal firewall software if possible (again, while affecting performance as minimally as possible). layered defense-in-depth has seemed to work over time with regards to system and network vulnerability protection.

Jeremiah Grossman, 2007-01-02 09:02 -08:00:

Hi Mike,

> Generally I agree with your posts, but not this one so I'll break with my usual lurker tradition and comment.

If everyone agreed with all my posts all the time I'd have to question the value and insightfulness I was providing. Either that or I'd be telepathic.

> Having any "standardized" severity rating system is nigh-on impossible. Each of the models suffers from subjectivity problems.

You might be right, but I think subjectivity is probably OK. If a flexible system were developed, and the subjectivity variables were assigned by the organization itself (or a paid expert), then the output would be what they are looking for. As it stands people are just looking for ANYTHING workable to help in prioritization; we'll get perfection later.

> As for a certification, the world does not need another cert :)

I hear ya. The last thing we need is another crappy certification to snicker at. The thing is, though, organizations are looking for solid webappsec people. They're asking what to look for as a minimum bar to qualify candidates before the interviewing process begins. This need will only increase over the next year. So maybe certification isn't the answer, but then what is?

> Finally, an OSS scanner would be a great thing to have out there.

Yes, I'm well aware of the Watchfire patent and the sad state of affairs that is the U.S. patent system. Generally speaking you can't code a for loop anymore without violating someone's patent. And I refuse to let that stop me from developing software or working on a project. Otherwise I better pick a new career. I'll continue to write code that brings value, fills a need, and I'll take the battles as they come. If Watchfire wants to be known for viciously attacking open source communities, so be it. I'm sure they'd suffer equally in return. At least, that's my opinion on that matter.

> http://tinyurl.com/2zndg

You sure that's the link you meant?

Anyway, thanks for commenting and please break your silence more often. :)

Jeremiah Grossman, 2007-01-02 08:38 -08:00:

Sven,

Cool! It looks like you're thinking about the problem correctly. Good luck with the project and keep us apprised. Also, don't be shy about soliciting feedback from the web security mailing list.

Martin J., 2007-01-02 07:14 -08:00:

Hi Jeremiah,

on the topic of client side protection: There are at least two approaches for client side XSS protection that I know of: Noxes (http://www.seclab.tuwien.ac.at/papers/noxes.pdf) and NoMoXSS (http://www.seclab.tuwien.ac.at/projects/jstaint/).

Furthermore, (shameless plug) we (Justus Winter and myself) developed RequestRodeo, a client-side protection solution to protect users against CSRF. Here is the project site with the code: http://savannah.nongnu.org/projects/requestrodeo And here is a link to the paper: http://www.owasp.org/images/4/42/RequestRodeo-MartinJohns.pdf

Anonymous, 2007-01-02 05:21 -08:00:

Generally I agree with your posts, but not this one so I'll break with my usual lurker tradition and comment.

Having any "standardized" severity rating system is nigh-on impossible. Each of the models suffers from subjectivity problems (what values do you plug in - how do you give a number for "damage" - what is the difference between a 6 and a 7 - etc, etc), and they are only really useful if one set of people (or very like-minded/highly trained people) do all the "scoring". With this in mind, I think that you will only get standardization within organizations by using one model, which I think to some degree is already happening. Achieving this outside, for all findings/vulnerabilities, probably isn't possible IMHO.

As for a certification, the world does not need another cert :) It might be an honorable idea and get more people thinking about web security (and better identify those that know the field), but certs are easily played and lose value very quickly IMO (lots of individuals with meaningless letters after their name - I have one set, but never use them - judge people by their experience and knowledge rather than some studying and a quick test). What I *do* think we need is lots more information out there on web-based vulns, and easier systems for people to follow and test their apps. Not just point-and-click automated tools, but honest-to-goodness methodologies (not checklists or brief write-ups).

Finally, an OSS scanner would be a great thing to have out there. I even donated a codebase to OWASP to help start the Beretta project off (http://www.owasp.org/index.php/OWASP_FOSBBWAS_(code_name_Beretta)). However, I had to quickly withdraw from that project, because of this - http://tinyurl.com/2zndg - which amazingly still hasn't been challenged yet. I'm not a lawyer, but I believe that anyone that works on such a project inside the US is risking litigation by Watchfire, the current patent holder (or anywhere else that the patent is registered). The guys working on it at the moment are probably getting away with it because Europe doesn't have software patents - probably one of only a small number of things they actually do right! Just this sad fact alone means seeing an OSS scanner in the US is unlikely IMO unless someone has the money to challenge the patent for the inevitable lawsuit for loss of earnings that Watchfire/SPI (a licensee of the patent as I understand) would be sending your way :(

So sorry Jeremiah, although I love reading your posts, generally agree with you and find you have great insights in this field, I would have to beg to differ on this one :)

Anonymous (Sven / Disenchant), 2007-01-02 05:18 -08:00:

Hi Jeremiah,
I fully agree with this stuff.

FYI: I'm actually working on the point of "Standardized Severity Rating System for Web Application Vulnerabilities" [1]. Because I didn't have that much time in the last two months I'm still in the research phase, but it will come :)

[1] http://www.disenchant.ch/blog/webapplication-security-risk-calculation/21

Regards,
Sven / Disenchant