[Owasp-leaders] Feedback on Potential New OWASP Project

Sethi, Rohit rohit at securitycompass.com
Wed Jan 13 13:12:31 EST 2010


I'm not sure I understand. For example, how would you evaluate Apache struts against ASVS V4.1: "Verify that users can only access protected functions for which they possess specific authorization."? That's simply an "if" check somewhere in the code. Does Struts provide this or not?

What about ASVS V8.1: "Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id and personal information."? If the framework allows you to generate your own custom error page when you catch an exception, then the framework follows the requirements. However, if the framework provides a simple configuration option in the deployment descriptor to do the same thing declaratively, and has that option turned on by default, the framework still complies with the requirement. The second way of doing it, however, will lead to more secure web applications because many app developers often simply do not change the default error handling mechanism - and end up with stack traces dumped on screen.


Rohit Sethi
Director, Professional Services
Security Compass
http://www.securitycompass.com
Direct : 888-777-2211 ext. 102
Mobile: 732.546.4473
Twitter: rksethi
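
As an added illustration of the two routes described in the message above (not code from the thread or from any framework): a servlet filter taking the programmatic "catch the exception and render your own page" route, with the declarative deployment-descriptor equivalent noted in its comment. The class name and the /error.html location are assumptions.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic catch-all for ASVS V8.1. Everything an attacker could learn from
 * (exception type, message, stack trace) stays in the server log under a
 * correlation id; the client only ever sees that id.
 *
 * Register in web.xml with a <filter> and a <filter-mapping> on url-pattern "/*".
 * The declarative route is the Servlet spec's
 *   <error-page><exception-type>java.lang.Throwable</exception-type>
 *               <location>/error.html</location></error-page>
 * which a framework can ship switched on by default. (Hypothetical class/paths.)
 */
public class SafeErrorFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SafeErrorFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Throwable t) {                // deliberately broad: nothing leaks past here
            String id = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "unhandled exception, ref " + id, t);
            if (res.isCommitted()) {           // headers already sent; body cannot be replaced
                return;
            }
            HttpServletResponse http = (HttpServletResponse) res;
            http.reset();                      // discard any partially written output
            http.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            http.setContentType("text/html;charset=UTF-8");
            // a UUID is hex digits and dashes only, so it is safe to embed unescaped
            http.getWriter().write("<html><body><h1>Something went wrong</h1>"
                    + "<p>Reference: " + id + "</p></body></html>");
        }
    }
}
```

The reference id lets support staff find the full trace in the log without any of it reaching the browser.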

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Wednesday, January 13, 2010 12:29 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project

Right, I see it. The basic idea is that one should look at a deployed application in terms of (1) targeted application (or framework) components and (2) components in the environment that the targeted application components require to function. Some requirements are met by the former, some by the latter, some may be met by functions provided by both. In the case of the latter, not all requirements are met. Then, one sorts this all out using the reporting requirements. I would guess that "typical" ASVS-based framework verifications would read something like, we found x, y, and z controls and they're implemented right according to ASVS requirement r, but it's not a pass for requirement s because we don't know where they're going to be used.

Mike B.


________________________________
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
Sent: Wednesday, January 13, 2010 11:54 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project
We seem to have a disconnect. How can you verify a framework against ASVS? For example, how do you know whether or not a framework can comply with V6.1: "Verify that all untrusted data that are output to HTML (including HTML elements, HTML attributes, javascript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context." What is applicable context when you don't have a specific application to measure it against?

In our view, a framework should provide the tools to allow for V6.1, but individual application developers could theoretically build their own libraries or use third-party libraries such as ESAPI to achieve the same thing. In fact, keen developers could just code their own output escaping tools and still achieve compliance with ASVS requirements. Providing libraries in the base framework simply makes it easier.

The manifesto is not about assurance. You can't quantify the level of security it provides you; it's more about making the lives of developers easier and giving them the tools they need in order to get "T--H--I--S" much more secure.

Rohit Sethi
Director, Professional Services
Security Compass
http://www.securitycompass.com
Direct : 888-777-2211 ext. 102
Mobile: 732.546.4473
Twitter: rksethi

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Wednesday, January 13, 2010 8:56 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project

Hi Rohit. Sounds good, let's discuss! The basic response to the below is, yes I agree that e.g. it's unlikely frameworks would meet all ASVS requirements for a given level. The basic concept that I'll reiterate though is that levels may be met by combinations of security functions provided by applications and underlying frameworks and whatnot together. Thus for example if framework A were verified using ASVS level x, the report would have findings that requirements are not met; you provide some good examples/rationale why below. Then, these results could be published and then subsequently recycled when verifying applications that run on framework A: when one runs into a requirement met by the framework, verification investigation for that requirement is done and on to the next; when one runs into a requirement that can only be met by the application, go do the code review or whatever for that requirement for the application. The overall value add of this approach is that one is always working towards a targeted level of assurance. I can't tell looking at the manifesto if some/all of those requirements make a framework "this" much more secure or "T--H--I--S" much more secure, and how much it contributes to the overall level of assurance.

Best,

Mike B.


________________________________
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
Sent: Tuesday, January 12, 2010 11:48 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project
Hi Mike, since your post relates to an OWASP project I think this is the ideal list for my response.

First of all, thank you for taking the time to read through the document and offer your feedback. I think it's important not to waste time on duplicating effort, and I understand what you're saying about ASVS.

I will respectfully disagree that ASVS renders the manifesto useless. ASVS is primarily about how you can verify the security posture of a single application with varying levels of assurance; the Secure Web Application Framework Manifesto (I promised Jim Manico I wouldn't use the SWAF acronym) is about what features a web application framework should offer such that the applications built on top of it are secure.

Let me illustrate:
ASVS V5.2: "Verify that a positive validation pattern is defined and applied to all input." This is a verification activity.

Manifesto 3.1.2: "Provide an API to Validate All Input Data" is a mechanism that allows a single application developer to achieve ASVS V5.2. Moreover, we point to the Apache Struts Validation plug-in as an example of such an API which applies specifically to Struts Form fields.

Notice that an application framework developer couldn't achieve ASVS V5.2 for the most part because the positive validation pattern applies to a specific application, whereas an individual app developer probably would not get much value out of providing an API to Validate All Input Data - particularly for those forms of input not used within the application.

Here's another example: ASVS V3.1: "Verify that the framework's default session management control implementation is used by the application." That's good advice if the session management of the underlying framework is done properly. Namely, Manifesto 3.3.1, 3.3.3, 3.3.4, and 3.3.5.

I can go on for a while about how these docs differ. There are overlapping requirements but the details in the text differ - the manifesto was written specifically for framework developers and includes references to known working implementations of the functionality to use as an example.

As for the word manifesto, I'm not sure I follow your argument about how the misuse of the word in other contexts should keep us from using it here. That said, we are not particularly tied to the word "manifesto" and are willing to investigate alternatives if others in the community agree with you.

Cheers,

Rohit Sethi
Director, Professional Services
Security Compass
http://www.securitycompass.com
Direct : 888-777-2211 ext. 102
Mobile: 732.546.4473
Twitter: rksethi

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Tuesday, January 12, 2010 3:45 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project

To play devil's advocate... I posted a reply, but to the webappsec.org list. The condensed version might be: why not instead just use ASVS (it allows for requirements being met by combinations of security functions provided by applications and underlying goo), and not sure about "manifestos". Maybe, this is the better place to discuss, if interested.

Best,

Mike B.


________________________________
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness)
Sent: Tuesday, January 12, 2010 3:34 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Feedback on Potential New OWASP Project
Thoughts:

1. I think this idea rocks.
2. I don't like the title which implies it is about securing web frameworks. How about "Web Application Framework Security Functionality Manifesto"?
3. It doesn't feel enterprisey enough (of course this is coming from an enterprise architect). Seriously, we need to target more than your average one-off SMB web application. One hint to my reaction is that it talks about converting to two-factor auth (something I have zero interest in) when the enterprisey interest would be in converting to consume SAML or other SSO tokens. If you were writing Twitter, you probably wouldn't care about how to externalize security via XACML but us enterprisey types understand its importance.
4. I am keenly interested in how a framework should noodle management of security. For example, what is the right conceptual model/checklist for JMX MBeans in this space.
5. Today's work frustration is that I have been busy debugging a federated identity installation and somehow forgot a few passwords. Does the framework provide for encryptable properties where it detects more than just replacing xml files is big. I tried this workaround today and it failed which proved a level of security (good) while also making me bust my brain harder.
6. I would like to see things on logging expanded significantly. Gunnar is now offering the most wonderful course that uses WebGoat where it is not about prevention but more about ways to figure out after the breach forensics. Hopefully, he can expand this doc as well...

________________________________
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
Sent: Tuesday, January 12, 2010 9:21 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Feedback on Potential New OWASP Project
Hi all,

Many of us have argued that the features of underlying web applications frameworks will make a major impact on the security of the individual applications built on top of them.

To that end, a few of my colleagues and myself have put together a "Secure Web Application Framework Manifesto". In many ways, this is the inverse of the work that Arshan and the Intrinsic Security Working Group did - our emphasis is on providing a set of requirements for frameworks to follow, rather than evaluating the frameworks themselves. Ideally, frameworks will adhere to the manifesto and publish a list of the features implemented. This helps developers make intelligent decisions about the underlying security of the frameworks they use, and should have the additional benefit of enhancing the default security of web applications.

I'd like to propose turning this into an OWASP project, but wanted to solicit feedback from the security community prior to turning it into an official project.

Here's the link to the paper:
http://labs.securitycompass.com/papers/secure-web-application-framework-manifesto-v0-05.pdf

Two questions:

1) Do you see value for this as an OWASP project?

2) If you have feedback about the requirements themselves, could you please contact me directly? I'll be sure to include you as a contributor.

Thanks,

Rohit Sethi
Director, Professional Services
Security Compass
http://www.securitycompass.com
Direct : 888-777-2211 ext. 102
Mobile: 732.546.4473
Twitter: rksethi
