[Owasp-codereview] [Owasp-ireland] OWASP Ireland - September 2009 Panel discussion

Mostafa Siraj mostafa.siraj at gmail.com
Wed Jul 15 08:55:23 EDT 2009


Hi David,
I guess we don't vary so much in our opinions; we both believe that teaching
developers how to write defensive code is very important, but the point here
is that if you didn't give him real examples of "what to defend against" he
wouldn't validate in the right way.

I always receive questions from developers asking "I have a checklist that
states that I should validate every input and I don't know what exactly
should be done". He has to know that user input that contains special
characters interpreted by another system leads to serious security holes
(e.g. in the case of a browser it leads to XSS, in the case of a DBMS it leads
to SQL injection, in the case of LDAP it leads to LDAP injection, etc.). He has
to understand these security issues and he has to see real examples of how
these attacks might occur. I work in a services company, so most of the
employees are developers, not security engineers. The developer just cares
about the functionality; he just wants to get things done, and if he is not
aware of the risks of security vulnerabilities he will never listen to you.
This is my lived experience that I face every day.

But I still agree with you that more emphasis was paid to vulnerabilities
than to writing secure code. OWASP and SANS should publish lists like "Top 10
secure coding habits"; it will be very beneficial to developers, I believe.

Regards,

Mostafa Siraj <http://AllAboutApplicationSecurity.blogspot.com>
Application Security Expert
ITWorx Egypt
www.ITWorx.com

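The three output contexts named above (browser, DBMS, LDAP), worked through with the "Welcome [username]" label from the quoted C# snippet, as an added Python example that is not part of the original thread; the sample username, the in-memory SQLite table and the function names are constructed for this demonstration.

```python
import html
import sqlite3

# Constructed sample input: plain text to a human, but it carries characters
# that a browser, a DBMS and an LDAP server each treat as syntax.
SAMPLE_USERNAME = "<b>bob</b>' OR 1=1 --"


def welcome_unencoded(username: str) -> str:
    """The 'natural' version from the thread: raw concatenation into HTML.
    Any markup in username is interpreted by the browser (XSS)."""
    return "Welcome " + username


def welcome_html_encoded(username: str) -> str:
    """Hardened version: encode for the HTML body context at the output sink.
    Input validation happens elsewhere; encoding is what this sink needs."""
    return "Welcome " + html.escape(username, quote=True)


def find_user_parameterized(username: str) -> list:
    """DBMS context: the fix is a parameterized query, not string escaping.
    An in-memory SQLite table is constructed here as sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), (SAMPLE_USERNAME,)])
    # The username is bound as a value, so "' OR 1=1 --" is just a name.
    rows = conn.execute("SELECT name FROM users WHERE name = ?",
                        (username,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


def ldap_filter_escape(value: str) -> str:
    """LDAP context: escape the filter metacharacters defined in RFC 4515
    (* ( ) \\ and NUL) so the value can never become filter syntax."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_user_filter(username: str) -> str:
    """Builds a (uid=...) search filter with the user-supplied part escaped."""
    return "(uid=%s)" % ldap_filter_escape(username)
```

Each sink gets its own defence: HTML encoding for the label, parameter binding for the query, RFC 4515 escaping for the LDAP filter; validating the username once at the input boundary does not replace any of them.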
On Wed, Jul 15, 2009 at 1:06 PM, davidrook <david.rook at realexpayments.com> wrote:

> Hi Mostafa,
>
> I wouldn't agree with what you have said; taking the example you have given
> there, I fail to see why teaching someone to validate their inputs and
> outputs wouldn't be good in this case. If you had been teaching them a set of
> secure development principles for a year (which would include input and
> output validation/encoding) and they still wrote that code then there is a
> bigger problem than just the potential of XSS ;-)
>
> I don't think that education detailing specific vulnerabilities should be
> dropped, but I think it shouldn't be a starting point either. A developer's
> security education should not start at the intricate details of attacks such
> as XSS and SQL Injection; rather, this is somewhere their education should
> evolve to. Sure, training courses wouldn't be as "glamorous" and people
> would probably need to charge less for them, but that's not the point here!
>
> Thanks,
>
> Dave
>
> Mostafa Siraj wrote:
>
>> Hi David,
>>
>> I don't think your approach -whitelist learning- would perfectly fit when
>> it comes to application security.
>>
>> I'll give you an example: I was teaching a security course to some
>> students and started telling them, accept a username from a user and echo it
>> back as "Welcome [username]". All the students without exception wrote
>> something like this (here I use a C# example):
>>
>> welcomeMessageLabel.Text = "Welcome " + usernameTextBox.Text;
>>
>> The above statement is very natural; no one would ever think that it's
>> vulnerable to XSS, for example. Even if I was teaching them Input Validation
>> for 1 year, they will still consider the above statement safe because it's
>> really very natural.
>> So they have to learn about the main security vulnerabilities -blacklist
>> approach- (OWASP Top 10, or SANS Top 25) to get a feel of how security
>> vulnerabilities occur, besides of course the whitelist approach (Input
>> Validation, Secure Authentication, ...etc).
>>
>> So I believe that both are very important and you can't skip any one of
>> them.
>>
>> Thanks
>>
>> Mostafa Siraj <http://AllAboutApplicationSecurity.blogspot.com>
>> Application Security Expert
>> ITWorx Egypt
>> www.ITWorx.com
>>
>>
>> On Wed, Jul 15, 2009 at 12:10 PM, davidrook <david.rook at realexpayments.com>
>> wrote:
>>
>>    For controversy dial C for Conor! :)
>>
>>    I have one as well: "The path to secure software does not start with
>>    specific vulnerabilities".
>>
>>    I think anyone on the Irish mailing list will know I have been saying
>>    since the release of the SANS Top 25 list earlier this year that I don't
>>    think lists of vulnerabilities are the optimal approach to developer
>>    education and ultimately secure software. We as software security
>>    professionals are guilty of telling developers to prevent a list of
>>    vulnerabilities instead of telling them to develop securely; yes, I do
>>    feel there is a difference here. Think of it this way: when you are
>>    learning to drive, does the instructor give you a list of ways to crash
>>    a car and hope you figure out how to avoid all of those different ways
>>    of crashing, or does he teach you how to drive safely and within the
>>    rules of the road?
>>
>>    Everyone without fail in the application security community is guilty
>>    of doing this, yet we blame the developers when the applications are
>>    insecure. Are the security professionals not just as culpable for not
>>    educating developers correctly? Whether it be the OWASP Top Ten, PCI DSS
>>    Requirement 6.5 or companies offering secure development training, they
>>    all focus on a small set of vulnerabilities instead of focusing on a set
>>    of secure development principles such as Input Validation, Error
>>    Handling and Secure Communications.
>>
>>    Dave
>>
>>    Conor Mc Goveran wrote:
>>    > HTML5 could have been a unifying standard which may have halted the
>>    > continued fracturing of the web as a platform; alas, with the failure
>>    > of the browser vendors to unify behind this standard (dropping the
>>    > video tag due to lack of agreement on the codec) this will be the
>>    > biggest missed opportunity of the decade. ALL of the developments that
>>    > are good about the internet/web have come from a base of widely
>>    > adopted and largely consistent implementation of the standards. The
>>    > failure to bring the HTML standard into the shiny new world of the web
>>    > application is the start of the end for web applications. Building web
>>    > applications is hard because HTML/Javascript is definitely not a good
>>    > foundation for an application platform. The reason it continues to
>>    > increase in popularity is because HTML/Javascript, while far from
>>    > perfect, is well implemented (despite Microsoft's best efforts) and
>>    > standardised even across OS/Browser combinations. Now we have AIR,
>>    > Silverlight, Flash, Quicktime, Shockwave blah blah blah. All
>>    > proprietary, all different, all crap.
>>    > The web is dead. Dead? Yeah, dead. US multinationals have screwed the
>>    > pooch again. Can industry, and in particular the US software behemoths,
>>    > actually ever create an innovative, diverse and standardised eco-system
>>    > for technology? Can they ever understand that actually starting to
>>    > compete with each other on innovation rather than the red-eyed craze
>>    > of trying to dominate an industry through proprietary lock-in will
>>    > benefit everyone? Or is this the sole preserve of the academic
>>    > community? I thought a quote from a Microsoft employee made to me in
>>    > 2003 summed it all up when speaking about web services: 'If only
>>    > everyone had used DCOM, none of this would have been necessary.' Sigh!
>>    >
>>    > 2009/7/14 Eoin <eoin.keary at owasp.org>
>>    >
>>    >     Guys,
>>    >
>>    >     Any ideas of a *good* topic for a panel discussion which may
>>    >     engage the initiated and non alike?
>>    >
>>    >     Something controversial? or bi-partisan? ("The world is flat" or
>>    >     "yes earth is in the middle of the universe") in order to make for
>>    >     an interesting discussion?
>>    >
>>    >     Whoever comes up with the best one I'll buy them as much Guinness
>>    >     as they can stomach (Tom Brennan not included).
>>    >
>>    >     -ek
>>    >
>>    >     --
>>    >     Eoin Keary CISSP CISA
>>    >     https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>    >
>>    >     OWASP Code Review Guide Lead Author
>>    >     OWASP Ireland Chapter Lead
>>    >     OWASP Global Committee Member (Industry)
>>    >
>>    >     Quis custodiet ipsos custodes
>>    >
>>    >     https://twitter.com/EoinKeary
>>    >
>>    >     _______________________________________________
>>    >     Owasp-ireland mailing list
>>    >     Owasp-ireland at lists.owasp.org
>>    >     https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>    >
>>    >
>>    > --
>>    > Conor Mc Goveran,
>>    > Managing Director,
>>    > Onformonics Ltd.
>>    >
>>    > Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
>>    > Company Reg: 45503
>>    > VAT: 9682767B
>>    >
>>    > Ph:        +353-14407576
>>    > Mobile:  +353-872038598
>>    >
>>
>>    --
>>    David Rook | david.rook at realexpayments.com
>>    Security Analyst
>>
>>    Realex Payments
>>    Enabling thousands of businesses to sell online.
>>
>>    Visit our new website: www.onlinepayments.ie
>>
>>    Follow us on Twitter! www.twitter.com/realexpayments
>>
>>    Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
>>    |t: +353 1 2808559 | f: +353 1 2808538  | www.realexpayments.com
>>
>>    1 Lyric Square, London W6 0NB
>>    t: +44 203 1785370 | f: +44 207 6917264  | www.realexpayments.co.uk
>>
>>    27 avenue de l'Opéra, 75001 Paris.
>>    t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>>
>>    Visit our other Realex Payments websites:
>>    www.airlinepayments.com
>>    www.sepa.ie
>>
>>    Pay and Shop Limited, trading as Realex Payments has its
>>    registered office at Castlecourt, Monkstown Farm, Monkstown, Co.
>>    Dublin, Ireland and is registered in Ireland, company number 324929.
>>
>>    This mail and any documents attached are classified as
>>    confidential and are intended for use by the addressee(s) only
>>    unless otherwise indicated. If you are not an intended recipient
>>    of this email, you must not use, disclose, copy, distribute or
>>    retain this message or any part of it. If you have received this
>>    email in error, please notify us immediately and delete all copies
>>    of this email from your computer system(s).
>>
>>
>>    _______________________________________________
>>    Owasp-codereview mailing list
>>    Owasp-codereview at lists.owasp.org
>>    https://lists.owasp.org/mailman/listinfo/owasp-codereview
>>
>>
>>
>>
>> --
>> "Our deepest fear is not that we are inadequate. Our deepest fear is that
>> we are powerful beyond measure. It is our light, not our darkness, that most
>> frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
>> talented, and fabulous?Actually, who are you not to be? You are a child of
>> God. Your playing small doesn't serve the world. There's nothing enlightened
>> about shrinking so that other people won't feel insecure around you. We are
>> all meant to shine, as children do. We are born to make manifest the glory
>> of God that is within us. It's not just in some of us, it's in everyone. And
>> as we let our own light shine, we unconsciously give other people permission
>> to do the same. As we are liberated from our own fear, our presence
>> automatically liberates others." --Nelson Mandela--
>>
>

