[Owasp-singapore] Over half of all apps have security holes - Dodgy development practices blamed

Deepak Subramanian subudeepak at yahoo.com
Tue Sep 28 06:22:28 EDT 2010


Coming back to the original question of secure development. This is a very big 
problem that has been there for some time, as all here know.

Almost all of OWASP is dedicated to helping in scenarios like these. I would like 
to share some things I have with you.

First and foremost, let me talk about a project I truly believe in. This is 
called the OWASP Enterprise Security API. I am currently handling the project 
development for the Objective-C platform. The aim of ESAPI is this:
ESAPI (The OWASP Enterprise Security API) is a free, open source, web 
application security control library that makes it easier for programmers to 
write lower-risk applications. The ESAPI libraries are designed to make it 
easier for programmers to retrofit security into existing applications. The 
ESAPI libraries also serve as a solid foundation for new development.
Allowing for language-specific differences, all OWASP ESAPI versions have the 
same basic design:
	* There is a set of security control interfaces. They define, for example, the types 
of parameters that are passed to types of security controls.
	* There is a reference implementation for each security control. The logic is 
not organization-specific and the logic is not application-specific. An example: 
string-based input validation.
	* There are optionally your own implementations for each security 
control. There may be application logic contained in these classes which may be 
developed by or for your organization. An example: enterprise authentication. 

You can find the link here: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Currently ESAPI Java is the most updated version. The .NET and PHP versions are 
also out there and usable immediately. 

Objective-C is relatively new and still trying to catch up :) 

Any help that can be provided in development towards this project is 
appreciated. Feel free to contact me for any details necessary.

Best Regards,
Deepak Subramanian
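The three-layer design described in the message above (a security control interface, a reference implementation with no organization-specific logic, and an organization's own implementation layered on top) is illustrated below with a string-based input validator. This is an added example written for this thread, not code from ESAPI or from any of its language ports; the `Validator` interface, the rule names and the "ExampleCorp" employee-ID format are all assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical illustration of the ESAPI layering: (1) a security control
// interface, (2) a reference implementation whose logic is neither organization-
// nor application-specific, (3) an organization's own implementation on top.
// None of this is ESAPI's actual code.
public class ValidatorLayers {

    /** Thrown when input does not match the allow-list rule for its type. */
    public static class ValidationException extends Exception {
        public ValidationException(String msg) { super(msg); }
    }

    // Layer 1: the security control interface. It fixes the parameter types
    // (a context label for logging, the raw input, a named rule, a length cap).
    public interface Validator {
        String getValidInput(String context, String input, String type, int maxLength)
                throws ValidationException;
    }

    // Layer 2: reference implementation. Allow-list regexes only; nothing here
    // knows about any particular company or application.
    public static class ReferenceValidator implements Validator {
        protected final Map<String, Pattern> rules;

        public ReferenceValidator(Map<String, Pattern> rules) {
            this.rules = new HashMap<>(rules); // private copy so callers cannot mutate it
        }

        @Override
        public String getValidInput(String context, String input, String type, int maxLength)
                throws ValidationException {
            if (input == null) {
                throw new ValidationException(context + ": input is null");
            }
            if (input.length() > maxLength) {
                throw new ValidationException(context + ": exceeds " + maxLength + " chars");
            }
            Pattern p = rules.get(type);
            if (p == null) {
                // Fail closed: an unknown rule name is a configuration bug, not a pass.
                throw new ValidationException(context + ": no rule named '" + type + "'");
            }
            if (!p.matcher(input).matches()) {
                throw new ValidationException(context + ": does not match rule '" + type + "'");
            }
            return input;
        }
    }

    // Layer 3: organization-specific implementation (hypothetical "ExampleCorp").
    // It reuses the reference logic unchanged and adds one rule that only makes
    // sense inside this company: an employee ID of the form "EMP-" plus six digits.
    public static class ExampleCorpValidator extends ReferenceValidator {
        public ExampleCorpValidator(Map<String, Pattern> baseRules) {
            super(baseRules);
            rules.put("EmployeeID", Pattern.compile("^EMP-[0-9]{6}$"));
        }
    }

    // Generic rules a reference implementation might ship with (constructed here).
    static final Map<String, Pattern> BASE_RULES = Map.of(
            "SafeString", Pattern.compile("^[A-Za-z0-9 .,_-]*$"),
            "Email", Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$")
    );

    static void check(Validator v, String context, String input, String type) {
        try {
            System.out.println(context + " -> accepted: " + v.getValidInput(context, input, type, 64));
        } catch (ValidationException e) {
            System.out.println(context + " -> rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        Validator generic = new ReferenceValidator(BASE_RULES);
        Validator corp = new ExampleCorpValidator(BASE_RULES);

        // Constructed sample inputs.
        check(generic, "comment", "Looks good, thanks.", "SafeString");       // accepted
        check(generic, "comment", "<b>bold</b> text", "SafeString");          // rejected: '<' and '>' not allowed
        check(generic, "badge", "EMP-123456", "EmployeeID");                  // rejected: no such rule in the reference layer
        check(corp, "badge", "EMP-123456", "EmployeeID");                     // accepted
        check(corp, "badge", "EMP-12345", "EmployeeID");                      // rejected: wrong length
    }
}
```

The point of the split is the one the message makes: the reference layer is reusable across every deployment because it contains no business rules, while the organization's layer is where enterprise-specific knowledge (here, an ID format) lives, without touching the interface that application code is written against.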

From: Wong Onn Chee <ocwong at usa.net>
To: Daniel.Tong at Asia.ING.com; "Claudio, Scarabello," 
<claudio.scarabello at sg.verizonbusiness.com>
Cc: security-77 at meetup.com; "Singapore, OWASP" <owasp-singapore at lists.owasp.org>
Sent: Tue, September 28, 2010 7:45:01 AM
Subject: Re: [Owasp-singapore] Over half of all apps have security holes - Dodgy 
development practices blamed

Thanks, Daniel.

Should we then create an online catalog of insecure websites, with findings 
contributed by the public and community?
Sort of a Stomp-like site, but focused on insecure websites.

Onn Chee

-----Original Message-----
From: Daniel.Tong at Asia.ING.com
Sent: Monday, 27 September 2010 6:58 PM
To: ocwong at usa.net; claudio.scarabello at sg.verizonbusiness.com
Cc: security-77 at meetup.com; owasp-singapore at lists.owasp.org
Subject: Re: [Owasp-singapore] Over half of all apps have security holes - Dodgy 
development practices blamed

The only people to benefit from law suits are the lawyers. 
Trust me they do not need another source of income.

I would agree that awareness and education are key. For consumers and businesses 
it's one of choice. That is, when people realise they are at 'risk', they will take 
their business elsewhere.

What needs to be demonstrated is that good security = trust = $.


----- Original Message -----
From: owasp-singapore-bounces at lists.owasp.org 
<owasp-singapore-bounces at lists.owasp.org>
To: Scarabello, Claudio <claudio.scarabello at sg.verizonbusiness.com>
Cc: security-77 at meetup.com <security-77 at meetup.com>; OWASP Singapore 
<owasp-singapore at lists.owasp.org>
Sent: Mon Sep 27 18:17:46 2010
Subject: Re: [Owasp-singapore] Over half of all apps have security holes - Dodgy 
development practices blamed

Hi Claudio,

Good insight.

Should we update consumers that they have the right to sue a website
owner if the website is insecure and infects their visitors?
This way, the business folks will stop ignoring the value of appsec.
When their pockets are hurt, the business folks will move.

Perhaps we should run an awareness campaign to educate and inform
consumers about their rights.
I believe such a campaign benefits all infosec pros.
What do you think?

Onn Chee

On 09/27/2010 11:32 AM, Scarabello, Claudio wrote:
> The way I see it, poor development practices, training and/or education
> are merely symptomatic of a root cause related to business owners who do
> not establish incentives/metrics for developers to build secure apps in
> the first place. And that's because business owners do not set aside
> budget for security reviews/ secure development. Why would they? Risk
> responsibility is not well established in the dev phases: they can deal
> with it later. And, adding SDLC (for example) early on would only slow
> down/hinder the project plans.
> Regards, Claudio Scarabello
> -----Original Message-----
> From: owasp-singapore-bounces at lists.owasp.org
> [mailto:owasp-singapore-bounces at lists.owasp.org] On Behalf Of Wong Onn
> Chee
> Sent: Saturday, September 25, 2010 1:27 AM
> To: OWASP Singapore; security-77 at meetup.com
> Subject: [Owasp-singapore] Over half of all apps have security holes -
> Dodgy development practices blamed
>  http://www.theregister.co.uk/2010/09/23/web_app_security_audit/
> Some interesting questions for us to think about:
> - How were developers taught dodgy development practices?
> - Is something broken in how we teach developers?
> - If it is true that our developers are not taught in the right way,
> should we focus our efforts on the schools where developers are trained,
> instead of relying on OJT to learn about secure web app development?
> What do you think?
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org


