Thursday, June 12, 2008

The OWASP Top 10

Yesterday Houston OWASP meeting with presentation by J Sawyer, Developer Evangelist of Microsoft, was very informative.

J went through the 10 top vulnerabilities for developers. Each of them he showed with explanation, examples, and mitigation - admittedly, all mitigation was focused on .NET. I was quite impressed and noted some aspects where IIS 7 is integrated with ASP.NET, so that default security settings are enforced. For example, for unauthorized file access.

J promised the slides on his blog. I also asked David Nester, the Houston OWASP president, about the same top 10 but mitigating in other technologies, such as PHP or Java.

Here is an interesting thing. The top 1 most used vulnerability, cross-site scripting, received least of all mitigation coverage. It is the hardest to protect against also. There is a XSS secure library from MS, and that is the approach that Jeremiah Grossman advocates too - secure libraries.

The added bonus came in the form of questions and answers. I asked J, what should an outside consulting company like ours do to help with security effort:
  1. Learn and implement latest security protection techniques;
  2. Educate software developers in companies;
  3. Educate management?
He said, all of the above. Then J added the bonus advice: start from the threat assessment. This will show that you are serious and will create a good foundation. In fact, this in itself is quite a value proposition. I noted the word "threat" which sounds so much better than "vulnerabilities". That is because "threat" is to you, and somebody else is to blame. But vulnerabilities, alas, leave the vulnerable party responsible.

The meeting took place at the MS Campus. Here is the view from the window.


David Nester said...
This comment has been removed by the author.
David Nester said...

Great post, Mark! One note on XSS and mitigation techniques. J presented two very good solutions for XSS and dealing with the very popular attack type; however, I would also include two additional strategies for XSS protection are strong input validation and HTMLEncode(ing) of the data being presented from the application.

Food for thought.