OWASP Periodic Table of Vulnerabilities James Landis
[email protected]
The AppSec Profession
~1980-????
Project Goal GOAL
Existing ‘Taxonomies’
OWASP Top Ten (2013)
• Focuses on just the riskiest issue categories • Measures DREAD attributes • Recommends high-level solutions, and secure libraries like ESAPI
• Attempts to enumerate, but not classify, all web WASC Threat application attacks and weaknesses Classification • Includes a view (Development Phase View) which (v2) shows SDLC mapping • Officially avoids recommending solutions SANS Common • Focuses on riskiest issues (just more of them) Weakness • Measures DREAD attributes Enumeration • Recommends solutions, categorized by SDL phase (CWE-25)
Failed Approaches
• Developer Training • “Enumerating Badness”, “Penetrate and Patch” (h/t Marcus Ranum) – Some vulnerability classes, automated tests – Yes! – Other classes (e.g. Logic flaws), manual tests – No!
• Firewalls • Root cause analysis (XSS == SQLi, XSS != SQLi) • Everything else we’ve been doing
Solutions?
• Accepting Reality – HTTP not stateless – People might try to hurt us
• Platform Security Continuum Vulnerable by Default
Secure by Design
• Make it impossible to make mistakes • Economies of Scale
Divide and Conquer
Browsers and Standards Perimeter and Platform
Generic Frameworks Custom Frameworks Custom Code
User agents, plugins, HTTP protocol, SSL/TLS, Content Security Policy (CSP), Same Origin Policy (SOP), IETF RFC, etc. Application proxies, content distribution networks (CDNs), application firewalls, web servers, database servers, application servers, operating systems, etc. Web application runtime environments Development platforms unique to individual businesses/verticals Business logic unique to each application
Economies of Scale
Browsers and Standards
WebDev Mistakes
Code Changes
Perimeter and Platform
Generic Frameworks Custom Frameworks Custom Code
Impact
Scope
• Avoid reproducing existing documentation – Describe just enough of the solution to show how it’s distributed between targets – References, references, references!
• Minimize original research – Most solutions enforce old ideas in frameworks – Browser/standards require some new thought
• Mobile, thick client vulnerabilities excluded
Metaphor
Results!
OWASP'Periodic'Table'of'Vulnerabilities Perimeter'and'Platform
Generic'Framework
Custom'Framework
Legend
Browsers'and' Standards'@ ' Session' Management
Browsers'and' Standards'@ ' Content' Management
Custom'Code
Selected Examples
Perimeter Browser Generic Custom Vulnerability /Infrastructur Custom Code /Standards Framework Framework e Clickjacking
Browser vendor standardization on safe framing
CSRF
Change default for cross-domain writes
Improper Input Handling
Abuse of Functionality
Automatically set X-Frame-Options header
Configurable XFO policy
Automatic nonce checking, configurable Provide APIs for Provide APIs for positive positive validation validation of of custom types common types
Never use primitives
Define abuse cases for all features
Case Study - XSS
• Decouple presentation and data – easy with AJAX, not with Web 1.0 • What if content IS markup? • Secure framework might have steep learning curve / difficult adoption path • Browser sandboxing • CSP, Caja, IFRAME seamless/sandbox
Developer Training
BEFORE
XSS SQLi
CSRF HTTPRS Clickjacking Application DDoS Improper Input Handling Redirector Abuse Logical Flaws Remote File Include OS Commanding XML External Entities
AFTER Logical Flaws Function Abuse Input Validation Secure Framework
Drawbacks and Benefits
• DOESN’T help us with legacy/current applications • DOES help drive remediation planning / gap analysis in existing applications • DOES focus remediation toward areas with greatest force multiplier (e.g. Top Ten Defenses) • DOES allow objective evaluation of firewalls and frameworks
Q&A