OWASP AU Conference 2009 Presentations
Revision as of 02:52, 11 January 2009
Presentations
The following presentation abstracts are provided to understand the details of the presentations. This year OWASP will be video recording the event again and all videos will be kept online and available through the OWASP wiki.
Christian Heinrich
TCP Input Text & Download Indexed Cache
To be provided.
Andrew Vanderstock
The future (and past) of web application security: how to detect and protect against value attacks.
2008 was a bumper year for value attacks. Criminals are finally getting over the sophomoric desire to 0wn large numbers of hosts, turning their attention to getting a lot of money instead. This is bad if you have stuff the criminals want.
Unfortunately, web application scanners (source and dynamic) cannot easily (if at all) detect or scan for this entire class of attack - you need to do the hard work.
In this presentation, you'll learn how to:
- Figure out where the value in your application is
- Identify weaknesses in your processes by identifying all the paths to your assets
- Protect your application against value and process attacks by careful and minor changes to your design
- Identify if folks are trying to do "interesting" things using ESAPI's intrusion detector classes
With some luck, there might even be a demo!
Andrew van der Stock is a leading web application researcher active in the builder web application community. Andrew has recently returned from a two-year stint working in the USA.
Andrew is the project lead and lead author for the following OWASP projects:
- OWASP Developer Guide 3.0
- OWASP Top 10 2009
- ESAPI for PHP port
He is looking for contributors to all of the above projects. He helped start the Melbourne and Sydney OWASP chapters. Previously, Andrew was Executive Director of OWASP from 2005 to 2007.
He is the moderator of webappsec@securityfocus.com, and has contributed the web application section of the SANS Top 20 since 2005. He helped set the SANS GSSP Secure Programmer (Java) certification, and thus is deemed to hold this certification as he literally knows all the answers (he peeked).
In previous lives, he has assisted with the following open source projects:
* UltimaBB, forum software - fork of XMB
* XMB, forum software
* SAGE-AU - President of SAGE-AU in 2000-2001, General Committee member 1999-2000, and a long time member
* pnm2ppa - HP print drivers for Unix and work-alike systems
* XFree86 - device drivers for Matrox Millennium I/II/Mystique (mid 90's vintage stuff)
In his now copious spare time, Andrew continues to run AussieVeeDubbers, one of Australia's largest car forums, and one of the world's largest VW car forums.
Ranjita Shankar Iyer
A Prescriptive approach to Secure SDLC
The old adage goes “Prevention is better than cure”. Similarly, many security vulnerabilities can be easily prevented if security is taken into consideration at the beginning of the development process. As application security professionals, we’ve seen that uncovering serious vulnerabilities in production-ready applications, and the subsequent attempts to repair them, significantly increase costs to the enterprise and delay project timelines. Moreover, despite the immense amount of literature on application vulnerabilities, we find that developers are still unaware or have only very limited knowledge of common threats and secure coding practices. This often leads to commonly cited flaws such as the following:
- Implementation of client-side controls only, which are easily bypassed
- Incorrect implementation of regular expressions to block XSS and SQL injection attacks
- Including too much sensitive business logic in applications that utilize FLEX and other RIA technologies
- Insecure use of APIs and frameworks such as Struts and Spring
There are a number of commercial secure coding tools that help developers incorporate security controls upfront during the development and build process, but commercial products tend to be expensive and are not practical to provide to every developer. Commercial products are also a black box to developers and enterprise security teams, where it’s unclear how vulnerabilities were identified.
Leveraging our expertise in the field, we have developed an extensive data grid that maps standard security requirements (grouped into categories such as User Authentication, Input Validation, Session Management, etc.) to sample implementation snippets in popular frameworks such as .Net, Java Struts and FLEX. This data grid draws on work already compiled by open source communities such as OWASP, which has a variety of tools and resources to help developers understand and resolve security issues. Furthermore, the major frameworks mentioned above also often provide a large set of security APIs at the developer’s disposal. Leveraging these existing APIs lessens the burden of implementing security correctly, and our data grid references these APIs where appropriate.
However, experience has shown us that such resources alone are not effective in preventing security code flaws. Therefore we are launching an open-source, extensible, secure coding analysis tool that delivers information from the data grid to developers as they are writing code in their favorite IDEs. The plug-in tool takes a prescriptive approach and prompts the developer with useful information and repair techniques using existing security APIs within major frameworks and open-source resources, such as ESAPI. The tool has an innovative extensible design, whereby modules can be easily extended to incorporate any framework and any vulnerability. Deliberate design decisions have been made to accommodate future frameworks, and the customizable vulnerability identification engine can also be tailored to accommodate specific business risks and regulatory policy requirements.
Speaker Bios
1) Ranjita Shankar Iyer CISSP, GSEC
Application Security Architect - Morgan Stanley
Ranjita is an application security specialist with over 8 years of experience developing and securing business-critical applications. She is currently a Security Architect at Morgan Stanley and assesses complex applications across the firm to ensure that they are employing appropriate security controls to protect highly confidential client and employee data. Prior to this, she was at EY at the Advanced Security Center performing attack and penetration tests for Fortune 100 financial services clients. She is well versed in the many challenges that organizations face with regard to introducing security into the software development lifecycle.
2) Kai Huang CISSP, GSEC
Application Security Specialist - Ernst & Young
Kai is part of the E&Y Global Information Security group, and is responsible for reviewing and advising on security matters for a wide range of applications and information systems consumed by E&Y. Prior to GIS, Kai was a member of the E&Y Advanced Security Center, performing web application, internet and intranet tests for EY's Fortune 500 clients. Kai's primary areas of interest are web application security and VOIP research and tool development. Prior to E&Y, Kai worked at CIGNA as a CIRT member.