Thursday, September 22, 2011

Thinking in Security after OWASP AppSec USA 2011

Just came back from Minneapolis after two days of application security training where we went through several tools that can be used to find out vulnerabilities in Web Applications.

OWASP-WTE is a Ubuntu distribution packaging several open source utilities used to perform what is called Penetration Testing (PenTest). The training focused on basic concepts about HTTP specification that any security tester should know, it presented the most common attacks and the available tools and manual procedures the tester is supposed to master.

Here are some reflections that I have come up with after these two days.

In my current project I have gone through the top ten application security risks I have used skipfish and websecurity and I have documented at least one of my experiences using this product to PenTest Liferay. We have done the same for our BHUB based application however in terms of automated tools it is never enough. What a tool can find others will miss and vice versa.

Dealing with false positives is really annoying but in a world where the number of threats only increases we have no other option than going through this practice in a regular basis.

If you are hosting a web application go through the OWASP Testing Guide. Web apps should be prepared to live in the wild and that is as important as hardening the OS.

Perhaps the most forgotten point related to security is monitoring. Trying your best with dozens of tools and manual hacking attempts is a must do however that is not enough. Controls must be put in place and your server logs are full of useful information you should analyze looking for patterns, eliminating false positives and hopefully automating blocking when a threat is identified.

The PenTest individual is someone that must be willing to script, to be a hacker, a programmer, a human being who knows there is a big responsibility on the job s(he) does. S(he) might be saving the company from failure after all.

The skills for such a person go beyond being a tech savvy. Discipline and persistence are a must have.

Any additional effort you can put in protecting your web application will be worth it but application security is just the tip of the Iceberg because ultimately it will always rely on some credentials for a user to gain access to certain resources and the credentials can be obtained even in applications for which an exploit has not yet been spotted.

Social engineering is one example, take just the real life example of an employee from a security related company who dared to transmit a password via email. Ultimately your company is as secure as the most careless of the company employees.

Phishing is another good example. Look here and here for a couple of posts I have made in the past related to twitter hacking attempts.

I have left Minneapolis convinced that like in any other aspect of our mortal life there is no silver bullet. For sure there is none when you try to implement security.

No comments: