Archive for May, 2007

Time to start on the Guide 3.0

It’s time to get moving again. The Top 10 2007 is out. So it’s time to look at the raison d’être of OWASP – The OWASP Guide. The OWASP Guide is a compendium of best practices, what not to do (in 2003-2005), how to test for a problem, and occasionally comically bad English. I did 18 hour days for nearly six months back in the day to get it out the door, something that is just not possible these days as I have my insomnia mostly under control.

My view is that we need four smaller books:

1. OWASP Secure Lifecycle Guide for Requirements, Architecture & Design
2. OWASP Guide to Writing Secure Applications
3. OWASP Testing Guide
4. OWASP Code Review Guide

That way, we can farm out the materials that exist in the Guide today to the appropriate books, and make it much more lightweight. Being 300 pages is fine, but honestly, I doubt anyone besides me and the translators have read it in its entirety. I don’t think the average work-a-day developer has the time nor the inclination to read yet another fat book, particularly one that they themselves don’t see as being particularly useful to their primary role: pumping out insecure code, leaving time for instant messages and a few quick rounds of killing fellow cubicle dwellers … in whatever FPS du jour.

Schneier stated recently in one of his famous counterpoints with mjr that he believes the security industry shouldn’t exist and that penetration test reports (paraphrasing) should be read and then shredded. Seriously, if you’re waiting until the pen testers tell you that you have a problem, it’s far too late. Software engineering must make the jump from being a cowboy nation of lazy and uneducated coders to being a repeatable, safe art. That’s why I work in the area I do – fixing the problems before they are problems. Then it’s basic risk management. And folks have been doing risk management for years, well before the current security industry sprang up. There are snake oil sales folks in our industry without a doubt, but there are many skilled and useful folks as well. I hope I am one of the latter.

Back to the Guide… There’s a need for the OWASP Wiki to be in sync with these master works. This is an ongoing problem; I don’t know how to solve it. Writing a book one page at a time is ineffectual and wasteful. Editing a massive tome even more so. Wikis have their place though, even if the Wiki fan boys hype it beyond its actual capabilities. The Wiki way is not the book way. To a Wiki fan boy, this is actually not a problem. But to me, as a lover of narrative and meaning, the dictionary-like slabs of text are like context-less ships passing in the night. There’s no thumbing around there without maybe missing something important. The Wiki is great as a dictionary; terrible as a learning platform. I love puttering around great Wikis like H2G2. Towel Day is May 25. Don’t forget your towel.

No matter which way you slice it, someone has a lot of work to do to translate a book into a useful and helpfully hyperlinked Wiki, and a truly awesome Wiki is nearly impossible to fold back into a book.

Good riddance to bad rubbish

One of the worst self-serving, money grubbing ($200m a year), homophobic, Teletubby hating (seriously!), hypocrites on the planet has died.

Jerry Falwell dead at 73

This venal black heart tried to blame 9/11 on pagans, feminists and the (at least) 50% of the population who happen not to share his particularly hateful religionpolitics. He hid his bigotry behind his “religion”, the last bastion of the weak minded social deadbeats. Voters from the other camp are not the enemy. Falwell forgot that in his desire to grasp power for himself. He coveted others’ happiness and only wished that folks not in his personal “in group” had an awful time. And you know what? He failed.

What would Jesus think? If the New Testament is true as Falwell hopes, he will have a long soak in Hell.

His hate mongering fanaticism will not be missed. My only wish is that the media would stop publicizing his passing. Good riddance to bad rubbish – may he be forgotten quickly and his legacy of divisive hatred healed within a few years of his death.

OWASP Top 10 2007 is done

After a nine month process, starting with a visit to a pho restaurant with Raoul Endres in Melbourne, Australia, and ending with me working in a hotel room in Pennsylvania, USA, the Top 10 2007 is really done. It’s 35 pages packed to the rafters with good advice.

The document will be launched at OWASP EU this week. Look for it on our Wiki shortly in PDF, Word and Wiki format.

Whilst not quite a 1-1 mapping to MITRE data, this is a succinct update to the 2004 work, and I think a very worthy successor. Hopefully, it will not be three years between this release and the next.

Jeff Williams and Dave Wichers (my co-authors) have put in some excellent work on the back end, as well as being a devil’s advocate when it was necessary. Much thanks to Steve Christey of MITRE for his excellent careful line by line reviews, and indeed all our peer reviewers.

Feel free to download it and have a read. I welcome all comments.

Automated detection of CSRF

I’ve been finishing the OWASP Top 10. One of the things I profess I know little about is automated tools. Up until recently, they’ve created more work (false positives, false negatives) than is actually justified in running the tool. However, they are getting better.

After discussions with Jeremiah Grossman of White Hat Security and WASC fame, I was a little surprised to find that none of the tools can detect CSRF vulnerabilities. This is doubly surprising in that of all the attacks, this one is tractable given a flexible enough engine.

The basic game plan is this:

a) Watch an action take place
b) Determine what changed so you can create a signature of the attack
c) Create a pre-canned request from (a) but add in your CSRF locator strings
d) Go.

Now, how to exploit the CSRF? It will need something like an eggshell site of pre-canned CSRF attack payloads. Most CSRF attacks start with an XSS, so the game plan has to be … find an XSS and insert the eggshell in there. This is not hard, it just requires that the victim browser has access to the eggshell site, or that the CSRF attack is small enough to be self contained by the hosting site itself (as in the Samy worm).

However, it is fun to read professionals dismissing the potential of CSRF. This list either shows ignorance about how many apps work, or worse, ignorance of how easily you can submit a form from a GET request, creating a POST request. All it requires is sufficient payload space to include a link to a vulnerable reflected or persistent XSS to start obviating the HTML stream. Once that’s done, CSRF is all but in the can.

Interesting. We need to do more, not less CSRF promotion in our camp. However, on the other hand, our defenses are woeful, so maybe leaving it in a less than well understood state is a good idea. Hard to say. What do you think?
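The detection game plan above, as an added example that is not part of the original post: a passive pass that flags POST forms carrying no hidden, high-entropy anti-CSRF token, and an active pass that replays a recorded request without its token (and with a forged one) against the app to confirm the token is actually enforced. The HTML, `mock_handler` and the token value are constructed stand-ins for the application under test; the entropy and length thresholds are assumed heuristics.

```python
import math
import re
import secrets
from collections import Counter

# Constructed sample page (not from the original post): one guarded form, one unguarded.
SAMPLE_HTML = """
<form action="/account/email" method="post">
  <input type="hidden" name="csrf_token" value="a3f9c0e1b7d24c5e9f0a1b2c3d4e5f60">
  <input name="email"><input type="submit">
</form>
<form action="/account/delete" method="post">
  <input name="confirm" value="yes"><input type="submit">
</form>
"""

FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*method="([^"]+)"[^>]*>(.*?)</form>', re.S | re.I)
INPUT_RE = re.compile(r"<input([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def shannon_entropy(s):
    """Bits per character; a per-session random token scores well above a fixed constant."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def find_forms_without_token(html, min_len=16, min_entropy=3.0):
    """Passive check: action URLs of POST forms with no hidden field that looks like a token."""
    flagged = []
    for action, method, body in FORM_RE.findall(html):
        if method.lower() != "post":
            continue
        has_token = False
        for attrs in INPUT_RE.findall(body):
            a = dict(ATTR_RE.findall(attrs))
            value = a.get("value", "")
            if a.get("type", "").lower() == "hidden" and len(value) >= min_len \
                    and shannon_entropy(value) >= min_entropy:
                has_token = True
        if not has_token:
            flagged.append(action)
    return flagged

def mock_handler(form, session_token="a3f9c0e1b7d24c5e9f0a1b2c3d4e5f60", enforce=True):
    """Constructed stand-in for the app: True if the state change was applied."""
    if enforce and not secrets.compare_digest(form.get("csrf_token", ""), session_token):
        return False
    return True

def token_is_enforced(handler, recorded_form):
    """Active check: replay the recorded request stripped of its token and with a forged one."""
    stripped = {k: v for k, v in recorded_form.items() if k != "csrf_token"}
    forged = dict(recorded_form, csrf_token=secrets.token_hex(16))
    return not handler(stripped) and not handler(forged)
```

Only the active pass settles the question: a token that is rendered but never checked server-side passes the passive scan and fails `token_is_enforced`.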
