Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money have been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be a far poorer place.

But…. the problem starts when he goes through attribution for the OWASP Top 10, starting around the 17 minute mark. Dave says “Jeff Williams and I basically wrote it” (17:10 onwards), and had various people in OWASP review it such as Dinis Cruz and myself. This is exactly what happened for the 2004 version. But the way it was said implies that the OWASP Top 10 2007 was Dave and Jeff’s and I reviewed that too. I’m sure Dave didn’t mean to miss out on appropriate attributions (he’s a straight up and down sort of guy), but just in case anyone thinks like I did when listening to the podcast, I’d like to set the story straight:

The OWASP Top 10 2004 was Jeff and Dave’s. Absolutely agree with this. I’m pretty sure I reviewed it as I was working on the Developer Guide 2.0 at the time.

The OWASP Top 2010 is primarily Jeff and Dave’s efforts. No problems. I gave up leadership in the project sometime in 2008 when I had to concentrate on personal matters. At that time, I had no draft or made any effort to update the text. Dave’s effort to restart the project didn’t start until after I’d left Aspect. After the draft PPTX was complete, I reviewed drafts of the release candidates, along with about another 30 or so folks.

The OWASP Top 10 2007 is primarily mine in methodology (strict adherence to MITRE statistics in 2006), research and development, authorship, editing and leadership. For example, I sat down with Raoul Endres in a pho restaurant in a wintery day Melbourne, Australia well before I moved to the USA and worked out the methodology. I delivered a draft to about 30 folks in early January of 2007. Jeff Williams and Dave re-wrote and included a few items that I disagreed with (effectively two crypto sections that were not representative in the statistics), and dropped important issues that I felt strongly about. You don’t win them all, but I would have loved for these findings to have made it.

Some of the sections I wrote up in the draft that missed out in the final version:

• A7 – Malformed input (dropped – a bad call in my opinion as nearly all flaws are due to insufficient input validation and output encoding)
• A8 – Broken authorization (dropped – a bad call in my opinion, as most of the easily discovered business logic flaws are authorization related)
• A9 – Insecure cryptography and communications (became A8 – A9 in the final version)
• A10 – Privilege escalation (dropped – a bad call in my opinion, as attackers try to do this all the time)

You can see an early draft here. DO NOT USE THIS VERSION – IT’S NOT OFFICIAL!

I strongly disagreed with the dropping of RFI as it’s one of the biggest reasons that PHP sites are taken over, and PHP is by far the most prevalent server platform. RFI belongs in the OWASP Top 10 probably as the #1 item in the Security Configuration section. There are still millions of sites with this particular flaw.

Call me hypersensitive to the way Dave phrased just one sentence in 45 minutes, but I want folks to realize that I didn’t dedicate many nights and weekends to the OWASP Top 10 2007 to have that taken away from me in glossing over of efforts. I also want to make sure that folks understand that I consider Jeff and Dave friends and utterly respect their long time efforts with OWASP.

* Full disclosure – I worked for Aspect Security between December 2006 and January 2009. Dave and Jeff are founders of Aspect Security and thus my employer during the latter stages of Top 10 2007 gestation. I had a great time at Aspect, worked with amazing customers on cool projects, and have very fond memories of the USA.

I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week.

We have open slots in our schedule for secure code reviews starting from mid March 2011.

We perform our code reviews against the OWASP Application Security Verification Standard

• Level 2B – Automated Review using Fortify 360 coupled with a manual verification of 83 items (Architecture, Authentication, Authorization, Session Management, Data Protection, Cryptography, etc)
• Level 3 – Includes all of the above, but 110 inspection points. The sweet spot of our reviews in my personal opinion.
• Level 4 – Includes all of the above, plus manual inspection for trojans, backdoors, etc.

These reviews help folks wishing to comply with PCI DSS or PCI PA DSS, or just wish to know that their websites are safe and secure.

If you’d like to discuss things further, please e-mail avanderstock (at) purehacking.com.

A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses.

Epic fail.

Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting out a fire that costs a million bucks to put right than to be the materials engineer who designs cheap fireproof cladding. I’m burying the hatchet as I burnt a fair bit of goodwill in my original announcement, which not my intention at all. We still need folks to break stuff and disprove snake oil, so there’s a place for the dark side whether I agree with the focus on the dark side or not.

Just two nominations made Andrew sad despite the worthiness of the submissions.

1. Rob Lewis nominated Trustifier http://trustifier.com/ryu/features.html
2. I nominated Josh Zlatin, a colleague for the work he has done on PureWAF, extensions for the OWASP Core Rule Set + Mod Security. You can see the results of PureWAF on Pure Hacking’s website, which is behind our WAF in the cloud service. That’s not an invitation to attack us, just sayin’

Please discuss or vote in the comments section for who you think should get the non-existant gong.

The Sorta Inaugural 2011 Pure Hacking Top Web App Sec Defenses Competition

There’s a couple of changes. Pure Hacking will be sponsoring the competition in 2011. There will be categories, such as Life Time Achievement, Best Security Architecture, Best Left Field Idea, Best Secure Business Idea, Best Quick and Dirty Defense, Best Educator, and of course Best Defense. I will detail more about the categories as time goes on. I will be getting inappropriate statuettes made with engraving and everything. If you feel like you can donate something to boost the booty, contact me.

As for nominations, I will keep a running tally of awesomeness from my RSS feeds and other sources. You can nominate your favorite folks and defenses by e-mailing me – vanderaj ( at ) owasp.org. Come December 1, 2011, I’ll put them up for voting at which time I will disclose the prizes.

So far -

1. OWASP’s XSS roundtable at the OWASP Summit in Portugal is a worthy nominee. Let’s stamp out XSS.

2. I think Gunnar Peterson should get a Lifetime Prize just for being Gunnar. If more of us thought like Gunnar, the world would be a safer place and folks would be making a LOT more money than they do today.

Please keep this competition in mind throughout 2011.

For those of you who have to review unusual platforms, here are my notes for reviewing apps coded in Apex and Visual Force. As I learn more, I might add some additional entries, but I’ve been so constrained with time for so long, don’t hold your breath.

Terminology and Basics

Force.com is Sales Force’s SAAS API for ISVs and customers to write custom CRM apps atop the Sales Force platform. To provide some serious platform lock in, they use a new strongly typed language called Apex. Apex is sort of Java based. Java programmers will be somewhat familiar with its capabilities, but it has some surprising differences. As a reviewer, there’s nothing really head hurty when reading the code, but it’s important to realize it’s not grandpa’s Java you’re looking at.

Some things you’ll come across:

Meta data. You’ll see code with associated XML files. This XML data has a lot of stuff going on that describes it and allows Force.com to correctly handle it, particularly static resources. You can’t just ignore meta data – you need to inspect it.

Visual Force is a MVC based framework. It appears to act like a tag library with the <apex:… prefix, used inside files with a .page extension. These mimic the traditional type 1 JSP model. I think most of you will be familiar with this model and will not have too many difficulties in reviewing it. However, there are some asynchronous AJAX helpers (timers, future events, etc) that you will need to be aware of, particularly in relation to race conditions.

Objects. Sales Force have defined an object interface over their CRM data model. This has some interesting gotchyas, in particular, queries across these objects is called SOQL, and is pretty much a semi-injection proof sub-dialect of SQL 99. There will be an entire blog post for those issues primarily as there’s several ways code can be written to be unsafe.

Triggers. Triggers are executed after users undertake actions within the public site / sand box application. I need to learn more about them before I write about them, but they are the start of the flow of execution after the user does things within the application. If you have custom classes, they are generally called by triggers.

Bulk importer and Batch Apex. ETL support. I need to learn more about this functionality before I comment.

Flash and Flex support. Just in case some of the options weren’t scary enough, you can implement your presentation and business logic in a client side language. Sweet. I will not document Flash / Flex support as a) I hate Flash and have it disabled b) I have yet to see such code in action and I hate slamming or praising things I’ve not used. c) I don’t have any Flash or Flex tools to build test cases, so it’s going to be hard to nail this one down. Feel free to steal my thunder here if you so desire.

Web Services. These are traditional SOAP web services. Instead of using WS-Security, Sales Force have implemented their own session manager. Probably a good idea since no one besides Gunnar Petersen understands WS-Security. However, we all know that web services can be a mine field, so I will experiment with them and see how things work in a much later article.

Ajax. The Ajax API is one of the newest, and allows Javascript to make pretty much any call to the web services back end that a traditional SOAP web service can. Without WS-Security. Awesome. I’ll be looking into this issue a bit later as I learn more.

Some things they did right

Please don’t take my tone for disparagement, for it is not. There are some cool things Sales Force did right:

• Everything is escaped by default. You have to add code or an attribute to get this wrong.
• CSRF protection in every form. You have to do the wrong thing to be CSRFable.
• The easiest way to do SOQL is sorta magically injection proof. There are injectable ways, but again, you have to work at it.
• Many defaults chosen by Sales Force are good – SSL by default. Yay. SAML by default for SSO. Yay. GET and POST only. Yay. UTF-8 only. Yay. UCS-2 only. Yay. Illegally encoded Unicode characters are replaced. Yay. Content Type is safe unless you do the wrong thing. Yay.
• Sending cookies or headers are escaped. I’m not sure they’re properly escaped yet, but they are escaped.
• There are encoders for not just HTML and URL, but for JavaScript and others. Yay
• To promote code into production out the sand pit requires at least 75% test coverage. O.M.G. YAY! Tests are also not counted towards billing. There’s exactly zero reasons not to test your code.

This is but a part of the overall list of goodness. But that doesn’t help you figure out how to secure code review things yet.

The trouble for secure code reviews is several fold:

• There are no static code review tools to review Apex code. This is a serious deficiency that will only get worse if others try to emulate Sales Force’s success in crafting an entirely new language and API for their SAAS offerings.
• The security documentation is relatively sparse, and only gives hints as to how to shoot yourself with XSS, CSRF, SOQL, fine grained access control and other issues. This series is an effort to break through that and provide more documentation.
• There is a tight coupling between the code in your IDE and the sand box / public site. If you break this nexus, you do not have configuration data. With Sales Force’s “No code” logo, they hide some code and configuration from you. So expect to ask for the login and hope it’s not production.
• Sales Force have given a lot of thought to security, and many common Java issues are “fixed” or safe by default. But as Apex is a serious systems language, it allows you to shoot yourself in the foot. I don’t know yet as to the extent of it, but I will find out with some luck.

If you’re from Sales Force, please don’t worry. I’m not about to give away 0days – I am not a weak minded moron who delights in creating grief with no solutions. This series will be primarily about how to review Force.com code, followed by advice on recommendations for “fixing” it. Which is most likely to be “Do it how Force.com told you to do it in the manuals”.