Sunday 1 April 2012

OWASP Web Defence Presentation

I went to the OWASP London meeting last Thursday where I watched the excellent Jim Manico give a presentation on the state of the art in web defences (presentation available here).

The talk was largely focused on the most common web app vulnerabilities and how to defend against them. If I were to over-simplify the message of the presentation, I would say that it focused on training developers and giving them libraries to help mitigate the threats.

Whilst I agreed with everything that was said, and I fundamentally believe that training developers is an essential part of any SDLC, I would have liked to see the main emphasis be on developing frameworks that either virtually eliminate the vulnerability or allow for ease of auditing that developers are doing the right thing.

I actually had a chat with Jim in the pub after the presentation and asked him about the focus of his talk; it turns out we pretty much agree that web defences need to be part of a framework (and he was clearly better informed than I am about the state of the art in that department). His talk, it seems, was focused on the practical things that can be done today.

If I were going to give a similar presentation, I think I would feel the need to focus on where we need to get to. To my mind, vulnerabilities of all types, in any piece of software, are basically impossible to eliminate via training. This does not make training useless; training is still necessary, I just don't think it's sufficient.

We need to make our web applications secure by design, secure by default and security auditable. The first two principles are commonly understood; the last is something I don't see people talking about, and I think it is the direction we need to move in. Any framework will have the ability to bypass the default and do something insecure, and that's fine, as that kind of flexibility is usually essential. What we need is the ability to easily find deviations from security best practice and focus our review efforts on those areas. Unless we can identify the weak links in our security chain, we will never be able to get the kind of security assurance we want.
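As an added illustration of "secure by default" plus "security auditable" (example code written for this post, not from Jim's talk or from any framework it mentions; `render_fragment`, `SafeHtml`, `mark_safe`, `find_escape_hatches` and the sample application source are all constructed here): output is HTML-encoded unless the caller explicitly opts out through one named function, and a small AST-based audit lists every opt-out so that review effort can be concentrated on exactly those deviations.

```python
"""Secure-by-default output encoding with an auditable escape hatch.

Added example for this post (hypothetical helper names). The secure default
is automatic HTML escaping; the only bypass is mark_safe()/SafeHtml, which
is deliberately easy to find in source so reviewers can focus on it.
"""
import ast
import html


class SafeHtml(str):
    """Marker type: the author asserts this string is already safe HTML.
    Constructing one is the *only* way to bypass the default escaping."""


def mark_safe(value: str) -> SafeHtml:
    """The explicit, greppable bypass. Every call site is a review target."""
    return SafeHtml(value)


def render_fragment(template: str, **values: object) -> str:
    """Substitute values into template, HTML-escaping everything that is not
    explicitly marked safe. Template placeholders are {name}."""
    encoded = {}
    for name, value in values.items():
        if isinstance(value, SafeHtml):
            encoded[name] = str(value)          # caller vouched for this
        else:
            encoded[name] = html.escape(str(value), quote=True)
    # Values are substituted after encoding, so braces inside a value are
    # never re-interpreted as placeholders.
    return template.format(**encoded)


def find_escape_hatches(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Audit helper: locate every mark_safe(...) / SafeHtml(...) call in Python
    source and return (line number, call text), sorted by line, so review
    effort can be focused on the deviations from the secure default."""
    tree = ast.parse(source, filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            # Handles both bare calls (mark_safe(x)) and attribute calls
            # (utils.mark_safe(x)).
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in ("mark_safe", "SafeHtml"):
                hits.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits)


# Constructed sample application source to audit (not real project code).
SAMPLE_APP_SOURCE = '''
def profile(user):
    # secure default: user-controlled name is escaped automatically
    return render_fragment("<h1>{name}</h1>", name=user["name"])

def sidebar(widget_html):
    # explicit deviation: caller vouches that widget_html is trusted
    return render_fragment("<aside>{w}</aside>", w=mark_safe(widget_html))
'''


if __name__ == "__main__":
    untrusted = "<script>alert(1)</script>"
    print(render_fragment("<h1>{name}</h1>", name=untrusted))
    print(render_fragment("<aside>{w}</aside>", w=mark_safe("<b>ok</b>")))
    for lineno, text in find_escape_hatches(SAMPLE_APP_SOURCE):
        print(f"review: line {lineno}: {text}")
```

The design point is that the bypass is a single, named function rather than a convention (such as "remember to call escape()"): the default path needs no developer decision, and the audit reduces the review surface to the handful of places where someone chose to opt out.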
