cat slave diary

WebAppSec Past and Future

Written by

Andrew van der Stock

in

, ,

All the cool kids get the press for the wrong reasons. It’s much easier to destroy than to create. Therefore, my 2006 and 2007 lists will only highlight those things which I think have helped create safer web apps, not made it harder for us to protect against them.

2006 Highlights

  • IE 7.0 released. Seriously. Prevents many phishing attacks, reduces the damage through low privilege browsing, and stops some forms of XSS (including the recent Adobe PDF problem). Firefox and Apple could learn a few things from Microsoft.
  • Publication of Ajax Security guidelines by many folks (including me)
  • PCI updated their guidelines to encourage vendors to take CC handling seriously, mandating code reviews by 2008
  • Folks who are normally hidden started blogging, such as this PCI DSS blog and this
  • OWASP Testing Guide gets off the ground in a big way. When this is released (soon!), normal folks will have a way to review existing code properly.
  • OWASP Autumn of Code starts, funding approximately nine projects (8 were chosen and we funded another as it is strategic to OWASP’s mission). Many projects are nearly finished! This has been extremely successful and we will be doing it again in 2007
  • Encoding gets a fresh look: OWASP Encoding library and Microsoft’s revamped AntiXSS library which takes the refreshing approach of deny all crap and let through known good.

2007 Projections

It’s going to be a very busy year for vendors in this space, such as my new employer, Aspect Security. With PCI compliance coming through the works, folks writing PHP apps finally grokking that they need code reviews and pen tests, it’s going to be a bumper year.

Things that I think will make a difference or need more research:

  • Protections against malicious XSS. This will almost certainly focus attention on Javascript implementations
  • Better browser protections for users. All browsers need to look at IE 7.0 and think of that as a starting point. You hearing me Firefox and Safari / webkit devs?
  • Research into safe I18N methods and prevention. This is an almost completely green field today, and needs serious researchers
  • Working on safer API for free form protocols such as XML and LDAP which are essentially utterly injectable today
  • Work with the PHP group to get them to make PHP 6 safe by default. They have an excellent opportunity and a huge responsibility to not screw up
  • Open source web app sec training for open source languages such as PHP and Ruby is direly needed. Lots of information out there, but how to publish to this audience? Extremely challenging
  • Projects utilizing the latest fads (Spring, Ruby, Ajax, etc) MUST catch up with the latest in webappsec trends or they WILL fail. It is not enough to adopt the latest and greatest fad and think it’s secure. It’s not.
  • Folks like Gunnar Petersen are getting the secure SOA message out there. This baby’s time was several years ago, but I think in 2007 large organizations will finally start realizing that hooking up web services to 30+ year old Cobol is an insane proposition without a dose of security
  • REST will be put to rest, as it is insecure and cannot made to be so… without looking an awful lot like WS-*. At which point you may as well use WS-* and be done with it. SSL != secure.
  • A lot greater focus will have to be paid to business logic security. Code scanners and app scanners CANNOT find this stuff, and yet it is the raison d’etre for the web apps. Securing business logic requires hard graft, and a great deal of focus in the architecture and business requirements phase. Hopefully, OWASP will be working on secure architecture, business requirements and design resources this year.

However, it’s going to be a annus horribulous for folks who cannot or will not undergo PCI compliance. PCI compliance is mandatory in 2008, and doing brain dead stuff like storing credit card details will mean many smaller CC gateways and providers will have to shut down, leaving only the big providers. This will mean higher processing fees and less competition. However, the reality is that the financial and identity theft losses from non-compliant places outweigh the benefits from letting them live. I’m happy to pay a little extra and know that my details are reasonably safe from unsavory types.

Comments

2 responses to “WebAppSec Past and Future”

  1. Datasecurity Avatar
    Datasecurity

    Thank you for the link and remembering us people who *do* normally remain hidden. My/our goal is to increase the information available to people about PCI to help them through their audit plan and to better understand their risks.

    If you know me please email and say so so I can add your RSS feed to my reader. =)

  2. decula Avatar
    decula

    I just was cruising looking for info on how IE 7.0 users
    at a kids hospital where having the start page changed to a p0rn site and had to leave a comment…

    “All browsers need to look at IE 7.0 and think of that as a starting point.”

    Good thing they don’t have open source code to pick on them about.

    However, the terrified look on the teachers face was PRICELESS!

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts