I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me)
Defenses change the world. Defenses make software more secure – permanently, and not just for the week or two until the latest sexy attack is patched. But defenses aren’t sexy and don’t get invites to all the cool conferences, so there’s no prizes beyond a grateful planet.
I’m not very surprised to see that attacks are getting all the pretty girls and invites to sexy parties.
Researching attacks as a priority MUST stop. It’s wasting incredible talent. We KNOW that input validation and output encoding is the answer to nearly all the attacks in this year’s Top 2010 attacks (seriously – go look). Input validation and output encoding is unfortunately not sexy. It’s hard work.
As I’m starting so late, let’s make it serious to allowing all of 2010 to pass. Nominations can be sent in until Australia Day (January 26, 2011). I’ll put up a vote for folks to say which is their favorite. The winner of our eternal gratitude will be announced on Valentine’s Day.
Please e-mail me – vanderaj (a.t.) owasp.org with your nominations. I’ll update this post continuously until the cut off date.
I’d like to start with:
- Josh Zlatin’s mod_security rulesets that makes it easy to block known back doors and viruses in file uploads, password strength and brute force protection, eliminate session hijacking, and make broad inroads to CSRF protection even if your app is coded by Elbonia’s finest developers.
I know it’s heresy in some ivory tower circles that I nominated WAF modules written by a colleague, but honestly, we need defense in depth measures until coders and frameworks make WAFs somewhat obsolete.
Please send ’em in.