I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me.)
Defenses change the world. Defenses make software more secure – permanently, and not just for the week or two until the latest sexy attack is patched. But defenses aren’t sexy and don’t get invites to all the cool conferences, so there are no prizes beyond a grateful planet.
Yet.
I’m not very surprised to see that attacks are getting all the pretty girls and invites to sexy parties.
Researching attacks as a priority MUST stop. It’s wasting incredible talent. We KNOW that input validation and output encoding are the answer to nearly all the attacks in this year’s Top 2010 attacks (seriously – go look). Input validation and output encoding are unfortunately not sexy. They’re hard work.
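As an added example, not from the original post or from any OWASP project it refers to, here is what that pair of defences looks like in code: an allow-list validator for a field with a known shape, the vulnerable string-concatenation render beside its hardened form, and the same untrusted value encoded for three different output contexts (HTML body, URL-in-attribute, JavaScript string). The function names and the hostile sample input are constructed for the illustration.

```python
"""Added example (not code from the original post): allow-list input
validation plus context-aware output encoding. Names and inputs are
constructed for illustration."""
import html
import re
import urllib.parse

# Constructed hostile input of the kind a reflected-XSS probe would send.
HOSTILE = '<script>alert(1)</script>'

# Allow-list validation: a username is 3-32 chars drawn from [A-Za-z0-9_].
USERNAME_RE = re.compile(r'[A-Za-z0-9_]{3,32}')


def validate_username(value: str) -> bool:
    """Positive validation: accept only the known-good shape, reject the rest."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """The classic bug: attacker-controlled text is concatenated into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-body context: escape & < > " ' before the value lands in markup.
    Validation alone is not enough here; a legitimate name like O'Brien
    still needs encoding, so validate AND encode."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link_safe(next_path: str) -> str:
    """URL inside an HTML attribute: percent-encode for the URL context,
    then attribute-encode the result for the HTML context it sits in."""
    encoded = urllib.parse.quote(next_path, safe="/")
    return '<a href="/login?next=' + html.escape(encoded, quote=True) + '">back</a>'


def render_js_string_safe(value: str) -> str:
    """JavaScript string-literal context: \\uXXXX-encode everything that is
    not ASCII alphanumeric, so quotes, '</script>' and line breaks cannot
    terminate the literal. Astral code points become surrogate pairs."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:
            cp -= 0x10000
            out.append('\\u%04x\\u%04x' % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append('\\u%04x' % cp)
    return '<script>var name = "' + ''.join(out) + '";</script>'


if __name__ == "__main__":
    print("validate:", validate_username(HOSTILE))
    print("vulnerable:", render_greeting_vulnerable(HOSTILE))
    print("html body:", render_greeting_safe(HOSTILE))
    print("url attr:", render_link_safe('/home"><script>'))
    print("js string:", render_js_string_safe('";alert(1)//'))
```

The point the three `render_*_safe` functions make is that "output encoding" is not one routine: the right escaping depends on where the value is being written, and the URL-in-attribute case needs two encodings applied in order.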
Building is far, far, far harder than breaking. If you have elite security researcher skills, you should show your stuff by putting your research time and resources into making the planet safer for everyone. Not everyone can do it. Building a solid defense is at least two to three orders of magnitude harder than finding a new form of XSS or a defect in some poor Gawker PHP script. Just one novel concept can take thousands of hours of hard graft. You still need to know how to break – a defense is useless unless you’ve tested it. But on top of that, you need to know how to code and know HTML/JavaScript backwards. Building defenses takes a lot of effort and in my view is why we have so few serious defence researchers.
Nominations
As I’m starting so late, let’s be sensible and allow all of 2010 to pass first. Nominations can be sent in until Australia Day (January 26, 2011). I’ll put up a vote for folks to say which is their favorite. The winner of our eternal gratitude will be announced on Valentine’s Day.
Please e-mail me – vanderaj (a.t.) owasp.org with your nominations. I’ll update this post continuously until the cut off date.
I’d like to start with:
- Josh Zlatin’s mod_security rulesets, which make it easy to block known back doors and viruses in file uploads, enforce password strength and brute force protection, mitigate session hijacking, and make broad inroads into CSRF protection even if your app is coded by Elbonia’s finest developers.
I know it’s heresy in some ivory tower circles that I nominated WAF modules written by a colleague, but honestly, we need defense in depth measures until coders and frameworks make WAFs somewhat obsolete.
Please send ’em in.