Application Security
11/21/2013 01:06 PM
Jeff Williams
Commentary

Application Security: We Still Have A Long Way To Go

The past decade shows only trivial progress in improving web app security, according to new vulnerability guidelines in the OWASP Top Ten 2013.

Application security problems are not only the most common type of vulnerability, they also lead to the majority of breaches. In 2003, I wrote the first Top Ten Application Security Risks for the Open Web Application Security Project (OWASP). Our goal at the time was to raise awareness and improve software security through the establishment of free and open industry standards.

In case you are wondering, OWASP is an open-source community made up of software developers from corporations, educational organizations, and other interested individuals from around the world.

The first Top Ten was based primarily on our members' experience; we didn't have much data to support our choices back then. Today there is serious analysis behind the standard. The OWASP Top Ten 2013 draws on data from eight leading security firms specializing in application testing and verification, covering over half a million vulnerabilities across hundreds of organizations and thousands of applications.

The Top Ten items are selected and prioritized according to their prevalence in that data and consensus estimates of exploitability, detectability, and impact. The list has been translated into dozens of languages, and most application security tools map their findings to it. There are three major updates this year:

  • Using Known Vulnerable Components. Modern applications frequently pull in hundreds of libraries, and all of that code runs with the full privilege of the application, so a vulnerability in a library is as devastating as one in your own code. A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations showed that 26 percent of those downloads contained known vulnerabilities. The new OWASP Top Ten has suggestions for finding and eliminating these problems.

  • Missing Function Level Access Control. When developers build web interfaces, they restrict which users can see various links, buttons, forms, and pages. They usually get this right because it is very visible. Unfortunately, hiding a link is not an access control: the server-side function the link invokes can still be called directly by anyone who knows or guesses its URL. Developers often forget that the business logic that actually performs each function must check authorization itself. The new OWASP Top Ten expands this category and provides helpful guidance.

  • Sensitive Data Exposure. The importance of encrypting both web traffic and sensitive data in storage cannot be overstated. This new Top Ten item merges the 2010 edition's Insecure Cryptographic Storage and Insufficient Transport Layer Protection entries, and is intended to focus development teams on a unified strategy: identify sensitive data and protect it wherever it goes. You can refer to the new OWASP Top Ten for guidance on storing credentials safely, encrypting backups, caching, autocomplete, and other often overlooked topics.
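As an added illustration of the first item (this is example code, not part of the article or of any OWASP project), here is a minimal sensor for known vulnerable components: it reads a requirements-style manifest, compares each pinned version numerically against an advisory's affected range, and reports the hits. The manifest, the package names and the advisory identifiers (EXAMPLE-2013-000x) are all constructed for this example; a real sensor would load advisories from a feed such as the NVD or the OWASP Dependency-Check database.

```python
"""Added example: a minimal sensor for OWASP 2013 A9, "Using Known
Vulnerable Components". Manifest and advisories are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed manifest, one "name==version" pin per line.
MANIFEST = """\
# web tier
webframework==2.3.1
templating==1.0.4
# data access
ormlib==0.9.7
jsonparse==3.2.0
"""

# Constructed advisories: (package, first affected, first fixed, id).
# A "first fixed" of None means no fixed release is known yet.
ADVISORIES = [
    ("webframework", "2.0.0", "2.3.2", "EXAMPLE-2013-0001"),
    ("ormlib", "0.0.0", "1.0.0", "EXAMPLE-2013-0002"),
    ("jsonparse", "3.3.0", None, "EXAMPLE-2013-0003"),
]

_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Tuples compare numerically, so 2.10.0 > 2.9.0;
    comparing the strings would get that wrong."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pins; refuse unpinned lines, since a version
    you cannot name is a version you cannot check."""
    pins = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pins.append((m.group(1).lower(), m.group(2)))
    return pins


def is_affected(version: str, first_affected: str, first_fixed: Optional[str]) -> bool:
    """True when first_affected <= version < first_fixed (open-ended if no fix)."""
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    return first_fixed is None or v < parse_version(first_fixed)


def scan(manifest: str, advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every vulnerable pin."""
    hits = []
    for name, version in parse_manifest(manifest):
        for pkg, lo, fixed, adv_id in advisories:
            if pkg == name and is_affected(version, lo, fixed):
                hits.append((name, version, adv_id))
    return hits


if __name__ == "__main__":
    for name, version, adv in scan(MANIFEST, ADVISORIES):
        print(f"{name}=={version} is affected by {adv}")
```

Run as a unit test in CI and the build fails the moment a pinned library falls inside a published range; that is the "sensor" the article asks for.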
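To make the second item concrete, here is an added example (not code from the article, from OWASP, or from any real application) of a toy admin function in Python. The UI hides the "Delete user" link from non-admins, which is exactly the part developers get right; the vulnerable handler then trusts that and does no check of its own, while the hardened handler enforces the role inside the business function. A small registry check at the end is the kind of development-time sensor the article recommends: it reports any exposed function that never declared a required role. Users, roles and account data are constructed.

```python
"""Added example: OWASP 2013 A7, Missing Function Level Access Control.
Vulnerable and hardened versions of one business function, plus a sensor
that flags exposed functions with no declared role. All data constructed."""
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    roles: frozenset


# Constructed sample users and accounts.
USERS = {"alice": User("alice", frozenset({"admin"})),
         "bob": User("bob", frozenset({"user"}))}
ACCOUNTS = {"bob": "active", "carol": "active"}


class Forbidden(Exception):
    pass


def render_menu(caller: User) -> list:
    """UI layer: hides the delete link from non-admins. Visible, usually
    right, and not a security control."""
    items = ["Profile"]
    if "admin" in caller.roles:
        items.append("Delete user")
    return items


# --- Vulnerable: the business function trusts the UI ----------------------
def delete_user_vulnerable(caller: User, target: str, accounts: dict) -> str:
    # No authorization check: anyone who learns the endpoint can call it.
    accounts.pop(target)
    return f"{target} deleted by {caller.name}"


# --- Hardened: authorization enforced where the work is done --------------
PROTECTED = {}   # registry: exposed function name -> required role


def requires_role(role: str):
    """Declare the role a business function needs and enforce it on every
    call, regardless of what the UI showed the caller."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(caller: User, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{caller.name} lacks role {role!r} for {fn.__name__}")
            return fn(caller, *args, **kwargs)
        PROTECTED[fn.__name__] = role
        return wrapper
    return decorate


@requires_role("admin")
def delete_user(caller: User, target: str, accounts: dict) -> str:
    accounts.pop(target)
    return f"{target} deleted by {caller.name}"


@requires_role("user")
def view_profile(caller: User, accounts: dict) -> str:
    return accounts.get(caller.name, "unknown")


def unprotected_functions(exposed: dict) -> list:
    """Sensor: given the name -> callable map a router exposes, report every
    function that never declared a required role."""
    return sorted(name for name in exposed if name not in PROTECTED)


def demo() -> dict:
    bob, alice = USERS["bob"], USERS["alice"]
    out = {"menu_for_bob": render_menu(bob)}
    # Vulnerable: bob never sees the link, but the function still works for him.
    out["vulnerable"] = delete_user_vulnerable(bob, "carol", dict(ACCOUNTS))
    # Hardened: the same call is refused.
    try:
        delete_user(bob, "carol", dict(ACCOUNTS))
        out["hardened"] = "allowed"
    except Forbidden:
        out["hardened"] = "forbidden"
    out["admin"] = delete_user(alice, "carol", dict(ACCOUNTS))
    # A router exposing a function with no declared role is flagged.
    out["gaps"] = unprotected_functions({"delete_user": delete_user,
                                         "view_profile": view_profile,
                                         "export_report": lambda caller: None})
    return out


if __name__ == "__main__":
    print(demo())
```

The decorator is deliberately the only way a function gets into PROTECTED, so "every exposed function has an access check" becomes a one-line assertion in the test suite rather than a code review hope.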
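For the third item, storing credentials safely is the case that comes up most often, so here is an added example (not from the article or from OWASP) of doing it with only the Python standard library. Passwords are never stored or reversibly encrypted; each is hashed with a per-user random salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256) and verified with a constant-time comparison. The record format, the iteration count and the test users are assumptions of this example.

```python
"""Added example: safe credential storage (OWASP 2013 A6, Sensitive Data
Exposure). Record format and iteration count are this example's choices."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for this example; tune to your hardware


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.
    A fresh 16-byte salt per user defeats precomputed (rainbow) tables and
    makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than current policy,
    so it can be upgraded at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("Tr0ub4dor&3", rec), needs_rehash(rec))
```

Because the iteration count travels with the record, the policy can be raised later without invalidating existing logins; old records are simply rehashed the next time their owner authenticates.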

Important work is still ahead
Over the last 10 years, the OWASP Top Ten has been used by millions of people, referenced by the Federal Trade Commission, and the OWASP Foundation has grown immensely. We’re very proud of our efforts to date, but we still have a long way to go.

Initially, our principal goal was to raise the floor every few years, but we haven't been able to do that: the results in improving application security have, in my view, been essentially trivial. In the decade between the 2003 and 2013 editions, we haven't stamped out even one category of application security problem. SQL Injection, for example, was first described publicly in 1998 and is still a huge problem; it accounted for 83 percent of breaches over the last 15 years and resulted in the compromise of hundreds of millions of people's credit card numbers, financial information, and healthcare information.

One reason for these disappointing results is that the OWASP Top Ten is only an awareness document, just one tiny first step toward cultivating a culture that generates application security. To be sure, there is no better first step for raising IT industry awareness of the application security issues that drive security managers to focus on cost-effective defense strategies.

To that end, I encourage you to pick just one of the Top Ten, create sensors in your development and test organizations, and establish a real-time dashboard across your application portfolio. Then expand your program to cover other risks. There is no "right" way to create an application security program, so don’t measure yourself against what others are doing.

If you know a developer, take a second and send them a copy of the OWASP Top Ten. It’s time to eliminate simple vulnerabilities like Cross-Site Scripting and SQL Injection forever.

Now it’s your turn. What are the application security problems that are keeping you up at night? Let’s chat about them in the comments and brainstorm ways we can make faster progress in improving application security.

 

Comments
planetlevel (User Rank: Author), 12/9/2013 12:58:09 PM
Re: App security tools ?
@danielcawrey At least as far as security is concerned, I believe that the lack of management support is a direct result of the lack of visibility into security.  Management gets a very unclear and spotty view of security across their application portfolio -- even on projects where security is a priority.  Developers can improve this visibility dramatically by writing test cases and other simple tools that demonstrate the security of their code.  For example, write a tool that shows all of your HTTP headers are set properly.  Or that every controller has the proper access control checks.  You'll find problems earlier and create the visibility that allows management to support you better!

--Jeff
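The comment above suggests writing a test that shows all of an application's HTTP headers are set properly. Here is an added example of such a test in Python (it is not Jeff Williams's code, and the header policy it enforces is this example's own, not one the page cites). It runs over two constructed responses rather than a live server; in practice you would feed it the headers captured from each deployed endpoint and fail the build on any finding.

```python
"""Added example: a response-header sensor of the kind the comment above
describes. The two responses and the policy thresholds are constructed."""
import re
from typing import Dict, List

# Constructed responses as (name, value) pairs, since Set-Cookie may
# legitimately appear more than once in one response.
GOOD_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
BAD_RESPONSE = [
    ("X-Frame-Options", "ALLOWALL"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ("Server", "WebApp/1.0 (build 4711)"),
]

MIN_HSTS_AGE = 180 * 24 * 3600   # six months; this example's policy


def check_headers(headers: List[tuple]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name: str):
        vals = by_name.get(name.lower())
        return vals[0] if vals else None

    hsts = first("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below six months")

    xfo = first("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")

    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")

    if first("Content-Security-Policy") is None:
        findings.append("missing Content-Security-Policy")

    # Every cookie, not just the first, must carry Secure and HttpOnly.
    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")

    server = first("Server")
    if server and re.search(r"\d", server):
        findings.append("Server header leaks a version string")
    return findings


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_headers(resp) or "passes")
```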
Marilyn Cohodas (User Rank: Strategist), 12/9/2013 12:14:33 PM
Re: Re : Application Security: We Still Have A Long Way To Go
Gr8 advice, Jeff. Thanks. Here's the link to the OWASP DependencyCheck for anyone interested. This is also a good venue -- while you've got Jeff's ear -- to let him know how you like it and what other resources you'd like to see in the OWASP libraries and frameworks.
planetlevel (User Rank: Author), 12/9/2013 11:57:57 AM
Re: Re : Application Security: We Still Have A Long Way To Go
@SachinEE -- Probably the first and best thing to do is to make sure you're using the latest version of your libraries and frameworks. At least the ones with known vulnerabilities. There are a few commercial tools, but the OWASP DependencyCheck is a great way to start. Long term, we are going to need a lot more help finding, selecting, integrating, maintaining, updating, and generally managing our libraries and frameworks.

--Jeff
planetlevel (User Rank: Author), 12/9/2013 11:54:07 AM
Re: App security tools ?
Hi irakov,

You're right that developers are often put into the very difficult position of being blamed for security problems without the proper process/tools/time/etc... to actually make that happen.  I gave a talk recently "Application Security at DevOps Speed and Portfolio Scale" that presents a new approach to this dilemma.  I'll be writing more about this, but I'd love to hear your thoughts.  youtube.com/watch?v=cIvOth0fxmI

--Jeff
SachinEE (User Rank: Apprentice), 11/27/2013 1:09:29 AM
Re : Application Security: We Still Have A Long Way To Go
It is quite understandable that when developers have to leverage their app with other sources like libraries which are not under their control, they are dealing with danger. What could possibly be done about it? Should they be selective about giving access to libraries, considering the potential vulnerabilities which come with them? Or can they actually do something about those vulnerabilities?
SachinEE (User Rank: Apprentice), 11/27/2013 1:09:24 AM
Re : Application Security: We Still Have A Long Way To Go
@danielcawrey, I strongly agree with you on this. It is a problem developers have always been complaining about: that they are not given sufficient time to do their job thoroughly and their own way. When you are running tightly against time, you are sure to miss out on some minor things, which in the case of application development don't prove to be such minor vulnerabilities.
Chuck Brooks (User Rank: Apprentice), 11/26/2013 1:01:52 PM
applications security
Beyond encryption, new technologies/processes (keyless authentication) for secure applications are being developed. I believe that will be the future of data integrity.
J_Brandt (User Rank: Apprentice), 11/24/2013 4:54:35 PM
Re: OWASP A9 & Components
Time is not given for appropriate security testing because security still doesn't rate high enough in enough people's minds.  That has to change.
marktroester (User Rank: Apprentice), 11/22/2013 2:33:02 PM
OWASP A9 & Components
Thanks for the article, Jeff, and your presentations at AppSecUSA! It's great to see that OWASP has recognized the prevalence of components in today's applications. Sonatype has done research that indicates that the average application consists of 80% or more open source components. While using components like web frameworks, logging utilities, database access routines, etc., speeds development, if organizations don't manage the use of components, they can put the organization at risk.

We published a whitepaper that addresses the A9 requirement and application components -

http://www.sonatype.com/resources/whitepapers

There is also a PCI related whitepaper as well.

Thanks,
Mark Troester, Sonatype (@mtroester)
Marilyn Cohodas (User Rank: Strategist), 11/22/2013 8:08:55 AM
Re: App security tools ? & deadlines and security priorities
I've heard that complaint from developers many times, danielcawrey. What do you think management should know about the software development process that would lead to better application security? 