Friday, July 31, 2009

OWASP ModSecurity CoreRule Set (CRS) v2.0.0 Released

(posted by Ryan C. Barnett)

Greetings everyone,

We have some big news/changes with regards to the Core Rule Set (CRS). Please follow the information here to make sure that you understand the changes moving forward.


1) New Home for CRS
The Core Rule Set is now an official OWASP Project! Here is the new project site -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.


This is the new home of the CRS. The main goal of moving the CRS to OWASP is to better facilitate documentation and development of the rules. As you know, the OWASP pages are wiki-based, so you all can go in there and help to document them :) I will add some example template pages soon to help get the ball rolling; however, my thinking is that we should emulate what the Snort Sigs DB used to do and document the goal of each group of rules, what they are looking for, how they are looking for it, and any false positive/exception fixes, etc.


Here is the new Download link page -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download


2) Changes to the CRS
The latest version of the CRS is v2.0.0 and there are significant changes. The most important ones are related to running in an anomaly scoring mode, which allows the rules to collaborate on an overall anomaly score. This will allow users to set appropriate thresholds for their sites for logging/blocking. There are too many other changes to mention directly here, so please review the CHANGELOG file -
http://voxel.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/CHANGELOG


3) Rule Update Tracking for the CRS
While the new OWASP project site will mainly be used for documentation purposes, all CRS rule issues will be tracked by using our Jira app - https://www.modsecurity.org/tracker/. We want to track all bugs, false positives and false negatives (if there are any bypass/evasion issues that you find), etc.


We are very excited about this new momentum for the CRS and we look forward to a more collaborative exchange with the community!


--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/
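The anomaly scoring mode mentioned in the announcement, as an added illustration that is not CRS code: every rule that matches adds its severity score to a per-request total, and it is the total, not any single match, that is compared against separately configurable logging and blocking thresholds. The rule ids, patterns, scores and thresholds below are all constructed for this example and are not the values shipped in the CRS.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set: ids (EX-*), patterns and scores are illustrative
# only, not the rules or severities shipped in the CRS.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    score: int
    message: str

RULES = [
    Rule("EX-001", re.compile(r"(?i)\bunion\b.*\bselect\b"), 5, "SQL keyword sequence"),
    Rule("EX-002", re.compile(r"(?i)'\s*(or|and)\s*'?\d"), 3, "Quoted boolean tautology"),
    Rule("EX-003", re.compile(r"(?i)<script\b"), 5, "Script tag in input"),
    Rule("EX-004", re.compile(r"\.\./"), 3, "Directory traversal sequence"),
    Rule("EX-005", re.compile(r"(?i)\b(select|insert|delete)\b"), 2, "Isolated SQL keyword"),
]

# Constructed site thresholds: a total at or above the value triggers the action.
LOG_THRESHOLD = 3
BLOCK_THRESHOLD = 5

@dataclass
class Verdict:
    total: int = 0
    matched: list = field(default_factory=list)  # (param, rule id, message)
    action: str = "allow"                         # allow | log | block

def score_request(params: dict) -> Verdict:
    """Run every rule over every parameter value, sum the scores of the
    rules that fired, then map the total onto the site's thresholds."""
    verdict = Verdict()
    for name, value in params.items():
        for rule in RULES:
            if rule.pattern.search(value):
                verdict.total += rule.score
                verdict.matched.append((name, rule.rule_id, rule.message))
    if verdict.total >= BLOCK_THRESHOLD:
        verdict.action = "block"
    elif verdict.total >= LOG_THRESHOLD:
        verdict.action = "log"
    return verdict

if __name__ == "__main__":
    # Constructed requests. A lone weak indicator ("select" in ordinary
    # prose) stays below the log threshold; several weak indicators in
    # one request accumulate past the block threshold.
    samples = {
        "prose":     {"q": "select a book about gardens"},
        "traversal": {"file": "../notes.txt"},
        "combined":  {"q": "select a book", "file": "../notes.txt"},
        "stacked":   {"id": "1 union select 2"},
    }
    for label, params in samples.items():
        v = score_request(params)
        print(f"{label:10s} total={v.total} action={v.action} rules={[m[1] for m in v.matched]}")
```

Lowering LOG_THRESHOLD while keeping BLOCK_THRESHOLD high is the usual way to observe what a site's traffic scores before turning on blocking.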

Friday, July 24, 2009

AppSec Research 2010 Challenge

July's OWASP AppSec Research 2010 Challenge is posted. Let your chapter members know they can win a conference ticket by solving the first ever(?) OWASP crossword puzzle!

http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#AppSec_Research_Challenge_2:_OWASP_Crossword_Puzzle

Tuesday, July 21, 2009

How to start an OWASP Project

(posted by Matt Tesauro)

Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community.

Here are some of the guidelines for running a successful OWASP project:

  • The best OWASP projects are strategic - they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support.
  • You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.
  • You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.
  • You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!
Check out http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project#Creating_a_new_project for more information!

Saturday, July 18, 2009

OWASP AppSec USA 2009 Conference

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec DC 2009 conference in Washington, DC.

The conference will take place at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th of 2009. There will be training courses on November 10th and 11th followed by plenary sessions on the 12th and 13th with each day having three tracks.

Registration is now open!

Current pricing reflects an "Early Bird" discount of $50 off the at-the-door price of $395.

OWASP membership ($50 annual membership fee) gets you a discount of $50.

$345 General Public
$295 OWASP Members
$195 Student

For the student discount, attendees must present proof of enrollment when picking up their badge.

AppSec DC 2009 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).

Tuesday, July 14, 2009

OWASP 2009 Q3 Update

I would like to provide a 2009 Q3 update about the OWASP Foundation on a couple of high-level items.


#0 - OWASP @ Blackhat 2009 - If you will be making the trip to #Blackhat (that's Twitter speak), be sure to join us for the OWASP breakout briefing about Critical Infrastructures on July 29 at 16:45 in the Genoa room; this is the OFFICIAL meet-up.


#1 - OWASP EU Poland videos are now online (thanks Seba), and people can quickly get to them by going to http://www.owasp.tv or http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland (see OWASP blip videos). Share any of them with your teams = free SDLC training.


#2 - OWASP board meetings have been happening every month for some time now. One of the most common questions I get personally is "what happened at the last meeting..." Well, it's not a secret ivory tower, actually - we keep agendas and results of each monthly meeting, ensuring that the OWASP ethics and principles are being adhered to. So you can find this information, for both historic and future meetings, online; see: http://www.owasp.org/index.php/OWASP_Board_Meetings - should you have a topic that you feel is critical for the OWASP Foundation, we request that you communicate first with the appropriate Global Committee, as the purpose of these groups is to be a VOICE for each region in the world and then focus on a defined mission with a team of energy-filled persons; see:

http://www.owasp.org/index.php/Global_Committee_Pages - note that each committee is led by a board member as well.


Questions about money, tax returns, etc. are all answered online as well; see: http://www.owasp.org/index.php/OWASP_Foundation (managed by Alison). What other professional technology group do you belong to that is this transparent?


#3 - Global Committees bring out another point - if you would like to help OWASP continue to grow and have some cycles for selfless volunteerism, or simply a suggestion based on your experiences, join the mailing list and/or contact the Global Committee: http://www.owasp.org/index.php/Global_Committee_Pages. The best way to change the world is to start with your local chapter, then your region, then globally.


#4 - OWASP Podcasts http://www.owasp.org/index.php/OWASP_Podcast - got questions, comments or feedback for Jim Manico and team, who have been working very hard to bring you interviews with AppSec folks globally? Let them know: send an email to podcast@owasp.org with your comments and your favorite episode and why.


#5 - OWASP Projects have been updated. Have a review of the existing ones as well as the detailed how-to on new projects; see:

http://www.owasp.org/index.php/Category:OWASP_Project


#6 - HELP WANTED - The OWASP Job Board has lots of active postings from firms looking for the best in the industry. If you are looking for employment, or if it is time to change gears and accelerate your career, visit http://www.owasp.org/index.php/OWASP_Jobs to have a look around.


#7 - OWASP Conferences -

http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference - the USA, DC OWASP event is going to be a BIG event; plan now to attend it and lock in your hotels and travel early. If you would like to host a conference in 2010, be sure to contact Kate Hartmann with your proposal for consideration for 2010.


#8 - OWASP GRANTS/SoC - want to work on an OWASP project? Want to sponsor an OWASP project? Take the time to review the following:

http://www.owasp.org/index.php/OWASP_Season_of_Code_2009

There is so much energy and passion within the OWASP Foundation. Thank you for being a member of our mailing lists, and thank you if you are an Individual Member (a $50.00 annual donation) or an Organization Supporter (a $5000.00 annual donation). Accredited University Supporters are FREE, so talk to your University if they are not on the list already.


http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members


THANK YOU FOR YOUR SUPPORT, WHICH ALLOWS US TO CONTINUE ON THE MISSION "to make application security visible, so that people and organizations can make informed decisions about true application security risks".


Tom Brennan

Volunteer Board Member

OWASP Foundation

Direct: 973-202-0122

http://www.linkedin.com/in/tombrennan

Sunday, July 12, 2009

Guía de pruebas OWASP v3

(posted by Juan Carlos)

Finally, after extensive editing work, I am proud to announce that the OWASP Testing Guide v3.0 in Spanish is ready for public release; go to the guide main page to download it.

http://www.owasp.org/index.php/Category:OWASP_Testing_Project


This has been a huge effort from the OWASP-Spanish team, and I really appreciate all the time and enthusiasm of all of the participants who translated this 372-page document.

Congratulations Team!!!

OWASP Leaders, please help us to spread the word in all Spanish-speaking chapters. This document is key for helping the community secure applications, and now in Spanish we should be able to reach a wider audience.

Cheers,
Juan Carlos

Tuesday, July 7, 2009

OWASP and the Nominet Best Practice Challenge 2009

Authored by Colin Watson.

In March, OWASP London submitted an entry to the Nominet Best Practice Challenge 2009, on behalf of The Open Web Application Security Project, in the Best Security Initiative Award category.

Nominet maintains the .uk internet name space and is a not-for-profit company with 3,000 members, managing about 8 million domain names. Nominet works with the UK government and liaises with ICANN and other domain name registry organisations. They are supporting the UK's input to the worldwide Internet Governance Forum (IGF), which is a forum mandated by the UN Secretary General to discuss policy issues, critical resources and the imposition of internet governance, to promote availability throughout the world and to facilitate the exchange of information and best practices. Nominet, the UK government, key parliamentarians and other organisations formed the UK Internet Governance Forum.

For the last 3 years, Nominet has organised the Best Practice Challenge to recognise organisations, groups and individuals who have embraced the challenge of making the Internet a secure, open, accessible and diverse experience for all. The four IGF themes of security, access, diversity and openness were reflected in the six award categories:
  • Best development project award
  • Best security initiative award
  • Raising industry standards award
  • Personal safety online award
  • Internet for all award
  • Open Internet award
In 2008, OWASP was shortlisted for the same award. The judges, chaired by the Rt Hon Alun Michael MP, praised OWASP's democratic and international structure and the way it helped to raise awareness, but said that it would be good to see how we progressed. OWASP London discussed the idea again in early 2009 and decided to enter for the 2009 round. We thought it would raise further awareness about OWASP since winners are promoted as examples of best practice on the Internet, to industry, government and academia in the UK. Most importantly though, the winners are showcased at the next IGF meeting, in Egypt in November, to a worldwide audience. That visibility is what we were hoping for.

Our entry proposed the whole of OWASP for the award, although we did try to highlight contributions to OWASP, its projects and other activities by UK participants, and the presence of two other chapters in the UK - Leeds and Scotland. We especially mentioned the great work done by everyone in the Summer of Code 08, improved project management, the new tools and guides recently published, the availability of at-cost books and translations, the summit in Portugal and the work of the new committees. We also highlighted some of the outreach work to government organisations. The people who helped put the entry together were Justin Clarke, Colin Watson, Yiannis Pavlosoglou, Kate Hartmann, Paulo Coimbra, Dinis Cruz and Wayne Huang. Dinis suggested we send some books as well - so we printed some from Lulu and sent them separately with the suggestion of passing the viral books "on to your own web application developers or a local university, college or school" after the awards. Justin Clarke, London Chapter Leader, submitted our entry at the end of March.

In June we heard that we had been shortlisted and were invited to the awards dinner at the early 17th century Banqueting House in Whitehall, London. Short-listed entries in all categories showed some innovative work being undertaken across the UK in security, access, diversity and openness. OWASP did not win - the Yorkshire Business Crime Reduction Centre (BCRC) won the Best Security Initiative Award. The BCRC is supported by South Yorkshire Police and the Regional Development Agency, and undertakes e-commerce and physical security assessments for small and medium-sized enterprises (SMEs) in the area. Their recent E-Crime Guide is a very useful introduction to the issues.

Congratulations to all the winners. The entry has, at least, raised OWASP's profile with decision-makers in the UK.


Saturday, July 4, 2009

OWASP Security Spending Benchmarks Project Report for Q2 Published

The OWASP Security Spending Benchmarks Project Report for Q2 was published on June 30, 2009.

This project measures security spending in the development process. This quarter we focused on cloud computing. We were trying to measure how much use companies are making of cloud computing, how this affects spending, and how they are dealing with related legal and business issues.

We are lucky to have some great security folks volunteering their time on this OWASP project - Jeremiah Grossman, Rich Mogull, Dan Cornell, Bob West, and others have all provided valuable feedback and support. We were also very fortunate to have organizations like the Open Group and the Computer Security Institute (CSI) join our project over the last quarter. They join organizations such as eema, Teletrust and companies such as nCircle, Cenzic, Fortify and others that have been actively contributing to this effort. A full list of partners can be found on the project website.

Cloud computing gets some people's eyes rolling because it sounds like a marketing gimmick or meaningless term. But whatever you want to call it, infrastructure, platforms, and software are resources that are increasingly being outsourced or externally hosted. This has enormous security implications because it undermines the traditional notions of ownership and management that security has been based on in the past.

Here are the key findings in the OWASP Security Spending Benchmarks Q2 report:

THE OWASP SSB Q2 SURVEY RESULTS:

1. Software-as-a-Service is in much greater use than Infrastructure-as-a-Service or Platform-as-a-Service. Over half of respondents make moderate or significant use of SaaS. Less than a quarter of all respondents make any use of either IaaS or PaaS.

2. Security spending does not change significantly as a result of cloud computing. Respondents did not report significant spending changes in the areas of network security, third party security reviews, security personnel, or identity management.

3. Organizations are not doing their homework when it comes to cloud security. When engaging a cloud partner, only half of organizations inquire about common security-related issues, and only a third require documentation of security measures in place.

4. The risk of an undetected data breach is the greatest concern with using cloud computing, closely followed by the risk of a public data breach.

5. Compliance and standards requirements related to cloud computing are not well understood. Respondents report having the greatest understanding of PCI requirements relating to cloud computing and the least understanding of HIPAA cloud requirements.

SURPRISES AND NON-SURPRISES IN OUR SURVEY RESULTS...

1) The fact that SaaS is reported as the most prevalent of all cloud models is not surprising at all. Leveraging Platform-as-a-Service requires a level of expertise and sophistication many companies still do not have. And Infrastructure-as-a-Service has been dogged by performance issues and has yet to really supply an appropriate ROI model.

2) It is more perplexing that organizations do not report significant spending changes as a result of cloud computing. On the face of it, one would expect that cloud computing would result in lower expenses in a number of security areas, particularly network security. The fact that this has yet to occur may mean that organizations have been slow to adapt security budgets as a result of their cloud activities. Over time, both budgets and the role of security management will be increasingly focused on managing and auditing cloud relationships. Which brings us to number 3...

3) It is also somewhat surprising that organizations are not doing their homework when it comes to cloud computing. The survey found that only a third of organizations ask for the security policies of cloud partners. With all the talk of cloud security dangers, you would expect there to be heightened awareness and that companies would take the time to look into cloud partners' security narratives. That this has not been happening indicates that companies see cloud computing in the same vein as other outsourcing arrangements - the actual under-the-hood operations or security are not that important as long as the issues are contractually addressed. This approach may be more a result of necessity than choice, since for a small company with significant operations in the cloud it is hard to see how they could make any significant assessment of their cloud partner's security posture.

4) Data breaches are and will always remain the main fear factor driving the security industry. While compliance has always been a bit fuzzy (especially when it comes to non-technical regulations, where there is a lot of wiggle room), the same cannot be said of a breach. You have either been breached or you haven't, which probably accounts for the greater concern survey respondents reported. It is interesting however that despite this very high level of concern with data breaches, organizations are still doing very little to vet cloud partners. Most organizations seem to have come to the conclusion that although there are many data security dangers related to cloud computing, there is not much they can do to mitigate this risk.

5) Compliance is the issue that is really raining on the entire cloud computing parade. While PCI has fairly detailed supporting documentation to guide companies, other standards and regulations are much more vague so it is easy to see why people are confused. Regulators are still struggling to understand Web 1.0, so I do not expect we will be seeing much concrete guidance in this area in the near future.

MOVING FORWARD...

I gave a whole bunch of caveats the last time we published our survey results about why web surveys need to be taken with a healthy grain of salt. This still holds true for our cloud computing survey, and probably even more so because no one seems to agree on what cloud computing is. But even so there are some important take-aways from the data we collected.

The most significant warning sign in the survey results in my opinion is that companies are moving to the cloud without really inquiring about the security policies and posture of their cloud partners. And when they do ask about these issues, they rarely ask for documentation. This does not bode well for the future security of cloud computing. Although smaller companies rarely have the resources to truly assess the security of their cloud partner, asking for written documentation of security policies at least forces the cloud partner to maintain a security narrative they share with customers. As more customers inquire about security, this security narrative takes on an increasingly strategic role for the cloud partner.

You can read the full report here.