LinuxPlanet - Print - Moving The Open Web Application Security Project Out Of The Shadows

Moving The Open Web Application Security Project Out Of The Shadows

By: Rob Reilly
Wednesday, July 24, 2002 11:46:14 AM EST
URL: http://www.linuxplanet.com/linuxplanet/reports/4332/1/

Are Your Web Applications Safe?

Nearly every news program, talk show and print media headline now has a security angle. If you are an IT Manager or Executive, you are probably pulling your hair out trying to secure your Information Technology systems...especially web applications. You think about firewalls. You think about hackers and terrorists. You think about your revenues if someone breaks your web based ordering system. So, while everybody talks about what to do... who really is doing something? Look to the people on the Open Web Application Security Project for many of the answers to these solutions.

The Open Web Application Security Project (OWASP) is a group of devoted volunteers that are hard at work developing platform independent tools, techniques and processes that enhance web applications. They are building a very comprehensive resource regarding security information and ways to manage potential security threats on web based systems.

Mark Curphey is the founder of the Open Web Application Security Project--a project he has been working on for a few years now.

"I created and have been moderating the webappsec mailing list (originally called www-mobile-code) at http://securityfocus.com since late 1999," Curphey said. From there, he noted a growing need in the IT community.

"Web application security has been an emerging area for quite some time and there has been a strong disconnect between application developers and security consultants. This resulted in a significant amount of FUD and hype from some vendors who were first to market with early products and lead users into either a false sense of security or an artificially heightened sense of concern. There was no place to go to get un-biased quality information about the issues and how to deal with them." Curphey illustrated his point when he talked about one of the OWASP's core documents.

"In the first two weeks since the initial release of our 'Guide To Building Secure Web Applications and Web Services', we had over 60,000 downloads. Quite impressive given that it's a 1.7Mb document. Applications usually receive a lot of attention, but this goes to show how much people are looking for knowledge, as well as tools," he said.

The reality of the business world is that there are an infinite number of hardware, software and platform components that can make up a Web application. There are multiple vendors, multiple networks and multiple operating systems thrown into the mix.

Asked about his personal choice of tools in the battle for Web Application Security, Curphey remarked, "Well I am typing this interview from a Redhat 7.3 box using my Evolution mail client! Myself and most of the volunteers are huge Open Source and Linux fans. I banned MS products from my home a while back, although I do have a work laptop with MS on it."

As far as other tools are concerned, "Part of the OWASP philosophy (and soon to be set down as principles) is to use Open Source tools and Open Source standards wherever possible and practical. All software is released under an OSI compliant license. We are in the process of building out a proper portal for the web-site which will be a Java based system on Linux," Curphey explained.

"Java and Linux are a naturally great combination, joining the power and security of two 'best of breed' technologies," he summarized.

When asked about OWASP's idea of platform independence, Curphey had a quick response. "We are very conscious of making sure our work is relevant to all people, irrespective of the platform they build on. The issues are usually not platform specific anyway." He went on to talk about Java.

"Most of us are huge Java fans. Java is a flexible language that enables cross platform development with relative ease and has an array of great security features. To date all of our development projects are being coded in Java."

Initial questions about the Open Web Application Security Project focused on why Curphey started the effort and what tools he used. The next section outlines the tools, documents, and processes that have been produced by the OWASP so far.

Components of the OWASP

The scope, depth and amount of useful information about web application security produced by the OWASP is staggering. Fortunately, Curphey has organized the sub-project tools, documents and processes into several broad categories:

WebScarab - a web application vulnerability scanner. The tool will crawl a web site searching for potentially vulnerable web applications and then dynamically build a set of security tests for problems based on scenarios it finds. Types of problems will include SQL Injection, Cross Site Scripting, Cookie Poisoning and Parameter Tampering. The tool have an interactive proxy for manual examination as well as using the VulnXML format for 1,000's of static checks.
Filters - a component based approach to sanitizing malicious user input and output used in attacks like SQL Injection or Cross Site Scripting. These API's would be released as Open Source to help protect all user's applications and serve as a reference implementation for those developers wanting to build their own. Common vulnerabilities would be widely known among developers allowing easily designed-in common safeguards.
VulnXML - a proof of concept project developing a common format from which security researchers can describe static vulnerabilities in web applications. They are things like how a known vulnerable CGI is installed or how a known URL will give admin access to an application. Conceivably, all new tools (commercial or free) would be able to share a common, open source, free and up to date repository of checks developed, maintained and QA'd by the community in the open. Time to market, quality of checks and access to security data would be controlled by the open source community and be available to everyone.
Web Maven - an intentionally insecure fake Internet Bank application donated to OWASP by David Rhoades of MavenSecurity. Web Maven will be an interactive learning environment for user training. It will demonstrate specific web application security holes, show models of the problem and how the security hole can be fixed. It will also be a test platform and can serve as an application honey pot. The first release of WebMaven slated for end of August 2002.
Guide to Building Secure Web Applications and Web Services - a documentation project to show how to design a secure web application.
Guide to Testing Security of Web Applications and Web Services - a definition of the structured framework to ensure that the appropriate security requirements have been implemented by a web application.
Application Security Attack Components Common Language and Definitions - The Web Application security dictionary.

The list of sub-projects looks deceptively simple. That doesn't mean that the OWASP team has not had it's hands full. Another round of questions provided a window into the future of the OWASP.

The Short-Term and Funding

What about the future short-term direction of the group? Curphey spoke candidly about the inquiry.

"[That is] one I don't really know the answer to. There never really has been a great master plan or a thought about the limits of what we can do. I have tried to make sure all projects are doing work for the right reasons in a professional and responsible manner."

With a thriving project on his hands, Curphey talked about how organizing and funding the work may change. "Things are now at the stage where we may need to get a little more formal. We need some sponsorship to enable us to build out the web portal to provide things like customized vulnerability alerting and aggregated news as well as providing some work flow for the contributors. We have toyed with th idea of a not-for-profit foundation, but it's costly and doing accounting and taxes will certainly take some fun away." He commented further on the issue of funding.

"I think OWASP is providing an important public service but with appropriate funding could do a lot more. We are a best efforts volunteer group today. I would love to see us grow to a not-for-profit funded group who can dedicate our efforts to the project. I am sure you can appreciate the daily work demands on the developers we have contributing code for WebScarab for instance. With a few full time developers the world would have some great products much faster. In an ideal world we would be able to pay the developers to build Open Source tools. When we have the first release of several of the current development projects under our belts, I think we will be in a better position to attract long term funding."

Like any other project, Curphey has faced his share of funding challenges. Other areas that are testing his leadership skills and his team's resources include coordination with other organizations, malicious use of the group's work and the continued guidance of the project.

Agency Coordination, Use of Technology By the Bad Guys, and the Long Term

The events of September 11th. and current state of the security in the United States have focused much attention on the coordination of information between organizations. Curphey talked about his contact with various entities such as company security departments, government groups (CIA, FBI, etc.) and individuals.

"We have had some preliminary discussions with some of the agencies and continue to get regular and frequent praise from large corporates. But to be honest we have all been disappointed that we haven't been approached with a grant or major sponsorship so far, especially post Sept 11th. WebScarab and the Filters project have the potential to allow everyone to find and prevent holes in critical systems using a free Open Source tool."

"The Open Source development model also allows people to quickly implement new checks and distribute them quickly and efficiently to those that need them," he added.

Turning attention to the question of what happens if Open Source projects and tools fall into the hands of malicious hackers and terrorists, Curphey was straightforward and practical about the subject.

"There is no doubt that some tools could be used maliciously as well as in the spirit we are designing and building them. But that's been true of any security technology from SATAN to Nessus. I can promise you the closed source commercial community wouldn't turn down a large sale of an unlimited scanner license to a one man company in Kansas as long as he has the cash!" Curphey pointed out.

"However there is a duty of all OWASP projects to act responsibly and we will be working with vendors to make sure that official checks using VulnXML have patches where possible. The focus is always on creating professional security tools and not hacker tools," he emphasized.

Asked about putting OWASP processes into the real world, Curphey explained: "The foot print from WebScarab will light up any half decent IDS like a Christmas tree and so it should. If it doesn't the vendors can contact us and we will make sure they build appropriate signatures or point them to SNORT for help! Again, funding would certainly help us build a good process and investigate some ways to alleviate this."

So, what is the future of Web Application Security over the next one, three, and five years?

"Education will go a long way to help improve the safety of web applications. OWASP has a role to help everyone make the net a safer place and to help people secure our personal and national assets. I am hopeful that security products will improve to address the current problems more effectively. If you look at the technology in a film like Toy Story and compare it to the average web application scanner we are presently 'Buzz Lightyears' apart," he said.

"In the short/medium term I think frameworks will develop that will make it easy for developers to do the right thing. The OWASP Filters project would be an example of a framework component. Within 5 years I would hope that security technology will start to catch up with the rest of the world and smart tools using Artificial Intelligence (AI), for instance will help find problems at a code level before they ever get into the wild," Curphey added.

Curphey and his dedicated team of 'rock star' volunteer developers have taken the often fragmented world of web security and tried to make it safer. Take a look at the great work being done by the OWASP and then ask yourself the question: are my web applications safe?

Rob Reilly is a Technology Consultant who writes and speaks about Linux, business integration, innovation and automotive design. He has 16 years experience in the technology, manufacturing and the utilities industries. He is always 'on-the-lookout' for stories and projects that focus on Linux, business, and the cutting edge. Send him a note or visit his web site athttp://home.cfl.rr.com/rreilly.