Sunday, June 12, 2011

OWASP AppSec EU 2011



OWASP AppSec EU 2011 (http://appseceu.org) was held in Dublin, Ireland between 7th and 10th of June. With a great selection of international presenters and with a good mix of IS professionals and developers, I can say (and I am not the only one) the conference was a success.

As with any major AppSec event, there is only a limited number of sessions you can effectively participate in. Of the Defend, Prevent and Attack series of presentations, I followed the Attack track, as briefly summarized below.

Designing, Building and Testing Secure Application on Mobile Devices
training session held by Dan Cornell from Denim Group on 8th of June was a great introduction to security for mobile and smartphone applications. Dan introduced a threat model for smartphone applications, which was then used to analyze the security of iOS and Android applications. A variety of open source tools were used as part of the hands-on application analysis. While the course introduced techniques for analyzing mobile applications, it also provided recommendations on avoiding known security issues during the development of new smartphone applications. I guess there were not many design considerations discussed; this might be included in the next version of the course. Overall, an excellent course which will hopefully contribute to increased awareness of building secure smartphone applications. Highly recommended.

The plenary sessions started on 9th of June. Brad Arkin, senior director of product security and privacy at Adobe, opened the session by presenting on various aspects of Adobe's security program - The Adobe Security Product Lifecycle. An interesting presentation, especially on the green/brown/black belt approach to certifying the expertise of security engineers, and their responsibilities inside the company.

While I was looking forward to the first session of presentations (including Practical Browser Sandboxing on Windows with Chromium and Building a Robust Security Plan), I took the opportunity instead to catch up with some of the conference organizers (Eoin Keary and Fabio Cerullo), as well as to have a quick chat with Tom Brennan about the OWASP Security Baseline project (details available below).

Back in the presentation room for the Attack track, Joe Basirico from Security Innovation had an entertaining presentation on Web application fuzzing - The Buzz About Fuzz: an enhanced approach to finding vulnerabilities. The pros and cons of common automated testing for Web applications were discussed, as well as the benefits of fuzz testing. A very well presented topic, with practical examples and testing tools.

Giles Hogben, secure services programme manager at ENISA, discussed information risks, opportunities and recommendations for smartphone security - Current State of Application Security. He also introduced the work on the mobile developer guideline project done in collaboration with OWASP, as well as an on-going initiative on threat analysis of app store security. Finally, the security implications of HTML5 and other related standards were discussed.

The Attack series of presentations continued with Intranet Footprinting: Discovering resources from outside, presented by Javier Marcos De Prado and Juan Galiana Lara from IBM. Relying on exploitation of common Web application vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and HTTP Response Splitting, several custom modules for BeEF (Browser Exploitation Framework) were introduced. Such custom BeEF modules allow browser-based port scanning, internal DNS discovery, OS detection, etc., using known approaches based on JavaScript code and CSS. An excellent presentation.

Janne Uusilehto, head of Nokia product security, started the second day of plenary sessions with a talk on software security engineering - Software Security is about coding securely, or is that all? Some key points discussed: security is a process, not a product, and it is difficult to ensure reasonable expectations towards software security. An interesting presentation.

The Attack series of presentations resumed with An Introduction to OWASP Zed Attack Proxy by Simon Bennetts. A great tool for developers looking for a quick automated security assessment of Web applications. With his software development background, I think Simon has a good chance to make the ZAP tool a worthy successor of Paros Proxy. Looking forward to ZAP updates - excellent work.

Testing Security Testing: Evaluating Quality of Security Testing, presented by Ofer Maor from Seeker Security, discussed various aspects of security testing, with an emphasis on what could determine the quality of security testing - good versus bad security testing.

After this, I had a go with my own presentation, A Case Study on Enterprise E-mail (in)Security Solutions. In an effort to increase awareness of the necessity to secure enterprise anti-spam and anti-virus solutions, I briefly introduced various e-mail security solutions ranging from software, hardware/software appliances and virtual appliances to cloud-based services (SaaS and IaaS). While most existing solutions rely on Web applications for remote administration and end-user management of quarantined e-mail, exploitation of common vulnerabilities could allow internal and external attackers to gain access to, and maintain control of, various internal resources. Various case studies on identified vulnerabilities in products/services from Google, Symantec, IBM, Barracuda Networks, Astaro and Marshal were discussed, as well as some attacks which could exploit such vulnerabilities. Finally, in the context of benchmarking enterprise e-mail security solutions, I took the opportunity to announce the OWASP Security Baseline project, an independent way to benchmark the security of various enterprise solutions (including the security solutions themselves).

The OWASP Security Baseline call for participation is now open; drop me a line for more details and if you are interested in contributing: marian dot ventuneac at owasp.org


The next keynote was delivered by Alex Lucas, principal security development manager at Microsoft - Science, SDL & Openness. A good insight into what is being done to secure various Microsoft products, including automated fuzzing and how this has led to improved product security, as well as the materials and tools available to support secure development and testing.

The Dark Side: Measuring and Analyzing Malicious Activity on Twitter introduced the audience to recent research on analyzing and profiling suspicious/malicious Twitter accounts, with lots of stats, trends, etc. Although the current percentage of malicious attacks identified by Barracuda Networks on Twitter is small (I think it was 1% of the analyzed data), such research has the potential to allow timely identification and (hopefully) prevention of any significant increase in such attacks.

And finally, Practical Crypto Attacks Against Web Applications, presented by Justin Clarke from GDS Security, described practical techniques for exploiting crypto weaknesses, as identified in the ASP .NET framework, which allow padding oracle attacks against common Web applications - an excellent presentation.

While expectations were high for Ivan Ristic's presentation closing the AppSec EU conference, unfortunately he was not able to attend. However, Arian Evans from WhiteHat Security did a great job of reminding us once again that we (as an industry) have failed to deliver on the great promise of building secure software - and came up with some useful suggestions. Hopefully it is not a lost battle - I believe OWASP greatly contributes to increasing awareness of application security, and the OWASP AppSec EU 2011 conference proves this once again.

Congratulations to all the conference organizers, this was an excellent AppSec event! I am looking forward to the next one.