Archive for the ‘OWASP Stuff’ Category

Code Review Guide RC1

Wednesday, January 23rd, 2008

The OWASP Code review guide was completed a little while ago. It can be downloaded from http://www.lulu.com for free or purchased as a nice book. This is not release V1.0 yet as a little work still needs to be done.

I’ve had many discussions with clients on risk and what real risk is. I am tired of applications and newbie security peeps looking at tool results and saying all issues found are high risk (coz the tool says so, in red ink!!). I sometimes feel that security consultants need to categorise as many findings as high risk for the reason of making the report look good. This really pisses the CISO/Business off and raises alarmist, uncalled-for panic. As mentioned in the code review guide, it’s all about the context of the vulnerability. Professional criminals are not bothered with a silly bug on a silly little site which may be SQL injectable but only when the moon is full and the planets aligned; there are easier targets than that to exploit, and money is money [or information, whatever the criminal element is after] regardless of the website.

Another thing that is a pain in the ass is chairs with no arm rests, but that’s for another day’s rant.

(ISC)2 Dusseldorf 11/9/2007

Wednesday, September 12th, 2007

Well, I attended the ISC2 Dusseldorf conf on identity management. Most of the attendees were our German friends; I personally like the German way of doing things. They also have nice beer.

The conference itself was not a “life event” by any means.

It had a number of presentations; the most interesting was the presentation given by a guy called Tom Koehler, a director of security @ Microsoft, who talked about TRUST. Another presentation was by a guy called Rainer Rehm on federated identity management and the use of the mobile phone to access all of one’s accounts.

The panel discussion was a discussion amongst the panel (boring) with not much opportunity for the audience to get involved; I blame the chair on that count.

Also, the discussion was about “Is there a Need for Security Breach Disclosure Law for Data Subjects in the EU?”, but the panel interchanged the ideas of information theft and security breach too much for my taste.

Dusseldorf = Nice + Beer.

SecureDüsseldorf Conference = Not so nice. They have much to do to get to the RSA/BH/OWASP level.

OWASP Live CD, Testing Guide (Mission Accomplished) Now on to the OWASP Code review guide

Wednesday, March 7th, 2007

The Live CD and Testing Guide are complete thanks to the Autumn of Code interns Josh and Matteo. Matteo is now the Testing Guide lead as I have moved on to the Code Review Guide. Josh remains the main man on the Live CD. Links to the Live CD, the Testing Guide and the Code Review Guide are here:

http://www.owasp.org/index.php/OWASP_Testing_Project

http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

http://www.owasp.org/index.php/OWASP_Code_Review_Project

Check out the Live CD project; it’s pretty good. The Testing Guide is finally in a mature state thanks to the support of all the authors.

Now for the Code Review Guide: this is one of the final pieces in the puzzle of the OWASP suite of guides. If you would like to contribute a chapter in an area you have expertise in, please feel free.

I hope to get some sponsorship via a Spring of Code to finish this guide.

Later, -ek

Gartner smell the bacon/tofu!!!!

Monday, February 19th, 2007

Gartner published a document titled “Impediments and Drivers of Application Security” (Feb 16th).

It contains the same message OWASP has been talking about for years: “Firewalls/IDS are not enough, the Intranet is not as safe as you thought…” (Think of the enemy within: http://www.darkreading.com/document.asp?doc_id=117605&WT.svl=news1_2)

It also says that the AppSec early adopters are the large e-business corps: companies which rely on e-business more than “over-the-counter” business, such as mutual fund banks, etc.

It also mentions that application developers must accept responsibility for security, which I think is on the right track, but PMs (Project Managers) and key business units must take this responsibility also. Factoring security into development time-lines would be a nice start. :)

Relying on outsourced development is not good. One should require security as part of the functional spec.

Bottom line: Integrate security into the Software Development Lifecycle. Perform security tests as part of unit and functional testing.

Wakey, wakey! If Gartner say it then it must be true!!!

Testing Guide complete

Monday, February 19th, 2007

The OWASP Testing Guide was published on Feb 10th:

http://www.owasp.org/index.php/OWASP_Testing_Project

It is the most complete open source web application security testing guide on the web.

Thanks to the OWASP Autumn of Code we got some quality contributors and a great tech lead (Matteo).

I’ve handed over the Lead position of the guide to Matteo and have moved on to other things (the OWASP Code Review Guide):

http://www.owasp.org/index.php/OWASP_Code_Review_Project

OWASP Testing Guide v2.0

Thursday, January 11th, 2007

Hello again, Eoin here,

The new OWASP Testing Guide has been completed and shall be officially released on the 10th Feb.

You can get a sneak preview on the OWASP site:

http://www.owasp.org/index.php/OWASP_Testing_Project

So it has taken a long time to get this far. Kudos to the AoC initiative, as without the AoC we (OWASP) would not have had as much energy to complete this massive task.

The AoC technical lead was Matteo Meucci (Italy), and fair play to him for digging in, but also fair play to everyone else; you know who you are.

-ek

OWASP Code review Guide

Wednesday, January 3rd, 2007

Hi,

We are trying to ramp up the OWASP Code Review Guide, in other words, get people involved. The guide currently has plenty of good stuff in it, mostly written by me, but we (OWASP) need more heads to add content about how to review code for potential vulnerabilities.

If you would like to write about reviewing/detecting common mistakes in PHP, AJAX, Web Services, Java, .NET, C/C++ or any other web dev framework or language, you are welcome.

thanks,

ek (PS. you can find me on the OWASP site if you wish to contact me).