As mentioned before, John Dickson and I are up at the OWASP AppSec 2007 San Jose conference this week. I had a chance to attend some great sessions and talk with a bunch of great folks today. Here are some notes:
- The keynote speakers were Dave Cullinane and Michael Barrett from eBay and PayPal. Michael had to run off to catch a plane, but Dave gave a great overview of the scale of the problem eBay faces trying to build a trusted platform for commerce.
- Chris Wysopal’s talk about finding backdoors in software was fantastic. It had some great analysis of backdoors discovered in software in the past and great discussion of possible signatures for static analysis tools that can help identify potential backdoors. It is hard enough to find security vulnerabilities introduced into software accidentally – looking for backdoors intentionally crafted and inserted is just that much harder.
- Eric Sheridan’s talk about Cross Site Request Forgery was very informative and I am looking forward to trying out his two new CSRF tools.
- I caught up with IBM Watchfire’s Ory Segal. He gave me a demo of some of the new AppScan 7.7 features. I have been slacking off but I finally got a copy of the beta and will be looking at it through the end of this week. So far it looks to be pretty impressive. I’m looking forward to the new “state inducer” feature that allows you to record more complicated workflows to get an application into a state where you can actually test it. Think of an application with a three step process – you need to go through steps one and two before you can test the functionality at step three. This has been a problem with scanners we have used in the past when we are testing more complicated web applications implementing multi-step processes.
- Amichai Shulman’s talk about defeating Web 2.0 vulnerabilities was basically a web application firewall commercial – but I suppose that is to be expected. He did have an excellent point that given the number of CSRF vulnerabilities that exist in existing code it is a daunting task to try to eliminate them all in code. From that standpoint WAFs certainly do have a place in any serious application security infrastructure.
- I caught the tail-end of Robert “RSnake” Hansen’s talk about browser insecurities. OWASP is launching a Working Group to deal with browser insecurity issues and I look forward to seeing what they come up with.
- The “Building an Effective Application Security Assurance Program” panel did a good job of laying out what does and does not work when creating such programs. Hint: don’t pick a tool and think that your problems are solved.
- The OWASP Leaders meeting was a good chance to put some names with faces. It also made me realize that the Texas chapters – San Antonio, Austin, Houston – need to do a better job of attending the OWASP national conferences.
- As always the OWASP Dinner was a great chance to relax after a day packed with great information.
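Two of the talks above (Eric Sheridan’s CSRF talk and Amichai Shulman’s point about the cost of retrofitting CSRF fixes into existing code) circle the same design question: do you fix each handler, or put one check in front of all of them? The following is an added example of the latter, written for this post and not code from the conference, from Denim Group, or from any product mentioned here. It puts an Origin/Referer check and a double-submit cookie token check at a single dispatch choke point, so handlers that were never updated are still protected. The `Request` class, the route table, the cookie and field name `csrf_token`, the origin `https://bank.example` and the three sample requests are all constructed for illustration.

```python
"""
Centralised CSRF filter: one check in front of every state-changing
request instead of editing each handler.  Added example; the Request
class, routes and sample requests are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_COOKIE = "csrf_token"   # assumed cookie name holding the token
TOKEN_FIELD = "csrf_token"    # assumed form field carrying the copy


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token() -> str:
    """Mint an unguessable token to set as the CSRF cookie at login."""
    return secrets.token_urlsafe(32)


def _source_origin(req: Request):
    """scheme://host the browser says the request came from, or None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request, allowed_origin: str) -> tuple:
    """
    Two independent checks a forged cross-site request fails:
      1. Origin/Referer must name our own site; a third-party page
         cannot control what the browser puts there.
      2. Double-submit token: the CSRF cookie must equal the copy sent
         in the form.  A cross-site page cannot read our cookie, so it
         cannot supply the matching copy.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    src = _source_origin(req)
    if src is None:
        return False, "missing Origin/Referer on state-changing request"
    if src != allowed_origin:
        return False, f"cross-site origin {src}"
    cookie_token = req.cookies.get(TOKEN_COOKIE, "")
    sent_token = req.form.get(TOKEN_FIELD) or req.headers.get("X-CSRF-Token", "")
    if not cookie_token or not sent_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(cookie_token, sent_token):  # constant time
        return False, "CSRF token mismatch"
    return True, "ok"


def transfer_funds(req: Request) -> str:
    # Business handler, untouched: it knows nothing about CSRF.
    return f"transferred {req.form['amount']} to {req.form['to']}"


def show_balance(req: Request) -> str:
    return "balance: 100"


ROUTES = {("POST", "/transfer"): transfer_funds, ("GET", "/balance"): show_balance}


def dispatch(req: Request, allowed_origin: str = "https://bank.example") -> tuple:
    """Single choke point: csrf_check runs before any handler is chosen."""
    ok, reason = csrf_check(req, allowed_origin)
    if not ok:
        return 403, f"blocked: {reason}"
    handler = ROUTES.get((req.method.upper(), req.path))
    if handler is None:
        return 404, "not found"
    return 200, handler(req)


def sample_requests() -> dict:
    """Constructed traffic: one legitimate POST and two that must be blocked."""
    token = issue_token()
    legit = Request("POST", "/transfer", headers={"Origin": "https://bank.example"},
                    cookies={TOKEN_COOKIE: token},
                    form={"to": "alice", "amount": "50", TOKEN_FIELD: token})
    # Auto-submitted from a page on attacker.example: the browser attaches
    # our cookie, but the attacker cannot read it to supply the copy.
    forged = Request("POST", "/transfer", headers={"Origin": "https://attacker.example"},
                     cookies={TOKEN_COOKIE: token}, form={"to": "mallory", "amount": "1000"})
    # A same-site form nobody updated to include the token: still blocked,
    # which is why the check sits in front of every handler.
    stale = Request("POST", "/transfer", headers={"Origin": "https://bank.example"},
                    cookies={TOKEN_COOKIE: token}, form={"to": "bob", "amount": "10"})
    return {"legit": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, dispatch(req))
```

The `stale` case is the one that matters for Shulman’s argument: a form that was never retrofitted still fails closed, because the filter, not the handler, decides. A WAF sits at the same choke point from outside the application; the trade-off is that it cannot mint and verify per-session tokens unless the application cooperates, which is why Origin/Referer checking is the part a WAF can do on its own.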
So that is a wrap up of Day 1. More info to come on Day 2.
dan _at_ denimgroup.com