We’re bombarded with news of security breaches, security vulnerabilities, and products that aim for some arguably novel approach at stopping something bad from happening to us. That’s why it’s so refreshing to see positive input – and for free, at that — that rises above the “badness parade” and gives you real actionable tips to make your software stronger.
Where can you find this free positive guidance? The Open Web Application Security Project (OWASP), for one.
They’re a non-profit organization that is doing a ton of great things to help software developers build secure products. If you’ve heard of OWASP, you’ve probably heard of their Top10 list of the most common web application security defects that, ironically, is not one of the examples of positive things I’m referring to. It’s good work, but it’s not positive.
If you’re a regular reader of my column here, you’ve probably heard me speak of positive practices like positive input validation. By that I mean proving something to be safe, otherwise it is presumed to be dangerous.
That’s an approach we see far too seldom in security, but one example of it is in defining firewall rule sets. Conventional wisdom in firewall rules tells us to only allow the network services we need, and to deny all else.
That same way of thinking can and should be applied to secure software development. In fact, if we applied it all the time in our IT shops, the world would be a far more secure place. But in software development, in general, it’s an approach that’s worthy of our attention.
Don’t just tell your dev team what mistakes to avoid—like, say, the OWASP Top 10 – but tell them what safe practices to follow – like, say, positive input validation, parameterized SQL queries, etc.
Where can you find out about these positive practices? Well, if you’re dealing with web or web-related technologies (e.g., SOA), OWASP is a fabulous place to start, and since all their stuff is released as open source, it won’t even break your budget.
Here are some examples of the great work I’ve seen coming out of OWASP, other than the Top10:
Without a doubt, the most powerful weapon against security defects is knowledge, and I’ve yet to encounter a better learning tool than OWASP’s WebGoat. Every single technologist in your organization who touches web technologies should run through WebGoat’s extensive lessons. It lays out these lessons in an easy to follow way. Give WebGoat to your team and have them work through one exercise a day. You won’t regret it.
WebScarab is a general purpose web application testing tool. It is a web equivalent of a program debugger that allows you to single-step through an application to watch it work, from behind a GUI interface. It is an absolute must-have for testing and validating the security of web applications, including SOAP interfaces to web applications.
Feel intimidated by installing WebGoat and WebScarab, or you just don’t want to install them on your system? Grab the OWASP LiveCD instead. It’s a scaled-down Linux distribution with many of the OWASP tools already installed, including WebGoat and WebScarab. Boot the LiveCD and you can use those tools without having to ever install anything on your system. (It runs great on a virtual box in VMware or Parallels also.)
We’ve all heard of XSS; it is the most prevalent web security defect according to the OWASP Top 10, after all. But preventing it from getting into our web applications isn’t as trivial as wishing it were gone. Well, the OWASP folks have been drafting a “cheat sheet” for software developers to work through while they’re coding. It’s actionable, positive guidance that every software developer should study and use.
Security issues in software go way beyond the OWASP Top-10, as I’ve said. Thinking positively about practices, after all, is my topic today. The folks at OWASP have been thinking about the bigger picture as well. They’ve been working on their Enterprise Security Application Programming Interface, or ESAPI. It’s a security API that provides classes and methods for doing many security things that pretty much all enterprise software requires, from authentication and access control to input validation. It won’t solve all your problems, but it sure does provide a pretty slick starting point for many of them – in particular that pesky OWASP Top10.
These are just a few things, but they’re all worth looking at, especially if, like me, you’re tired of hearing about the badness parade day in and day out. Here’s the proverbial “breath of fresh air” where you can find some useful positive things that you can start using today in your web applications.
Don’t get me wrong here. There is still much to do – ESAPI, for example, is currently only available in Java (but other languages are being worked). It’s still great to see this sort of stuff available, however.
Kudos and thanks to the folks at OWASP for their efforts!