
OSDC : Web Application Security

Notes about a talk presented by Chris Burgess at the OSDC 2006 conference in Melbourne.

He talked for a while about risk management (as opposed to risk elimination) and the need to assess risk and build strategies to manage it when problems arise (as they will). There was the usual discussion of the fact that no app is ever going to be 100% safe, but he emphasised the need not just to have a good defence but a deep one, i.e. protect at every layer.

Mentioned that some 70% of web applications are said to contain vulnerabilities, and that class breaks are a common problem (i.e. some dependency class or library is broken or changes, which has a downstream effect on everything built on it).

Discussed a number of myths, for example...

  • it's only my application, why would someone want to attack it?
  • it's an internal intranet app, we should be OK
  • we run a hardened web server, what can go wrong?
  • we use language X, so we should be fine
  • we have a web application firewall or intrusion detection system, so there's no risk

Spent some time on the topic of prevention vs detection. This was a good thing to cover because I believe most of us are guilty of focusing too much on prevention rather than using logging, error trapping and similar methods to holistically detect possible problems, false positives or not.

Suggested methods like cron jobs to check the file permissions of folders, executables and other risky or sensitive files. Also suggested monitoring conditions and proactively shutting down services, progressively or abruptly, when potential problems are detected.
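A cron-driven permissions audit in the spirit of that suggestion, written here as an added example (not code from the talk or its author). It assumes a manifest file listing each sensitive path with the loosest mode it is allowed to have; the manifest format and the paths are my own invention.

```shell
#!/bin/sh
# Cron-style audit of permissions on sensitive paths (added example, not from the talk).
# Example crontab line (hypothetical install path):
#   0 * * * * /usr/local/sbin/perm-audit.sh /etc/perm-manifest
# Assumed manifest format: one "<path> <max-octal-mode>" per line, '#' lines are comments.

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_path PATH MAXMODE
# Prints MISSING, LOOSE or OK. LOOSE means PATH carries permission bits beyond
# MAXMODE, e.g. a mode 666 config file where the manifest allows at most 640.
check_path() {
    if [ ! -e "$1" ]; then
        echo MISSING
        return 0
    fi
    cur=$(mode_of "$1")
    # Bits set in the current mode but not in the allowed mode; the leading 0
    # makes the shell parse both values as octal.
    if [ $(( 0$cur & ~0$2 )) -ne 0 ]; then
        echo LOOSE
    else
        echo OK
    fi
}

# audit_manifest MANIFEST
# Reports every non-OK entry on stdout and returns the number of problems found
# (0 means clean), so cron mail or a wrapper can alert on a non-zero exit.
audit_manifest() {
    problems=0
    while read -r p max; do
        case $p in ''|'#'*) continue ;; esac
        verdict=$(check_path "$p" "$max")
        if [ "$verdict" != OK ]; then
            printf '%s %s (allowed %s, actual %s)\n' "$verdict" "$p" "$max" \
                "$(mode_of "$p" 2>/dev/null || echo -)"
            problems=$((problems + 1))
        fi
    done < "$1"
    return $problems
}

# When run as a script with a manifest argument, audit it and exit with the problem count.
if [ "$#" -gt 0 ]; then
    audit_manifest "$1"
    exit $?
fi
```

A MISSING entry is reported too, since a sensitive file disappearing is just as worth a look as one becoming world-readable.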

Also recommended using search engines to look for content of your own that you know should not be available outside the organisation, for example googling for internal content, apps or documentation.

He mentioned OWASP, which I wasn't aware of, but it seems they have loads of useful tools, reports and resources. Definitely worth checking out. Recommended the book Beyond Fear by Bruce Schneier. Also showed a couple of tools which seemed very useful: CookieSwap, which is a Firefox plugin, and Nikto and WebInject.

I didn't have great expectations about hearing anything too new or shocking in this talk, but Chris was a good presenter and reinforced to me the need to take this topic very seriously.
