WebApp Sec mailing list archives

Paper draft: Enough With Default Allow in Web Applications!


From: "Ivan Ristic" <ivan.ristic () gmail com>
Date: Tue, 15 Jul 2008 10:07:19 +0100

This post is about something that's been bugging me for years: web
applications are normally designed to support a default allow security
model, but I think that's fundamentally wrong. I've come to believe
that, if we are ever going to get rid of our security problems, we
must start doing things right, which means going back to address the
root causes of insecurity. The default allow is one such root cause.
Thus I propose that we switch to a default deny. Of course, this is
easier said than done.

I've just written a blog post on the subject, so if you want a bit
more information you can go there:

  http://blog.modsecurity.org/2008/07/enough-with-def.html

Alternatively, you can dive straight into the paper (which is a
revision 1 draft, by the way):

  http://blog.modsecurity.org/files/enough_with_default_allow_r1_draft.pdf

Although it would be ideal for everyone to switch to default deny we
all know that's not going to happen, and that's why the modelling
format was designed to work with existing applications as well. The
bottom line is to make it possible for those who care about security
to switch, even if software vendors don't.

As far as the implementation is concerned, support can be implemented
at many levels: web server, web application firewall, AOP,
application-level filters (e.g. Java Servlet Filters), even
application code all come to mind. (I don't view the proposal as a
replacement of application-level input validation, by the way.) The
format itself is platform independent. We (Breach Security) will be
releasing an open source tool that will generate positive security
models (for enforcement in ModSecurity) from recorded application
traffic.

I believe the following major use cases are all feasible:

   1. Creation of full application models, which reduce application
attack surface. Such models can be created by application developers
(which is preferred) or by application users (which, we expect, could
happen with very popular and/or open source applications).

   2. Creation of partial application models for use in virtual patching.

   3. Automated creation of application models through traffic analysis.

Your thoughts will be appreciated.

-- 
Ivan Ristic
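The learn-then-enforce workflow the post describes, as an added illustration that is not Breach Security's tool or the paper's modelling format: learn() infers a positive model from recorded requests (use cases 1 and 3) and check() enforces it with default deny, with a partial flag for the partial-model, virtual-patching case (use case 2). The recorded traffic and the value classes are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample of recorded, known-good traffic (assumed, not real data):
# (method, path, query string).
RECORDED = [
    ("GET", "/article", "id=12"),
    ("GET", "/article", "id=345"),
    ("POST", "/login", "user=alice&remember=1"),
    ("POST", "/login", "user=bob_99"),
    ("GET", "/", ""),
]

# Value classes from most to least specific; learning keeps the first class
# that every observed value of a parameter satisfies, so "any" is the fallback.
CLASSES = [("digits", r"[0-9]+"), ("word", r"[A-Za-z0-9_]+"), ("any", r"[\s\S]*")]

def learn(records):
    """Build a positive model: (method, path) -> {param: (class, max_len)}."""
    seen = defaultdict(lambda: defaultdict(list))
    for method, path, query in records:
        params = seen[(method, path)]  # registers the resource even with no params
        for name, value in parse_qsl(query, keep_blank_values=True):
            params[name].append(value)
    model = {}
    for key, params in seen.items():
        model[key] = {}
        for name, values in params.items():
            cls = next(c for c, pat in CLASSES if all(re.fullmatch(pat, v) for v in values))
            # Tightest observed length; a real tool would add slack or a manual override.
            model[key][name] = (cls, max(len(v) for v in values))
    return model

def check(model, method, path, query, partial=False):
    """Return (allowed, reason). partial=True passes unmodelled resources through
    (partial-model / virtual-patching mode); otherwise unseen means deny."""
    key = (method, path)
    if key not in model:
        return (partial, "unmodelled resource")
    spec = model[key]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in spec:
            return (False, f"unknown parameter {name!r}")
        cls, max_len = spec[name]
        if len(value) > max_len or not re.fullmatch(dict(CLASSES)[cls], value):
            return (False, f"parameter {name!r} violates {cls}/max {max_len}")
    return (True, "ok")
```

Call learn(RECORDED) once and then check() each incoming request against the result; anything the recording never showed (resource, parameter name, value class or length) is denied unless partial mode is on.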
