WebApp Sec mailing list archives
Paper draft: Enough With Default Allow in Web Applications!
From: "Ivan Ristic" <ivan.ristic () gmail com>
Date: Tue, 15 Jul 2008 10:07:19 +0100
This post is about something that's been bugging me for years: web applications are normally designed to support a default allow security model, but I think that's fundamentally wrong. I've come to believe that, if we are ever going to get rid of our security problems, we must start doing things right, which means going back to address the root causes of insecurity. Default allow is one such root cause. Thus I propose that we switch to default deny. Of course, this is easier said than done.

I've just written a blog post on the subject, so if you want a bit more information you can go there: http://blog.modsecurity.org/2008/07/enough-with-def.html

Alternatively, you can dive straight into the paper (which is a revision 1 draft, by the way): http://blog.modsecurity.org/files/enough_with_default_allow_r1_draft.pdf

Although it would be ideal for everyone to switch to default deny, we all know that's not going to happen, and that's why the modelling format was designed to work with existing applications as well. The bottom line is to make it possible for those who care about security to switch, even if software vendors don't.

As far as the implementation is concerned, support can be implemented at many levels: web server, web application firewall, AOP, application-level filters (e.g. Java Servlet Filters), even application code all come to mind. (I don't view the proposal as a replacement for application-level input validation, by the way.) The format itself is platform independent. We (Breach Security) will be releasing an open source tool that will generate positive security models (for enforcement in ModSecurity) from recorded application traffic.

I believe the following major use cases are all feasible:

1. Creation of full application models, which reduce application attack surface. Such models can be created by application developers (which is preferred) or by application users (which, we expect, could happen with very popular and/or open source applications).
2. Creation of partial application models for use in virtual patching.
3. Automated creation of application models through traffic analysis.

Your thoughts will be appreciated.

-- 
Ivan Ristic
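The post describes two halves of the idea: learning a positive security model from recorded traffic (use case 3) and enforcing it as default deny somewhere in the request path (web server, WAF, servlet filter, application code). The following is an added example, not code from the post, the paper, or the Breach Security tool it announces, and it does not use the paper's modelling format. It shows the mechanism in miniature as an application-level filter written in Python: a constructed traffic sample is reduced to a model of known endpoints, known parameters and a value class plus length bound per parameter, and every request that falls outside that model is rejected. The endpoint names, parameter names, value classes and the 1.5x length slack are all assumptions chosen for the illustration.

```python
"""Minimal default-deny filter learned from recorded traffic (added example)."""
import re
from collections import defaultdict

# Constructed sample of recorded traffic, not real data:
# (method, path, request parameters as already-decoded strings).
RECORDED_TRAFFIC = [
    ("GET",  "/account", {"id": "1042"}),
    ("GET",  "/account", {"id": "7"}),
    ("POST", "/login",   {"user": "alice", "pass": "s3cret!"}),
    ("POST", "/login",   {"user": "bob_2", "pass": "hunter2"}),
    ("GET",  "/search",  {"q": "red shoes", "page": "2"}),
    ("GET",  "/search",  {"q": "laptop",    "page": "1"}),
    ("GET",  "/",        {}),
]

# Value classes, ordered from most to least restrictive. The first class
# that matches every observed value of a parameter becomes its learned
# class; "any" is the fallback so learning never fails on odd input.
VALUE_CLASSES = [
    ("digits",    re.compile(r"^[0-9]+$")),
    ("token",     re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text",      re.compile(r"^[A-Za-z0-9 _.,!?'-]+$")),
    ("printable", re.compile(r"^[\x20-\x7e]+$")),
    ("any",       re.compile(r"^.*$", re.S)),
]
CLASS_REGEX = dict(VALUE_CLASSES)


def learn_model(traffic, length_slack=1.5):
    """Build {(method, path): {param: {"class": ..., "max_len": ...}}}.

    Only what was actually observed ends up in the model; an endpoint
    seen without parameters is kept so that it is still allowed later.
    """
    observed = defaultdict(lambda: defaultdict(list))
    for method, path, params in traffic:
        endpoint = observed[(method, path)]   # registers parameterless endpoints too
        for name, value in params.items():
            endpoint[name].append(value)

    model = {}
    for endpoint, params in observed.items():
        model[endpoint] = {}
        for name, values in params.items():
            cls = next(c for c, rx in VALUE_CLASSES if all(rx.match(v) for v in values))
            longest = max(len(v) for v in values)
            # Some slack over the longest observed value reduces false
            # positives from under-sampled traffic (assumed factor 1.5).
            model[endpoint][name] = {"class": cls, "max_len": int(longest * length_slack) + 1}
    return model


def check_request(model, method, path, params):
    """Return (allowed, reason). Anything the model does not describe is denied."""
    rules = model.get((method, path))
    if rules is None:
        return False, f"unknown endpoint {method} {path}"
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            return False, f"unknown parameter {name!r} for {method} {path}"
        if len(value) > rule["max_len"]:
            return False, f"{name!r} too long ({len(value)} > {rule['max_len']})"
        if not CLASS_REGEX[rule["class"]].match(value):
            return False, f"{name!r} does not match class {rule['class']!r}"
    return True, "ok"


if __name__ == "__main__":
    model = learn_model(RECORDED_TRAFFIC)
    for endpoint, rules in sorted(model.items()):
        print(endpoint, rules)
    probes = [
        ("GET",  "/account", {"id": "99"}),               # fits the model
        ("GET",  "/account", {"id": "1 OR 1=1"}),         # wrong class, too long
        ("GET",  "/account", {"id": "5", "debug": "1"}),  # parameter never seen
        ("GET",  "/admin",   {}),                         # endpoint never seen
        ("GET",  "/search",  {"q": "<script>", "page": "1"}),
    ]
    for method, path, params in probes:
        print(method, path, params, "->", check_request(model, method, path, params))
```

Two things the toy makes visible. First, the model is only as complete as the traffic it was learned from: a parameter that the recording never exercised is denied, which is exactly why the post prefers developer-authored models over purely traffic-derived ones, and why a partial model (use case 2) is useful for virtual patching even when a full one is not available. Second, the filter says nothing about semantics: `id=99` passes whether or not the caller is allowed to see account 99, so, as the post says, this is a reduction of attack surface in front of input validation and authorization, not a substitute for them. A deployment of the real thing would translate such a model into the rules of whatever enforces it (the post names ModSecurity); that translation is not shown here.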
Current thread:
- Paper draft: Enough With Default Allow in Web Applications! Ivan Ristic (Jul 15)
- Re: Paper draft: Enough With Default Allow in Web Applications! Adrian Pastor (Jul 16)