WebApp Sec mailing list archives

Re: Paper draft: Enough With Default Allow in Web Applications!


From: Adrian Pastor <adrian.pastor () procheckup com>
Date: Wed, 16 Jul 2008 10:09:15 +0100

Ivan, I agree with you 100% but as you said it's easier said than done.
I think that a lot of insecure configuration settings are forgotten to
be fixed when moving from a UAT to a production environment.

You might want to take a look at the following:

http://blog.procheckup.com/2007/09/while-recently-studying-for-my-cissp.html

which also references an opposing - but surprisingly persuasive - view:

http://www.advogato.org/article/706.html

Ivan Ristic wrote:
| This post is about something that's been bugging me for years: web
| applications are normally designed to support a default allow security
| model, but I think that's fundamentally wrong. I've come to believe
| that, if we are ever going to get rid of our security problems, we
| must start doing things right, which means going back to address the
| root causes of insecurity. The default allow is one such root cause.
| Thus I propose that we switch to a default deny. Of course, this is
| easier said than done.
|
| I've just written a blog post on the subject, so if you want a bit
| more information you can go there:
|
|   http://blog.modsecurity.org/2008/07/enough-with-def.html
|
| Alternatively, you can dive straight into the paper (which is a
| revision 1 draft, by the way):
|
|   http://blog.modsecurity.org/files/enough_with_default_allow_r1_draft.pdf
|
| Although it would be ideal for everyone to switch to default deny we
| all know that's not going to happen, and that's why the modelling
| format was designed to work with existing applications as well. The
| bottom line is to make it possible for those who care about security
| to switch, even if software vendors don't.
|
| As far as the implementation is concerned, support can be implemented
| at many levels: web server, web application firewall, AOP,
| application-level filters (e.g. Java Servlet Filters), even
| application code all come to mind. (I don't view the proposal as a
| replacement of application-level input validation, by the way.) The
| format itself is platform independent. We (Breach Security) will be
| releasing an open source tool that will generate positive security
| models (for enforcement in ModSecurity) from recorded application
| traffic.
|
| I believe the following major use cases are all feasible:
|
|    1. Creation of full application models, which reduce application
| attack surface. Such models can be created by application developers
| (which is preferred) or by application users (which, we expect, could
| happen with very popular and/or open source applications).
|
|    2. Creation of partial application models for use in virtual patching.
|
|    3. Automated creation of application models through traffic analysis.
|
| Your thoughts will be appreciated.
|

--
Adrian P. | Senior IT Security Consultant | ProCheckUp Ltd
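To make the positive-model idea in Ivan's post concrete (use case 3, building a model from recorded traffic, and then enforcing it as a default deny, as a servlet filter or WAF rule set would), here is an added Python illustration. It is not code from the original post, from ModSecurity or from the Breach Security tool mentioned; the model format, the value classes and the sample traffic are all constructed for the example.

```python
# Added illustration: default-deny model learned from constructed traffic, then enforced.
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value classes, strictest first; learning keeps the first class every recorded value fits.
VALUE_CLASSES = [("int", re.compile(r"\d+\Z")),
                 ("token", re.compile(r"[A-Za-z0-9_.\-]+\Z")),
                 ("text", re.compile(r"[A-Za-z0-9_ .,\-]+\Z"))]
CLASS_RE = dict(VALUE_CLASSES)

def parse_request(method, url):
    """Reduce a request to (METHOD, path, {param: value})."""
    parts = urlsplit(url)
    return method.upper(), parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))

def learn_model(recorded):
    """Build {(method, path): {param: class}} from (method, url) pairs; never widens silently."""
    seen = defaultdict(lambda: defaultdict(list))
    for method, url in recorded:
        m, path, params = parse_request(method, url)
        resource = seen[(m, path)]  # registers parameterless pages as well
        for name, value in params.items():
            resource[name].append(value)
    model = {}
    for key, params in seen.items():
        model[key] = {}
        for name, values in params.items():
            cls = next((c for c, rx in VALUE_CLASSES if all(rx.match(v) for v in values)), None)
            if cls is None:
                raise ValueError(f"{key} {name!r}: fits no class, model it by hand")
            model[key][name] = cls
    return model

def check_request(model, method, url):  # enforcement: anything unmodelled is denied
    m, path, params = parse_request(method, url)
    allowed = model.get((m, path))
    if allowed is None:
        return False, f"unmodelled resource {m} {path}"
    for name, value in params.items():
        if name not in allowed:
            return False, f"unknown parameter {name!r}"
        if not CLASS_RE[allowed[name]].match(value):
            return False, f"{name!r} violates class {allowed[name]}"
    return True, "ok"

# Constructed known-good traffic, as a UAT run or an access log might provide it.
RECORDED = [("GET", "/article?id=17"), ("GET", "/article?id=42"), ("GET", "/about"),
            ("GET", "/search?q=default+deny&page=2"), ("POST", "/comment?article=17&author=bob")]
MODEL = learn_model(RECORDED)
```

A request for an unseen path, an unseen method on a known path, an extra parameter, or a value outside the learned class is refused without any attack signature being involved; widening the model is a deliberate step by whoever owns it.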
