WebApp Sec mailing list archives
Re: Paper draft: Enough With Default Allow in Web Applications!
From: Adrian Pastor <adrian.pastor () procheckup com>
Date: Wed, 16 Jul 2008 10:09:15 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ivan,

I agree with you 100%, but as you said it's easier said than done. I think that a lot of insecure configuration settings are left unfixed when moving from a UAT to a production environment.

You might want to take a look at the following:

http://blog.procheckup.com/2007/09/while-recently-studying-for-my-cissp.html

which also references an opposing - but surprisingly persuasive - view:

http://www.advogato.org/article/706.html

Ivan Ristic wrote:
| This post is about something that's been bugging me for years: web
| applications are normally designed to support a default allow security
| model, but I think that's fundamentally wrong. I've come to believe
| that, if we are ever going to get rid of our security problems, we
| must start doing things right, which means going back to address the
| root causes of insecurity. The default allow is one such root cause.
| Thus I propose that we switch to a default deny. Of course, this is
| easier said than done.
|
| I've just written a blog post on the subject, so if you want a bit
| more information you can go there:
|
| http://blog.modsecurity.org/2008/07/enough-with-def.html
|
| Alternatively, you can dive straight into the paper (which is a
| revision 1 draft, by the way):
|
| http://blog.modsecurity.org/files/enough_with_default_allow_r1_draft.pdf
|
| Although it would be ideal for everyone to switch to default deny we
| all know that's not going to happen, and that's why the modelling
| format was designed to work with existing applications as well. The
| bottom line is to make it possible for those who care about security
| to switch, even if software vendors don't.
|
| As far as the implementation is concerned, support can be implemented
| at many levels: web server, web application firewall, AOP,
| application-level filters (e.g. Java Servlet Filters), even
| application code all come to mind. (I don't view the proposal as a
| replacement of application-level input validation, by the way.) The
| format itself is platform independent. We (Breach Security) will be
| releasing an open source tool that will generate positive security
| models (for enforcement in ModSecurity) from recorded application
| traffic.
|
| I believe the following major use cases are all feasible:
|
| 1. Creation of full application models, which reduce application
| attack surface. Such models can be created by application developers
| (which is preferred) or by application users (which, we expect, could
| happen with very popular and/or open source applications).
|
| 2. Creation of partial application models for use in virtual patching.
|
| 3. Automated creation of application models through traffic analysis.
|
| Your thoughts will be appreciated.

- --
Adrian P.
Senior IT Security Consultant
ProCheckUp Ltd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfbq7UmN3xwbmU6YRAnzFAJ9MZsRxPZZhOaBj94NlcYwJsBsYRwCdHoEh
J0VkKCB5RiFYPRhA3T8Y7ko=
=LA3L
-----END PGP SIGNATURE-----
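The default-deny enforcement and the traffic-based model generation that Ivan's quoted post describes (use case 3 and the "application-level filter" enforcement point), as an added example that is not part of the original thread, of ModSecurity, or of Breach Security's model generator: a toy positive security model in Python. The model format (per-path allowed methods, per-parameter type inferred from the values seen in recorded traffic), the parameter type table and the sample traffic are all assumptions constructed for illustration.

```python
"""Toy positive security model (default deny) for HTTP requests.

Added example; not code from the original thread, from ModSecurity, or from
Breach Security's model generator. The model format and the sample traffic
below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of recorded, trusted traffic ("METHOD request-target").
RECORDED_TRAFFIC = [
    "GET /",
    "GET /article?id=42",
    "GET /article?id=7",
    "POST /login",            # form fields would be learned the same way
    "GET /search?q=default+deny",
    "GET /search?q=waf",
]

# Candidate parameter types, narrowest first. fullmatch() is used below
# instead of match() with '$', which would accept a trailing newline.
PARAM_TYPES = [
    ("int", re.compile(r"[0-9]{1,10}")),
    ("word", re.compile(r"[A-Za-z0-9_\- ]{1,64}")),
]


@dataclass
class Resource:
    methods: set          # HTTP methods observed for this path
    params: dict          # parameter name -> compiled type regex


def infer_type(values):
    """Return (name, regex) of the narrowest type matching every value, else None."""
    for name, rx in PARAM_TYPES:
        if all(rx.fullmatch(v) for v in values):
            return name, rx
    return None


def learn_model(traffic):
    """Build a positive model from recorded traffic (use case 3 in the thread)."""
    observed = {}  # path -> {"methods": set, "params": {name: [values]}}
    for line in traffic:
        method, target = line.split(" ", 1)
        parts = urlsplit(target)
        entry = observed.setdefault(parts.path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            entry["params"].setdefault(name, []).append(value)
    model = {}
    for path, entry in observed.items():
        params = {}
        for name, values in entry["params"].items():
            inferred = infer_type(values)
            # A parameter whose values fit no known type is left out of the
            # model, so requests carrying it are denied rather than allowed.
            if inferred is not None:
                params[name] = inferred[1]
        model[path] = Resource(entry["methods"], params)
    return model


def check_request(model, method, target):
    """Return (allowed, reason). Anything the model does not describe is denied."""
    parts = urlsplit(target)
    resource = model.get(parts.path)
    if resource is None:
        return False, "unknown resource %s" % parts.path
    if method not in resource.methods:
        return False, "method %s not allowed on %s" % (method, parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rx = resource.params.get(name)
        if rx is None:
            return False, "unknown parameter %s" % name
        if not rx.fullmatch(value):
            return False, "parameter %s fails type check" % name
    return True, "ok"


if __name__ == "__main__":
    model = learn_model(RECORDED_TRAFFIC)
    for method, target in [("GET", "/article?id=99"),
                           ("GET", "/article?id=1%20OR%201=1"),
                           ("GET", "/article?id=5&debug=1"),
                           ("POST", "/article?id=5"),
                           ("GET", "/admin")]:
        print(method, target, "->", check_request(model, method, target))
```

Every branch in check_request ends in a deny unless the model explicitly describes the path, the method and each parameter, which is the inversion of the usual default-allow filter that only rejects what it recognises as bad. The flip side, which is what makes this "easier said than done" in practice: the recorded traffic has to cover the application's legitimate behaviour, or the generated model blocks real users (here, a form field seen only with values that fit no type, or a method never exercised during recording, is denied outright).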
Current thread:
- Paper draft: Enough With Default Allow in Web Applications! Ivan Ristic (Jul 15)
- Re: Paper draft: Enough With Default Allow in Web Applications! Adrian Pastor (Jul 16)