
How to Secure Your Web App with HTTP Headers

karlosmid
1 day ago
Zagreb

Why OWASP Top 10 is no longer relevant


At this point, the OWASP Top 10 is considered the one and only bridge between security researchers and developers. There are some books and blog posts here and there, but if you’re looking for “top threats & vulnerabilities”, that’s what you will be offered by everyone, Google included.

Unfortunately, OWASP is out of touch with reality. The first Top 10 was released in 2003, and back then the web was a mess. CSRF? Everywhere. XSS? Give me a minute. SQL injection? Just try another parameter.

Now most of those vectors are handled at the framework level (and you should always use one: don’t build a house from scratch, reuse blocks that have a proven track record). I will use Rails as an example, but other frameworks are very similar.

Let’s take the up-to-date list from here and comment on every item.

A1. Injection - not going to happen with major frameworks. There are some corner cases, such as rarely used ORM methods, which could be fixed by renaming “calculate” to “unsafe_calculate”. In fact, every library developer should expose dangerous methods with an “unsafe_” prefix if they care about their users.

Injection is still a relevant threat, but only because ORM developers made naming mistakes.

A2. Broken Authentication and Session Management - session management has long been a solved problem, since we all use auth libraries.

Seriously, do not roll your own auth library; use Devise or OmniAuth. They are the first things that pop up during audits.

A3. XSS (should be under A1 Injection) - a generally solved problem. Output goes through templates, client-side frameworks use templates, and corner cases like JSON in a script tag are also solved. Try putting '"><img src=x onerror=alert(0)> into every input you see on a website (some people do it for a living) - it yields nothing these days.

There are still ways you can be hit by 3rd-party libraries, but there’s nothing you can do about that as a developer. Just don’t call html_safe on unsafe strings. Obvious.

A4. Broken Access Control - unfortunately, business logic and access management isn’t a solved problem. The best approach is to always chain your code as current_user.comments.find(params[:comment_id]) and to manually assign things like topic_id (instead of mass-assigning them), so that access is checked on all read/write operations. CanCan is also a great solution.

A5. Security Misconfiguration - this is a good one, and there’s nothing a framework can do for you. There are things like Redis that are exposed by default. This isn’t something your coding style can fix; just read the manuals carefully and listen to others.

A6. Sensitive Data Exposure - you must be using HTTPS by now. Just use Let’s Encrypt. Not worth a dedicated item.

A7. Insufficient Attack Protection - that’s the last straw that made me write this post. So now companies like Contrast Security can use OWASP to literally add “A7. Not enough Contrast Security”.

A8. CSRF - a solved problem. State-changing actions must be non-GET, and non-GET requests should require an authenticity_token; simple as that.

A9. Using Components with Known Vulnerabilities - patch your stuff when a CVE is out. Far from a solved problem, but a regular “bundle update” is all you can do.

A10. Underprotected APIs - frankly, this one is written for complete noobs. If you don’t realize that an attacker can forge arbitrary requests that look like they came from your JS or mobile app, you’re not ready to write production code.

We are left with A1, A4, A5 and A9 as somewhat relevant, and a dozen other attack vectors a common app faces without a single mention.

Off the top of my head:

Race conditions - look at the Blockchain Graveyard (ironically, the Graveyard is a great OWASP replacement, with sorting by damage). Only a few entries mention race conditions (many causes are undisclosed), but reality is harsh.

SSRF - webhooks, “download this URL”, instant payment notifications, etc.

OAuth - there is a list of known OAuth design flaws, and it doesn’t fit into a single Top 10 item.

If you aren’t maintaining some PHP app written 10 years ago, the Top 10 list is irrelevant to you. By reading the Top 10 you gain no useful knowledge. It’s now just a marketing term, and a rather good indicator that the company using it is selling snake oil. No, it’s not even a “good start”.

Many years ago, when websites had more vulnerabilities than features, it was a nice short list for getting a basic sense of what secure coding is. Now it is not enough.

It’s also true that there’s no alternative. There’s no one big bible of all known platform-specific bugs. Creating one would be a very hard task and, honestly, not in the best interest of us security researchers.

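The A3 point above, as an added example that is not part of the original post: the same probe payload rendered raw, rendered through HTML escaping, and the JSON-in-script corner case the post says is solved. It runs in plain Ruby; render_comment_raw, render_bootstrap_raw and friends are this example's own names, and json_escape is this example's own implementation of the idea behind Rails' helper, not the Rails code.

```ruby
require "erb"
require "json"

# Added example, not the original post's code. Two output contexts: user text in
# an HTML body, and JSON bootstrapped into a <script> tag.

# The probe string quoted in the post.
PAYLOAD = %q{'"><img src=x onerror=alert(0)>}

# Vulnerable: raw interpolation, which is what html_safe on user input amounts to.
def render_comment_raw(body)
  "<p>#{body}</p>"
end

# Fixed: HTML-escape in the body context (Rails templates do this by default).
def render_comment_escaped(body)
  "<p>#{ERB::Util.html_escape(body)}</p>"
end

# JSON-in-script corner case: the HTML parser ends a script element at the
# first "</script" it sees, regardless of JSON string quoting, so JSON.generate
# alone lets a value containing "</script><img ...>" break out of the tag.
def render_bootstrap_raw(data)
  "<script>window.__DATA__ = #{JSON.generate(data)};</script>"
end

# Replacing the characters that matter to the HTML parser with JSON \u escapes
# keeps the output valid JSON for JavaScript and inert for the HTML parser.
# U+2028/2029 are included because they are line terminators in JavaScript.
JSON_ESCAPES = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029',
}.freeze

def json_escape(json)
  # Hash replacement inserts the values verbatim, so the backslashes survive.
  json.gsub(/[<>&\u2028\u2029]/, JSON_ESCAPES)
end

def render_bootstrap_escaped(data)
  "<script>window.__DATA__ = #{json_escape(JSON.generate(data))};</script>"
end
```

The escaped JSON still parses to the same data on the JavaScript side; only the HTML parser's view of it changes, which is the whole point of the JSON-in-script fix.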
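The A4 advice above (chain lookups through current_user, assign topic_id by hand instead of mass-assigning it), as an added example that is not the post's code: a plain-Ruby model with an in-memory comment store standing in for the database, so it runs without Rails. User, Comment, Scope and NotFound are this example's own names.

```ruby
# Added example, not from the original post. The IDOR shape beside the scoped
# shape, plus the mass-assignment variant, on constructed sample data.

class NotFound < StandardError; end

Comment = Struct.new(:id, :author_id, :topic_id, :body)

# Constructed sample data: two users, each owning one comment.
COMMENTS = [
  Comment.new(1, 100, 7, "alice's comment"),
  Comment.new(2, 200, 8, "bob's comment"),
].freeze

# Stands in for an association scope: it can only ever see the rows it was
# built from, so a foreign id raises instead of leaking.
class Scope
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |c| c.id == id } or raise NotFound, "comment #{id}"
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # The equivalent of current_user.comments.
  def comments
    Scope.new(COMMENTS.select { |c| c.author_id == id })
  end
end

# Vulnerable (IDOR): global lookup, the attacker just changes comment_id.
def show_comment_unscoped(params)
  COMMENTS.find { |c| c.id == params[:comment_id] } or raise NotFound
end

# Fixed: ownership is checked by construction, on reads and writes alike,
# because there is no way to reach a row outside the user's scope.
def show_comment_scoped(current_user, params)
  current_user.comments.find(params[:comment_id])
end

# Mass-assignment variant: taking author_id / topic_id from the request lets
# the caller attach a comment to any topic, as any user.
def create_comment_mass_assigned(_current_user, params)
  Comment.new(params[:id], params[:author_id], params[:topic_id], params[:body])
end

# Fixed: author comes from the session; topic_id comes from a lookup the caller
# already authorised (e.g. current_user.topics.find), never from the body.
def create_comment_safe(current_user, params, topic_id)
  Comment.new(params[:id], current_user.id, topic_id, params[:body])
end
```

The scoped lookup gives a 404 rather than a 403 for a foreign id, which is the usual preference: it avoids confirming that the id exists.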
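The A8 rule (state changes are non-GET, and non-GET requires the session's authenticity_token), as an added example that is not the post's code: a minimal request/session model in plain Ruby, with the GET-reachable transfer beside the POST-plus-token version. The session and request hashes, transfer_via_get, transfer_via_post and verify_csrf! are constructed for this example.

```ruby
require "securerandom"

# Added example, not from the original post. Constructed request/session
# structures; a real app keeps the token in the session store and renders it
# into forms, and the browser sends the cookie but never the token cross-site.

class Forbidden < StandardError; end

# Per-session token.
def new_session
  { user_id: 1, csrf_token: SecureRandom.hex(32) }
end

# Constant-time comparison so the token can't be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# request: { method: "POST", path: "/transfer", params: { ... } }
def verify_csrf!(session, request)
  return if SAFE_METHODS.include?(request[:method])
  submitted = request[:params]["authenticity_token"]
  return if secure_compare(submitted, session[:csrf_token])
  raise Forbidden, "missing or invalid authenticity_token"
end

# Vulnerable shape: a state change reachable via GET, so any page containing
# <img src="https://app.example/transfer?to=2"> performs it with the victim's cookie.
def transfer_via_get(session, request, balances)
  raise Forbidden, "GET route" unless request[:method] == "GET"
  balances[session[:user_id]] -= 100
  balances[request[:params]["to"]] += 100
end

# Fixed shape: POST-only and token-checked before any state changes.
def transfer_via_post(session, request, balances)
  raise Forbidden, "use POST" unless request[:method] == "POST"
  verify_csrf!(session, request)
  balances[session[:user_id]] -= 100
  balances[request[:params]["to"]] += 100
end
```

Rejecting safe methods from the state-changing route is what makes the token check sufficient: the token is only ever required on methods that can change state, and those methods are the only ones that can reach the change.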
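The race-condition item above, as an added example that is not the post's code: a check-then-act withdrawal with the race window made explicit, beside the version where check and update are one atomic step. The Account class and the in-memory balance are constructed for this example; the SQL in the comment is the same fix as a database would apply it.

```ruby
# Added example, not from the original post. Two concurrent withdrawals against
# one account: the racy version honours both, the atomic version honours one.

class Account
  attr_reader :balance

  def initialize(balance)
    @balance = balance
    @lock = Mutex.new
  end

  # Vulnerable: read the balance, "validate", then write. Two requests that
  # overlap both see enough funds and both are paid out (a double spend).
  def withdraw_racy(amount)
    return false if @balance < amount
    sleep 0.1                  # stands in for the DB round-trip / business logic
    @balance -= amount
    true
  end

  # Fixed: the check and the update happen under one lock. Against a database
  # the equivalent is a conditional update and checking the affected-row count:
  #   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
  # or SELECT ... FOR UPDATE inside the transaction that does the deduction.
  def withdraw_atomic(amount)
    @lock.synchronize do
      return false if @balance < amount
      sleep 0.1
      @balance -= amount
      true
    end
  end
end

# Fire n simultaneous withdrawals; returns [number honoured, final balance].
def concurrent_withdrawals(account, method, amount, n)
  results = Array.new(n) { Thread.new { account.public_send(method, amount) } }.map(&:value)
  [results.count(true), account.balance]
end
```

The sleep is only there to widen the window so the demo is deterministic; in production the window is the time between the SELECT and the UPDATE, which is small but never zero.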
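The SSRF item above (webhooks, "download this URL", payment notifications), as an added example that is not the post's code: a validator for a user-supplied outbound URL that rejects non-HTTP schemes, embedded credentials, and any target that is or resolves to a loopback, link-local, private or reserved address. The resolver is injected so it runs offline with constructed DNS answers; validate_outbound_url, UnsafeUrl and BLOCKED_RANGES are this example's own names.

```ruby
require "ipaddr"
require "uri"
require "resolv"

# Added example, not from the original post. Validates a URL the server is
# about to fetch on a user's behalf.

class UnsafeUrl < StandardError; end

BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

# Real resolver for production use; the test injects a stub instead.
SYSTEM_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Returns the parsed URI or raises UnsafeUrl. `resolver` maps a hostname to an
# array of IP strings.
def validate_outbound_url(raw, resolver)
  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    raise UnsafeUrl, "unparseable URL"
  end

  raise UnsafeUrl, "scheme #{uri.scheme.inspect} not allowed" unless %w[http https].include?(uri.scheme)
  host = uri.hostname                      # strips the [] around an IPv6 literal
  raise UnsafeUrl, "no host" if host.nil? || host.empty?
  raise UnsafeUrl, "credentials in URL" if uri.userinfo

  ips = begin
    [IPAddr.new(host)]                     # literal address: no DNS involved
  rescue IPAddr::InvalidAddressError
    answers = resolver.call(host)
    raise UnsafeUrl, "unresolvable host #{host}" if answers.empty?
    answers.map { |a| IPAddr.new(a) }
  end

  # Every answer must be public; a name with one private record is rejected,
  # since the client may pick any of them.
  ips.each do |ip|
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise UnsafeUrl, "#{host} resolves to blocked address #{ip}"
    end
  end
  uri
end
```

Two caveats a practitioner would add: the address checked here must be the one the HTTP client actually connects to (otherwise a DNS answer that changes between validation and connect, or a redirect to an internal host, gets around the check), so pin the connection to the validated IP and re-validate every redirect; and the check is only as good as the resolver, which should be the same one the HTTP client uses.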

Test for Real Life

“Most of us are anxious pretty much all the time – but frequently imagine that other people aren’t. It’s time to admit the truth. Anxiety is just a basic fact about being human.” ~ Alain de Botton

We are all human, we are all worried and anxious pretty much all the time, people just don’t …

Compared to what?


A quick look at Yelp reviews will show you that NY restaurants are not quite as good as those in some suburbs.

This, of course, makes no sense. New York is insanely competitive, with a ton of turnover and a very demanding audience. A fast casual restaurant in Shaker Heights can coast for a long time, because... it's better than the alternatives.

Thanks to marketing, the media and our culture, we spend a lot of our time comparing before we decide whether or not we're happy.

Turn back the clock just 60 years. If you lived in 1957, how would your life compare to the one you live right now? Well, you have access to lifesaving medicines, often in pill form. You can choose from an infinite amount of entertainment, you can connect with humans all over the Earth, for free, at the click of a button. You have access to the sum total of human knowledge. You have control over your reproductive cycle. You can eat sushi (you've even heard of sushi). You can express yourself in a thousand ways that were forbidden then...

That's in one lifetime.

But we don't compare our lives to this imaginary juxtaposition. Instead, we hear two things from the media we choose to engage with: Other people have it better, way better. And, it's going to get worse. Add to that the idea that marketers want us to believe that what we have now isn't that good, but if we merely choose to go into a bit of debt, we can buy our way to a better outcome...

Comparison leads to frustration which sometimes leads to innovation.

More often than not, though, frustration doesn't make us happy. It only makes us frustrated.

If a comparison isn't helping you get to where you're going, it's okay to ignore it.

Avoiding the good/great chasm


You can be good at Twitter in about five minutes a day. Spending ten minutes doesn't make you twice as good... in fact, there's probably little measurable improvement. To be great at Twitter might take five hours of daily effort.

All the time in between five minutes and five hours is wasted. You're in a chasm with no measurable benefits.

We see the same thing happen with your Yellow Pages ads or your customer service. Showing up takes some effort and it often pays off. Showing up a bunch more is often worthless. If you want to truly be great, you're going to have to do things most people couldn't imagine. That's what makes it great, after all. The scarcity of it.

This is the underpinning of the Dip. Don't get caught doing more than you need to but less than you want to.

Complicated problems rarely require magical explanations


One clue that someone doesn't understand a problem is that they need a large number of variables and factors to explain it.

On the other hand, turning a complex situation into something overly simple is an even more common way of demonstrating ignorance of how the system works.

What we're looking for isn't the number of countable variables. It's the clarity of thought. The coherence of the explanation. The ability to have that explanation hold water even if small inputs change. The explanation might be long, but it makes sense.

Too often, the overly simplistic explanation is just a form of hand waving. We beg the question because we mention the simple explanation plus the miracle. It's the miracle, the homunculus, the little man in the machine, that actually holds the answer, and punting on explaining it is lazy. We use magic to kick the explanation down the road, making it not simple, but obtuse.

[Examples: Magical faeries. Conspiracy theories. Science denialism. Simplistic views of marketing or culture...]

A useful description is one that can be tested, expanded and makes accurate predictions. A lazy one just makes us feel better until we actually have to engage with the system in a useful way.

It's entirely possible that you're trying to work with a complicated system, one that can't be boiled down to a simple catch phrase. That's okay. Clarity is still possible.

If you've committed to only working in systems that are simple enough to be explained in sixty seconds on cable news, you've opted out of making the impact you're capable of.