The Open Web Application Security Project was set up to build an industry standard framework for testing the security of web applications. We have several main objectives, including to:
- define the security requirements
for secure web applications
- develop an industry standard web
application security testing framework
- build quality open source tools
to support the testing framework
- define a standard data exchange
format to allow commercial, open
source and research tools to communicate
and interoperate
We will be developing the www.owasp.org website into a place where:
- people can learn about the common
security problems that occur with
web applications and web services
- developers and system architects
can learn about security requirements
to build secure web applications
and web services
- security professionals and developers
can learn how to effectively test
the security of web applications
and web services
- system owners can learn what to
expect of a security company or
tool testing their applications
- security professionals can understand whether tools are appropriate and are doing what they should be doing
Application security is still relatively immature and there is significant FUD (Fear, Uncertainty and Doubt) being purveyed by the industry. This project aims to be an open source reference point for system architects, developers, vendors, consumers and security professionals involved in the design, development, deployment and testing of the security of web applications and web services. Security professionals will be able to incorporate the work into their own. Security vendors will be able to base services and software on this project, and consumers will be able to baseline and test the applications or services they receive.
In short, the project aims to help everyone build more secure web applications and web services. We will be covering a wide range of related work over the coming years and have initially defined three areas to concentrate on.
Application Security Attack Components
The Application Security Attack Components project was started as an attempt to create a common language and set of definitions from which much of the other work planned at OWASP could benefit. When describing security issues in web applications, or when attempting to model security, it is very easy to describe the same issue in many different ways, seemingly creating new problems. When analyzing problems described on Bugtraq it is evident that most are simply variants of common issues, but on different applications or systems. Also, when testing security you often find yourself using the same basic technique to test for different problems, only with different parameters or targets. The aim of the Application Security Attack Components project is to define and document the primary attack components that everyday hacks are made up of.
Most of the real-world hacks you will see in the media will of course be a series of several attacks, usually in a certain sequence. By using these descriptions people can describe issues in an unambiguous manner and reference descriptive write-ups of the problems without having to re-hash the same ground. An example of how the initial work is already starting to be used can be found in this posting to Bugtraq on November 5th.
Eventually we aim to have documented and described all of the common attack components in use. This will also help to create a list of what to protect against, and how to protect against it, in future work we may do. Currently the list is heavily focused on "black-box" pen test type issues; however, we are expanding this into classic white-box issues like cryptanalysis and open APIs. The aim is definitely not to build the biggest list of problems or to describe attacks like Nimda or Code Red, but to document the underlying primary attack components that are used in attacks, so that people can learn to avoid developing them and others can learn to test for them.
Web Application Security Testing
Framework - (Due to Start 2002)
This project is setting out to define a structured framework to ensure that the appropriate security requirements have been implemented by a web application. By providing a structured, community-derived methodology covering both "white box" (source code analysis) and "black box" (penetration test) analysis, along with open source testing tools to support the framework, we hope to be able to improve the quality of security testing for all web applications. At a minimum the testing framework will include:
- Why, when, what and how to test
- A comprehensive list of each potential
problem
- Guidelines on how to test each
problem
- Open source tools to conduct those
tests
- Guidelines on how to analyze the
results
- Sample reports
We want to seek widespread adoption of the framework, and are driving towards an official standards body. This work will be usable by a variety of people: from security professionals looking to adopt an industry-derived and proven methodology, through to system owners looking to conduct tests themselves or seeking to ensure that their consultants are comprehensively checking their applications.
Web Application Security XML Data
Exchange Format- (Due to Start 2002)
This project is setting out to define a data format and procedures that can be used to exchange web application security vulnerability information between both systems and users. The goal is to encourage interoperability between commercial, open source and research tools and to ensure that all users can consume a credible, up to date and open set of knowledge. A formal XML specification will be published with a reference implementation of a testing tool written in Java.
Today, knowledge about a security problem and exactly how it is being tested is typically buried deep inside tools. This leads to a high degree of false positives and false negatives. Most security professionals use a suite of tools, but without a data exchange format and open, unambiguous testing knowledge it is almost impossible to choose the best tool for the job and to keep a consistent set of tests and results persisted across applications. This project will facilitate putting a comprehensive set of technical data about web applications into the public domain, as well as facilitating its open exchange and expansion.
We believe it may be possible in the future to create SOAP services based on such an XML specification, allowing the open source community to publish new vulnerabilities in real time to tools that are capable of reading the specification.