We are extremely pleased to finally officially launch OWASP, the "Open Web Application Security Project". For those who have been following the site and mailing list for the last 8 weeks, you will be part of the 250,000 web hits and this will be nothing new; but given our new technical committee it made sense to re-launch the effort with some basic work already done. In short, the project aims to help everyone build more secure web applications and web services. We will be covering a wide range of related work over the coming years and have initially defined two areas to concentrate on.

Attack Components - The Application Security Attack Components project was started as an attempt to create a common language and set of definitions from which much of the other work planned at OWASP can later benefit. When describing security issues in web applications, or when attempting to model security, it is very easy to describe the same issue in many different ways, seemingly creating new problems. When analyzing problems described on Bugtraq it is evident that most are variants of common issues, applied to different applications or systems using different parameters or targets. The aim is definitely not to build the biggest list of problems or to describe attacks like Nimda or Code Red, but to document the underlying primary attack components that are used in attacks, so that developers can learn to avoid introducing them and testers can learn to test for them. We have a good initial start, although it is focused mainly on external, black-box type issues. The current list can be found here. With our new team we hope to flesh out this list to include internal "with knowledge" attacks as well as cryptographic issues and any other classes we need to include. The work is scheduled to take place in December of this year.
Testing Framework - As with any emerging technology like web application security, where there is a lack of documented knowledge and experience, it is hard to know how to be sure that security has been implemented correctly: protecting the application, the data and the user. As in the early days of network security, some people would have you believe application security is a black art. If you ask a security vendor to conduct an application security review today, it could consist of anything from a consultant pressing "scan now" on an automated tool designed to find holes in operating systems, to a full-blown line-by-line code review. What is the correct way to test the security of web applications and web services? The Web Application Security Testing Framework is setting out to produce an industry-standard blueprint for how to methodically test the security of all web applications and web services. The work is likely to include modelling security attacks (maybe in XML) and is likely to use "Attack Trees" to define paths of attack. The framework will be open to all and will be extensible so that it can be used in all web application scenarios. It will discuss the difference between white-box testing and black-box testing, describe tools and techniques, and describe how to conduct tests, analyze results, fix problems and report findings. The framework will help everyone build more secure web applications and web services. One ultimate goal that has been put forward is to also produce a web service from which all users can download sets of known or experimental attacks (and possibly build them online) for import into reference tools, either developed by the project or commercial tools. The specifications would be published and made freely available.

Such a web service would effectively decouple the current situation, in which commercial tools bundle both the knowledge and the techniques, making the security knowledge available to everyone and letting the tools stand on their own merits. This idea will depend on funding, probably from the government.