Application Security Highlights (Sep 2011)

“Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.” (Douglas Adams, Mostly Harmless)

This is a list of articles, blog entries and studies related to application security that we found interesting and worthwhile reading this month at Astyran.

Active Defence

• Creating AttackAware Software Applications with Real-Time Defenses (by Colin Watson, 
  Michael Coates, John Melton and Dennis Groves). Discusses the use of OWASP AppSensor as a means to detect and neutralize a threat before the attacker exploits a known or unknown vulnerability.

Client Security

• Vetting Browser Extensions for Security Vulnerabilities with VEX (Sep 2011, by Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittmann, Samule T. King, P. Madhusudan, and Marianne Winslett), also publicized in Communications of the ACM, 09/2011, Vol. 54 No. 9. This study describes the tool VEX (using a JavaScript parser using ANTLR to examine flows between sources and sinks) to perform static information flow analysis of browser extensions. Given the fact that the world moves to more and more complex HTML5 and JavaScript driven applications, with a lot of the functionality implemented client-side, this is an important study. No doubt attackers will abuse popular browser extensions to attack sites.

Encryption

• DRAFT Recommendation for Applications Using Approved Hash Algorithms (September 14th, 2011). This is an update to the earlier released SP 800-107. The revision includes the security properties for SHA-512/224 and SHA-512/256, provides additional security information about HMAC and revises the discussions on hash-based Key Derivation Functions.

Framework Security

• ASP.NET 4.5 includes the core encoding routines from version 4.0 of the Anti-XSS library. No more excuses for XSS faults in your .NET application!
• A systematic Analysis of XSS Sanitization in Web Application Frameworks (by Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song). This study examines the XSS Sanitization provided by application frameworks such as Django, Rails and GWT. A few years ago I was convinced that frameworks would make it more difficult for developers to make mistakes, but I was proven wrong (topic of another blog). Nevertheless, understanding the possibilities and limitations of frameworks is crucial in building secure applications.
• Dissecting Java Server Faces for Penetration Testing, (August 25, 2011, by Aditya K Sood & Krishna Raja).  Exactly what the title says and this kind of publication is sorely needed.
• JNLP Application Security Assessment – Setting the scene (September 24, 2011, by zqyves). Nice overview of potential issues with applications using the Java Network Launching Protocol (JNLP),

Post Mortem

• The Fox-IT Forensics Report about the Diginotar hack (September 05, 2011): forensics report about the DigiNotar Certificate Authority breach.

Secure SDLC

• Building Security In Maturity Model (BSIMM, 3rd release, September 2011). The BSIMM describes 109 activities (and examples thereof) in 12 SDLC related practices. Use it to compare your secure SDLC initiative to a group of similar firms.

The Human Factor

• Training Johnny to Authenticate (Safely) (September 2011, by Amir Herzberg and Ronen Margulies). This article presents the results of a long-term study of site-based login mechanisms which force and train users to login safely as a counter-mechanism for phishing. Try out the demo (WAPP, Web Application Phishing Protection) or read more about the background of the article.

Web 2.0 and Beyond

• REST APIs and Next Generation Threats: Part 1 (September 26, 2011): Discusses scenarios and security risks from the perspective of end-users.
• W3C Launches New Web Application Security Working Group (September 7, 2011). The mission is to address security issues in modern web applications and mash-ups and will do this by defining lightweight policy expression mechanisms to tune the browser security model.

Well, that’s it for this month!

This post is not supposed to be a full list of all publications regarding application security in the this month but just a selection, based on the amount of time we had free to read them and the relevancy of the topics to our work. Anything I missed or that you think should be added to this list? Let me know!