Saturday, March 22, 2008

OWASP Summer of Code 2008

OWASP is now launching the Summer of Code 2008 (SoC 2008)

  • The SoC 2008 is an open sponsorship program were participants/developers are paid to work on OWASP (and web security) related projects.
  • The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
  • The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.
  • The only requirement is that the candidate shows the potential to accomplish the project's objectives/deliveries and the commitment to dedicate the time required to complete it in the appropriate period.

More Details

Friday, March 21, 2008

Hacking Web Applications – Truly Simple

Application Hacking is the trend of the industry. It started with viruses and worms – The age of anti-virus. It evolved with the internet as more corporations developed internal and external networks – The age of Network Security. Now as industry has been powered with World Wide Web, information security has reached its third age – The age of Application Security. Application attack is one of the hardest attacks to recognize and defend against, as it uses your programs and systems against you.

If we recall the attacks few years back, we see that most of the organizations including NASA, CIA and Yahoo were attacked. These attacks were mostly at network layer of the corporate systems. The network layer is now very secure and hackers find it difficult if not impossible to attack at the network layer. Today, applications are the target. Attackers steal credit card numbers from bank site and an intruder breaks into a corporate application stealing sensitive employee information. Hackers use the application sitting behind the strong firewall and use a loop hole in the application to access corporate and customer data. As the industry embraces the benefits of e-business, the use of Web based technologies will continue to grow. However, as these technologies evolve, the vulnerabilities are being discovered at a similar rate. Secure implementation of these technologies cannot be achieved without a consistent approach to Web Application Security. Also the convergence of regulatory demands for application security with an increasingly security-savvy software buyer is driving a serious impetus for change.

Whether a security breach is made public or confined internally, the fact that a hacker has broken into your online assets should be a huge concern to organizations. Quite a large number of organizations are reactive to security incidents, pretending that the problem will go away. They respond with short-term fixes and the problems re-emerge rapidly. They fail to recognize the value of information and company reputation as opposed to cost of addressing security vulnerabilities.

Unlike certain worms and viruses that exploit the network security weaknesses, web application attacks go after flaws in the application itself. For example, an attacker could tamper with a part of HTTP request and use buffer overflows to corrupt an application by having it execute arbitrary code. In this way, an attacker could take control of the web or application server.

Ahh! We have a very strong password policy. But are passwords sufficient? Passwords are only as trustworthy as the people using them. If you rely on passwords to protect your online assets, then you are relying entirely on the people logging in and out. Let’s just draw a real world example. With popularity of social networking sites like, we find thousands of people listing down their organization name and their work profile in public. What’s more concerning is they also list their family members with information of names and ages of their children. There is very high probability that a hacker may be able to find out a person’s password from the above information and get inside the organization’s defenses very quickly. Passwords are not sufficient to provide security to your online applications.

Does your firewall protect online assets? The traditional function of a firewall is to regulate the ports and services running on the server. Web applications by and large use port 80; and the firewall keeps this port open. This is the gold spot for the attackers. The beauty of application attack lies in sneaking through your firewall and use the application itself to break it. Firewalls cannot protect you from this happening.

With hacking tools being readily available and the complexity of attacking decreasing, it is relatively easy to find flaws in an application. A hacker could easily change the hidden fields of an online shopping site indicating price and smartly walk away without paying money. This is largely because while building applications, some of the most basic security measures, to keep information secure, were ignored. The cost of poor application security can be far greater than most organizations can imagine.

Organizations must take a proactive approach in protecting their critical web applications. The need lies in understanding how important application security is in the software development cycle. Application security must align as early as during requirement gathering, making way in secure design, development and deployment.

We are witnessing the emergence of more security-savvy buyer of software asking questions about the security practices and those are having a big impact on purchase decision. In long run, these companies will surely enjoy a higher return on investment.