Tuesday, July 25, 2006

Registrations for OWASP Mumbai Meet [31st July 15:00hrs]

Hi All,

Everyone is welcome to join us at our next chapter meet to be held on Monday, 31st of July.

Registrations for the event are free. If you are willing to attend, just send

a mail to dharmeshmm@owasp.org as a confirmation.

If you would like to speak at the event or sponsor, contact me ASAP.

Theme of Meeting: Securing Web Services

Details of the Meet:

Time: 03:00 PM - 05:00 PM

Sponsor and Venue Details:

Tech Mahindra Ltd.

Tech Mahindra Limited. Wing 1, Oberoi Estate Gardens, Chandivali, Andheri (E), Mumbai 400 072, Maharashtra, India.

Details of Event: http://www.owasp.org/index.php/Mumbai

Incase of any queries, please feel free to contact at +91 98670 75327.

Thanks & Regards,

Dharmesh M Mehta | Technology Cell | Unit 183, SDF-6 SEEPZ, Mumbai, India |
(O) +91-22-6695 2222 Ext: 1005
| (M) +91 98670 75327 | www.mastek.com

http://smartsecurity.blogspot.com

Dream as if you'll live forever. Live as if you'll die today. - James Dean

Friday, July 14, 2006

What is STRIDE

Threats faced by the application can be categorized based on the goals and purposes of the attacks. A working knowledge of these categories of threats can help you organize a security strategy so that you have planned responses to threats. STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for:

Spoofing. Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.

Tampering. Tampering is the unauthorized modification of data, for example as it flows over a network between two computers.

Repudiation. Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.

Information disclosure. Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Any of this information can be very useful to the attacker.

Denial of service. Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.

Elevation of privilege. Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application. For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.

STRIDE Threats and Countermeasures

Threat

Countermeasures

Spoofing user identity

Use strong authentication.

Do not store secrets (for example, passwords) in plaintext.

Do not pass credentials in plaintext over the wire.

Protect authentication cookies with Secure Sockets Layer (SSL).

Tampering with data

Use data hashing and signing.

Use digital signatures.

Use strong authorization.

Use tamper-resistant protocols across communication links.

Secure communication links with protocols that provide message integrity.

Repudiation

Create secure audit trails.

Use digital signatures.

Information disclosure

Use strong authorization.

Use strong encryption.

Secure communication links with protocols that provide message confidentiality.

Do not store secrets (for example, passwords) in plaintext.

Denial of service

Use resource and bandwidth throttling techniques.

Validate and filter input.

Elevation of privilege

Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.

Tuesday, July 04, 2006

OWASP Mumbai - Next Meeting

Next Meeting - Tentative Monday July 31st 2006
[03:00 PM - 5:00 PM]

Invitations are OPEN for all to present at the Next OWASP Mumbai Meet.

The meeting is to be scheduled tentatively on Monday, 31st July 2006 from 3:00 to 5:00 PM.

Venue and Sponsor Details:

Tech Mahindra Ltd..

Tech Mahindra Limited. Wing 1, Oberoi Estate Gardens, Chandivali, Andheri (E), Mumbai 400 072, Maharashtra, India.

If you would like to speak, please drop in a mail at dharmeshmm@gmail.com

OWASP, the free and open application security community, has gone Wiki.