
Solving shameful security problems

Sep 22, 2003 | 3 min read
Enterprise Applications | Security

Top 10 Web app security flaws


“The underlying reality is shameful: most system and Web application software is written oblivious to security principles, software engineering, operational implications, and indeed common sense,” noted Dr. Peter G. Neumann, Principal Scientist at independent research institute SRI.

Building secure Web applications is crucial if you are doing anything that involves personal privacy or financial transactions, or that is regulated by a government agency. In fact, even non-critical Web applications need a solid security foundation; otherwise the Web application platform itself could become an entry point for hackers.

In this newsletter we have covered all sorts of software and hardware for securing Web applications but the one thing we haven’t really discussed is what is arguably the most basic security component of all: good design.

One organization that you should keep an eye on is the Open Web Application Security Project, or OWASP (see links below). In its own words, the project “is dedicated to helping organizations understand and improve the security of their Web applications and Web services.”

On the OWASP site you’ll find lots of interesting resources and open source projects with a security bias but most usefully of all, you can examine the OWASP Top Ten List, “a broad consensus about what the most critical Web application security flaws are.”

The Project gathered a number of security experts who have shared their expertise to produce the list. The Top Ten is a really great place to begin your Web applications security thinking. In fact, the U.S. Federal Trade Commission strongly recommends the adoption of the list and the U.S. Defense Information Systems Agency has listed the OWASP Top Ten as key best practices in the DOD Information Technology Security Certification and Accreditation Process.

Visa’s Cardholder Information Security Program references OWASP standards as does Sprint, IBM Global Services, Bureau of Alcohol, Tobacco, and Firearms, Sun, British Telecom, PricewaterhouseCoopers, and many other major commercial and government operations.

So what’s on the Top Ten list? Let me summarize:

1. Unvalidated parameters – Web requests not being validated before being used by a Web application.

2. Broken access control restrictions.

3. Broken account and session management – account credentials and session tokens that are not properly protected.

4. Cross-site scripting (XSS) flaws – Web applications that “can be used as a mechanism to transport an attack to an end user’s browser.”

5. Buffer overflows – natch.

6. Command injection flaws – not trapping malicious commands in parameters passed to external systems or the local operating system.

7. Error handling problems that compromise Web application integrity.

8. Insecure use of cryptography.

9. Remote administration flaws – easily done.

10. Web and application server misconfiguration.
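To make four of the items above concrete (1, unvalidated parameters; 4, cross-site scripting; 6, command injection; 7, error handling), here is an added example written for this column. It is not code from the newsletter, from Network World, or from OWASP; every function name and every request value in it is constructed for the demonstration. Each flaw is shown as a weak handler beside its hardened counterpart.

```python
# Added example, not part of the newsletter or of OWASP's own material:
# four of the listed flaw classes shown as a weak handler beside a
# hardened one. All request data below is constructed for the demo.
import html
import logging
import re

log = logging.getLogger("webapp")

# 1. Unvalidated parameters: the weak version splices the raw request
# value into a query; the hardened version accepts only a bounded numeric
# identifier and returns a typed value to be bound as a query parameter.
ACCOUNT_ID = re.compile(r"[0-9]{1,10}")

def build_query_weak(params):
    # Whatever the client sent becomes part of the SQL text.
    return f"SELECT * FROM accounts WHERE id = {params.get('id', '')}"

def validate_account_id(params):
    raw = params.get("id", "")
    if not ACCOUNT_ID.fullmatch(raw):
        raise ValueError("id must be 1-10 digits")
    return int(raw)

def build_query_safe(params):
    # Placeholder plus bound value: the driver never treats the value as SQL.
    return "SELECT * FROM accounts WHERE id = ?", (validate_account_id(params),)

# 4. Cross-site scripting: encode untrusted data at the point of rendering.
def greet_weak(name):
    return f"<p>Hello {name}</p>"

def greet_safe(name):
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

# 6. Command injection: the weak version builds a shell command line from
# the parameter; the hardened version validates the host name against the
# DNS label syntax and returns an argv list to be executed without a shell
# (subprocess.run(argv) with shell left at its default of False).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def ping_command_weak(host):
    return f"ping -c 1 {host}"        # written for shell=True; do not copy

def ping_command_safe(host):
    if len(host) > 253 or not HOSTNAME.fullmatch(host):
        raise ValueError("not a valid host name")
    return ["ping", "-c", "1", host]

# 7. Error handling: details go to the server log; the client receives a
# fixed message that reveals nothing about the internals.
GENERIC_ERROR = "An internal error occurred. See the server log."

def error_response_weak(exc):
    return 500, f"Internal error: {exc!r}"

def error_response_safe(exc):
    log.error("request failed", exc_info=exc)
    return 500, GENERIC_ERROR

def is_rejected(check, value):
    """True when `check` refuses `value` with ValueError."""
    try:
        check(value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(build_query_safe({"id": "42"}))
    print(greet_safe("<b>visitor</b>"))
    print(ping_command_safe("example.com"))
    print(is_rejected(ping_command_safe, "bad host"))
```

The pattern in every pair is the same one the Top Ten is pushing: decide what a parameter is allowed to be before using it, keep data and code (SQL, HTML, shell) separated by the interface designed for that, and keep diagnostic detail on the server side.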

If you haven’t seen this advice and taken it to heart, do so. These are the best guidelines around and could save you a lot of grief if you’ve overlooked something.

Let me know what you think of the OWASP Top Ten.


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at
