Wednesday, June 16, 2010

XSS/CSRF Webcast

Just to help keep you learning about this stuff, here is what sounds to be a really great SANS webcast on XSS and CSRF "taking over the world". Seriously, you have to hear stuff like this one. If it is anything like what it sounds like it will be, it will be worth it to have the pants scared off you. Yeah, sure, watch it nowhere near coworkers is rough to pick up your pants around them and have to explain your being scared.

But seriously, the whole battle is to keep yourself educated and acting on what you learn. I am telling people "CSRF is scary and should be taken seriously". It is #5 on the OWASP Top 10 Risks for 2010, but for me it is #3, behind XSS then SQLi. And I know, I switched XSS to #1. Injection is a huge risk, but XSS is the foundation behind all these crazy attacks. Stop XSS and a boatload of attacks are stopped.

In a New England GiveCamp talk I gave to developers and non-profits over the weekend, one attendee asked about how to stop the attack where they drop off mini VNC on your machine. I have to reiterate here -- I don't care what they drop off and I don't stay on top of what the flavors of attack are. It is irrelevant, frankly. The question was a good one, and I'm not in any way knocking his train of thought. But step back for a sec and see that these dangerous things are being left on our sites through an open door. Stop XSS and they can't do that anymore. We have to stop looking at who is knocking on the door and trying to figure out if they are a good guy or bad guy. Stop XSS and deny whatever isn't whitelisted on your site. Be a good maitre d' and only allow in those folks on the list, whether during input validation or some other function of input.

Speaking of GiveCamp (#negc2010 on Twitter), it was a very rewarding and satisfying experience as a web developer. But I have to admit I was disappointed in the turnout to my talk. Granted, people were cranking on Saturday morning at 9 am...but take 30-40 min to hear about web security, right? Out of the 150 or so people there, I had I think 10. I didn't count but it was around that. Security just isn't given the nod it needs to have, and we will continue to code crappy software. That being said, I know the folks on one team and they are security-conscious and really didn't need to go. But how many others built sites that fall short?

All I know is I better not hear excuses...

Saturday, June 5, 2010

Devs Should Be Primary Security Contact

Great article on --

The core of it is to have devs be in charge of security for a web app. Horrors!! Well, given today's developers, that is one scary and risky thing. But I am all for it. Find the right person, full of energy and willingness to stay on top of web app security trends and you have probably the BEST ally for your security conscious needs.

Here's why -- a) no one knows application development like a dev. Your security analyst can't read all your code and know where a hole might be. b) A good dev can talk to security guys and find a way to meet their needs from a development perspective. c) A dev will always get an ear of the other devs. It might take pulling teeth to get the other devs to code securely but it is sure a better chance than some security analyst or CISO coming in and dictating how they should code! (It's bad enough our project mgt, marketing and PR folks already think they can dictate site design and code to us, as well as the deadlines to meet their needs)

Companies serious about web application security need to train their developers, pick the best of the bunch and make them security analysts for web projects. It is one of the best ways to ensure secure apps.

Wednesday, June 2, 2010

Lightning in Your Cloud Tag Widget

There is a crafty little XSS hole in the cloud widgets of several big name content management systems. It takes advantage of Flash files that allow arbitrary HTML tags to be injected...sigh.

WordPress, Joomulus, JVClouds3D, Joomla and Blogumus as well as BlogEngine.NET and Kasseler CMS.

Read the article on it

So be careful what you put out there...encode it before you just slap it into your handy-dandy cool cloud tag thingy.