Saturday, March 15, 2008

OWASP Italy: The State of the Art of the Web Application Security and the OWASP guidelines for Companies

Back in 2005 my first involvement with OWASP was to help write the OWASP Testing Guide. The project was successfully led by Matteo Meucci, who is the founder and chair of OWASP Italy and CEO of Minded Security. Three years later Matteo invited me to participate in the sponsored event on March 31st at the Congress Center of the University of Rome La Sapienza. The topic of the one-day event is "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies". The topic of my presentation is: "How to start a software security initiative within your organization: a maturity based and metrics driven approach."

As part of the event Matteo will moderate a round table talk on the following topics:
  1. What are the countermeasures that organizations have adopted to mitigate new attacks?
  2. Responsible information disclosure of vulnerabilities: what's the best approach?
  3. How do you implement a security enhanced software development life-cycle that also provides a good Return on Security Investment (ROSI)?
  4. Customers security awareness: does it provide fundamental leverage for implementing security controls?
My presentation can be found here: http://www.owasp.org/images/a/ab/Owaspday2Morana.pdf
A detailed program of the event can be found here

Wednesday, March 05, 2008

OWASP Top Ten and In-secure Software Root Causes


A security professional's diagnosis of vulnerabilities is similar to a doctor's diagnosis of viruses; there are causes and symptoms.

I did a presentation last week for my OWASP local chapter on application vulnerabilities and insecure software root causes. It was a little too much to cover in one hour; next time I will do just one session per vulnerability and be less Italian in my perception of time...

Here is the abstract of the presentation:
Before diagnosing the disease and prescribing the cure, a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In the case of application security, the majority of the root causes of security issues lie in insecure software; the risk factors can be found in how badly the application is designed, the software is coded and the application is tested; and the symptoms are how the application vulnerabilities are exposed. The presentation articulates the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways of enforcing software security by looking at the risk that threat agents (attacks) exploit vulnerabilities due to insecure software, and at the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weaknesses in application security controls, it is easier to describe the root causes as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten; for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find out if you are vulnerable and, if you are, which countermeasures need to be implemented.

The presentation can be downloaded from the OWASP site here:

Saturday, March 01, 2008

Identity Theft and Phishing and How They Affect Financial Institutions


[Figure: MiTM attack on a bank; source http://www.securelist.com/]

In the USA, online fraud has overtaken viruses as the greatest source of financial loss (Symantec threat report: http://www.symantec.com/business/theme.jsp?themeid=threatreport).
Among online fraud threats, phishing represents a major threat for financial institutions: according to the Anti-Phishing group organization, 93.8% of all phishing attacks in 2007 targeted financial institutions. A recent study also indicates that phishing attacks in the USA alone soared in 2007 to 3.6 million victims, for a total reported customer loss of USD 3.2 billion. In 2006, the USA had 2.3 million victims of phishing and USD 500 million in losses (Gartner study: http://www.gartner.com/it/page.jsp?id=565125).

Recent research on phishing by Rachna Dhamija at Harvard and J.D. Tygar and Marti Hearst at UC Berkeley, "Why Phishing Works" (http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf), indicates that phishing is a very effective attack (how could it not be, when it targets the human factor, which is the weakest link!), and that the best phishing sites were able to fool 90% of the participants in the study.

We tend to forget that most web site anti-phishing controls are "trust indicators" that try to tell the user that this is indeed a trusted site. Among these controls, showing the address bar with a branded domain and obviously prompting the user to recognize SSL are the most effective, but from the user's perspective they can be ignored and from the attacker's perspective they can be spoofed. Therefore this is an area where better controls need to be designed from both a usability and a security perspective: if I force the user to use mutual authentication via SSL I will implement an effective control against phishing, but I will impact usability (scaring my customers away) as well as my costs (for PKI, for example). Deploying PKI for each customer is a cost that most financial institutions cannot afford today.

So there is a need to design an anti-phishing solution at the application layer that addresses both usability and security. A possible solution is multi-layered security, that is, deploying multiple controls: anti-phishing deterrent controls and multi-factor authentication preventive controls. The problem with phishing today is that the attack is cheap to mount. For example, right now it is very easy for an attacker to phish a site by exploiting web application vulnerabilities: it does not require the attacker to spoof the legitimate site and recreate all of its web pages, but rather to send the user a link to the legitimate site with the attack vector (for example an XSS vector) as part of the URL. Another very dangerous attack is phishing through a web proxy for a Man in the Middle (MiTM) attack. Assuming that the attacker gets the opportunity to phish a victim via a malicious link that points to one or more web proxies (for example via a botnet), this attack will be very effective at breaking MFA authentication controls too.
Since a large share of phishing attacks exploit web application vulnerabilities, it is important to test that your web site is built to be immune from these vulnerabilities. Examples of vulnerabilities that you should tackle to mitigate phishing attacks are weak authentication and authorization controls, weak session management and especially input validation vulnerabilities. The OWASP Top Ten provides a mapping of vulnerabilities to attacks for phishing, privacy violations, identity theft, system alteration and data destruction, financial loss and reputation loss: http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf
An example of how XSS vulnerabilities can be exploited for phishing is a login page that uses frames: a malicious user can inject a malicious frame to collect usernames and passwords through the legitimate login web page. This attack has been used for identity theft against bank sites in Europe and was covered in the February 2008 edition of (IN)SECURE Magazine: http://www.net-security.org/dl/insecure/INSECURE-Mag-15.pdf
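The pattern just described, reflected XSS turning the legitimate login page into the phishing page, as an added example that is not part of the original post or of any OWASP material. It shows a minimal login page renderer in its vulnerable form (the `msg` request parameter is copied into the HTML unescaped) next to its hardened form (output encoding plus framing restrictions), with a small check a tester can run over the rendered page. The function names, the `msg` parameter and the sample request are assumptions constructed for this example.

```python
"""Vulnerable vs. hardened login page rendering (added example, not the post's code)."""
import html
from typing import Dict, Tuple

# Constructed sample request: the kind of "msg" value a crafted link to the
# legitimate site could carry. Illustrative only, not an observed payload.
SAMPLE_PARAMS = {"msg": '<iframe src="https://phish.example/login"></iframe>'}

# The legitimate page. It never emits an <iframe> or <script> of its own, so
# their presence in rendered output is a reliable sign of injection.
PAGE_TEMPLATE = (
    "<html><body>"
    "<p class='notice'>{msg}</p>"
    "<form method='post' action='/login'>"
    "<input name='user'><input name='pass' type='password'>"
    "<input type='submit'></form></body></html>"
)


def render_login_vulnerable(params: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Reflects 'msg' verbatim into the page: the reflected XSS defect is kept on
    purpose so it can be compared with the hardened renderer below."""
    body = PAGE_TEMPLATE.format(msg=params.get("msg", ""))
    return {"Content-Type": "text/html; charset=utf-8"}, body


def render_login_hardened(params: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """HTML-encodes untrusted input before interpolation and sends headers that
    stop the page from being framed by other origins or loading foreign frames."""
    safe_msg = html.escape(params.get("msg", ""), quote=True)
    body = PAGE_TEMPLATE.format(msg=safe_msg)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Legacy header understood by older browsers: never render inside a frame.
        "X-Frame-Options": "DENY",
        # CSP: own origin only, no embedding by other origins, frames only from
        # self (the post's login page legitimately uses its own frames).
        "Content-Security-Policy": (
            "default-src 'self'; frame-ancestors 'none'; frame-src 'self'"
        ),
    }
    return headers, body


def contains_injected_markup(body: str) -> bool:
    """Test-time check: the template never emits these tags, so finding one means
    untrusted input reached the page unencoded."""
    lowered = body.lower()
    return "<iframe" in lowered or "<script" in lowered


if __name__ == "__main__":
    _, vulnerable_body = render_login_vulnerable(SAMPLE_PARAMS)
    hardened_headers, hardened_body = render_login_hardened(SAMPLE_PARAMS)
    print("vulnerable page contains injected markup:", contains_injected_markup(vulnerable_body))
    print("hardened page contains injected markup:  ", contains_injected_markup(hardened_body))
    print("hardened response headers:", hardened_headers)
```

Output encoding is the fix for the root cause (the input validation weakness the post names); the framing headers are the extra layer that limits what an injected or attacker-hosted frame can do even if another reflection point is missed, which is the multi-layered approach the post argues for.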

Unfortunately, phishing attacks through MiTM via a web proxy are not mitigated by one countermeasure alone, such as a strong authentication control. For example, the strongest multi-factor authentication (MFA) solutions commercially available right now, such as RSA OTPs, Cyota Risk Authentication, SiteKey etc., are still vulnerable to these attacks. By the admission of RSA's Uri Rivner, any type of token, if deployed as a single layer of security, is vulnerable to good social engineering and a MiTM attack, so the threat has to be addressed with multi-layer controls and not MFA alone: http://www.rsa.com/blog/blog_entry.aspx?id=1114 The best way to respond to these threats is to do a threat analysis and address the risk with multiple countermeasures, that is, multiple layers of security controls, not just MFA.

Regarding identity theft threats, a must read for information security practitioners who work for financial institutions is the recently published data from the UC Berkeley Center for Law and Technology. This study is the first attempt to quantify the risk of identity theft among institutions. Since financial institutions are the largest target for phishing, I was not surprised to see some of the largest banks in the USA at the top of the list for the number of identity theft incidents reported to the FTC (Federal Trade Commission) in 2006. The biggest surprise, in my opinion, was to see the largest telco, AT&T/Cingular/SBC, coming #2 after BofA/MBNA. Among the largest financial institutions (based upon the number of bank deposits), HSBC has the highest number of incidents reported, then BofA; ING Bank, with only one single event, had the lowest number of identity theft incidents reported. The bank that I work for, Citibank, ranks #7 among the top 25 in this study: http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1045&context=bclt

These metrics should drive US banks to reconsider how effective their countermeasures are. Assuming that most US banks had an MFA solution rolled out by 2006 because of FFIEC compliance, these data tell us that the threat is still not adequately mitigated. IMHO this is a call for bank CIOs to change strategy and update the necessary audit controls by signing off new policies for mitigating the threat, for CISOs to implement more effective security review processes for threat analysis, and for security practitioners to test the effectiveness of current controls so that new countermeasures can be implemented as required.