1 Raindrop

Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.

Recent Posts

  • Security Champions Guide to Web Application Security
  • Security > 140 Conversation with Pamela Dingle on Identity
  • 6 Things I Learned from Robert Garigue
  • The Curious Case of API Security
  • Security Capability Engineering
  • Ought implies can
  • Security > 140 Chat with T. Rob Wyatt on MQ and Middleware Security
  • Privilege User Management Bubble?
  • The part where security products solve the problem
  • Four Often Overlooked Factors to Give Your Security Team a Fighting Chance

Blogroll

  • Adding Simplicity - An Engineering Mantra
  • Adventures of an Eternal Optimist
  • Andy Steingruebl
  • Andy Thurai
  • Anton Chuvakin
  • Beyond the Beyond
  • cat slave diary
  • Ceci n'est pas un Bob
  • ConnectID
  • Cryptosmith
  • Emergent Chaos: Musings from Adam Shostack on security, privacy, and economics
  • Enterprise Integration Patterns: Gregor's Ramblings
  • Financial Cryptography
  • infosec daily: blogs
  • Jack Daniel
  • James Kobielus
  • James McGovern
  • John Hagel
  • Justice League [Cigital]
  • Kim Cameron's Identity Weblog
  • Krypted - Charles Edge's Notes from the Field
  • Lenny Zeltser
  • Light Blue Touchpaper
  • Mark O'Neill
  • Off by On
  • ongoing
  • Patrick Harding
  • Perilocity
  • Pushing String
  • Rational Survivability
  • rdist: setuid just for you
  • RedMonk
  • RiskAnalys.is
  • Rudy Rucker
  • Software For All Seasons
  • Spire Security Viewpoint
  • TaoSecurity
  • The New School of Information Security
  • Windley's Technometria
  • zenpundit

Web Services Security at OWASP Twin Cities

Speaking tomorrow (Monday 4/27) at OWASP Twin Cities


What do Web apps, Web 2.0, Cloud Computing, SOA, and REST all have in common? They all use Web services for functionality, data access and integration. Unfortunately, by default Web services also lack a security model. The OWASP Top Ten for Web Services goes into the technical details of the vulnerabilities, remediations, and examples of common Web services security issues: authentication and authorization flaws, how sensitive data is disclosed, and why security standards like WS-Security and SAML can be your best friend or your worst nightmare.

April 26, 2009 in OWASP, Security | Permalink | Comments (1)

Don't Give Money to Charities This Holiday Season - Loan it to a Business

No, I am not talking about bailouts, and I am obviously not suggesting that you not support your favorite charity. Microfinance is a way to lend money to entrepreneurs who have good ideas, energy, initiative, and a real business, but lack capital. A relatively small amount of capital can help these businesses grow and thrive. For example, say you are a rice farmer in a small village in Cambodia: if you had a motorcycle you could get to the nearest big town and get a much better price for your rice. The only thing missing is the banker to cover the loan for the motorcycle.


This is where microfinance comes in. Kiva is a site that makes it easy to be a "banker to the poor", and there is even a Team OWASP on Kiva, which has 33 loans in process. Note that Kiva's repayment rate on loans is over 99%, so to paraphrase Tom Barnett: you don't have to wait for change from above, just get your own foreign policy.

December 16, 2008 in Kiva.org, OWASP | Permalink | Comments (1)

OWASP Twin Cities Mini-Conference

Next week, there will be an OWASP Mini-Conference right here in the Twin Cities. I am sorry that I will have to miss it, but the lineup is great - Brian Chess, Jeff Williams, Richard Stallman and a number of others. Brian and Jeff are both very engaging presenters. I am curious to hear what Stallman says; I am not sure I have heard of him being associated with OWASP or security work in general before, and I have read any number of his comments that seem to directly oppose security mechanisms. In any case it promises to be worth the price of admission.


I have spoken at a number of local OWASP conferences, and you can always see that the good ones are the result of a lot of hard work by a small group of people. Bob Sullivan really brought the Minnesota chapter through its adolescence very nicely, building a good base, and now Kuai Hinojosa is doing some phenomenal work growing the chapter. Kuai has serious networking skills; I would love to see Kuai, James McGovern and other successful OWASP leaders put together a Top 10 list for how to grow a chapter. These are things I don't know the first thing about how to do, but you can sure see the results. I am pretty sure a lot of other OWASP leaders could benefit from these guys' insights.

October 17, 2008 in OWASP | Permalink | Comments (2)

Web services talk at OWASP

The video from my OWASP AppSec Conference talk on the OWASP Top Ten for Web Services is online here.


OWASP is consistently the most interesting and practical security conference; it's probably the closest thing we have to a true software security conference. Sure, we could use a few more builders, but I still think it's the best we have right now.

October 13, 2008 in OWASP, Security, SOA, Web Services | Permalink | Comments (1)

Web Services and XML Security Training at OWASP

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise, from application servers and databases to ERP and CRM. Increasingly we are seeing Web services in more B2C roles with REST, federation and other technologies. The class looks at how Web services applications are built, what the common threats and vulnerabilities in Web services are, and how to build your Web services application to defend against them.


I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes:

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and REST
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool; we'll look at browser-based SSO with SAML
PingFederate Web Services - we'll look at how to implement an STS in Web services
Bandit - CardSpace, authorization, and auditing

Security Services
VordelSecure - XML gateway; comprehensive Web services security policy creation and enforcement, deploying decentralized security services
Apache Rampart
ModSecurity

Testing
Soapbox - Web services security testing
WebScarab - Web services fuzzing

Static Analysis
Fortify SCA - how to scan your Web services code for security bugs *before* you deploy


This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimonials from past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas.  This class provided me with actionable tasks that I took back to my project teams the very next day!"
- Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
- Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats" 
- Sr. Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with." 
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
- Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST" 
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
- Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant, Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
- Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and young. A course such as this helps bring it into focus."
- Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
- Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation" 
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SOA than I."
- John Glazeski, Senior Systems Engineer

August 28, 2008 in OWASP, Security | Permalink | Comments (0)

LolOWASP

Did you ever wonder what would happen if you made a hybrid between lolspeak and the OWASP Top 10? Pravir Chandra and I wondered the same thing. Teh result? icanhaspwn, of course.


April 30, 2008 in OWASP, Security | Permalink | Comments (0)

Rogan Dawes at FOSDEM 2008

Most security people seem to have at least heard of OWASP, but a lot of developers have not. This by itself is a little scary, but it is also too bad, because one of the singular great things about OWASP is that it is a very developer friendly project that produces lots of tools, code and code level guidance (rather than just policy statements). So it is a great playground for developers to learn about building more secure web apps.

There is a great summary here by Christian Scholz of Rogan Dawes' talk at FOSDEM 2008, where he summarizes a lot of what OWASP is about and what some of the more interesting projects are. If you are just learning about OWASP it is a great place to start. The author concludes:

Everybody interested should have a look at WebGoat and WebScarab themselves.

Could not agree more. It is great to see OWASP getting out of the security community and into the wider developer communities. The security people can only take it so far; developers have to be on board.


Gunnar Peterson teaching Web Services Security training, NYC, March 10-11

February 26, 2008 in OWASP, Security | Permalink | Comments (0)

OWASP Notes

Two OWASP notes today

1. I know some people in Hartford read this blog: James McGovern is starting up a new OWASP chapter in the Hartford area. Read all about it. Excellent lineup, starting with Gary McGraw (More). If you are in the area check it out; knowing James, this chapter will push OWASP in a new direction, and it will be fun to see what comes out of it.

2. OWASP is starting to get some more play outside of security geekdom.

Linux.com has an article - Building Secure Web Applications with OWASP

and this from Tom Brennan on OWASP on TV (the fact that Hollywood has _not_ cast Dinis Cruz in a starring role is beyond me):

Watch the trailer: http://www.youtube.com/jinxpuppy (over 6000 views already)

I highly encourage you to TIVO/DVR this (there are 2 episodes), the 1st at 11:00pm and the 2nd at 11:30pm
http://www.courttv.com/schedule/index.html?tempDate=2&nextWeek=yes or watch it live!

If this show gets picked up, Episode #4 will have web application hacking and OWASP mentioned as a source to find details on secure development, testing guides and more! ;)

TV GUIDE BLURB
----------
TIGER TEAM - NEW!
Tuesday, December 25 at 11 and 11:30pm E/P
This vérité action series follows Tiger Team – a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones who employ a variety of covert techniques – electronic, psychological and tactical - as they take on a new assignment in each episode.

http://www.courttv.com/onair/shows/upcoming_series/index.html#tiger_team


December 20, 2007 in OWASP | Permalink | Comments (2)

Update from ConferenceLand

Last week we did an AppSec track at the software developer conference QCon. One of the highlights was jOHN Steven's threat modeling talk. I am always amazed that many security architects don't do threat models. How in the world do you get a security requirement then? Anyhow, jOHN had a great quote: we need to change the mindset of security people away from the traditional (and traditionally ineffective) auditor role and towards that of a shepherd.

This week is OWASP AppSec, and I have a deep affection for this conference, because useful stuff is produced every time and it is noticeably free of the "it's perfect or it's broken" crowd. Anyhoo, some highlights.

Mark O'Neill gave two stellar talks on Web services security. The first was real-world case studies including REST, SOAP, and a number of industry-specific Web services security integration scenarios. Then Mark gave a presentation on covert data channels. Brad Hill closed the day with his excellent examination of the bloated attack surface we have in XML security today, and some concrete remediations.
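
One slice of that XML attack surface that every SOAP endpoint and XML gateway inherits from its parser is the DTD: an inline entity chain blows up memory on expansion, and an external entity turns the parser into a file or URL reader. As an added example, not from this post or from Brad Hill's talk, here is a Python function over the standard-library expat bindings that refuses DOCTYPE and entity declarations before the message body is ever touched. The three sample messages are constructed for this illustration. One caveat: Python's expat will not fetch external entities on its own, so in this stack the real exposure is expansion; the Java and .NET parsers behind most SOAP stacks of this era resolved external entities by default, which is why refusing the DTD outright, rather than relying on any one parser's defaults, is the remediation worth carrying across platforms.

```python
"""Hardened XML parsing for SOAP-style messages: reject DTDs and entities outright.

Added illustration, not code from the original post. Uses only the standard
library (xml.parsers.expat). The sample documents below are constructed.
"""
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries DTD/entity constructs a SOAP message never needs."""


def parse_hardened(data: bytes) -> list:
    """Parse `data` with expat, refusing any DOCTYPE, entity declaration or
    external entity reference. Returns a list of (depth, tag) tuples for the
    elements seen, which is enough to show the body was actually processed.
    A hostile construct raises UnsafeXML as soon as the DOCTYPE is encountered,
    before any entity is expanded or resolved."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []
    depth = 0

    def reject(*_args):
        # Raising inside an expat handler aborts the parse and propagates here.
        raise UnsafeXML("DTD / entity constructs are not accepted")

    def start(name, _attrs):
        nonlocal depth
        depth += 1
        seen.append((depth, name))

    def end(_name):
        nonlocal depth
        depth -= 1

    # A well-formed SOAP envelope never needs a DOCTYPE, so refuse it entirely.
    parser.StartDoctypeDeclHandler = reject
    # Belt and braces: internal/external entity declarations and external references.
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # True: this is the final (and only) chunk
    return seen


def is_accepted(data: bytes) -> bool:
    """True if the hardened parser processes the document, False if it refuses it."""
    try:
        parse_hardened(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample: a benign SOAP 1.1 request.
BENIGN = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# Constructed sample: internal entity chain, the entity-expansion DoS pattern.
EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE x [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<x>&b;</x>"""

# Constructed sample: external entity pointing at a local file, the XXE pattern.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<x>&ext;</x>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("expansion", EXPANSION), ("xxe", XXE)):
        print(f"{label:10s} accepted={is_accepted(doc)}")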

Additionally, it was great to meet Andy Steingruebl in person (Andy wrote an interesting two-part analysis of an OWASP security metrics paper I wrote with Betsy Nichols). Maybe we can use some of this conversation to kickstart some progress on the OWASP Security Metrics project.

Finally, 5 different people talked to me directly about struggling to implement XACML. This was music to my ears. It is lonely to be banging the XACML drum, but this is a very important issue: once you improve the identity subject side, you still have this flaming bag of uncorrelated resources and policy domains. Some smart folks are on to this now.

So the two projects that look to be spawned out of this conference are an OWASP Top Ten for Web Services and an XACML working group to define resource protection and policy patterns. Drop a note if you are interested in participating.

November 14, 2007 in OWASP, Security | Permalink | Comments (0)

Why I Love OWASP AppSec

If you go to a software development conference, you hear a lot about innovation - distributed hashtables, massive scalability and so on. But you hear very, very little about security. If you go to a security conference, you hear a lot about why developers suck, and how the apps are broken. But you hear very, very little about what to *do* about any of it.

OWASP AppSec is on its seventh conference, and these conferences have the best mix of people - developers, architects, security people - who can actually make positive forward progress in the software security space.

Today, we have the first Web services track, with a great lineup of speakers - Rich Salz, Mark O'Neill, and Brad Hill. There are many great talks on other tracks, on Web 2.0 security and such. What I would hope for OWASP is that the good ideas and code generated here will start to filter into the software conferences and the security conferences - both camps need a ton of help.

November 14, 2007 in OWASP, Security | Permalink | Comments (0)

SOS: Service Oriented Security

  • The Curious Case of API Security
  • Getting OWASP Top Ten Right with Dynamic Authorization
  • Top 10 API Security Considerations
  • Mobile AppSec Triathlon
  • Measure Your Margin of Safety
  • Top 10 Security Considerations for Internet of Things
  • Security Checklists
  • Cloud Security: The Federated Identity Factor
  • Dark Reading IAM
  • API Gateway Security
  • Directions in Incident Detection and Response
  • Security > 140
  • Open Group Security Architecture
  • Reference Monitor for the Internet of Things
  • Don't Trust. And Verify.
