
Excellent ISACA event on Web Application Security

This morning (1/21/15) I attended an ISACA (previously the Information Systems Audit and Control Association) meeting:

"The Past, Present and Future of Web Application Security" by Christopher Boyd


Good quote: "sometimes I talk to the security echo chamber", i.e. talking to other security people.


The first web page is still on the Internet. The Web became publicly accessible on Aug. 6, 1991.


OWASP is important

OWASP top 10:

1. Injection

2. Broken authentication and session management

3. (XSS) Cross-Site Scripting

4. Insecure Direct Object Reference

5. Security Misconfiguration

6. Sensitive data exposure

7. Missing Function Level Access Control

8. (CSRF) Cross-site request forgery

9. Using components with known vulnerabilities

10. Unvalidated redirects and forwards


All of the Web app problems stem from three basic issues:

1. Input validation

2. Redirection

3. Authentication


Of course SQL injection is important, but it is not as prevalent as it used to be.

I focus on more esoteric problems, since many programmers have already fixed many security issues, like improper error handling, where an error sends more information to the hacker than you anticipated. (Burp Suite can find the differences in bytes between responses.)


How to fix some of these problems?

Validate all input.

Context-sensitive escaping/encoding (redirection).

Use libraries for encryption.


For cross-site scripting the enemy is the following: < ' "

This is a typical test case: <script> alert("xss") ; </script>
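As an added example (not from the talk or this post), here is what "validate all input" and "context-sensitive escaping" look like side by side in Python, using the same test string as the talk. The page builders and the username rule are my own constructed illustration; the point is that the same value needs a different encoding depending on whether it lands in HTML text, inside an inline script, or in a URL parameter, and that the raw-concatenation version lets the probe straight through.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample input: the typical test case from the talk.
XSS_PROBE = '<script> alert("xss") ; </script>'

# --- Input validation: allowlist what a field may contain -------------------
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(value: str) -> bool:
    """Accept only the characters a username legitimately needs (constructed rule)."""
    return bool(USERNAME_RE.fullmatch(value))

# --- Context-sensitive output encoding --------------------------------------
def encode_for_html(value: str) -> str:
    """For text between tags or inside a quoted attribute: neutralises & < > " '."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """For a value embedded in an inline <script>: JSON-quote it, then escape the
    characters that could close the script element or open a tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def encode_for_url_param(value: str) -> str:
    """For a value placed in a query string."""
    return quote(value, safe="")

# --- Vulnerable and hardened page builders side by side ---------------------
def render_profile_vulnerable(display_name: str) -> str:
    # Raw concatenation: the probe string lands in the page unchanged.
    return (f"<h1>Hello {display_name}</h1>"
            f"<script>var who = '{display_name}';</script>"
            f'<a href="/search?q={display_name}">search</a>')

def render_profile_hardened(display_name: str) -> str:
    # Same page, but each insertion point gets the encoding for its context.
    return (f"<h1>Hello {encode_for_html(display_name)}</h1>"
            f"<script>var who = {encode_for_js_string(display_name)};</script>"
            f'<a href="/search?q={encode_for_url_param(display_name)}">search</a>')

if __name__ == "__main__":
    print(render_profile_vulnerable(XSS_PROBE))
    print(render_profile_hardened(XSS_PROBE))
```

Running it prints the two pages; only the first one still contains a live script element. Note that `encode_for_html` is not enough for the inline-script slot: a quoted attribute and a JavaScript string literal have different escape rules, which is exactly what "context-sensitive" means.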


The Browser Exploitation Framework (BeEF) is a good program to use when testing your own applications; typically, if someone is trying to load hook.js, someone is using BeEF.


CSRF (Cross-site Request Forgery) means getting a user to click on a link that then uses all of their currently open connections.


Double submit cookies are a no-no.
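As an added example (mine, not from the talk), here is a CSRF check that keeps the token server-side in the session and compares it with the hidden form field on every state-changing request, i.e. a synchronizer token rather than the double-submit-cookie pattern the speaker warned about. The site origin, session class and transfer handler are constructed for the illustration.

```python
import hmac
import secrets
from typing import Optional

SITE_ORIGIN = "https://app.example"  # constructed placeholder origin

class Session:
    """Server-side session. The CSRF token lives here, not in a cookie the
    browser would attach automatically, so a forged cross-site request has
    no way to read or reproduce it."""
    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)
        self.balance = 100  # constructed state to protect

def render_transfer_form(session: Session) -> str:
    """Every state-changing form carries the session's token in a hidden field."""
    return (f'<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            f'<input name="amount"><button>Send</button></form>')

def handle_transfer(session: Session, method: str, form: dict,
                    headers: Optional[dict] = None) -> tuple[int, str]:
    headers = headers or {}
    # 1. State changes only on POST: a link the victim clicks (GET) never moves money.
    if method != "POST":
        return 405, "method not allowed"
    # 2. If the browser sent Origin/Referer, it must be our own site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not origin.startswith(SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # 3. The submitted token must equal the stored one (constant-time compare).
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    amount = int(form.get("amount", 0))
    session.balance -= amount
    return 200, f"transferred {amount}"

if __name__ == "__main__":
    s = Session("alice")
    print(render_transfer_form(s))
    print(handle_transfer(s, "POST", {"amount": "10"}, {"Origin": "https://evil.example"}))
    print(handle_transfer(s, "POST", {"amount": "10", "csrf_token": s.csrf_token},
                          {"Origin": SITE_ORIGIN}))
```

The origin check is a second line of defence, not a replacement for the token: older browsers may omit both headers, which is why a missing header is tolerated but a wrong one is not.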


Creating a data flow diagram will help you; you can even use Microsoft's flow diagram tool.

WAF (Web Application Firewall): a "but" control, app profiling.


The OWASP Top 10 Proactive Controls are important to understand.


But the OWASP Application Security Verification Standard (ASVS) is really good. (Chris thought this would appeal to ISACA due to the auditing nature of the group.)


TLS 1.2 is the current SSL version (POODLE takes advantage of SSL v3.0).

POODLE is the HTTPS downgrade attack example.

HSTS (HTTP Strict Transport Security) is OK, even though programmers don't like to be shoehorned.


Certificate Transparency is coming.

Use "Content Security Policy" on your websites:

report collection

source whitelisting
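As an added example (not from the talk), here is what those two CSP ideas, source whitelisting and report collection, look like in code next to an HSTS header: one function emits the response headers, another parses the JSON violation report a browser POSTs to report-uri, and a third tallies the reports so you can see which sources are actually being blocked before switching from report-only to enforcing. Hostnames and the sample reports are constructed.

```python
import json
from collections import Counter

def security_headers(report_only: bool = False) -> dict:
    """HSTS plus a CSP that whitelists script sources and names a report endpoint.
    Hostnames are constructed placeholders."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self' https://static.example",  # only these origins may run script
        "object-src 'none'",
        "report-uri /csp-report",                    # browsers POST violations here
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        name: csp,
    }

def parse_csp_report(body: str) -> dict:
    """Pull the useful fields out of a browser's CSP violation report."""
    report = json.loads(body)["csp-report"]
    return {
        "page": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
    }

def summarize_reports(bodies) -> Counter:
    """Report collection: count how often each (directive, blocked source) pair fires."""
    tally = Counter()
    for body in bodies:
        r = parse_csp_report(body)
        tally[(r["directive"], r["blocked"])] += 1
    return tally

# Constructed sample reports in the shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/account",
                               "violated-directive": "script-src",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://unknown-cdn.example/t.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/home",
                               "violated-directive": "script-src",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://unknown-cdn.example/t.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/home",
                               "violated-directive": "default-src",
                               "effective-directive": "img-src",
                               "blocked-uri": "http://tracker.example/p.gif"}}),
]

if __name__ == "__main__":
    for k, v in security_headers(report_only=True).items():
        print(f"{k}: {v}")
    for key, count in summarize_reports(SAMPLE_REPORTS).most_common():
        print(count, key)
```

Deploy with `report_only=True` first: nothing is blocked, but the tally tells you which legitimate third-party sources still need to be added to the whitelist and which ones are noise.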

OWASP AppSensor: Application Intrusion Detection & Response

embedded into the application logic
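As an added example (mine, not AppSensor's code), here is the "embedded into the logic" idea in miniature: a request handler that, besides rejecting bad input, reports it to a sensor that counts events per user inside a time window and decides on a response (log, log out, lock the account) once a threshold is crossed. The detection point names and thresholds are constructed placeholders, not AppSensor's own catalogue.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectionPoint:
    description: str
    threshold: int        # events inside the window before the response fires
    window_seconds: float
    response: str         # what the application does once the threshold is hit

# Constructed detection points (placeholder IDs, not AppSensor's catalogue).
DETECTION_POINTS = {
    # A hidden field the app itself emitted was changed: no browser does that by accident.
    "TAMPERED_HIDDEN_FIELD": DetectionPoint("hidden field modified", 1, 3600, "logout"),
    # Script tags in a comment body: one may be a mistake, three in five minutes is probing.
    "XSS_PROBE": DetectionPoint("script injection attempt", 3, 300, "lock_account"),
}

class AppSensor:
    """Counts detection events per (user, point) and returns the response to take."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.events = defaultdict(deque)  # (user, point_id) -> timestamps

    def record(self, user: str, point_id: str, now: float = None) -> str:
        now = self.clock() if now is None else now
        dp = DETECTION_POINTS[point_id]
        q = self.events[(user, point_id)]
        q.append(now)
        while q and now - q[0] > dp.window_seconds:   # drop events outside the window
            q.popleft()
        return dp.response if len(q) >= dp.threshold else "log"

SENSOR = AppSensor()

def handle_comment(user: str, form: dict, sensor: AppSensor = SENSOR,
                   now: float = None) -> tuple:
    """A handler with sensors embedded in its own validation logic."""
    if form.get("form_version") != "1":
        return 403, sensor.record(user, "TAMPERED_HIDDEN_FIELD", now)
    body = form.get("body", "").lower()
    if "<script" in body or "javascript:" in body:
        return 400, sensor.record(user, "XSS_PROBE", now)
    return 200, "ok"

if __name__ == "__main__":
    s = AppSensor()
    for i in range(3):
        print(handle_comment("mallory", {"form_version": "1", "body": "<script>x</script>"}, s))
    print(handle_comment("alice", {"form_version": "2", "body": "hi"}, s))
```

The difference from a WAF is the vantage point: the handler knows which field it emitted and what a legitimate value looks like, so it can tell tampering from a typo without pattern-matching the whole request.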


Ubiquitous HTTPS is coming.

Chrome's SPDY protocol already requires TLS.

"Let's Encrypt" was another good quote before time ran out.
