[WEB SECURITY] Paper draft: Enough With Default Allow in Web Applications!
- From: "Ivan Ristic" <ivan.ristic@xxxxxxxxx>
- Subject: [WEB SECURITY] Paper draft: Enough With Default Allow in Web Applications!
- Date: Wed, 16 Jul 2008 08:45:51 +0100
This post is about something that's been bugging me for years: web
applications are normally designed to support a default allow security
model, but I think that's fundamentally wrong. I've come to believe
that, if we are ever going to get rid of our security problems, we
must start doing things right, which means going back to address the
root causes of insecurity. The default allow is one such root cause.
Thus I propose that we switch to a default deny. Of course, this is
easier said than done.
I've just written a blog post on the subject, so if you want a bit
more information you can go there:
http://blog.modsecurity.org/2008/07/enough-with-def.html
Alternatively, you can dive straight into the paper (which is a
revision 1 draft, by the way):
http://blog.modsecurity.org/files/enough_with_default_allow_r1_draft.pdf
Although it would be ideal for everyone to switch to default deny we
all know that's not going to happen, and that's why the modelling
format was designed to work with existing applications as well. The
bottom line is to make it possible for those who care about security
to switch, even if software vendors don't.
As far as the implementation is concerned, support can be implemented
at many levels: web server, web application firewall, AOP,
application-level filters (e.g. Java Servlet Filters), even
application code all come to mind. (I don't view the proposal as a
replacement of application-level input validation, by the way.) The
format itself is platform independent. We (Breach Security) will be
releasing an open source tool that will generate positive security
models (for enforcement in ModSecurity) from recorded application
traffic.
I believe the following major use cases are all feasible:
1. Creation of full application models, which reduce application
attack surface. Such models can be created by application developers
(which is preferred) or by application users (which, I expect, could
happen with very popular and/or open source applications).
2. Creation of partial application models for use in virtual patching.
3. Automated creation of application models through traffic analysis.
Your thoughts will be appreciated.
--
Ivan Ristic
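As an added illustration of the positive security model described in the post (this is example code written for this page, not Ivan's paper, the ModSecurity rule format or Breach Security's tool), the block below does two things: it learns an application model from a constructed sample of recorded traffic (use case 3), and it then enforces that model with default-deny semantics, so any method/path pair, parameter name or parameter value the model does not describe is refused. The request representation (method, path, parameter dict) and the three value classes the learner chooses from are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of recorded traffic: (method, path, {parameter: value}).
# In a real deployment this would come from web server or WAF logs.
RECORDED_TRAFFIC = [
    ("GET", "/login", {}),
    ("POST", "/login", {"user": "alice", "pass": "s3cret"}),
    ("POST", "/login", {"user": "bob", "pass": "hunter2"}),
    ("GET", "/account", {"id": "1042"}),
    ("GET", "/account", {"id": "7"}),
]


def infer_type(values):
    """Pick the narrowest of three assumed value classes that covers every observed value.

    The classes are a simplification for the example; a production model generator
    would offer finer types (email, date, enumerations) and lengths derived from data.
    """
    if all(re.fullmatch(r"[0-9]+", v) for v in values):
        return r"[0-9]{1,10}"                 # numeric identifier
    if all(re.fullmatch(r"[A-Za-z0-9_]+", v) for v in values):
        return r"[A-Za-z0-9_]{1,64}"          # simple token, no metacharacters
    return r"[^\x00-\x1f<>]{1,256}"           # free text, but no control chars or angle brackets


def learn_model(traffic):
    """Build {(method, path): {param_name: value_pattern}} from recorded requests."""
    seen = defaultdict(lambda: defaultdict(list))
    for method, path, params in traffic:
        entry = seen[(method, path)]          # creates the entry even for parameter-less requests
        for name, value in params.items():
            entry[name].append(value)
    return {
        endpoint: {name: infer_type(vals) for name, vals in params.items()}
        for endpoint, params in seen.items()
    }


def check_request(model, method, path, params):
    """Return (allowed, reason). Default deny: only what the model describes passes."""
    rule = model.get((method, path))
    if rule is None:
        return False, f"no model entry for {method} {path}"
    for name, value in params.items():
        pattern = rule.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r} for {method} {path}"
        if not re.fullmatch(pattern, value):
            return False, f"parameter {name!r} does not match {pattern}"
    return True, "ok"


if __name__ == "__main__":
    model = learn_model(RECORDED_TRAFFIC)
    for endpoint, rule in sorted(model.items()):
        print(endpoint, rule)
    # Requests the model was never shown, including ones that change shape or value type.
    probes = [
        ("POST", "/login", {"user": "carol", "pass": "x"}),
        ("GET", "/account", {"id": "12"}),
        ("GET", "/account", {"id": "1 OR 1=1"}),
        ("POST", "/login", {"user": "a", "pass": "b", "debug": "1"}),
        ("GET", "/admin", {}),
    ]
    for method, path, params in probes:
        print(method, path, params, "->", check_request(model, method, path, params))
```

Two points the example makes visible. First, the learned model says nothing about parameters that are absent, so a request that omits a parameter still passes; whether to require parameters is a policy choice the model format has to express explicitly, which is exactly why the post prefers developer-authored full models over purely learned ones. Second, with only two observations per parameter the learner overfits (a single non-numeric `id` in the sample would widen the whole class), so a generated model is a starting point for review, not something to enforce unread.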
----------------------------------------------------------------------------
Brought to you by http://www.webappsec.org