
RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack



"IMO the biggest and best bang-for-buck security measure is for the
architects and developers to read something like the OWASP Guide and
then compile a security standard (a set of security requirements) for
their web application (or for all their organisation's web
applications)."

You mean something like this? http://www.microsoft.com/sdl :)

-----Original Message-----
From: Stephen de Vries [mailto:stephen@xxxxxxxxxxxxxxxxxx]
Sent: Monday, October 06, 2008 8:41 AM
To: Rafal @ IsHackingYou
Cc: bugtraq@xxxxxxxxxxxxxxx; WASC Forum
Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack


Hi Rafal,


> On Oct 6, 2008, at 4:41 PM, Rafal @ IsHackingYou wrote:


Have you registered IsProtectingYou.com ?  ;)

> <rant>
>   So this brings me to one of my biggest gripes and complaints about
> our community.  We're so damn good at telling people (developers,
> and anyone who will listen) about how great we are at breaking
> technologies.  We've been dubbed as an industry (IT Security) that
> "breaks stuff" but the obvious part missing is what to do about all
> this breakage.

Yeah, it's a good point and I think you're right to a degree.  But
there are many freely available online resources that help developers
and architects build secure applications.  Just some that spring to
mind:
- The OWASP Guide project
- The OWASP ESAPI, Java, .NET and PHP projects (and numerous other
OWASP projects)
- The US' "Build Security In" project
- CERT's secure coding standards
- Microsoft's "Improving Web Application Security: Threats and
Countermeasures"

IMO attacks receive more attention because they're at the forefront of
security research.  No one's going to defend against an attack that
doesn't exist yet.

>  In response, products like WAFs have sprung up simply because we
> haven't offered a better alternative, and people are scared.  Then
> we complain about how broken WAFs are, how they don't stop anything
> and how no reasonable human being should use WAFs... but what
> alternative are we offering up?  Let me correct that, what
> REASONABLE alternative are we/have we been offering up?

See above.  One of the problems is that the solution isn't a product
that you can buy and install.  It's a process you should adopt - so
it's a trickier sell for security companies used to shifting software.
IMO the biggest and best bang-for-buck security measure is for the
architects and developers to read something like the OWASP Guide and
then compile a security standard (a set of security requirements) for
their web application (or for all their organisation's web
applications).  The vast majority of security vulnerabilities in sites
I've tested are basic security issues which could simply have been
stated in a requirements document.  If the architects knew what the
security requirements were during design and if the developers
implemented those requirements in the code and then the testers tested
for those requirements during testing - they'd be well on their way to
developing a secure app that didn't even involve any security
specialists ;)
The current problem with insecure apps is mostly just a lack of
communication.

regards,
Stephen

> --------------------------------------------------
> From: "Sebastian Schinzel" <sebastian.schinzel@xxxxxxxxxxxxxxx>
> Sent: Monday, October 06, 2008 1:26 AM
> To: <bugtraq@xxxxxxxxxxxxxxx>
> Cc: <websecurity@xxxxxxxxxxxxx>
> Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on
> ClickJacking attack
>
>> Hi Robert,
>>
>> bugtraq@xxxxxxxxxxxxxxx wrote:
>>> I've just published an interview with Jeremiah Grossman on
>>> ClickJacking.
>>> Looks as though CSRF token based protections may not be as safe as
>>> we thought...
>>
>> Thanks for the interview!
>>
>> In the article you write:
>> "Does this break protections for flaws such as Cross-Site Request
>> Forgery?
>> Yes. Clickjacking has the potential of breaking CSRF token-based
>> protections."
>>
>> It is clear to me that token-based protections were never
>> "academically strong", but they were efficient in terms of
>> cost-benefit for CSRF protection.
>>
>> If token-based protections may be busted soon, what protections
>> should now be used in today's productive Web applications to prevent
>> CSRF vulnerabilities?
>>
>> Regards,
>> Sebastian
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>



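Sebastian's question in the thread above (which CSRF protections still hold once a token-bearing page can be clickjacked) is easier to reason about with a concrete model. What follows is an added example, not code from this thread, from the interview, or from any of the projects named in it. It pairs a per-session HMAC token check with the anti-framing response headers (X-Frame-Options and the CSP frame-ancestors directive, both real headers) that stop the genuine page from being rendered inside a third-party frame at all. The handler names, the session ids, the request shape and the simplified browser model are assumptions constructed for this example.

```python
import hashlib
import hmac

# Constructed server-side secret for this example (assumption: a real deployment
# loads it from configuration, never from source).
SERVER_SECRET = b"example-only-secret-not-for-production"

# Anti-framing response headers. X-Frame-Options is the older header; the CSP
# frame-ancestors directive supersedes it. Sending both covers old and new browsers.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def make_csrf_token(session_id: str) -> str:
    """Per-session CSRF token: an HMAC of the session id under the server secret.

    The token's only guarantee is that a third-party site cannot read it
    (same-origin policy). It says nothing about whether the user meant to click.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(make_csrf_token(session_id), submitted)


def render_transfer_form(session_id: str) -> dict:
    """Hypothetical GET handler: embeds the token and refuses to be framed."""
    token = make_csrf_token(session_id)
    body = ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')
    return {"status": 200, "headers": dict(ANTI_FRAMING_HEADERS), "body": body}


def handle_transfer(request: dict) -> dict:
    """Hypothetical POST handler. `request` is a constructed dict of the form
    {"session_id": ..., "form": {"csrf_token": ..., "amount": ...}}."""
    form = request.get("form", {})
    if not csrf_token_valid(request["session_id"], form.get("csrf_token")):
        return {"status": 403, "headers": dict(ANTI_FRAMING_HEADERS),
                "body": "CSRF token missing or invalid"}
    return {"status": 200, "headers": dict(ANTI_FRAMING_HEADERS),
            "body": f"transferred {form.get('amount')}"}


def browser_would_render(headers: dict, framed_cross_site: bool) -> bool:
    """Simplified model of a browser honouring the anti-framing headers.

    A top-level navigation always renders. A cross-site frame is refused when
    X-Frame-Options is DENY or SAMEORIGIN, or CSP allows no frame ancestors.
    """
    if not framed_cross_site:
        return True
    if headers.get("X-Frame-Options", "").upper() in ("DENY", "SAMEORIGIN"):
        return False
    if "frame-ancestors 'none'" in headers.get("Content-Security-Policy", ""):
        return False
    return True


if __name__ == "__main__":
    sid = "victim-session"  # constructed session id
    page = render_transfer_form(sid)
    token = make_csrf_token(sid)

    # 1. Classic CSRF: a third-party page posts without the token. Rejected.
    print(handle_transfer({"session_id": sid, "form": {"amount": "100"}})["status"])  # 403

    # 2. Clickjacking: the victim clicks the genuine, framed form. The token is
    #    valid, so the token check cannot tell this from an intended click.
    print(handle_transfer({"session_id": sid,
                           "form": {"csrf_token": token, "amount": "100"}})["status"])  # 200

    # 3. What actually stops scenario 2: the page refuses to render in a
    #    cross-site frame, so there is nothing for the victim to click on.
    print(browser_would_render(page["headers"], framed_cross_site=True))   # False
    print(browser_would_render(page["headers"], framed_cross_site=False))  # True
```

The point the model makes explicit: a CSRF token only proves the request came from a page that could read the token. A clickjacked submission comes from exactly such a page, so the token check passes by design and adds nothing against that case. The control has to sit one layer up, in whether the token-bearing page may be framed, which is why the headers are sent on every response, including the 403. Treating a token as "busted" is therefore the wrong conclusion; it still stops classic cross-site forgery, and the framing headers cover the gap the interview describes.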

