Rix Groenboom
Support Manager
Parasoft UK Ltd
rix.groenboom@parasoft.com

OWASP AppSec Europe, May 2006
Copyright © 2006 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org/
What We Will Explore
3 MLOC of software, printed out (50 lines per 25 cm):
50 lines = 25 cm
100 lines = 50 cm
200 lines = 1 m
1,000 lines = 5 m
10 kloc = 50 m
100 kloc = 500 m
1 Mloc = 5 km
3 Mloc = 15 km
8 Mloc = a marathon
OWASP AppSec Europe 2006 4
Problems: Examples
bomb.xml (XML entity expansion): 2^99 = 633825300114114700748351602688
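An added example, not from the slide deck: a Python check that computes how large an XML document would become if its internal entity declarations were expanded, without ever expanding them, so that a bomb.xml with 99 levels of doubling is rejected before it reaches the parser. The sample document (built by build_bomb), the entity names lol0..lol99 and the 1 MB limit are constructed for this example.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the slide's bomb.xml: 99 levels of
# doubling, so &lol99; expands to 2**99 copies of the innermost "lol".
def build_bomb(levels: int = 99) -> str:
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append(f'<!ENTITY lol{i} "&lol{i - 1};&lol{i - 1};">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE bomb [\n' + "\n".join(decls)
            + f'\n]>\n<bomb>&lol{levels};</bomb>')

_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&(\w+);")

def expansion_sizes(doc: str) -> Dict[str, int]:
    """Fully expanded length of every internal general entity, computed from
    the declarations alone (no expansion takes place)."""
    decls = dict(_ENTITY_DECL.findall(doc))
    sizes: Dict[str, int] = {}

    def size(name: str, stack: Tuple[str, ...] = ()) -> int:
        if name in sizes:
            return sizes[name]
        if name not in decls:        # &lt; &amp; ... or undeclared: count as one char
            return 1
        if name in stack:            # XML forbids recursive entities; treat as hostile
            raise ValueError(f"recursive entity reference: {name}")
        body = decls[name]
        total = len(_ENTITY_REF.sub("", body))        # literal characters
        for ref in _ENTITY_REF.findall(body):
            total += size(ref, stack + (name,))
        sizes[name] = total
        return total

    for name in decls:
        size(name)
    return sizes

def expanded_document_size(doc: str) -> int:
    """Size of the content after the DOCTYPE once every reference is expanded."""
    sizes = expansion_sizes(doc)
    body = doc.split("]>", 1)[1] if "]>" in doc else doc
    total = len(_ENTITY_REF.sub("", body))
    for ref in _ENTITY_REF.findall(body):
        total += sizes.get(ref, 1)
    return total

MAX_EXPANDED = 1_000_000   # assumed limit: 1 MB of expanded content

def safe_to_parse(doc: str, limit: int = MAX_EXPANDED) -> bool:
    """Reject documents whose expansion exceeds the limit or that declare
    recursive entities."""
    try:
        return expanded_document_size(doc) <= limit
    except ValueError:
        return False

if __name__ == "__main__":
    bomb = build_bomb(99)
    print(len(bomb), "bytes on disk, expands to", expanded_document_size(bomb))
    print("bomb safe?", safe_to_parse(bomb))
    small = '<!DOCTYPE a [<!ENTITY co "Parasoft">]><a>&co;</a>'
    print("small document safe?", safe_to_parse(small))
```

The bomb is a few kilobytes on disk but expands to 3 * 2^99 characters; the check refuses it in constant memory, whereas handing it to a parser that expands entities eagerly exhausts memory long before the document is "read". In production, disabling DTD processing (or using a parser with a built-in expansion limit) is the simpler control; this pre-check shows why the limit is needed.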
Enterprise network protected by a firewall
The application is the only way in
The application must be kept open for business
Users (potential attackers) must have access to the application
Software as a Service: Security Challenges
(Diagram with the components: Application Logic, Legacy, Thin Client, Web Site, Web Services)
Y2K problem: applications were never designed to keep working for more than 30 or 40 years
The source code contains the root cause of the problems
One defect (bug) is enough to cause serious problems
Source: The Wall Street Journal Online (Feb 13, 2006), http://online.wsj.com/article/SB113926053552466409.html
Imagine:
sUsername = ' or 1=1 #
sPassword = (ANY)
Securing Web Services: Step 2
"Avoid public data members"
class A {
public:
int a;
};
Available techniques:
Static / Dynamic Code analysis
Map policies to executable rules
Configure the rules based on the policies and projects at hand
Compliance: SOA development governance in the SDLC, covering SOAP, WSDL, Schema and XML metadata
Runtime SOA governance: management, registry, orchestration
Regression Testing
Software development is an iterative process
An iterative development process fails without regression testing; the same applies to security
Fixing a security vulnerability should be coupled with a policy and an enforcement mechanism that prevent it from recurring
Regression testing practices result in a visible quality process that reinforces trust
Thank you
Resources
http://www.cgisecurity.com/ws/
http://www.oasis-open.org/committees/tc_cat.php?c
http://www.soaleaders.org/
Commercial
http://www.parasoft.com/