Web application security: lessons from OWASP NZ Day 2020
By Katherine Nagels
11 March 2020
The OWASP New Zealand Day conference was a wide-ranging, thought-provoking and at times eye-opening look at web application security. Here are a few technical tips, ethical considerations and historical insights from the day.
Web application security has become a major topic in web development over the last few years. This is in large part due to the efforts of the Open Web Application Security Project. OWASP is a key part of the growing and vibrant app security community. Over the last two decades, OWASP has held conferences and events all over the world. Here in Aotearoa, the NZ OWASP chapter recently held their 11th edition of OWASP New Zealand Day. The conference was held on Friday 21st February at the University of Auckland’s Business School.
Looking back at the history of infosec
Things started strong with Jim Manico’s keynote, The Abridged History of Application Security. He took a long historical view, even looking back to the WWII-era decryption device, the Bombe, as an early example of pen-testing. That long view let him show how much the field has improved over time. Jim’s presentation covered a lot of ground, but here’s a brief overview of some of his infosec history key points:
- 1967: the birth of modern infosec, with the Advanced Research Projects Agency (ARPA) Task Force, created to comprehensively evaluate the safety of classified information. The results, published in 1970 as Rand Report R-609, were hugely influential on the field
- 1972: the publication of the Anderson Report, an in-depth look at computer security
- 1994: beginning of the modern password storage era, with the MD5 cryptographic hash becoming common by the mid-90s
- 1998: the appearance of SQL injection. Malicious SQL statements, for example a database deletion command, are entered into a user input field and then run as database queries
- 1999: first release of bcrypt, a secure password hashing function
- 2013: the beginning of the devops era
- 2015: the release of version 3.0 of the Content Security Policy (CSP) standard, an essential mechanism for web application security
This was a speedy but deep dive into the history of the infosec field! Jim was a dynamic and entertaining speaker who kicked off the conference in style.
Web application security for developers
Kirk Jackson’s overview of the OWASP Top Ten was a very useful talk for the developers in the audience. The Top Ten, one of OWASP’s flagship projects, lists the most critical security risks in web applications. Most devs will be familiar with at least some of these risks. SQL injection at number 1 is one of the most well-known. But some risks, like XML External Entities (XXE), are a bit fuzzier. Kirk’s demos of several of the Top Ten showed, among other things, how you can exploit XML to cause out-of-memory errors and how broken access control can lead to data being inadvertently exposed. He stressed the need for good logging and monitoring. You can’t react to attacks you don’t know about!
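An added illustration of two of Kirk’s points, not code from his talk: an object lookup that trusts the id from the request beside a hardened version that checks ownership and records every denial, plus a small check over that audit trail so repeated denials are visible rather than silent. The invoice store, user names and audit format are constructed for the example.

```python
from collections import Counter

# Constructed data: invoice id -> (owner user id, invoice body)
INVOICES = {
    1001: ("alice", {"amount": 120.00, "address": "12 Example St"}),
    1002: ("bob",   {"amount": 45.50,  "address": "7 Sample Rd"}),
}

# Constructed in-memory audit log; a real app would ship these records to monitoring
AUDIT = []


def get_invoice_vulnerable(invoice_id):
    """Broken access control: the server trusts the id from the URL, so any
    logged-in user can read any invoice just by changing the number."""
    record = INVOICES.get(invoice_id)
    return record[1] if record else None


def get_invoice(requester, invoice_id):
    """Hardened: ownership is decided server-side from the authenticated
    requester, and both misses and denials are written to the audit log."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != requester:
        AUDIT.append({"event": "invoice_denied", "user": requester, "invoice": invoice_id})
        return None
    AUDIT.append({"event": "invoice_read", "user": requester, "invoice": invoice_id})
    return record[1]


def suspicious_users(audit, threshold=3):
    """Users with at least `threshold` denials: a crude but useful signal that
    someone is walking through invoice ids. Threshold is an assumed value."""
    denials = Counter(e["user"] for e in audit if e["event"] == "invoice_denied")
    return {user for user, count in denials.items() if count >= threshold}
```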
Similarly, later in the day, Sergey Ozernikov presented a lot of practical advice for web developers in Fighting an Uneven Battle: Simplicity versus Complexity in Web App Security. Some of his top tips were:
- Do your homework regarding frameworks and CMSs! Not all are equally good at security.
- Never roll your own crypto.
- Monitor not only for attacks, but also check if crucial security controls are operational.
- With cloud providers like AWS, audit your user privileges! And have alerts for when IAM roles are changed.
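As an added example of the last tip (not code from Sergey’s talk), a small detector that flags IAM role changes in CloudTrail-style events. The event records are constructed for illustration; the event names are real IAM API actions, but the list is an assumed starting point rather than a complete one.

```python
# IAM API actions that alter a role's trust policy or permissions (real
# CloudTrail eventName values; the set is an assumed starting point, not exhaustive)
ROLE_CHANGE_EVENTS = {
    "CreateRole", "DeleteRole", "UpdateAssumeRolePolicy",
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
}

# Constructed sample records in the shape of CloudTrail "Records" entries
SAMPLE_RECORDS = [
    {"eventTime": "2020-02-21T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "deploy-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2020-02-21T09:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"roleName": "deploy-role"}},
    {"eventTime": "2020-02-21T09:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy-role"}},
    {"eventTime": "2020-02-21T09:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"roleName": "deploy-role"}},
]


def role_change_alerts(records):
    """Return one alert per IAM role-modifying event. Failed attempts (an
    errorCode is present) are kept too: a denied change is worth knowing about."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # AssumeRole and other non-IAM calls are normal traffic
        if rec.get("eventName") not in ROLE_CHANGE_EVENTS:
            continue  # read-only IAM calls such as GetRole are not alerts
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "role": params.get("roleName"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "policy": params.get("policyArn"),
            "succeeded": "errorCode" not in rec,
        })
    return alerts
```

In a real deployment the records would come from CloudTrail delivered to S3 or CloudWatch Logs, and the alert would go to the same place as the attack monitoring.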
Technology is neither good nor bad, nor is it neutral. — Melvin Kranzberg
Petra Jane’s What’s the Worst That Could Happen? was a powerful talk. She looked at the dark side of technology: how it can be used, purposefully or not, to cause real harm to people.
Some of the examples she cited are well-known: Uber’s self-driving car killing a pedestrian, for example, and the use of Pegasus spyware against Washington Post journalist Jamal Khashoggi. But I was particularly struck by her discussion of how the London Metropolitan Police has recently used AI to recognise criminals. While the AI did successfully recognise criminals, what is less well-known is that it had an astonishing 96% false positive rate! The AI was also quite poor at distinguishing between non-white people. It had a near-100% accuracy for white men but this dropped to ~70% for women of colour. Between these two issues, a huge number of innocent people—overwhelmingly racial minorities—were introduced into police systems. This is a much-needed reminder of just how high the stakes are with technology of this kind.
And more generally, how can we work to ensure that the technology we create is safe and secure? The STRIDE model is a key reference point here. But as Petra pointed out, it has a major flaw: the model relies on our imagination. Unfortunately, as humans, we don’t know what we don’t know, and we’re not good at acknowledging our biases. As such, having a diverse team to assess risks is crucial.
Bicultural info security
Karaitiana Taiuru gave a cross-cultural perspective in Māori Cultural and Ethical Considerations in Information Security. Karaitiana talked about changing expectations around Māori culture, Māori activism online, and vigilante developers and hackers. The concept of data as a taonga was central to his talk, as well as the idea of digital colonisation. Karaitiana highlighted that there is a huge need to codify how data will be collected, maintained and used, and to make sure that data use adheres to the principles of Te Tiriti.
Karaitiana also discussed the newly-redesigned OWASP NZ logo (pictured below). While he declared himself in favour of the logo, appreciating its incorporation of biculturalism, he described how it has an unintended double meaning: there’s a link between wasps and protection, but there’s also an association between wasps/fleas/other similar insects and the malevolent god Whiro, who fought Tane Mahuta.
All in all, there was a lot to take in at OWASP New Zealand Day 2020. With three conference streams running in parallel, there was a lot that I didn’t get to see. But the sessions I did see gave me plenty of food for thought.
A special thanks to OWASP New Zealand for covering my flights to the conference as part of their diversity programme!