By Dan Cornell
LASCON 2011 is coming up Friday October 28th and there will be two talks from Denim Group folks. I had to miss LASCON last year because of a last-minute trip to India so I’m really looking forward to this year. The speaker lineup is fantastic and the Austin OWASP gang knows how to throw a party. It should be a really valuable event and a great preview of next year’s OWASP AppSec conference.
Phil Beyer from the Texas Education Agency (TEA) will be presenting with Denim Group’s Scott Stevens in a talk titled “OpenSAMM in the Real World: Pitfalls Discovered and Treasure Collected Along the Way.” The talk abstract is:
In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OpenSAMM in a large organization is kinda like playing that classic game.
It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. We will present the hazards he discovered and the treasure he found while playing the game.
Also, I will be giving a presentation on some automated virtual patching work we have been doing titled “The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching.” That talk’s abstract is:
Organizations often have to deploy arbitrary applications on their infrastructure without thorough security testing. These applications can contain serious security vulnerabilities that can be detected and exploited remotely and in an automated manner. The applications themselves and the infrastructure they are deployed on are then at risk of exploitation. Configuration changes or vendor-provided software updates and patches are typically used to address infrastructure vulnerabilities. However, application-level vulnerabilities often require coding changes to be fully addressed.
Virtual patching is a technique where targeted rules are created for web application firewalls (WAFs) or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. This allows applications to be “virtually” patched prior to actual code-level patches being applied. These virtual patches are most often applicable to vulnerabilities that have a strong detection signature such as SQL injection and cross-site scripting (XSS) because the detection rules can be targeted to detect these signatures, but limited only to specific parts of the application attack surface where the application is known to be vulnerable.
This presentation examines the automatic creation of virtual patches from automated web application security scanner results and explores scenarios where this approach might be successfully employed. It discusses theoretical approaches to the problem and provides specific demonstrations using Open Source tools such as the skipfish and w3af scanners and Snort and mod_security protection technologies. Finally, it looks at opportunities to apply these techniques to protect arbitrary applications deployed into arbitrary infrastructures so that short-term protection against common web application attacks can be consistently applied while minimizing false blocking of legitimate traffic.
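As an added illustration of the idea in the abstract above (not code from Denim Group or from the talk), the following Python sketch turns normalised scanner findings into ModSecurity rules that are scoped to the exact page and parameter the scanner flagged, so the signature check never fires elsewhere on the application. The finding schema (`type`, `path`, `param`) is a hypothetical normalised form, not the native skipfish or w3af output; the `@detectSQLi` and `@detectXSS` operators are ModSecurity's libinjection-backed operators (2.7.3 and later), and the rule id range starting at 90000 is an arbitrary choice. Findings without a strong signature, or whose path or parameter contain characters that could alter the generated rule text, are skipped rather than guessed at, since scanner output is derived from untrusted responses.

```python
"""Generate location-scoped ModSecurity virtual patches from scanner findings.

Added example: a hypothetical generator, not tooling from the page or talk.
"""
import re
from collections import OrderedDict

# Constructed sample findings (hypothetical normalised schema).
SAMPLE_FINDINGS = [
    {"type": "sqli", "path": "/login.php", "param": "user"},
    {"type": "xss", "path": "/search.php", "param": "q"},
    {"type": "sqli", "path": "/login.php", "param": "user"},   # duplicate report
    {"type": "open_redirect", "path": "/go.php", "param": "url"},  # no signature
    {"type": "xss", "path": "/x.php", "param": 'q" deny'},     # unsafe parameter name
]

# Only classes with a strong detection signature get a rule; these map to
# ModSecurity operators backed by libinjection (assumed available).
OPERATORS = {"sqli": "@detectSQLi", "xss": "@detectXSS"}

# Conservative character sets: anything else is not allowed into rule text.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./\-]*$")
_SAFE_PARAM = re.compile(r"^[A-Za-z0-9_\-]+$")


def build_virtual_patches(findings, base_id=90000):
    """Return (rules, skipped).

    rules   -- list of ModSecurity rule strings, one chained rule per unique
               (type, path, param) finding, in first-seen order.
    skipped -- list of (finding_key, reason) for findings that were not turned
               into a rule, so an operator can review them by hand.
    """
    unique = OrderedDict()
    skipped = []
    for f in findings:
        key = (f["type"], f["path"], f["param"])
        if key in unique:
            continue  # the same finding reported twice needs only one rule
        if f["type"] not in OPERATORS:
            skipped.append((key, "no signature-based operator"))
        elif not _SAFE_PATH.match(f["path"]) or not _SAFE_PARAM.match(f["param"]):
            skipped.append((key, "unsafe characters in path or parameter"))
        else:
            unique[key] = OPERATORS[f["type"]]

    rules = []
    for n, ((vtype, path, param), operator) in enumerate(unique.items()):
        rule_id = base_id + n
        msg = f"Virtual patch: {vtype} in {path} param {param}"
        # First rule matches the vulnerable page only (REQUEST_FILENAME excludes
        # the query string); 'chain' makes the verdict depend on the second rule,
        # which inspects just the vulnerable parameter. The disruptive action,
        # id and phase belong on the first rule of a chain.
        rules.append(
            f'SecRule REQUEST_FILENAME "@streq {path}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
            f'    SecRule ARGS:{param} "{operator}" "t:none,t:urlDecodeUni"'
        )
    return rules, skipped


if __name__ == "__main__":
    generated, left_out = build_virtual_patches(SAMPLE_FINDINGS)
    print("\n\n".join(generated))
    for key, reason in left_out:
        print(f"# skipped {key}: {reason}")
```

Writing the rules to a file included by the ModSecurity configuration would apply them; running them in `DetectionOnly` mode first, and reviewing the audit log for hits on legitimate traffic, is how the false-blocking risk the abstract mentions is measured before switching to `deny`.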
Again – this should be a great conference. Contact us if you want to meet up at OWASP LASCON in Austin.
dan _at_ denimgroup.com