A Confused Programmer's Blog

This blog is dedicated to the C# and Java programming I happen to do for a living, with an accent on curious cases and with the sincere intent of making the world of coding a slightly better place as a result.

OWASP 2011 conference impressions, part one

Last week I visited the OWASP IL 2011 annual conference. OWASP is a non-profit organization dedicated to promoting web and application security. I first got to know this initiative when a lecture based on my university research was presented there about 4 years ago. Since then the local OWASP branch has grown, and now one can actually find interesting presentations being shown there from time to time. I myself began regularly visiting OWASP meetings since then (who in their right mind would pass up free pizza?). Regretfully, during the last two years I found it impossible to attend the bi-monthly meetings since they took place too early for me (or, more to the point, I started working until too late for them), so I had to resort to taking a day off and attending the annual conferences, which are scheduled for the whole day.

This year the conference was divided into two tracks, so that two lectures were taking place simultaneously. Surprisingly, during most of the lectures the crowd was divided almost equally, so there was no overcrowding problem in either of the two lecture halls. The organization of the event was adequate (especially for a free-of-charge event). Speaking of the quality and relevance of the presentations themselves, I left the conference with mixed feelings (which is not necessarily bad feedback). Among other things, several cases of software vulnerability due to brainless coding were shown. I will briefly present some of them in this post.

One of the nicer lectures I saw (and, to be fair, I was naturally present at only half of the lectures) was by Erez Metula, about misconceptions and misuses of security mechanisms by programmers (the full presentation is here). The presentation is rather basic and does not require a high level of technical proficiency, so it is highly recommended for everyone who deals with Internet-based software development.

Here’s one example of improper SSL use from the slides:

Many client-server applications that rely on server certificates do not check the identity of the certificate signer. Each X.509 certificate is signed by an entity called a certification authority (CA). However, anybody can present himself as a CA and sign a certificate. In that case the certificate appears valid, and it is up to the client to decide whether or not the signer is trusted (for example, web browsers ship with a list of trusted CAs and will not accept any other CA unless the user specifically says that this CA can be trusted). If the developer omits the signer identity check, the whole certificate mechanism becomes useless (not to say harmful, due to the false sense of security it gives), since anyone can present a valid certificate signed by himself.

This is an example of C# code that disables the check of the certificate signer:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors)
{
    return true; // accept any certificate, regardless of the signer or of the policy errors reported
}

// Every TLS connection made through ServicePointManager now trusts whatever certificate it is given
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);

Obviously, a developer who lets this code be submitted into production should seriously consider an alternative career path.
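For contrast, here is an added example (my own, not from the slides or from Erez Metula's material) of a validation callback that keeps the signer check: it refuses any policy error the framework reports and additionally pins the root CA to an expected thumbprint, where ExpectedRootThumbprint is an assumed placeholder value.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class StrictCertificateValidation
{
    // Assumed placeholder: SHA-1 thumbprint of the one root CA this client trusts.
    // Replace with the real thumbprint of your CA before use.
    private const string ExpectedRootThumbprint = "0000000000000000000000000000000000000000";

    public static bool ValidateRemoteCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        // Any policy error (untrusted root, name mismatch, chain not built) means the
        // framework already found a problem: reject instead of overriding it.
        if (policyErrors != SslPolicyErrors.None)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("chain status: " + status.StatusInformation);
            return false;
        }

        // Extra check on top of the OS trust store: the signer must be the CA we expect,
        // so a valid certificate issued by any other CA is still refused.
        X509ChainElementCollection elements = chain.ChainElements;
        if (elements.Count == 0)
            return false;
        X509Certificate2 root = elements[elements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("unexpected root CA: " + root.Subject);
            return false;
        }
        return true;
    }

    public static void Register()
    {
        // Assign rather than += so no earlier, laxer callback stays registered.
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(ValidateRemoteCertificate);
    }
}
```

On newer .NET versions the same callback shape can be supplied per handler through HttpClientHandler.ServerCertificateCustomValidationCallback instead of the process-wide ServicePointManager hook.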

I will bring more interesting examples from the developer’s point of view once more OWASP presentations are uploaded to the web.
