I’m back from the first OWASP Belgian Chapter meeting
The room was full today! It seems that the chapter meetings are more and more successful. That’s good: more and more people are aware of web security. The meeting started with a review of OWASP news: a new membership model and a podcast! Three presentations were scheduled today.
The first one, by Alex Meisel, was about WAFs (“Web Application Firewalls”). He started with some details about his country, Germany, where companies are legally responsible for the data they process. They must be able to prove that technical solutions have been used to protect their assets. That’s why the WAF market is so important in Germany. One of the “pluses” of WAFs is the possibility to short-circuit the classic development life-cycle in case of a critical security issue or if the application cannot be easily patched (no source, too old, …). In such cases, deploying a WAF can temporarily solve the issue. Alexander explained the aim of web application firewalls and what their characteristics are. A nice quote: he compared HTTP traffic and classic firewalls to a door with a keyhole. So true!
He also explained what WAFs can do and how (cookie protection, data leak prevention, CSRF protection, session management), the benefits but also the risks (false positive alerts, increased complexity and some side effects – like errors returned by the WAF and not by the application itself).
Do we need to run a WAF? It must be evaluated case by case. Finally, some best practices were reviewed (type, performance issues – take care of peaks of traffic!). A very good presentation!
The second presentation was given by Mario Heiderich, also a German guy, about current browser security issues. Mario is a lead developer at PHPIDS. All the browsers on the market announce themselves as the most secure browser! But all of them suffer from major issues. More and more plug-ins or add-ons are available and attached to browsers but, according to Mario, let’s focus on the core features of the browsers and secure them. Via technical slides, he demonstrated some vulnerabilities based on markup injections (inline SVG, XML namespaces, XUL artifacts, XXE, HTC via image). Unfortunately, due to a lack of time, the slides were reviewed very quickly. They must clearly be re-read carefully; they looked very interesting too.
Finally, the third presentation was the one by Richard Bennett. He performed an analysis of the Trojan attack which affected some Belgian bank at the end of 2008. For me, it was the most anticipated presentation of the evening. Unfortunately, Richard based his presentation on a PDF document instead of real slides. Details were not easily readable. But the topic was interesting as expected. What did we learn? The trojan used was qualified as “low impact” by Symantec. Its goal was to steal as much data as possible and make profit. Richard also explained how easy it is to buy a ready-to-use Trojan to grab specific data. One important remark was about the way banks communicate with customers: they wrote “best practices” to protect end-users but the documents are really too technical for a broad public! Fail! I appreciated the way Richard performed his presentation. He just said that nobody can pretend to know everything and that he was ready to accept comments and remarks. Good point! The presentation ended with a small “debate” about potential ways to increase the security of e-banking and e-commerce applications (the basic proposition was to connect to a “safe cloud” using a live-cd).
It was a nice event. The next one is already scheduled for Wednesday 4th March. Check out owasp.org for details about today’s presentations and their authors.