The Application Security Desk Reference
By Jake Edge
June 18, 2008
The Open Web Application Security Project (OWASP) has undertaken an ambitious project to create a reference manual—in the same vein as the Physician's Desk Reference—covering application security. The book, along with a companion wiki, is meant to be the starting point for researchers, developers, and code reviewers when performing a number of security-related tasks. The book is currently in an alpha state, with OWASP looking for more reviewers and authors to get it into a finished state by August.
The Application Security Desk Reference (ASDR) will be a 900+ page book, extensively tagged—cross-referenced in the wiki—to provide a multi-dimensional view of security threats, attacks, vulnerabilities, and impacts. The book introduces a set of principles that will help guide developers in avoiding these problems, along with controls (aka countermeasures) to mitigate or eliminate them. The authors provide a description of why they took this approach:
Application security information cannot be organized into a one-dimensional
taxonomy that is useful for all
purposes, although many have tried. For example, organizing application
security by vulnerability helps tool
vendors, but makes it very difficult for architects to select
controls. We've adopted the folksonomy tagging
approach to solving this problem. We simply tag our articles with a number
of different categories. You can use
these categories to help get different views into the complex,
interconnected set of topics that is application
security.
The PDF 0.9 version is available, and it is already
quite useful, though there is still a fair amount of work to do. An
important goal is to provide a foundation:
The ASDR is helpful as basic reference material when performing such
activities as threat modeling, security
architecture review, security testing, code review, and metrics. We intend
to encourage understanding and
consistency when discussing these basic foundational elements of
application security. Security only works if
people can make informed decisions about risk. The ASDR provides that basic
information to help ensure all
stakeholders are involved.
Technical books have an unfortunate tendency to rapidly go stale because the industry moves so quickly. Maintaining the wiki will help alleviate this problem by allowing for a dynamic reference that can be periodically produced in dead-tree form as well. Much of this kind of information can be found in books and on the web, but collecting it in one place is very valuable.
Three sections of the current draft stand out as being closest to
completion: Principles, Attacks, and Vulnerabilities. Principles contains
17 basic things to keep in mind as part of gaining a "security
consciousness". It defines terms in clear language and provides reasons why
the principle should be followed. An example:
Security through obscurity is a weak security control, and nearly always
fails when it is the only control. This is not
to say that keeping secrets is a bad idea, it simply means that the
security of key systems should not be reliant
upon keeping details hidden.
More than 50 attacks are listed, along with examples and concise
descriptions. In addition, there are several hundred vulnerabilities
listed, each with examples as well as information on which platforms or
languages are affected. It clearly sets out to be a clearinghouse of
application security information and looks like it is succeeding in that.
For anyone with an interest in security, it is well worth a look. For those
who are skilled in security techniques, assisting with the review and
content creation might be in order.
Security news
SSL Certificates Vulnerable to OpenSSL Flaw on Debian (Netcraft)
Netcraft has discovered a "significant number" of bad SSL certificates due to the recent Debian OpenSSL flaw. Some Extended Validation (EV) certificates are among those they found that were generated with the vulnerable code. "The vulnerable certificates afford opportunities to create deceptive sites which use apparently valid SSL certificates, giving the user the impression that the site belongs to the certified organisation. In the case of EV certificates, browsers will also turn the address bar green, even though the certificate may be cloned."
New vulnerabilities
cbrpager: execution of arbitrary code
| Package(s): | cbrpager |
| CVE #(s): | CVE-2008-2575 |
| Created: | June 17, 2008 |
| Updated: | June 18, 2008 |
| Description: | From the Gentoo advisory: Mamoru Tasaka discovered that filenames of the image archives are not properly sanitized before being passed to decompression utilities like unrar and unzip, which use the system() libc library call. |
| Alerts: | |
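As an added illustration of the bug class in this entry (this is not cbrpager's code, nor the Gentoo fix), the following C program contrasts the pattern the advisory describes, an archive filename spliced into a command string for system(), with a fork/exec of an argv array. The tools true and false stand in for unrar and unzip so that it runs anywhere; the "x" subcommand, the "./" prefix for names starting with a dash, and the hostile filename are all constructed for the example.

```c
/* Added example, not cbrpager's code.  It contrasts the pattern described
 * in the advisory (archive filename spliced into a system() command line)
 * with an argv-based fork/exec.  "true" and "false" stand in for unrar and
 * unzip so the example runs anywhere; the "x" subcommand is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable: system() hands the string to /bin/sh -c, so ';', '|', '`' and
 * $(...) in the filename are parsed as shell syntax.  Returns the exit status
 * of whatever the shell ended up running, or -1 on error. */
int extract_via_system(const char *tool, const char *archive)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s x %s", tool, archive);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* A filename that starts with '-' is still a problem with argv: the tool
 * would read it as an option.  Prefix such names with "./" so the tool sees
 * a path.  Returns 0, or -1 if the result does not fit. */
int safe_archive_arg(const char *name, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s%s", name[0] == '-' ? "./" : "", name);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Run argv[] directly: no shell, so each element reaches the child verbatim
 * as one argument.  Returns the child's exit status, 127 if exec failed,
 * -1 on fork/wait failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Hardened replacement for extract_via_system(). */
int extract_via_exec(const char *tool, const char *archive)
{
    char arg[1024];
    if (safe_archive_arg(archive, arg, sizeof arg) < 0)
        return -1;
    char *const argv[] = { (char *)tool, "x", arg, NULL };
    return run_argv(argv);
}

int main(void)
{
    const char *hostile = "comic.cbr; exit 9";          /* constructed filename */
    printf("system(): status %d (the injected 'exit 9' ran)\n",
           extract_via_system("true", hostile));
    printf("execvp(): status %d (the name was just an argument)\n",
           extract_via_exec("true", hostile));
    return 0;
}
```

Run it and the system() path reports status 9, because the shell executed the injected `exit 9` after `true`; the execvp() path reports 0, because `comic.cbr; exit 9` arrived as a single argument that true ignored. Even with argv the filename still needs care: a name beginning with `-` is an option to most tools, which is what the `./` prefix guards against.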
freetype: multiple vulnerabilities
| Package(s): | freetype |
| CVE #(s): | CVE-2008-1806, CVE-2008-1807, CVE-2008-1808 |
| Created: | June 18, 2008 |
| Updated: | May 22, 2009 |
| Description: | The freetype library suffers from integer overflow (CVE-2008-1806), invalid free (CVE-2008-1807), and heap overflow (CVE-2008-1808) vulnerabilities in its font parsers, all of which could potentially be exploited remotely via a crafted font file. Version 2.3.6 contains the fixes. |
| Alerts: | |
openoffice.org: arbitrary code execution
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2008-2366 |
| Created: | June 16, 2008 |
| Updated: | June 18, 2008 |
| Description: | From the Red Hat advisory: It was discovered that certain libraries in the Red Hat Enterprise Linux 3 and 4 openoffice.org packages had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run OpenOffice in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-2366) |
| Alerts: | |
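To see concretely what the advisory means by an insecure relative RPATH, here is an added C audit tool (not OpenOffice.org's or Red Hat's code) that walks an ELF64 binary's dynamic section and counts the DT_RPATH/DT_RUNPATH elements the dynamic loader would resolve against the current working directory. The classification rule is an assumption chosen for this example: an element is fine if absolute or anchored to the binary with $ORIGIN, and dangerous otherwise, the empty element included since the loader treats it as ".". It handles native-endian ELF64 files only.

```c
/* Added example, not OpenOffice.org's or Red Hat's code: audit an ELF64
 * binary for the defect in this advisory, a DT_RPATH/DT_RUNPATH element
 * that the dynamic loader resolves against the current working directory.
 * Assumes a native-endian ELF64 file; anything else is reported as -1. */
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* An element is loader-relative unless it is absolute or anchored to the
 * executable's own directory with $ORIGIN.  The empty element (":a" or
 * "a::b") counts too: the loader treats it as ".". */
int rpath_entry_is_relative(const char *e)
{
    if (e[0] == '/')
        return 0;
    if (strncmp(e, "$ORIGIN", 7) == 0 || strncmp(e, "${ORIGIN}", 9) == 0)
        return 0;
    return 1;
}

/* Count loader-relative elements in a colon-separated search path. */
int count_relative_entries(const char *rpath)
{
    int bad = 0;
    const char *p = rpath;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char elem[4096];
        if (len >= sizeof elem)
            len = sizeof elem - 1;
        memcpy(elem, p, len);
        elem[len] = '\0';
        bad += rpath_entry_is_relative(elem);
        if (!end)
            break;
        p = end + 1;
    }
    return bad;
}

/* True if [off, off+len) lies inside a file of the given size. */
static int in_file(size_t off, size_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* Returns the number of loader-relative rpath elements in the file, 0 if
 * the binary is clean, -1 if it cannot be read or is not native ELF64.
 * Section offsets are bounds-checked; the string table itself is assumed
 * NUL-terminated, as the linker emits it. */
int scan_elf_rpath(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    size_t size = (size_t)st.st_size;
    unsigned char *m = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED)
        return -1;

    int bad = -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)m;
    if (size >= sizeof *eh && memcmp(eh->e_ident, ELFMAG, SELFMAG) == 0 &&
        eh->e_ident[EI_CLASS] == ELFCLASS64 &&
        in_file(eh->e_shoff, (size_t)eh->e_shnum * sizeof(Elf64_Shdr), size)) {
        const Elf64_Shdr *sh = (const Elf64_Shdr *)(m + eh->e_shoff);
        bad = 0;
        for (int i = 0; i < eh->e_shnum; i++) {
            if (sh[i].sh_type != SHT_DYNAMIC || sh[i].sh_link >= eh->e_shnum ||
                !in_file(sh[i].sh_offset, sh[i].sh_size, size) ||
                !in_file(sh[sh[i].sh_link].sh_offset, sh[sh[i].sh_link].sh_size, size))
                continue;
            const Elf64_Shdr *strsh = &sh[sh[i].sh_link];
            const char *strtab = (const char *)(m + strsh->sh_offset);
            const Elf64_Dyn *dyn = (const Elf64_Dyn *)(m + sh[i].sh_offset);
            size_t n = sh[i].sh_size / sizeof *dyn;
            for (size_t j = 0; j < n && dyn[j].d_tag != DT_NULL; j++) {
                if (dyn[j].d_tag != DT_RPATH && dyn[j].d_tag != DT_RUNPATH)
                    continue;
                if (dyn[j].d_un.d_val >= strsh->sh_size)
                    continue;                  /* string offset outside the table */
                bad += count_relative_entries(strtab + dyn[j].d_un.d_val);
            }
        }
    }
    munmap(m, size);
    return bad;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = scan_elf_rpath(argv[i]);
        if (r < 0)
            printf("%s: unreadable or not native ELF64\n", argv[i]);
        else
            printf("%s: %d loader-relative rpath element(s)\n", argv[i], r);
    }
    return 0;
}
```

Point it at the binaries and shared objects of an installed package (for OpenOffice.org, the contents of its program directory) and anything reporting a non-zero count is exploitable exactly as the advisory describes: start the program from a directory the attacker writes to, and the loader picks up the attacker's copy of a library before the system one. `readelf -d` on the same files prints the raw RPATH/RUNPATH strings if you want to confirm by hand.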
roundcubemail: cross-site scripting
| Package(s): | roundcubemail |
| CVE #(s): | CVE-2007-6321 |
| Created: | June 16, 2008 |
| Updated: | June 18, 2008 |
| Description: | From the Red Hat bugzilla: Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands. |
| Alerts: | |
typo3: several vulnerabilities
| Package(s): | typo3 |
| CVE #(s): | |
| Created: | June 13, 2008 |
| Updated: | June 18, 2008 |
| Description: | From the Debian advisory: Several remote vulnerabilities have been discovered in the TYPO3 content management framework. Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed execution of arbitrary code as the webserver user. User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use. |
| Alerts: | |
xorg-server: multiple vulnerabilities
| Package(s): | xorg-server |
| CVE #(s): | CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362 |
| Created: | June 12, 2008 |
| Updated: | September 26, 2008 |
| Description: | From the Debian alert: |
| CVE-2008-1377 | Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. |
| CVE-2008-1379 | An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. |
| CVE-2008-2360 | An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow. |
| CVE-2008-2361 | An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing unmapped memory, causing a crash of the X server. |
| CVE-2008-2362 | Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters. |
| Alerts: | |
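The freetype and xorg-server entries above describe the same two bug classes: a size computation that wraps in 32-bit arithmetic so that too little memory is allocated (CVE-2008-1806, CVE-2008-2360, CVE-2008-2361), and a byte-swap loop whose item count comes from the client and is never checked against the request length (CVE-2008-1377, CVE-2008-2362). The following added C example (not X.Org's or FreeType's code) shows both in a generic form. The request layout it uses, a length word, a count word and then the items, the 16-byte glyph header and the 2 GiB cap are all constructed for the example.

```c
/* Added example, not X.Org's or FreeType's code.  It shows the two bug
 * classes in the xorg-server and freetype entries in a generic form: a size
 * computation that wraps in 32 bits so too little memory is allocated, and
 * a byte-swap loop whose item count comes from the client without being
 * checked against the request length.  The request layout (length word,
 * count word, then the items) and the constants are constructed stand-ins. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The vulnerable shape: CARD32 arithmetic wraps silently, so a 65536x65536
 * 8-bpp glyph computes to a 16-byte allocation that the later copy overruns. */
uint32_t naive_glyph_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8) + 16;          /* 16-byte header, assumed */
}

/* Checked version: widen before multiplying and refuse anything over a cap
 * the server would never legitimately need.  Returns 0 and the size, or -1
 * when the request is unreasonable. */
int checked_glyph_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    const uint64_t cap = UINT64_C(1) << 31;          /* 2 GiB, assumed policy */
    if (bpp == 0 || bpp % 8 || bpp > 32)
        return -1;
    uint64_t bytes = (uint64_t)width * height;       /* 32x32 bits: cannot wrap */
    if (bytes > cap / (bpp / 8))
        return -1;
    *out = (size_t)(bytes * (bpp / 8) + 16);
    return 0;
}

/* Swapped-request handlers (the SProc* functions in the advisory) run when
 * the client has the other byte order.  Here a request is nwords CARD32s:
 * req[0] = declared length in words, req[1] = number of items, req[2..] =
 * the items.  The two header words are assumed to be already swapped. */
static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00) | ((v << 8) & 0xff0000) | (v << 24);
}

/* Checked swap: the item count must fit inside the request as declared, and
 * the declared length must fit inside the bytes actually received.  Comparing
 * counts rather than count*4 also avoids a second overflow.  Returns items
 * swapped, or -1 when the request is malformed. */
int swap_items_checked(uint32_t *req, size_t nwords)
{
    if (nwords < 2)
        return -1;
    uint32_t length_words = req[0], nitems = req[1];
    if (length_words < 2 || length_words > nwords)
        return -1;
    if (nitems > length_words - 2)
        return -1;                /* the check the advisory says was missing */
    for (uint32_t i = 0; i < nitems; i++)
        req[2 + i] = bswap32(req[2 + i]);
    return (int)nitems;
}

/* Constructed sample request: six words, room for four items.  The caller
 * chooses the client-supplied count.  Returns the swap result, or -2 if the
 * swap ran but the first item did not come out byte-reversed. */
int swap_sample(uint32_t nitems)
{
    uint32_t req[6] = { 6, nitems, 0x01020304, 0x05060708, 0x090a0b0c, 0x0d0e0f10 };
    int n = swap_items_checked(req, 6);
    if (n > 0 && req[2] != 0x04030201)
        return -2;
    return n;
}

int main(void)
{
    size_t sz;
    printf("naive size for 65536x65536x8: %" PRIu32 " bytes\n",
           naive_glyph_size(65536, 65536, 8));
    printf("checked size: %s\n",
           checked_glyph_size(65536, 65536, 8, &sz) ? "rejected" : "accepted");
    printf("swap with count 4: %d, count 5: %d, count 0x40000000: %d\n",
           swap_sample(4), swap_sample(5), swap_sample(0x40000000));
    return 0;
}
```

The naive size comes out as 16 bytes for a request that describes four gigabytes of pixels, which is the allocation the heap overflow in CVE-2008-2360 then overruns; the checked version rejects it. For the swap loop, the count of 0x40000000 is rejected without ever being multiplied, which is the point of comparing counts against the declared length rather than computing a byte count first.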
Page editor: Jake Edge