By Jake Edge
June 18, 2008
The Open Web Application Security Project (OWASP) has undertaken an ambitious project to create a reference manual—in the same vein as the Physician's Desk Reference—covering application security. The book, along with a companion wiki, is meant to be the starting point for researchers, developers, and code reviewers when performing a number of security-related tasks. The book is currently in an alpha state, with OWASP looking for more reviewers and authors to get the book into a finished state by August.
The Application Security Desk Reference (ASDR) will be a 900+ page book, extensively tagged—cross-referenced in the wiki—to provide a multi-dimensional view of security threats, attacks, vulnerabilities, and impacts. The book introduces a set of principles that will help guide developers in avoiding these problems, along with controls (aka countermeasures) to evade or eliminate them. The authors provide a description of why they took this approach:
Application security information cannot be organized into a one-dimensional taxonomy that is useful for all purposes, although many have tried. For example, organizing application security by vulnerability helps tool vendors, but makes it very difficult for architects to select controls. We've adopted the folksonomy tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these categories to help get different views into the complex, interconnected set of topics that is application security.
The PDF 0.9 version is available, and it is already quite useful, though there is still a fair amount of work to do. An important goal is to provide a foundation:
The ASDR is helpful as basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics. We intend to encourage understanding and consistency when discussing these basic foundational elements of application security. Security only works if people can make informed decisions about risk. The ASDR provides that basic information to help ensure all stakeholders are involved.
Technical books have an unfortunate tendency to rapidly go stale because the industry moves so quickly. Maintaining the wiki will help alleviate this problem by allowing for a dynamic reference that can be periodically produced in dead-tree form as well. Much of this kind of information can be found in books and on the web, but collecting it into one place is very valuable.
Three sections of the current draft stand out as being closest to completion: Principles, Attacks, and Vulnerabilities. Principles contains 17 basic things to keep in mind as part of gaining a "security consciousness". It defines terms in clear language and provides reasons why the principle should be followed. An example:
Security through obscurity is a weak security control, and nearly always fails when it is the only control. This is not to say that keeping secrets is a bad idea, it simply means that the security of key systems should not be reliant upon keeping details hidden.
More than 50 attacks are listed, along with examples and concise descriptions. In addition, there are several hundred vulnerabilities listed, each with examples as well as information on which platforms or languages are affected. It clearly sets out to be a clearinghouse of application security information and looks like it is succeeding in that. For anyone with an interest in security, it is well worth a look. For those who are skilled in security techniques, assisting with the review and content creation might be in order.