OWASP Periodic Table of Vulnerabilities

= Main =

Introduction
After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.

Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

Browsers, Standards, and Protocols
The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single custom application. The amount of industry collaboration required to implement a protocol/standard change can be enormous, but some classes of vulnerabilities simply cannot be addressed without this kind of change (e.g. Clickjacking). A solution at this level is also incredibly powerful: a CSP-based solution to Cross-Site Scripting might allow most application owners to write a simple policy file instead of implementing a costly framework or custom code solution to protect their existing application assets.

Perimeter Technologies
Less scalable, but almost as effective, is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services (e.g. Akamai), and proxies. These technologies can shield vulnerable applications without requiring changes to the applications themselves. While most classes of vulnerability depend heavily on the application code and aren't easily solved by a generic perimeter solution, some are generalizable to the point where a perimeter solution could protect any application behind it before an attack even has a chance to do damage. Anti-automation and protocol validation are especially good solutions for perimeter technologies to address.

Generic Application Frameworks
The next most scalable approach requires upgrading popular application frameworks so they are robust against common attack classes. Common web application platforms such as Java Struts/J2EE, Ruby on Rails, and PHP can theoretically prevent developers from introducing most classes of vulnerability in the first place. However, the current state of the framework industry is more driven by features than by security; any conflict between the two is usually decided in favor of adding features and ease of use, as opposed to difficult-to-use security enhancements. Some frameworks even have built-in vulnerabilities out of the box!

Improvements to application frameworks won't immediately help protect existing applications (though they would make any new applications built on the platform much safer). Many applications currently rely on insecure features of their frameworks that would be eliminated or refactored when the framework is secured. Existing applications would need to follow an upgrade path provided by a "secure" branch of existing frameworks before these solutions could take effect. Many applications don't even use popular frameworks at all, and so could never be helped by improvements to common development platforms.

Generic Framework solution guidelines would, however, help application owners prioritize refactoring efforts for their existing applications in order to make their application code more robust against future development mistakes. This is true whether their applications use popular frameworks or not. Implementing a robust solution to a vulnerability class is much more cost-effective in the long run than training every developer to understand every vulnerability and continuously patching new instances of the vulnerability each time they appear. Cross-Site Scripting is a classic example of the "whac-a-mole vulnerability" that recurrently wastes developer time and attention and could be solved more holistically with a framework wrapper.

Custom Application Frameworks
Some solutions are unique to a specific application and can't be defended by a generic framework solution. For example, a generic framework might ship with a Social Security Number (SSN) validator, but a custom framework solution would be needed for a CustomWidgetItem validator. The SSN data type is well-defined and not unique to a specific application or business, but the CustomWidgetItem is unique to that application and has its own validation rules.

Organizations should still customize application frameworks to support their own application-specific APIs and security controls. Developers can leverage these controls during development instead of having to build the controls in during their daily coding efforts. If developers use a CustomWidgetItem object that has already been validated by framework code, it is much more likely that they will use it safely than if they have to remember to do their own validation each time they use the object.

Custom Code
If none of the other solution options are possible for a given vulnerability class, developers will be required to protect against that class in every line of code that they write, which does not scale effectively at all. Some classes of attacks, such as Abuse of Functionality, depend completely on the custom code and cannot be abstracted at all into other solution models.

The set of vulnerabilities which must be eliminated in custom code is only a small fraction of the total vulnerability space. By focusing training and testing efforts on just this set of issues, after addressing all other problems in a more scalable manner, developers have a much better chance of building secure applications in the future.

= Periodic Table of Vulnerabilities =

= Solution Detail =

Root Cause Summary
Applications do not define or detect when request rates are outside the bounds of normal, acceptable use.

Browser / Standards Solution
None

Perimeter Solution
Perimeter technologies including geocaching/proxy services must support automatic and/or manual "panic button" anti-automation, enforcing progressive CAPTCHA for unvalidated requests, triggering on excessive 5XX responses, or direct signal from application.

Complexity: High Impact: Medium

Generic Framework Solution
Provide configurable per-user/session request rate limits. For authenticated transactions, limits should be configurable on a per-user or per-session basis. Configuration should allow combining multiple limits of the form "# of requests per time period". For example, an administrator should be combine "10 requests per minute" with "500 requests per day" in order to simultaneously apply policies which prevent users from automatic crawling/screen scraping as well as longer-term slow leeching activities.

Complexity: Low Impact: High

Custom Framework Solution
Provide a common configuration functionality available to any feature/function. Configuration settings should allow multiple per-user rate limits as well as global rate limits to prevent denial of service.

Complexity: Low Impact: High

Custom Code Solution
Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.

Complexity: Low Impact: High

Discussion / Controversy
Generic framework solution requires too much overhead to track request limits. Request rate limiting should be done in perimeter, not framework. Should combine with Denial of Service (Application-Based)? Custom Code solution is the same as Custom Framework Solution; Custom Code solution should be pushed into framework.