Netherlands April 10, 2013
"In this Chapter meeting we will not REST until we have designed an access control mechanism to protect your web services..."
- 18:30 - 19:15 Registration & Pizza
- 19:15 - 20:00 “Access Control Design Best Practices” – Jim Manico
- 20:00 - 20:15 Break
- 20:15 - 21:00 “RESTful services, the web security blind spot” – Ofer Shezaf
- 21:00 - 21:30 Networking
Access Control Design Best Practices
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
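As an added illustration (not code from the talk or from OWASP), the snippet below puts the "fail open" and hard-coded-policy anti-patterns next to a deny-by-default, activity-based check whose rules are data contextual (they see the resource, so horizontal access is enforced) and live in a configurable table; the user, document and activity names are assumed for the example.

```python
# Added example: fail-open / hard-coded access control beside a
# deny-by-default, activity-based, data-contextual design.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)


@dataclass
class Document:
    id: int
    owner_id: int


# Anti-pattern: policy hard-coded as "activity -> required role"; nothing
# about the resource is consulted, so there is no horizontal check.
LEGACY_ROLE_FOR = {"delete_document": "admin"}


def can_fail_open(user, activity, doc):
    try:
        return LEGACY_ROLE_FOR[activity] in user.roles
    except KeyError:
        return True  # unknown activity is granted: the mechanism fails open


# Positive design: each activity maps to a rule over (user, resource), held
# in a table that can be loaded from configuration instead of scattered ifs.
POLICY = {
    "read_document": lambda u, d: d.owner_id == u.id or "auditor" in u.roles,
    "edit_document": lambda u, d: d.owner_id == u.id,
    "delete_document": lambda u, d: "admin" in u.roles,
}


def is_authorized(user, activity, resource, policy=POLICY):
    """Deny by default: unknown activity, missing resource or a rule that
    raises all evaluate to False (fail closed)."""
    rule = policy.get(activity)
    if rule is None:
        return False
    try:
        return bool(rule(user, resource))
    except Exception:
        return False
```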
RESTful web services, the web security blind spot
As a lightweight alternative to web services, RESTful services are fast becoming a leading technology for developing mobile applications and web 2.0 sites. At first glance, RESTful services seem very different from web services and suspiciously similar to regular web technology. The similarity of RESTful services to the regular web leads to the misconception that RESTful services are secured in the same way. However, RESTful services share many of the security risks of web services without the compensating Web Services security controls. The presentation will describe RESTful services and their use, the complexities in protecting them, and common attack vectors specific to REST services, such as URL-embedded attacks. The presentation concludes with a discussion of the challenges of security testing for RESTful services and presents novel approaches for automated testing of RESTful services using grey-box testing, a method combining a client attack tool and a server-based monitor.
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.
Ofer Shezaf is an internationally recognized application security expert. Ofer manages security solutions at HP ArcSight and prior to that managed web security research at HP Fortify and at Breach Security. Ofer is an OWASP (Open Web Application Security Project) leader, the founder of the OWASP Israeli chapter and a WASC (Web Application Security Consortium) officer. Ofer leads the Web Application Firewall Evaluation Criteria project and founded the ModSecurity Core Rule Set project and the WASC Web Hacking Incident Database project. Ofer blogs about the role and value of information security at www.xiom.com, trying to separate myth from reality in the information security world.