It was the OWASP chapter meeting, and as always it was very interesting to see Ken van Wyk and Jim Manico, two whitehats from the USA, speaking about application security issues.
1) OWASP intro by Seba
As always, the same introduction to the OWASP organisation, with a call to become a member of the Belgian chapter.
2) Common iOS Pitfalls vs. OWASP’s iGoat (by Ken van Wyk, KRvW Associates)
Ken van Wyk talked about security issues that arise when developers write applications for iOS devices (most of them apply to Android as well). The session was recorded, so please check the OWASP site.
At OWASP, Ken has started a project to identify the top 10 problems of iOS apps (native applications, not web apps).
It is unbelievable what kind of information applications store on your mobile phone: usernames/passwords (Facebook, Twitter, …), geo-locations, … Applications want to interact with those services but don’t want the user to re-enter their credentials every time, so they keep them in an XML file on the phone, and those files are mostly not protected. So when you lose your iPhone, don’t forget to wipe it remotely with Apple’s service.
Android is worse, because there is less control over the applications and the devices have an SD card, where the unsecured data can be stored.
Second big problem: UNSECURED Wi-Fi. He told how he can intercept the communication through MITM attacks or sniffing on the Wi-Fi. Starbucks coffee shops have free and unsecured Wi-Fi access. When the app has to log on to a server, SSL is not always used, and the credentials and session tokens are sent in the clear.
He also gave some demonstrations of iGoat, showing how easy it is to write a bad application (and also how easy it is to do it right).
People interested in helping Ken develop iGoat can contact him directly by mail (keep me informed as well, please! Your knowledge can be used within Smals also).
Check link 2)
There is also a project called Goatdroid.
3) Jim Manico. He was, as always, very eccentric in his presentation about Access Control.
You have vertical access control and horizontal access control. Vertical is the assignment of a role to the user and the access that role has on resources. Horizontal access control is the differentiation of access to resources between users with the same role.
Can a user edit their own user information? If so, can the user edit another user’s information? That other user still has the same role….
He described how you can implement an access control system using the “Command pattern”.
Also use a Filter in the web app to verify the access. In the filter you check this with a boolean value and redirect the user to a page if the check fails. On the backend you use assertions, because a request that fails the check should never get that far. Last but not least, he even proposes to check it on the DAO layer.
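The layered idea above, as an added example that is not from the talk or the post: a command object carries its own authorization check (vertical by role, horizontal by record ownership), the filter makes the boolean decision and redirects, the backend asserts, and the DAO refuses cross-user writes on its own. All names and the in-memory profile store are hypothetical.

```python
# Added example, not from the talk: access control at filter, backend and DAO layer.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (constructed roles)


# Constructed in-memory profile store: user id -> profile data.
PROFILES = {1: {"email": "alice@example.com"}, 2: {"email": "bob@example.com"}}


class AccessDenied(Exception):
    pass


class ProfileDAO:
    @staticmethod
    def update_email(actor: User, target_id: int, email: str) -> dict:
        # DAO-layer check: the write is scoped to the actor's rights, so a
        # bypassed filter cannot turn into a horizontal escalation.
        if actor.role != "admin" and target_id != actor.id:
            raise AccessDenied("DAO refused cross-user write")
        PROFILES[target_id]["email"] = email
        return PROFILES[target_id]


class EditProfileCommand:
    """Command pattern: the request carries its own authorization check."""

    def __init__(self, actor: User, target_id: int, new_email: str):
        self.actor, self.target_id, self.new_email = actor, target_id, new_email

    def is_authorized(self) -> bool:
        # Vertical: admins may edit anyone. Horizontal: users only their own record.
        return self.actor.role == "admin" or self.actor.id == self.target_id

    def execute(self) -> dict:
        # Backend assertion: the filter should already have rejected this.
        assert self.is_authorized(), "unauthorized command reached the backend"
        return ProfileDAO.update_email(self.actor, self.target_id, self.new_email)


def access_filter(command: EditProfileCommand) -> str:
    """Web filter: boolean decision, redirect to an error page on denial."""
    if not command.is_authorized():
        return "redirect:/access-denied"
    command.execute()
    return "ok"
```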
Check link 3) for the slides.
1) OWASP Belgium chapter meeting