Full Report
Hi All,

SensePost will be running their next Developer and Bootcamp courses for 2009, scheduled for November. Please drop me an email if you know of anyone in your area that would like to attend.

1) Hacking by Numbers – Developer Edition (16-18 November 2009)
2) Hacking by Numbers – Extended (Bootcamp) Edition (10-13 November)

Information about courses:

1) HBN – Developer Edition

‘Hacking By Numbers – Developer Edition’ is a course aimed at arming web application developers with knowledge of web application attack techniques currently being used in the ‘wild’ and how to combat them. Derived from our internationally acclaimed ‘Hacking By Numbers’ security training, this course focuses heavily on two questions: “What am I up against?” and “How can I protect my applications from attack?” During the course sample applications will be dissected to discover security-related bugs hidden within the code. The class will then consider prevention, detection & cure.
Analysis Summary
# Best Practices: Web Application Security Development and Defense
## Overview
These practices are derived from the focus areas of the "Hacking By Numbers – Developer Edition" course, which aims to equip web application developers with knowledge of current attack techniques ("What am I up against?") and the methods to protect their applications ("How can I protect my applications from attack?"). The focus is on **prevention, detection, and cure** related to security bugs hidden within application code.
## Key Recommendations
### Immediate Actions
1. **Prioritize Attack Surface Mapping:** Immediately inventory all publicly accessible components of current applications to understand the immediate "What am I up against?" exposure.
2. **Implement Core Defense Principles:** Begin embedding fundamental security concepts (like secure input validation and least privilege) into developers' daily coding habits, referencing basic secure coding checklists.
3. **Establish Communication Channel:** Designate a clear contact point (e.g., a dedicated security email, similar to the provided contact for course info) for developers to raise immediate security concerns or report potential findings.
### Short-term Improvements (1-3 months)
1. **Code Dissection for Bugs:** Schedule mandatory, focused sessions where developers actively dissect sample application code (similar to course structure) specifically to hunt for and patch common, high-impact security-related bugs in existing codebase segments.
2. **Integrate Detection Mechanisms:** Implement application-level logging and monitoring specifically targeting suspicious activity patterns that indicate an active attack attempt (Detection phase).
3. **Develop Basic Remediation Scripts:** Define and centrally document basic "Cure" protocols for the most common vulnerabilities discovered, allowing for rapid response when an issue is found in production.
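The "Integrate Detection Mechanisms" item above asks for application-level logging that surfaces patterns of an active attack attempt. The following is an added example, not code from the original post or from SensePost: a small detector that parses constructed application log lines and flags any client that produces a burst of rejected inputs or failed logins within a short window. The log line format, the event names, the threshold and the window length are all assumptions for the illustration.

```python
"""Added example (not from the original post): an application-level detector
that scans log lines for bursts of suspicious events from one client.
Log format, event names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> <client_ip> <event> <detail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<event>\S+) (?P<detail>.*)$"
)

# Events that become interesting when they repeat quickly from one source.
SUSPICIOUS_EVENTS = {"INPUT_REJECTED", "AUTH_FAILED", "ACCESS_DENIED"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected format (malformed lines are skipped, not trusted)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "event": m.group("event"),
        "detail": m.group("detail"),
    }


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max_count} for every client that logged at least
    `threshold` suspicious events inside some sliding window of `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] in SUSPICIOUS_EVENTS:
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: one client hammers validation and login in seconds,
# another produces isolated, normal-looking failures far apart.
SAMPLE_LOG = """\
2009-11-10T09:00:01 10.0.0.5 AUTH_OK user=alice
2009-11-10T09:00:03 198.51.100.7 INPUT_REJECTED field=username reason=pattern
2009-11-10T09:00:04 198.51.100.7 INPUT_REJECTED field=username reason=pattern
2009-11-10T09:00:05 198.51.100.7 INPUT_REJECTED field=search reason=length
2009-11-10T09:00:06 198.51.100.7 AUTH_FAILED user=admin
2009-11-10T09:00:07 198.51.100.7 AUTH_FAILED user=admin
2009-11-10T09:00:08 198.51.100.7 AUTH_FAILED user=root
2009-11-10T09:02:00 10.0.0.5 INPUT_REJECTED field=email reason=pattern
2009-11-10T09:45:00 10.0.0.5 AUTH_FAILED user=alice
this line is malformed and is ignored by the parser
""".splitlines()

if __name__ == "__main__":
    for ip, n in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} produced {n} suspicious events within 60s")
```

The point of the sliding window is that the same total number of failures spread over an hour (the second client) is ordinary user behaviour, while the same count in a few seconds is worth an alert; thresholds should be tuned against the application's real rejection rate before the alert is wired to a pager.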
### Long-term Strategy (3+ months)
1. **Establish Continuous Training Program:** Mandate regular, technical security training (akin to the described Bootcamp) for all development and operations staff to ensure continuous knowledge transfer regarding evolving "attack techniques currently being used in the ‘wild’."
2. **Embed the Security Lifecycle:** Formally integrate security checks (prevention, detection, cure) into the entire Software Development Lifecycle (SDLC), moving security discussions earlier than typical QA phases.
3. **Deep Dive Practice:** Dedicate significant time for technical staff (including administrators and consultants) to engage in hands-on practice using technical security techniques to build deep, intuitive knowledge of defensive gaps.
## Implementation Guidance
### For Small Organizations
- **Focus on Foundational Knowledge:** Mandate that 100% of web-facing developers complete entry-level secure code training focused on the OWASP Top 10 vulnerabilities.
- **Manual Code Review Emphasis:** Given resource constraints, prioritize high-risk, user-facing code segments for thorough security code review (manual where tooling is unavailable) before deployment.
### For Medium Organizations
- **Developer/Operations Pairing:** Institute mandatory cross-training where developers attend introductory security workshops covering system administration concerns, and system administrators attend training covering application attack vectors.
- **Adopt Triage Teams:** Formalize a small internal team responsible for security testing (dissecting code) and rapid patch application (cure).
### For Large Enterprises
- **Specialized Bootcamp Implementation:** Roll out customized versions of the intensive "Hacking By Numbers" style training, segmented by role (e.g., deep dive for AppSec engineers, high-level awareness for product managers).
- **Automated Security Gates:** Implement automated scanning tools (Static Application Security Testing - SAST) to enforce baseline security standards programmatically during the build process, focusing heavily on **prevention**.
## Configuration Examples
*(The source article does not provide specific technical configurations. General guidance points to the necessity of configuring applications to prevent attacks discovered during code dissection.)*
**Guidance:** Developers must focus configuration efforts on:
1. **Input Sanitization:** Configured validation rules must reject unexpected input formats immediately upon receipt.
2. **Error Handling:** Application configurations must disable verbose error messages in production environments to prevent information leakage that aids attackers.
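Since the source article provides no concrete configuration, the following is an added example (not from the original article or from SensePost) of the two guidance points in code: allow-list validation that rejects unexpected input formats as soon as a request arrives, and an error handler that never returns internal details when a production flag is set. The field rules, the request shape, the `PRODUCTION` flag and the `place_order` business-logic stand-in are assumptions for the illustration.

```python
"""Added example (not from the original article): allow-list input validation
that rejects unexpected formats on receipt, plus production-safe error
handling. Field rules, request shape and the PRODUCTION flag are assumptions."""
import logging
import re
import uuid

log = logging.getLogger("app")

# Allow-list rules per field: anything that does not match is rejected outright.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$"),
    "quantity": re.compile(r"^[1-9][0-9]{0,3}$"),  # 1..9999, no sign or decimals
}


class ValidationError(ValueError):
    """Raised for input the application did not expect; safe to echo back."""


def validate_request(fields):
    """Return cleaned fields or raise ValidationError at the first problem.
    Every known field is required, and unknown fields are rejected too so that
    extra parameters cannot reach business logic unvalidated."""
    unknown = set(fields) - set(FIELD_RULES)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for name, rule in FIELD_RULES.items():
        value = fields.get(name)
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"field {name!r} has an unexpected format")
        cleaned[name] = value
    cleaned["quantity"] = int(cleaned["quantity"])  # safe: matched digits only
    return cleaned


def place_order(order):
    """Business-logic stand-in (assumption): compute a line total in cents."""
    unit_price_cents = 250  # constructed value
    return {"user": order["username"], "total_cents": unit_price_cents * order["quantity"]}


PRODUCTION = True  # assumption: set by deployment configuration


def handle_request(fields, process=place_order, production=PRODUCTION):
    """Simulated request handler returning (status, body).

    Validation failures are reported plainly. Any other exception is logged
    in full under an incident id, but in production the response carries only
    that id and a generic message, never a stack trace or internal text."""
    try:
        cleaned = validate_request(fields)
        return 200, {"ok": True, "result": process(cleaned)}
    except ValidationError as e:
        return 400, {"ok": False, "error": str(e)}
    except Exception as e:
        incident = uuid.uuid4().hex[:12]
        log.exception("unhandled error, incident %s", incident)
        body = {"ok": False, "error": "internal error", "incident": incident}
        if not production:
            body["debug"] = repr(e)  # verbose detail only outside production
        return 500, body


if __name__ == "__main__":
    good = {"username": "alice", "email": "alice@example.com", "quantity": "3"}
    print(handle_request(good))
    print(handle_request({**good, "quantity": "-1"}))
    print(handle_request({**good, "is_admin": "true"}))
```

Rejecting unknown fields is the part most often left out: validating only the fields the code knows about still lets an attacker smuggle extra parameters to any layer that binds the whole request to an object. The incident id gives support staff a handle to find the full log entry without the response itself revealing anything about the failure.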
## Compliance Alignment
The practices described directly align with the objectives of:
- **ISO/IEC 27001 (A.14 Security in Application Development):** Focusing on secure development policies, secure coding, and system testing for security.
- **NIST SP 800-53 (SA series - System and Services Acquisition):** Ensuring security requirements are established, understood, and implemented throughout the application lifecycle.
- **OWASP SAMM:** By focusing on understanding "what you are up against" and implementing "prevention, detection, & cure."
## Common Pitfalls to Avoid
- **Treating Security as an Add-On:** Failing to integrate security discussions (prevention) early in the design phase, leading to expensive rework later.
- **Skipping the "Why":** Training that only lists dos and don'ts without explaining the underlying attack techniques ('wild' attacks) fails to instill necessary defensive thinking.
- **Neglecting Operations Staff:** Assuming only developers need security training; administrators require knowledge of network/system security prerequisites to support secure applications.
## Resources
- **Developer Security Training Framework:** Adopt structured training materials that dissect sample applications to reveal hidden bugs.
- **Attack Simulation Documentation:** Maintain an evolving repository of "attack techniques currently being used in the ‘wild’" (threat intelligence).
- **Secure Coding Documentation:** Utilize established secure coding standards to guide the "prevention" phase of development.