OWASP AppSecEU 2012 Athens Recap: Scanner Benchmarking and Database User Security

I just got back from Athens, Greece where I attended and and presented at the OWASP AppSecEU 2012 conference. I had a great time and I wanted to thank Kostas and his crew for putting on a great conference and extending such impeccable hospitality while I was in town.
I gave two talks while in Greece. Friday I presented some new material in a talk titled “Benchmarking Web Application Scanners for YOUR Organization.” This talk looked at some of the currently-available public scanner benchmarks and then walked through the process of creating your own benchmarks using ThreadFix. The abstract for the presentation is:
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.

You can see some of Colin Watson’s comments on the talk in his blog post. Also, an interesting thing (for me, at least) was that scanner benchmarking wasn’t originally an intended use case for ThreadFix and its scan normalization and merging capabilities. But as it turns out those capabilities can be pretty useful for scanner evaluation. Bonus!

The slides for this talk can be found online here:

Thursday I also presented an updated version of my talk “What Permissions Does Your Database User REALLY Need?” The abstract for that talk is:
Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model  for making “least privilege” database accounts a standard practice in web application deployment.

Slides for that talk can be found online here:

Again – many thanks to Kostas and the OWASP Athens folks for putting together a great conference as well as many enjoyable opportunities to explore their city and culture. I had a wonderful trip and I’m looking forward to heading back as soon as possible.

dan _atdenimgroup.com

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.