Discussion with Jeff Williams, CEO of Aspect Security about OWASP

Discussion with Jeff Williams, CEO, Aspect Security, Inc.

About Jeff Williams and OWASP (Open Web Application Security Project)

Jeff Williams is the CEO of Aspect Security and the OWASP Chairman. He also coauthored the OWASP Top 10, developed Stinger and the OWASP Legal Project, and helps manage the OWASP Foundation.

The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Our open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists.

I recently talked to Jeff about OWASP and where they are with Web Services and SOA Security.

Can you tell me about OWASP and what their mandate is?

Williams: OWASP has been around for 4 or 5 years now and I took over running it after it had been around for about a year or two. We’re trying to provide as much information and tools to help people build, deploy, and acquire secure software. We have a lot of initiatives going and it is a pretty far-flung enterprise. We have 72 chapters around the world and there is about a chapter or two a week forming. That has been pretty successful for us. We get a lot of traffic to our site - millions of hits a month. What really catapulted us into popularity and public attention was that we produced a top ten web application security vulnerabilities paper back in 2002 and it got us an unbelievable amount of attention - millions of downloads, lots of newspaper articles written about it, and then it got built into the VISA CISP standard. Now it is part of the PCI standard. It got a lot of attention that way. A lot of vendors latched on to this and said that “our product solves the OWASP top ten”. I think this is ridiculous, but they still ended up marketing OWASP for us. So it grew pretty quickly. We have a number of other tools. I think they’re pretty good - WebGoat and WebScarab for testing and learning about web application security. This started some things in XML, web services, SOAP, and some other things. Here is what we got: a couple of chapters of the OWASP Guide, which is a 300 page book about all things application security. There is some good information in there but it is not super detailed. We have built web services lessons into WebGoat, which is an online training environment. You can fire up WebGoat and it has some web services with vulnerabilities associated with them. You can experiment with them to learn. It is a nice safe online learning environment for people.

WebScarab correspondingly has testing tools for web services. You can load a WSDL into WebScarab and play around with the messages, introduce bad data into the web service, see what other messages are there, invoke them, etc. It is a nice environment for testing web services, kind of similar to SOAPScope or one of those other products. For security purposes I think WebScarab is really good because it wasn’t designed for testing to see if something works; it was designed to try to break it. It is fully scriptable and those kinds of things. It is growing; it is not all the way there yet, but there is definitely some good power there.

We have a few prospects that are starting to look at web service projects. There is some potential here since a lot of people go to OWASP to look for these types of resources.

What is the relationship between Aspect Security and OWASP?

Williams: Legally, they are completely separate entities. OWASP is a 501(c)(3) charitable foundation, so if people become members, their contributions are tax deductible. OWASP has a separate leadership structure. It has a group of leaders to make decisions on what we do. The executive leadership is myself as chair, technical director Andrew van der Stock working out of Australia, and Dave Wichers, who runs the conference series. We have had five conferences now, some in Europe and some in the States, and those have been pretty successful for us. Aspect works in this space and we have contributed a lot of our stuff to OWASP. We wrote the first draft of the OWASP Top 10 and contributed WebGoat. I actually wrote WebGoat for some classes I was doing and decided to release it into open source. Now it is used quite widely, and a lot of books reference it. I’m happy with it. It gave us some publicity and we look like we’re really good guys who are supporting the Aspect community. I really like the way it has been working; it has worked for Aspect for a while and it has been good for OWASP as well.

What does Aspect Security do?

Williams: We are a consulting company that focuses on software security.

As far as SOA, have you been involved in SOA projects?

Williams: We regularly look at web service implementations. Generally it is on the backend of a web application. They are using a web service internally to access some data or some function they’ve got and build a service around it. A lot of it is fledgling and I think it’s people’s first or second effort at web services. We have done a bunch of web services. We test them, we do a lot of code reviews, so we analyze the code for them. We help them build requirements and those types of things.

I have been talking to SOA appliance vendors and trying to understand hardware versus software security and the need for these appliances. What is your opinion on these devices?

Williams: In the first place, an appliance isn’t really hardware; it is just a filter sitting in front of an application.

Yes, an appliance is actually embedded software. However, I think a lot of organizations that don’t have in-house software security people are throwing these devices on their networks. What is your feeling about this approach?

Williams: They can solve certain kinds of problems; the box can detect certain kinds of attacks. Generally, though, the generic attacks and not ones that are custom-tailored to that particular application. They can identify certain attacks. The biggest problem with them is they can give you a false sense of security, and I think a lot of places feel that they have the box and therefore they are good [protected]. I really think it is much more a 20/80 kind of protection rather than the 80/20 that people believe they are getting. My take on this is that if you want something external to the application to actually enforce some security properties then you have to teach it what to enforce. And it actually turns out to be pretty hard to extract the rules out of your application for what should be allowed and shouldn’t be allowed. So it is pretty hard to pull these rules out and put them into something else like a box. It also creates the problem of keeping the external representation of security in sync with your application code.

So there is an ongoing maintenance problem, right?

Williams: Sure, because now you have to maintain security in two places. The places where I’ve seen it work are where you have a legacy application where you are not going to change the code, and you can’t in some cases, and you want to drop something in to get a limited amount of protection. The other place I have seen it work is where you go into the application development with one of those appliances in mind. I am going to build this whole application assuming that there is going to be a box in front of the application, and so I won’t build certain kinds of security into my application. I am not going to waste my time in application development because I already have it in the box. In that case the security appliance becomes a security component of the application. It just happens to be hosted on a separate box. And that is fine too. But I think it is very difficult for companies to understand what the box is actually doing and what protection they are actually getting. I really don’t see the idea of putting these boxes on your network in most cases.

A lot of companies are putting boxes in front of their applications and feeling they are secure?

Williams: They think that they are getting 80% protection, but they really aren’t. I think the false sense of security is the most dangerous risk of using these appliances. The same sort of thing applies to using application scanning technologies. To say that you have scanned using WebInspect so it’s fine is sort of silly. The problem is that scanning works great on network technologies because everyone is using the same sort of thing - a PIX firewall, a Checkpoint firewall - and they are running Windows, Linux, or Solaris. If you have a database of signatures for those products it’s great and you can scan and find some good findings. It doesn’t work in the application space because applications are custom; everyone has a custom one and nobody is out there building custom signatures for your internal application. So scanning it with a scanner that is full of signatures that don’t match your application is just silly. And that leads to this false sense of security problem. This is the whole message; it is what OWASP is absolutely championing. It is saying that you have to make smart, informed decisions about application security. If you want to build secure applications you can’t just throw technology in front of them; you’ve got to fix your software development process, you have to worry about requirements, testing, secure coding, and all the process steps.

Does OWASP talk to things like process?

Williams: Yes, we have a project called CLASP (Comprehensive Lightweight Application Security Process) which has 7 base practices and then 21 activities that fit into those base practices, all targeted towards achieving secure software. That is a project which we are actively building to be consistent with Microsoft’s SEP, McGraw’s Touchpoints and all sorts of stuff.

In the future we are going to share more metadata between enterprises through the use of SOAP and WS standards. What kind of problems do you think this is going to cause?

Williams: The future is going to be a lot more interconnected, with a lot more trust relationships. I think it is going to be difficult, not to create the connectivity; that is sort of the easy part. Web services make it really easy for parties to communicate data. But the real hard part is figuring out the trust relationships. What are you trusting people to do and what guarantees come along with that data? Who is allowed to access what, etc. I am pretty optimistic about the future there. But the current web services stuff really only simplifies the connectivity, and that is the easy part. The hard part is actually figuring out what security actually means. Take XML-SIG, for instance. It isn’t that complicated to write some code that signs an XML document or some element within the document. But what does it mean – does it mean that you wrote it, that you like it, that you saw it, etc.? To understand what a signature means is a really hard problem. It all comes down to all these different trust relationships that we are building up between all these parties. Negotiating that stuff is hard; it takes developers to think about it. Just having a standard to say how you do it is really only the easiest part of the problem. Sure, I can put a SAML schema in place that says who is allowed to access what and what they are allowed to do. But until you work out what the different roles and groups are, that part of the problem is the hard part. I am optimistic that all of these standards will eventually get simple enough to use and implement.

Security seems to be a major roadblock before we can move forward. As a business person I want to build business processes across enterprises. Are we going to get past this security roadblock?

Williams:  And it is a good roadblock.  It means that you haven’t worked out exactly what it means to exchange certain information with other parties yet.  I have lived through this a couple of times.

There was this ‘web of trust’ idea that evolved with PGP, and then there was the PKI craze that has had various incarnations over the last couple of decades. It is very difficult when you finally get down to all these relationships and what they mean. It’s hard stuff! Even HIPAA has the train of trust idea, which you can talk about conceptually, but actually implementing it technologically is tricky. What I want to do at OWASP is gather together the best resources available to help people wrestle with the real problems. I kind of want one place for developers to know where the best stuff related to web services security is. We want to produce standards, not in the sense of WS-Security kind of standards, but standards for the kind of processes that you need to have in place when you are building a web services interface, etc. But we can produce those kinds of standards and guidelines as well. Maybe guidelines for helping people review web service security, how to test it, how to figure out whether it is secure enough, those kinds of things.

Are security certifications keeping up to date with what is going on with XML, Web Services and SOA?

Williams: You can’t teach students everything all at once. You have to understand networking and you need to understand data structure design, etc. My sense is that they understand XML and it isn’t all that complicated for networking people to pick up. As far as security certifications, I think they are just silly since there is really not anything for developers. It is all theoretical, and how can you provide enough training for Java, .NET developers, etc.? This is a real challenge and maybe someday OWASP will address this security certification need.

Security is this never-ending challenge, right?

Williams: AJAX is next, and now we have to worry about the security of that.

------

Jeff sees the need to include XML, Web Services, and SOA in the OWASP mandate and is looking for volunteers who want to help them move in this direction. For more information on OWASP, check out www.owasp.org.

For more information on Aspect Security products and services, visit www.aspectsecurity.com.

___________________________________________________

Gary E. Smith
SOA Security Architect
