AppSec Blog

AppSec Blog

Safer Software through Secure Frameworks

We have to make it easier for developers to build secure apps, especially Web apps. We can't keep forcing everybody who builds an application to understand and plug all of the stupid holes in how the Web works on their own — and to do this perfectly right every time. It's not just wasteful: it's not possible.

What we need is implementation-level security issues taken care of at the language and framework level. So that developers can focus on their real jobs: solving design problems and writing code that works.

Security Frameworks and Libraries

One option is to get developers to use secure libraries that take care of application security functions like authentication, authorization, data validation and encryption. There are some good, and free, tools out there to help you.

If you're a Microsoft .NET developer, there's Microsoft's Web Protection Library which provides functions and a runtime engine to protect .NET apps from XSS and SQL Injection.

Java developers can go to OWASP for help. As a starting point, someone at OWASP wrote up a summary of available Java security frameworks and libraries. The most comprehensive, up-to-date choice for Java developers is OWASP's ESAPI Enterprise Security API especially now that the 2.0 release has just come out. There are some serious people behind ESAPI, and you can get some support from the OWASP forums, or pay Aspect Security to get help in implementing it. ESAPI is big, and as I've pointed out before unfortunately it's not easy to understand or use properly, it's not nicely packaged, and the documentation is incomplete and out of date — although I know that people are working on this.

Or there's Apache Shiro (FKA JSecurity and then later as Apache Ki), another secure framework for Java apps. Although it looks simpler to use and understand than ESAPI and covers most of the main security bases (authentication, authorization, session management and encryption), it doesn't help take care of important functions like input validation and output encoding. And Spring users have Spring Security (Acegi) a comprehensive, but heavyweight authorization and authentication framework.

If you aren't using ESAPI's input data validation and output encoding functions to help protect your app from XSS attacks and other injection attacks, you could try OWASP's Stinger declarative validators (although unfortunately Stinger isn't an active project any more). Or maybe OWASP's AntiSamy, an un-cool name for a cool library to sanitize rich HTML input data; or the newer, faster Java HTML Sanitizer built with technology contributed by Google: handy if you're writing a bulletin board or social network.

Or you could check out the new auto-escaping technology that Jim Manico presented at this year's SANS AppSec conference including Facebook's XHP (for PHP programmers), OWASP's JXT Java XML Templates , Google's Context-Sensitive Auto-Sanitization (CSAS),and Javascript sandboxing from Google (CAJA — used in the new OWASP HTML Sanitizer) or from OWASP (JSReg). And JQuery programmers can use Chris Schmid'ts JQuery Encoder to safely escape untrusted data.

To add CSRF protection to your app, try OWASP's CSRFGuard. If all you want to do is solve some encryption problems, there's Jasypt — the Java Simplified Encryption library — and of course The Legion of the Bouncy Castle: a comprehensive encryption library for Java (and C#).

For developers working in other languages like Ruby and PHP and Objective C, there are ports or implementations of ESAPI available, although these aren't as up-to-date or complete as the Java implementation. Python developers working with the Django framework can check out Django Security a new library from Rohit Sethi at SD Elements.

There are other security frameworks and libraries out there — if you know where to look. If you use this code properly, some or maybe even a lot of your security problems will be taken care of for you. But you need to know that you need it in the first place, then you need to know where to find it, and then you need to figure out how to use it properly, and then test it to make sure that everything works. Fast-moving Agile teams building new apps using simple incremental design approaches or maintenance teams fixing up legacy systems aren't looking for auto-escaping templating technology or enterprise security frameworks like ESAPI because this stuff isn't helping them to get code out of the door — and many of them don't even know that they need something like this in the first place.

Frameworks and Libraries that are Secure

To reach application developers, to reduce risk at scale, we need to build security into the application frameworks and libraries, especially the Web frameworks, that developers already use. Application developers rely on these frameworks to solve a lot of fundamental plumbing problems — and they should be able to rely on these frameworks to solve their problems in a secure way. A good framework should protect developers from SQL Injection and other injection attacks, and provide strong session management including CSRF protection, and auto-escaping protection against XSS. Out of the box. By default.

Ruby on Rails is one example: a general-purpose Web framework that tries to protect developers from CSRF, SQL Injection and now auto-escaping protection against XSS in release 3. Ruby and Rails have security problems but at least the people behind this platform have taken responsible steps to protect developers from making the kind of fundamental and dangerous mistakes that are so common in Web apps.

Solving security problems in frameworks isn't a new idea. Jeremiah Grossman at Whitehat Security talked about this back in 2006:

The only way I see software security improving significantly is if "security" is baked into the modern development frameworks and be virtually transparent. Remember, the primary developers mission is to pump out code to drive business and that's what they'll do not matter what. When developers find that its WAY easier and WAY better to do RIGHT by security, then we'll get somewhere.

Unfortunately, we haven't made a lot of progress on this over the last 5 years. A handful of people involved in OWASP's Developer Outreach are trying to change this, working within some of the framework communities to help make frameworks more secure. It seems hopeless — after all, Java developers alone have dozens of frameworks to choose from for Web apps. But Jim Manico made an important point: to start making a real difference, we don't need to secure every framework. We just need to make common, important frameworks safer to use, and secure by default: Spring, Struts, Rails, the main PHP and Python frameworks. This will reach a lot of people and protect a lot of software. Hopefully more people will stick with these frameworks because they are feature-rich, AND because they are secure by default. Other teams building other frameworks will respond and build security in, in order to compete. Building safer frameworks could become self-reinforcing as more people get involved and start understanding the problems and solving them. Even if this doesn't happen, at least developers using some of the more popular frameworks will be protected.

Building secure frameworks and frameworks that are secure isn't going to solve every application security problem. There are security problems that frameworks can't take care of. We still need to improve the tools and languages that we use, and the way that we use them, the way that we design and build software. And the frameworks themselves will become targets of attack of course. And we're all going to have to play catch up. Changing the next release of web application frameworks isn't going to make a difference to people stuck maintaining code that has already been written. Developers will have to upgrade to take advantage of these new frameworks and learn how to use the new features. But it will go a long way to making the software world safer.

There are only a handful of people engaged in this work so far — most of them on a part-time basis. Such a small group of people, even smart and committed people, aren't going to be able to change the world. This is important work: I think some of the most important work in application security today. If a government or a major corporation (unfortunately, I don't work for either) is really looking for a way to help make the Web safer, this it — getting the best and brightest and most dedicated people from the appsec and application development communities to work together and solve foundational problems with wide-reaching impact.

To find out more, or to engaged, join the OWASP Developer Outreach.

1 Comments

Posted June 07, 2011 at 1:32 PM | Permalink | Reply

Rohit Sethi

Hey Jim, great post. I should point out that I'm not the one creating the Django security library - it's a bunch of smart guys on my team, lead by Sam Chapin.

I've spent a lot of time on this very problem. One of the biggest issues here is that there's no wide consensus on which features ought to be in "by default". Not everyone is security conscious, and so while some of us may think that adding security controls like automatic contexual escaping is a good idea there will be others who think this kind of control creates undesired behavior.

My guess is that we'll see a divergence of frameworks that actually want to be known as taking security seriously (such as Django, Lift, Snap, etc.) and others which prefer security to be largely relegated to third party packages rather than default settings or options.

Post a Comment






Captcha

* Indicates a required field.