Friday, November 20, 2009

OWASP Top 10 -2010 RC
Open Web Application Security Project (OWASP), an open-source application security project, has published a release candidate version of the OWASP Top 10 Project for comments and feedback. You can download it from http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf.
The OWASP Top 10 was always perceived as a list of the 10 most common weaknesses in web applications; this release makes it clear that the OWASP Top 10 Project is about the top 10 risks. As a result, OWASP reshuffled the order of the items on the list, since it is now based on the estimated risk instead of the frequency of the associated weakness.
In addition, two items were added and two were removed:
  • ADDED: A6 – Security Misconfiguration
  • ADDED: A8 – Unvalidated Redirects and Forwards
  • REMOVED: A3 – Malicious File Execution
  • REMOVED: A6 – Information Leakage and Improper Error Handling
Please review and contribute your thoughts and comments.

Tuesday, November 10, 2009

Ubuntu 9.10 Is Out!

Ubuntu 9.10 (nicknamed Karmic Koala) is out, and it has a number of security improvements over the previous version that I would like to highlight:
  • AppArmor - AppArmor was introduced earlier than Karmic Koala; in this release it features an improved parser that uses cache files, greatly speeding up initialisation on boot (making it less likely to be switched off by users), and a bunch of additional profiles.
  • Uncomplicated Firewall - Another "not new" feature which now supports filtering by interface and egress filtering.
  • Non-eXecutable Emulation - Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), can help block many exploits an attacker might run from stack or heap memory. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation.
  • Blocking Module Loading - To block the loading of any further modules after boot, the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists, adding another layer of protection against attackers loading kernel rootkits.
  • Position-Independent Executables - All programs built as Position Independent Executables (PIE) with "-fPIE -pie" (gcc -pie -fPIE) can take advantage of exec Address Space Layout Randomisation (ASLR). This protects against "return-to-text" and generally frustrates memory corruption attacks.
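As an added example (my own script, not part of the Ubuntu release notes or this post), a small POSIX shell audit of three of the features above on a running system: whether a given binary was linked as a PIE (ELF type DYN rather than EXEC), whether the CPU advertises the NX flag, and whether modules_disabled has already been flipped to 1. File paths are parameters so the checks can be tried against constructed sample files; the function names are my own.

```shell
#!/bin/sh
# Audit helpers for the Karmic hardening features (added example, assumed names).

# Print the ELF e_type of a file: 2 = EXEC (fixed load address),
# 3 = DYN (PIE or shared object). e_type is a 16-bit little-endian
# field at byte offset 16 of the ELF header.
elf_type() {
    od -An -t u1 -j 16 -N 2 "$1" | awk '{ print $1 + $2 * 256 }'
}

# Succeed when the binary was linked with -pie (ELF type DYN).
is_pie() {
    [ "$(elf_type "$1")" -eq 3 ]
}

# Succeed when the cpuinfo file (default /proc/cpuinfo) lists the nx flag.
has_nx() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "nx") found = 1 }
         END { exit !found }' "${1:-/proc/cpuinfo}"
}

# Succeed when the one-way sysctl (default path) has been set to 1.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Human-readable report for one binary on the live system.
audit() {
    if is_pie "$1"; then echo "$1: PIE (ASLR applies to the text segment)"
    else echo "$1: not PIE (fixed load address)"; fi
    if has_nx; then echo "CPU: NX/XD supported in hardware"
    else echo "CPU: no NX flag (software emulation at best)"; fi
    if modules_locked; then echo "kernel: module loading is locked"
    else echo "kernel: module loading still allowed"; fi
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```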
A full list of Ubuntu security features can be found at https://wiki.ubuntu.com/Security/Features.