OpenID Security
Darren Bounds
dbounds at gmail.com
Fri Feb 6 23:22:46 UTC 2009
Thanks, James,
I don't believe it's quite so binary, nor was I advocating doing
nothing. Based on my experience, automated analysis tools really just
scratch the surface and often result in a false sense of security. If
it can be accomplished for free and with little effort, fantastic.
Furthermore, and as I'm sure you'd agree, I have much more of a
problem with the false negatives than I do with the false positives.
If I were walking into a field that contained a single land mine, I'd
much rather you tell me there are 40 than tell me there are none at
all. :)
With regard to the free OWASP OS analysis, that's great news. I'd love
to hear more about who's actually performing the analysis and how
OWASP is meeting the demand. Feel free to email me offline.
Darren
On Fri, Feb 6, 2009 at 3:43 PM, McGovern, James F (HTSC, IT)
<James.McGovern at thehartford.com> wrote:
> Darren, I would challenge you by saying the following:
>
> 1. In the same sense that it is unreasonable for OpenID to satisfy every
> identity use case on the planet, you also shouldn't expect a static
> analysis toolkit to do the same either.
>
> 2. Which is worse, having to sort through false positives or to not
> perform static analysis at all and have OpenID fail once some bad guy
> busts the implementation so badly that everyone runs away from OpenID?
>
> 3. A small correction on OWASP. OWASP DOES perform analysis on OPEN
> SOURCE implementations at no cost. If you have a commercial version,
> then you need to pay. The open source implementations simply need to
> submit their code to http://owasp.fortify.com to get the process
> started.
>
> 4. The link above is merely hosted by Fortify and they provide the
> tools. The actual execution of scanning isn't even done by Fortify
> employees but other members of the OWASP community.
>
> 5. FYI, I am the project leader for several OWASP projects and am the
> chapter leader for Hartford (one of the largest). Our next meeting is on
> Tuesday at 5pm Eastern where we will have Mary Ruddy of Higgins
> presenting. Our meetings are free to attend and for this one, we will
> also be webcasting it. The webinar information will be sent out on
> Monday to the mailing list. Subscribe at:
> http://lists.owasp.org/mailman/listinfo/owasp-hartford If you would like
> to attend in person, here is the information:
> http://www.owasp.org/index.php/Hartford
>
> 6. Engaging a reputable third party isn't a bad idea but keep in mind
> that "part" of their assessment will use the same automated tools. Firms
> I like include Security Compass (http://www.securitycompass.com), Artec
> (http://www.artecgroup.net), and Cigital (http://www.cigital.com).
>
> Date: Thu, 5 Feb 2009 15:48:06 -0500
> From: Darren Bounds <dbounds at gmail.com>
> Subject: Re: OpenID Security
> To: "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
> Cc: specs at openid.net
> Message-ID:
> <26563eca0902051248o446aa21br23aeb19f743ae40e at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I do not believe OWASP presently does any active vulnerability analysis.
> Rather they provide definition around best practices and reference
> material around web application security as well as a small set of open
> source vulnerability analysis and penetration testing tools.
>
> With regard to the Fortify link you sent previously; in my experience
> thus far, I have not found a single automated vulnerability analysis
> tool that's worth the price tag or the effort involved in tuning it.
> More often than not they find nothing more than low hanging fruit and
> false positives. Even worse, they often miss more than they catch,
> resulting in a large number of false negatives. Subsequently any
> 'certification' an automated tool can provide should be taken with a
> grain of salt.
>
> IMO, if a formal security assessment is desirable, it would be much more
> fruitful to engage a reputable 3rd party to perform one manually.
>
>
> Darren
--
Thank you,
Darren Bounds