Whitepapers
| 2007 | Aspect, "Enterprise Security Architecture Managing Security across the Lifecycle" The IT industry is doing a good job in “patching” the security holes in our networks and host operating |
| 2006 | Aspect, "OWASP Top Ten - Part I" and "OWASP Top Ten - Part II" These two presentations cover the OWASP Top Ten Most Critical Security Vulnerabilities and what you can do to identify, remediate, and prevent them. |
| 2006 | Aspect/Ounce, "Opening the Black Box: A Source Code Security Analysis Case Study" The report describes a detailed source code security review of a popular open source application, including how specific flaws may affect users, security trends of open source development, and guidelines that professionals should use for verifying the security of applications within their organization. The report documents a detailed security verification of Azureus, the popular open source BitTorrent client, by Aspect’s team of application security experts supported by Ounce Labs’ source code security analysis technology. |
| 2005 | Aspect, "Application Security Initiatives - The Best Defense Is a Good Offense" Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressures by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern – organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications. |
| 2004 | Aspect/OWASP, "Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers" What would you do if you outsourced your web application development to a software shop, only to find out years later that the code they produced is full of security holes? What would you do if you were a developer who wrote the code? Sound familiar? In many organizations, the knee-jerk reaction is to sue the developers on a breach of contract or negligence theory, but that's about the biggest mistake you can make. This column discusses how these disputes happen, how the contracts work, some of the arguments on both sides, and suggests a middle ground that will hopefully help guide you through a delicate situation. |
| 2003 | Aspect/OWASP, "How to Build an HTTP Request Validation Engine for Your J2EE Application" "Never trust anything from the HTTP request." That's rule number one for web application security. If you fail, you open your application to many different forms of injection, overflow, and tampering. So validate everything, before you use it, right? It always sounds so simple, yet most development projects ignore the requirement or implement it very haphazardly. There are many alternative methods of implementing validation, but which is the best? In this article, we'll discuss approaches for validating all of the different parts of the HTTP request. Once we've nailed down a few requirements, we'll use the new regular expression package in Java 1.4 to demonstrate one way of implementing validation. |
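The following is an added example of the allow-list ("positive") validation approach the article above describes. It is written for this listing and is not the article's own code. It uses the same java.util.regex package the article refers to, but with generics (Java 5 and later) rather than Java 1.4 syntax, and the parameter names and patterns are hypothetical rules for an imagined order form. The input map stands in for the servlet container's HttpServletRequest.getParameterMap() so the example runs without a container.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Positive (allow-list) validation of HTTP request parameters. Example code, not the article's. */
public class RequestValidator {

    /** Outcome for one request: parameters that passed, and a rejection reason for each that did not. */
    public static final class Result {
        public final Map<String, String> accepted = new LinkedHashMap<>();
        public final Map<String, String> rejected = new LinkedHashMap<>();
        public boolean ok() { return rejected.isEmpty(); }
    }

    // Hypothetical parameter rules. Each pattern says exactly what is allowed, nothing more.
    // Matcher.matches() must consume the whole value, so no ^ or $ anchors are needed.
    private static final Map<String, Pattern> RULES;
    static {
        Map<String, Pattern> m = new HashMap<>();
        m.put("username", Pattern.compile("[A-Za-z0-9_]{3,20}"));
        m.put("orderId",  Pattern.compile("[1-9][0-9]{0,9}"));
        m.put("email",    Pattern.compile("[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,}"));
        m.put("comment",  Pattern.compile("[A-Za-z0-9 .,!?'()-]{0,200}"));
        RULES = Collections.unmodifiableMap(m);
    }

    /** Validate one parameter. Returns null when it is acceptable, otherwise a short reason. */
    public static String check(String name, String value) {
        if (name == null || value == null) return "missing name or value";
        Pattern p = RULES.get(name);
        // A parameter we never asked for is not validated, it is rejected: unknown input is untrusted input.
        if (p == null) return "unexpected parameter";
        // Refuse control characters (CR, LF, NUL, TAB, DEL) before pattern matching. They are never
        // legitimate in form fields and are the raw material for header injection and log forging.
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7F) return "control character";
        }
        return p.matcher(value).matches() ? null : "does not match allowed pattern";
    }

    /** Validate every parameter of a request (map shape mirrors getParameterMap()). */
    public static Result validate(Map<String, String[]> params) {
        Result r = new Result();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            // A parameter sent twice is a tampering signal (parameter pollution), not a convenience.
            if (values == null || values.length != 1) {
                r.rejected.put(name, "expected exactly one value");
                continue;
            }
            String reason = check(name, values[0]);
            if (reason == null) {
                r.accepted.put(name, values[0]);
            } else {
                r.rejected.put(name, reason);
            }
        }
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample request: two good fields, one script injection attempt,
        // one parameter the form never defined, and one duplicated parameter.
        Map<String, String[]> req = new LinkedHashMap<>();
        req.put("username", new String[] {"alice_01"});
        req.put("orderId",  new String[] {"1234"});
        req.put("comment",  new String[] {"Great product! <script>alert(1)</script>"});
        req.put("admin",    new String[] {"true"});
        req.put("email",    new String[] {"a@example.com", "b@example.com"});
        Result r = validate(req);
        System.out.println("ok=" + r.ok());
        System.out.println("accepted=" + r.accepted);
        System.out.println("rejected=" + r.rejected);
    }
}
```

Two points the patterns alone do not cover: validation must run on the decoded value the application will actually use (a servlet container URL-decodes once, so a double-encoded payload can pass a check on the raw string and still decode later), and a value that passes validation is still data, not markup or SQL, so output encoding and parameterized queries remain necessary downstream.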
| 2003 | Aspect/OWASP, "Access Control (aka Authorization) in Your J2EE Application" I'm not sure how the web application development community got started using the term "authorization" -- but I'm not crazy about it. The simple problem is that developers frequently confuse it with "authentication" -- especially when it is abbreviated "auth". But, more fundamentally, people have used the term "access control" for the past 30 years on every type of system except web applications, and it's confusing to change. For this article, I'm going to talk about "access control" -- just remember that there are a whole bunch of people who like to call it "authorization." |
| 2003 | Aspect/OWASP, "Trustworthy Java - Are your apps bulletproof?" |
| 2003 | OWASP, "The Ten Most Critical Web Application Security Vulnerabilities" |
| 2002 | A rigorous code review focused on finding security flaws is really the only way to manage the security of your web application or web service code. These reviews are a cost-effective way to identify problems and start the process of remediation. The cost of code review services is dramatically outweighed by the expected consequences of attacks by hackers. Aspect has examined the code for complex web applications across many vertical markets, including healthcare, financial, e-commerce, and biotechnology. To date, we have not seen any that did not have at least one major exploitable hole. |
| 1998 | Jeff Williams, "A Practical Approach to Improving and Communicating Assurance" Abstract: Assurance in the security of rapidly evolving enterprises depends on a complex set of evidence. In this paper, we describe a method for structuring this body of evidence into a manageable framework called an "assurance argument." The method is extremely flexible, and is capable of including all relevant claims and evidence. The structure allows the practitioner to compare the costs and benefits of different assurance approaches, to keep track of the rationale for each piece of evidence, and to identify areas where additional evidence is indicated. Further, the approach is modular and allows assurance to be communicated and reused efficiently. Ultimately, assurance arguments enable a better understanding of all the factors that go into creating assurance. This understanding, in turn, plays a major role in the intelligent management of risk. |
| 1998 | Jeff Williams, "Can a 'Social Protocol' Help Protect Privacy?" Abstract: The "Platform for Privacy Preferences", or "P3P", is a protocol from the World Wide Web Consortium (W3C) which allows web sites and browsers to negotiate about privacy. Essentially, web sites offer a proposal to browsers, which details the information requested, provides a rationale for its collection, and describes how it will be protected. This paper responds to unfounded criticisms in the press that P3P will enable sites to force disclosure of personal information. The paper argues that there is no way to tell what effect enabling privacy will have on privacy in general. Further, mandatory privacy law and contractual P3P agreements work well together to provide complete coverage, even across multiple legal jurisdictions. |
| 1998 | Jeff Williams, "Jini and Mobile Agent Security" Abstract: Sun's new Jini technology offers some services that can help mobile agents deal with the problems presented by unreliable networks like the Internet. In particular, the distributed event and transaction manager services could be used for interagent communication. Further, the paper describes how the Linda-based JavaSpace service could provide an asynchronous and anonymous coordination mechanism for agent communication. |
| 1998 | Jeff Williams, "A Practical Approach to Measuring Assurance" Abstract: Assurance has been defined as "the degree of confidence that security needs are satisfied." The problem with this definition is that, unless one has a way to specify security needs in some measurable way, assurance can not be expressed in a measurable way either. The definition leaves the practitioner with the challenge of determining what "security needs" are, whether or not they have been "satisfied," and how to determine "confidence." In this paper, we define assurance as "a measure of confidence in the accuracy of a risk or security measurement." A critical feature of the view of assurance presented here is that it is orthogonal to the measurement of risk and security. High assurance ratings have traditionally been associated with high security and low risk. Our definition permits high assurance to be associated with low security and high risk as well. It also provides a way of deciding whether or not the assurance one has is sufficient. |
| 1998 | Jeff Williams, "System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0" Abstract: The SSE-CMM provides a community-wide (Government and industry) standard metric to establish and advance security engineering as a mature, measurable discipline. The model and its appraisal methods ensure that security is an integral part of engineering efforts that encounter hardware, software, systems, or enterprise security issues. The model defines characteristics of a security engineering process that is explicitly defined, managed, measured, controlled, and effective in all types of engineering efforts. |
| 1997 | Jeff Williams, "A Framework for Reasoning About Assurance" Abstract: Informed decisions about security depend upon a complex set of factors related to both assurance and risk. In this paper we argue for a new definition of assurance, specifically describing its relationship to measurements of risk or security. The following definition expands the traditional definition of assurance to include a broad range of evidence, while narrowing the scope to a specific type of confidence: Assurance is a measure of confidence in the accuracy of a risk or security measurement. In addition, we offer a structure for assurance arguments as a powerful way to communicate the information used in making security decisions. An assurance argument starts with claims about risks and then packages all the evidence and supporting arguments into a logical hierarchical structure. The goal is that these arguments will be capable of reuse in a wide variety of applications, easing the burden of security evaluations. Although this paper does not provide a means by which one can determine assurance need in the sense of some quantitative or even qualitative statement, it does provide a way of deciding whether or not the assurance one has is sufficient, and this, we claim, is quite good enough. |
| 1996 | Jeff Williams, "Just Sick about Security" Abstract: This paper explores the similarities between people's health and the security of complex computer systems. The endless battle between threats to human health and our defense mechanisms has been going on for hundreds of thousands of years and has resulted in an extremely flexible set of protections. Our intrusion detection and immune systems are so good that most attacks go unnoticed. In other disciplines, looking to nature has proven extremely valuable. For example, in aviation, we have found many of the most efficient wing designs in birds and even whales. Perhaps we can look to nature for help understanding the threats to computer systems and even find strategies for protecting against them. In addition to the defenses we have evolved, humans also practice medicine. Advances in nutrition and health care have greatly improved the quality and length of human life. While we have been practicing medicine for almost as long as we have been human, we have only a few decades of experience with protecting computer systems. This is another area to search for help in computer security. |
| 1996 | Jeff Williams, "An Enterprise Assurance Framework" Abstract: This paper explores generating and conveying confidence in enterprise security. An enterprise assurance framework provides a structure for enterprise assurance evidence that strengthens and clarifies the overall enterprise assurance argument. The structure and components of these arguments are defined and then applied to an enterprise. Finally, standards of evidence and evidence trade-offs are mentioned. |
| 1995 | Jeff Williams, "Pretty Good Assurance" Abstract: This paper describes the need for pretty good assurance: clearly stated claims about the security properties of systems, accompanied by evidence that explains in clear terms why we should believe that these claims are substantiated. Several different types of threats are identified and their relationships to assurance are explored. The developer's role in creating an assurance argument is distinguished from the user's role consuming assurance. Finally, some thoughts on the future are presented. |
| 1995 | David Wichers and Jeff Williams, "Need for a Framework for Reasoning about Assurance" Abstract: There has been considerable research into areas such as "process" and "developmental" assurance. Others are pursuing risk-based approaches to securing products and systems. We strongly support this trend towards increasingly flexible assurance. This paper is intended to help define a framework for discussing assurance beyond that provided by testing and analysis of the system design and implementation. |
| 1994 | Jeff Williams, "Assurance is an N-Space (Where N is Hopefully Small)" Abstract: Significant progress in the area of assurance cannot be made without recognizing its multi-dimensional nature. Our challenge is to create a vehicle for understanding and reasoning about assurance that supports its many dimensions. The creation of an assurance N-space provides a framework which supports many different aspects of assurance and, more importantly, the needs of its many consumers. This position paper describes such a space. |
| 1994 | Jeff Williams, "A Capability Maturity Model For Security Engineering" This paper presents a framework for a mature security engineering process and organization that can lead to better, cheaper, and faster development of secure systems and products. A Security Engineering Capability Maturity Model (SE CMM) is being developed to guide process improvement in the practice of security engineering. The model consists of a sequence of levels that guide a security engineering organization toward process improvement through small, incremental steps. The goal of the model is to develop an organizational culture of continuous process improvement. Development and acceptance of the SE CMM can lead to improvements in the practice of security engineering and also the production and measurement of assurance. This paper describes the concept of a SE CMM, promotes an understanding for its need and use, and states our objectives and approach for producing the model. |