OPA: Language Support for a
                   Sane, Safe and Secure Web



                          David Rajchenbach-Te...
What Automated Solutions Miss
 What it’s all about

   Theoretical
      Logic flaws (business and application)
      Design ...
OPA: Language Support for a Sane, Safe and
Secure Web



General approach
Keeping in the Smart Useful
Filtering out the...
Web Applications
(high-level design)

   [diagram: Logics / App / App ...]
Web Applications
(what we see)

   [diagram: JavaScript / Web Browser / Web Server ...]
The general idea

               “If you can’t solve the problem, change the problem.”
                                   ...

                   OWASP   6
Web applications
(with OPA)

   [diagram: Logics / OPA ...]
General OPA design

Clean-slate design
  Based on formal methods
  Safe languages from the bottom up

One language for ...

                                             Joe doesn’t need
                                                 to know
Hello, web

  server = one_page_server("Hello, web", -> <>Hello, web</>)

1) Compile
   C...
URL shortener (22 loc)

 db /abbrevs: intmap(string)
 db /abbrevs[_] = "/"

 make_shorter(url:string):string =
   key = Db...
Nice web chat
       type mess = {id: string; message: string}
       room = Network.empty():Network.network(mess)
       ...
There’s more

Games

Productivity tools

Development tools

Security applications

e-Commerce applications

...


  ...
Things we can do (and check!)

                         Programmable security policies
     Ajax            SOAP          ...
Transparent protections

       type mess = {id: string; message: string}
       room = Network.empty():Network.network(mess)
       ...

                                        All communications
                                        ...
More

        A1-Injection               A6-Security Misconfiguration


A2-Cross Site Scripting (XSS)   A7-Insecure Cryptog...
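The chat fragment on the "Transparent protections" slide drops the `message` field straight into the page, and the slide's claim (and the A2 entry above) is that this is safe by construction: in OPA, HTML is a distinct type, so a string can only enter it by being escaped, and the compiler rejects anything else. The Python below is an added example that reproduces that discipline as a small library; it is not OPA code and not from the slides, and the names `Html`, `text`, `element`, `chat_line`, `unsafe_chat_line` and the sample payload are my own. The caveat is visible in the code: Python cannot stop a caller from wrapping untrusted input in `Html(...)` directly, so here the guarantee is a convention backed by review or a static type checker, whereas OPA enforces it at compile time.

```python
"""Typed HTML fragments: the "HTML is a type, not a string" idea behind
OPA's transparent XSS protection, reproduced in Python (added example,
not OPA code).  Names and the sample payload are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from html import escape
from typing import Union
from urllib.parse import urlsplit

# Constructed sample input: what a hostile user might type into the chat box.
PAYLOAD = "<script>alert(document.cookie)</script>"


@dataclass(frozen=True)
class Html:
    """A fragment that is already safe to emit.

    Treat the constructor as trusted-only: OPA's compiler enforces the
    str/Html split statically, Python relies on convention plus a type checker.
    """
    markup: str

    def __add__(self, other: "Html") -> "Html":
        if not isinstance(other, Html):  # a bare str must go through text()
            raise TypeError("only Html can be concatenated with Html")
        return Html(self.markup + other.markup)

    def __str__(self) -> str:
        return self.markup


_NAME = re.compile(r"^[a-z][a-z0-9-]*$")   # tag and attribute names we accept
_URL_ATTRS = {"href", "src", "action"}     # attributes that carry a URL


def text(value: str) -> Html:
    """Untrusted text -> Html: escapes & < > " ' so the result is inert in
    both element-content and quoted-attribute context."""
    return Html(escape(value, quote=True))


def element(tag: str, *children: Union[str, Html], **attrs: str) -> Html:
    """Build <tag attrs>children</tag>.

    str children are escaped, Html children are kept verbatim; attribute
    names are validated, event handlers (on*) are refused, and URL attributes
    must carry an http(s) scheme so javascript: links cannot be smuggled in.
    """
    if not _NAME.match(tag):
        raise ValueError(f"bad tag name {tag!r}")
    parts = []
    for name, value in attrs.items():
        name = name.rstrip("_").replace("_", "-")  # class_ -> class, data_id -> data-id
        if not _NAME.match(name) or name.startswith("on"):
            raise ValueError(f"refusing attribute {name!r}")
        if name in _URL_ATTRS and urlsplit(value).scheme not in ("http", "https"):
            raise ValueError(f"{name} must be an http(s) URL, got {value!r}")
        parts.append(f' {name}="{escape(value, quote=True)}"')
    body = "".join(c.markup if isinstance(c, Html) else escape(c, quote=True)
                   for c in children)
    return Html(f"<{tag}{''.join(parts)}>{body}</{tag}>")


def chat_line(sender: str, message: str) -> Html:
    """Render one chat message (mirrors the slide's {id; message} record)."""
    return element("div", element("b", sender), ": ", message, class_="mess")


def unsafe_chat_line(sender: str, message: str) -> str:
    """The string-concatenation rendering that the typed version replaces."""
    return f'<div class="mess"><b>{sender}</b>: {message}</div>'


if __name__ == "__main__":
    print(unsafe_chat_line("mallory", PAYLOAD))  # <script> reaches the browser
    print(chat_line("mallory", PAYLOAD))         # <script> is inert text
```

Running the module prints the two renderings side by side: the f-string version forwards the script tag, the typed version emits `&lt;script&gt;...` and, because `Html + str` raises, a maintainer cannot quietly splice raw input back in without going through `text()` or the trusted constructor.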
progress)

      What Automated Solutions Miss

   Theoretical
            Logic flaws (business and application)
  ...
Theoretical foundations


Building on 30+ years of research in formal
 methods & language theory.

Key for precise analy...
False positives

False positives are annoying but not that bad --
 as long as they are predictable and there’s a
 workaro...
Future

Eliminate CSRF.

Extend per-application security policy.

Extend per-library/per-data safety policy.

Plenty o...
That’s all, folks!

  http://www.mlstate.com

Thanks and apologies to David Byrne & Charles Anderson
                for hijacking their slides
Opa @ owasp 2010

Web applications and services have critical needs in terms of safety, security and privacy: they need to remain available constantly and can at any time be the object of attacks by malicious and anonymous distant users attempting to take control, alter data or steal it, or cause unwanted behaviors. Unfortunately, recent history shows numerous cases of popular web applications falling victim to such attacks, despite careful attempts to secure them.

In this talk, we introduce OPA (One Pot Application), a new platform based on formal methods, designed to make web development sane, safe and secure. OPA provides an integrated methodology where the complete application is written with one simple language with consistent semantics, enforces safe use of the infrastructure through compile-time static checking and a novel programming paradigm suited to the web and encourages correct-by-construction development.

  • 7 years project coming to fruition
    I had to swear upon everything I hold sacred that I would not attempt to sell anything to you. So, I'm going to do something else. I'm going to steal one of yesterday's presentations.

  • I'd like to introduce you to a concept that may be new to some in this room. In technical terms, we call it a web application.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven't even started securing your application itself.

    Ok, if you're like me, at this stage, you're starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We're in a 21st-century setting and we're still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we're addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven&amp;#x2019;t even started securing your application itself.

    Ok, if you&amp;#x2019;re like me, at this stage, you&amp;#x2019;re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We&amp;#x2019;re in a 21st setting and we&amp;#x2019;re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we&amp;#x2019;re addressing them with what? With patches and sandboxing.
  • Opa @ owasp 2010

    1. OPA: Language Support for a Sane, Safe and Secure Web
       David Rajchenbach-Teller, Head of R&D, MLstate
       David.Teller@mlstate.com, twitter.com/mlstate, +33 1 55 43 76 55
       OWASP, June 24th, 2010
       Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
    2-4. What it’s all about: What Automated Solutions Miss
       Theoretical:
         - Logic flaws (business and application)
         - Design flaws
         - The Stupid
       Practical:
         - Difficulty interacting with Rich Internet Applications (RIA)
         - Complex variants of common attacks (SQL Injection, XSS, etc.)
         - Cross-Site Request Forgery (CSRF)
         - Uncommon or custom infrastructure
         - Authorization enforcement
         - Abstract information leakage
       “Automated vs. Manual: You can’t filter The Stupid” (Charles Henderson, David Byrne, AppSec DC 2009 + 2010)
       “Oh, yeah?” (The MLstate team, AppSec Research 2010)
    5-6. OPA: Language Support for a Sane, Safe and Secure Web (outline)
       - General approach
       - Keeping in the Smart (Useful)
       - Filtering out the Stupid (Fragile)
       - Lessons and Future
    7. Web Applications (high-level design)
       Diagram of the tiers of a web application: Logics, App Storage, App Delivery, UI, Users.
    8-13. Web Applications (what we see)
       Diagram: a Web Browser (JavaScript) talking to several Web Servers (PHP? Java? +scripts; “Who knows?”), each running a Language or Framework layer on top of a Database. Every box is annotated “Config error?” and every link between boxes “Protocol ?”.
       Threats mapped onto the diagram: CSRF, protocol exploit, info leak, sniffing, data injection, memory injection, XSS injection, SQL injection, contamination, known exploits.
       Plus: phishing; (D)DoS and economic (D)DoS; Flash, Silverlight, Gears, XPCOM, Java(FX), NativeClient, Acrobat, QT...; keyloggers; ...
    14-19. The general idea
       “If you can’t solve the problem, change the problem.” (Ferengi Rule of Acquisition #408)
       “What if the problem is that Joe User is stupid?” (Joe Developer)
       “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” (Ferengi Rule of Acquisition #408, contd.)
       “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer)
       “Haven’t I answered that question already?” (Ferengi Rule of Acquisition #408, contd.)
       “...oh, and don’t forget to make sure that Joe can still use the tools!” (Ferengi Rule of Acquisition #408, contd.)
    20-22. Web applications (with OPA)
       Diagram: the same tiers as slide 7 (Logics, App Storage, App Delivery, UI, Users), with OPA covering all of them and one region of the diagram marked Untrusted.
    23-27. General OPA design
       - Clean-slate design: based on formal methods; safe languages from the bottom up. (Joe doesn’t need to know.)
       - One language for the whole application: glue & checks generated automatically; no impedance mismatch. (Simpler than LAMP.)
       - “Just” a distributed system, in which not all principals are trusted, and communications use web standards. Security is (mostly) automatic. (Joe doesn’t need to know.)
    28-29. OPA: Language Support for a Sane, Safe and Secure Web (outline, repeated): General approach; Keeping in the Smart (Useful); Filtering out the Stupid (Fragile); Lessons and Future
    30-31. Hello, web
       server = one_page_server("Hello, web", -> <>Hello, web</>)
       A complete web application.
       1) Compile: opa hello.opa
       2) Run: ./hello.exe
       3) Test: browse http://localhost:8080
    32-33. URL shortener (22 loc)
       // Database
       db /abbrevs: intmap(string)
       db /abbrevs[_] = "/"

       make_shorter(url:string):string =
         key = Db.fresh_key(/abbrevs)
         do /abbrevs[key] <- url
         "{key}"
       _ = @server(make_shorter)

       // Control
       do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))])

       // UI
       urls = parser
       | "/" dest=Rule.integer ->
           Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>, {address_moved}, 0, /abbrevs[dest])
       | .* ->
           Resource.html("MLstate redirector",
           <>Please enter a URL you wish to shorten<br/>
           <input id="origin"/><button onclick={do_shorten}>Shorten</button>
           <div id="shortened"></div>
           </>)

       server = simple_server(urls)
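    The two security-relevant lines in the shortener are `_ = @server(make_shorter)`, which makes `make_shorter` the only piece of application logic a browser can invoke, and `"/" dest=Rule.integer`, which means the database is only ever indexed by a parsed integer. This is the “glue & checks generated automatically” point from the General OPA design slides made concrete. The block below is an added example in plain JavaScript (Node.js, no dependencies); it is not OPA code and not MLstate’s implementation of either mechanism. It re-creates the shortener with an explicit published-function table standing in for `@server`, an integer-only route parser standing in for `Rule.integer`, and an in-memory `Map` standing in for `db /abbrevs`. The http(s)-only check on stored targets is an extra check that is not on the slide.

```javascript
"use strict";

// Hypothetical in-memory stand-in for the slide's `db /abbrevs: intmap(string)`.
const abbrevs = new Map();
let nextKey = 0;

// Stand-in for Db.fresh_key(/abbrevs): a key is handed out once and never reused.
function freshKey() {
  return nextKey++;
}

// Server-side make_shorter. The http(s)-only check is an addition that is not
// on the slide: a shortener that redirects to whatever it stored would
// otherwise redirect to a javascript: or data: URL just as readily.
function makeShorter(url) {
  if (typeof url !== "string") {
    throw new TypeError("url must be a string");
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    throw new Error("not an absolute URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error("only http(s) targets may be shortened");
  }
  const key = freshKey();
  abbrevs.set(key, parsed.href);
  return String(key);
}

// The equivalent of `_ = @server(make_shorter)`: this table is the whole
// client-callable surface. freshKey and the map are not in it, so a client
// cannot reach them whatever name it sends.
const PUBLISHED = Object.freeze({
  make_shorter: makeShorter,
});

// Server-side dispatch of one client call {fn, args}. hasOwnProperty is used
// deliberately so that names such as "constructor" or "__proto__" do not
// resolve through the prototype chain to something callable.
function dispatch(call) {
  if (!Object.prototype.hasOwnProperty.call(PUBLISHED, call.fn)) {
    return { ok: false, error: "unknown function" };
  }
  const fn = PUBLISHED[call.fn];
  if (!Array.isArray(call.args) || call.args.length !== fn.length) {
    return { ok: false, error: "bad arguments" };
  }
  try {
    return { ok: true, result: fn(...call.args) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Route parser mirroring `parser | "/" dest=Rule.integer -> ... | .* -> ...`.
// Only a whole decimal integer reaches the redirect branch, so the map is
// indexed by integers and nothing else; "/12abc" or "/../x" fall through to
// the form page, exactly as the catch-all `.*` branch does.
function route(path) {
  const m = /^\/(\d+)$/.exec(path);
  if (m === null) {
    return { kind: "form" };
  }
  const dest = Number(m[1]);
  // Unknown keys get the slide's default value: db /abbrevs[_] = "/"
  const location = abbrevs.has(dest) ? abbrevs.get(dest) : "/";
  return { kind: "redirect", location };
}

// Stand-alone walk-through when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const r = dispatch({ fn: "make_shorter", args: ["https://owasp.org/"] });
  console.log(r, route("/" + r.result));
  console.log(dispatch({ fn: "freshKey", args: [] }));
  console.log(dispatch({ fn: "make_shorter", args: ["javascript:alert(1)"] }));
  console.log(route("/abc"));
}
```

    In OPA the published table and the typed route parser are produced by the compiler from `@server` and `Rule.integer`; here they are written by hand, which is exactly the step Joe Developer is otherwise expected to get right on every endpoint.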
37. Nice web chat

  type mess = {id: string; message: string}

[Real-time web]
  room = Network.empty():Network.network(mess)
  connect(callback) = Network.add(Session.make_callback(callback), room)
  make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room)

  styled_page(title, body) = (
    Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, [])
  )

[UI]
  user_update(x:mess) = (
    line = <div class="opa-line">
      <div class="opa-wrap"><div class="opa-user">{x.id}:</div>
      <div class="opa-message">{x.message}</div></div>
    </div>
    do exec([#show +<- line ])
    Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show))
  )

  start(connexion) = (
    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")
    broadcast = make_broadcaster(id)
    styled_page("Chat",  //Display
      // connect takes the callback that renders each incoming message
      <script onload={_ -> connect(user_update)}/>
      <div id="header"><div id="logo"></div></div>
      <div id="show"></div>
      <input id="entry"/>
      <div class="opa-button" onclick={broadcast}>Send!</div>
    )
  )

[URLs]
  urls      = parser .* -> start
  resources = @static_include_directory("resources")
  server    = Server.make(Resource.add_auto_server(resources, urls))
38. There's more
- Games
- Productivity tools
- Development tools
- Security applications
- e-Commerce applications
- ...
40. Things we can do (and check!)
Programmable security policies, Ajax, SOAP, complex database, XML processing, Comet, fine-grained sessions, time-unlimited rollback, distribution, multitasking, higher-order database, user interface, concurrent transactions, WSDL, higher-order programming, data history, capabilities, ...
41. OPA: Language Support for a Sane, Safe and Secure Web
- General approach
- Keeping in the Smart / Useful
- Filtering out the Stupid / Fragile
- Lessons and Future
49. Transparent protections

  type mess = {id: string; message: string}
  room = Network.empty():Network.network(mess)
  connect(callback) = Network.add(Session.make_callback(callback), room)

[All communications are checked]
  make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room)

  styled_page(title, body) = (
    Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, [])
  )

[All insertions are checked]
  user_update(x:mess) = (
    line = <div class="opa-line">
      <div class="opa-wrap"><div class="opa-user">{x.id}:</div>
      <div class="opa-message">{x.message}</div></div>
    </div>
    do exec([#show +<- line ])
    Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show)
  )

[Per-user capability?*]
  start(connexion) = (
    id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")
    broadcast = make_broadcaster(id)
    styled_page("Chat",  //Display
      // connect takes the callback that renders each incoming message
      <script onload={_ -> connect(user_update)}/>
      <div id="header"><div id="logo"></div></div>
      <div id="show"></div>
      <input id="entry"/>
      <div class="opa-button" onclick={broadcast}>Send!</div>
    )
  )

  urls      = parser .* -> start
  resources = @static_include_directory("resources")
  server    = Server.make(Resource.add_auto_server(resources, urls))
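The "all insertions are checked" rule above, modelled in Python as an added example (this is not OPA code and not from the deck): markup is its own type, a plain string that lands in a markup hole such as `{x.message}` is escaped on the way in, and the DOM accepts only the markup type. The names Xhtml, x, Dom and raw_string_rejected are this example's own, and the sample message is constructed.

```python
# Added illustration, not OPA code and not from the deck: a Python model of
# OPA's rule that every DOM insertion is checked. Markup is its own type,
# a plain string that lands in a markup hole is escaped on the way in, and
# the DOM refuses anything that is not already markup. Names are ours.
from dataclasses import dataclass
from html import escape


@dataclass(frozen=True)
class Xhtml:
    """Markup that has already been checked: the only thing the DOM accepts."""
    markup: str


def x(template: str, **holes: object) -> Xhtml:
    """Fill a trusted template the way OPA fills `{x.message}`: an Xhtml value
    is spliced as-is, anything else is text and is escaped (quotes included,
    so it is also safe inside attribute values). Substituted text is never
    re-parsed, so user input cannot introduce a tag, attribute or new hole."""
    filled = {
        name: value.markup if isinstance(value, Xhtml) else escape(str(value), quote=True)
        for name, value in holes.items()
    }
    return Xhtml(template.format(**filled))


def user_update(msg: dict) -> Xhtml:
    """Python rendering of the chat's user_update: one line destined for #show."""
    return x(
        '<div class="opa-line"><div class="opa-wrap">'
        '<div class="opa-user">{id}:</div>'
        '<div class="opa-message">{message}</div></div></div>',
        id=msg["id"],
        message=msg["message"],
    )


class Dom:
    """Stand-in for the #show element. `append` plays the role of `#show +<- line`."""

    def __init__(self) -> None:
        self.children: list[Xhtml] = []

    def append(self, line: object) -> None:
        # The type check is what OPA's compiler does statically; here it is a runtime guard.
        if not isinstance(line, Xhtml):
            raise TypeError(f"DOM insertion needs Xhtml, got {type(line).__name__}")
        self.children.append(line)

    def render(self) -> str:
        return "".join(child.markup for child in self.children)


def raw_string_rejected(dom: Dom, text: str) -> bool:
    """True when the DOM refuses an unchecked string, as OPA's type checker would."""
    try:
        dom.append(text)
    except TypeError:
        return True
    return False


# Constructed sample: a chat message carrying markup that must be shown as text, not executed.
SAMPLE = {"id": "mallory", "message": "<b>hi</b><script>x()</script>"}

if __name__ == "__main__":
    show = Dom()
    show.append(user_update(SAMPLE))
    print(show.render())
```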
50. More (OWASP Top 10)
- A1 Injection
- A2 Cross Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross Site Request Forgery (CSRF)
- A6 Security Misconfiguration
- A7 Insecure Cryptographic Storage
- A8 Failure to Restrict URL Access
- A9 Insufficient Transport Layer Protection
- A10 Unvalidated Redirects and Forwards
54. What Automated Solutions Miss
- Theoretical
  - Logic flaws (business and application) (in progress)
  - Design flaws
  - The Stupid (what we do best)
- Practical
  - Difficulty interacting with Rich Internet Applications (RIA) (been there, done that)
  - Complex variants of common attacks (SQL Injection, XSS, etc) (been there, done that)
  - Cross-Site Request Forgery (CSRF) (in progress)
  - Uncommon or custom infrastructure (abstract & specify them away!)
  - Authorization enforcement (been there, done that)
  - Abstract information leakage (been there, done that)
55. OPA: Language Support for a Sane, Safe and Secure Web
- General approach
- Keeping in the Smart / Useful
- Filtering out the Stupid / Fragile
- Lessons and Future
57. Theoretical foundations
Building on 30+ years of research in formal methods & language theory.
- Key for precise analysis.
- Key for precise optimizations.
58. False positives
- False positives are annoying but not that bad -- as long as they are predictable and there's a workaround.
- Experienced developers make safety/security mistakes quite often.
- False positives often later reveal themselves as true positives.
59. Future
- Eliminate CSRF.
- Extend per-application security policy.
- Extend per-library/per-data safety policy.
- Plenty of additional features!
- Hiring you?
61. That's all, folks!
Thanks and apologies to David Byrne & Charles Anderson for hijacking their slides.
http://www.mlstate.com