CSC/ECE 517 Fall 2009/wiki1b 8 va: Difference between revisions
Revision as of 00:07, 18 September 2009

+++ Remove these lines between the +++ when done; this is to keep us on track: _________ Note: the blanks indicate where more work needs to be done; () indicates things we need to consider / work on

Wiki topic: Today’s web developers must absolutely consider application security as they develop and deploy web applications. At the start of this year, several organizations jointly released a list of “the 25 Most Dangerous Programming Errors and How to Fix Them.” Show how the design of Ruby and Rails helps mitigate these common errors. How do Ruby and Rails compare to other Web frameworks in defending against these problems? +++


Security errors are a major problem in today's applications. Ruby on Rails has many features that automatically prevent security holes. There are additional tools and plugins for Ruby and Rails that can reduce the risks.

Built-in features that can enhance security:

  • Largely automated design
  • Virtual machine (lack of direct access to OS commands)
  • Duck typing ______ (this can be a good or bad thing)
  • Test-case tools such as Test::Unit, built into Aptana's Ruby plug-in for Eclipse
  • Protection? ______ command

Tools and plugins: (Is this outside the scope? Revisit later; let's get the basics down first) _______

  • Cucumber - Outside-in testing: (elaborate, add link) ________
  • Tarantula - A web site that tests applications for common vulnerabilities (add link) _____
  • RSpec - Another testing framework that works with Eclipse and provides documentation capabilities
  • Clearance - A gem used to perform user login with hashed passwords

Common security errors and their mitigations: ____ (Should we summarize the list later? This may be copying too much from the site http://www.sans.org/top25errors/#s4. Perhaps we don't need to show the mitigation of each error, just how certain features mitigate certain errors. Perhaps we could make a table)

CATEGORY: Insecure Interaction Between Components

 * CWE-20: Improper Input Validation
   Duck typing?
   Ruby and Rails: test-case tools
   Rails: Tarantula
 * CWE-116: Improper Encoding or Escaping of Output
   Same as above
 * CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
   Automated handling of SQL databases
 * CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
   Tarantula
 * CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
   Virtual machine: Ruby and Rails are interpreted from the command line and do not depend on the OS implementation. This helps prevent this error, as well as other errors.
 * CWE-319: Cleartext Transmission of Sensitive Information
 * CWE-352: Cross-Site Request Forgery (CSRF)
   Ruby has a feature called protection? _________ which is specifically designed to combat
 * CWE-362: Race Condition
   Ruby and Rails have testing tools (Test::Unit / RSpec)
 * CWE-209: Error Message Information Leak
   _______
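The CWE-116 / CWE-79 entries above say that escaping output is what keeps a user's text from becoming page structure. The following is an added example, not from the wiki page: it renders a constructed user comment through a template once without and once with escaping. Rails views escape `<%= %>` automatically; plain Ruby's ERB does not, so here the escaping is done explicitly with `ERB::Util.html_escape`, the helper behind Rails' `h`.

```ruby
require 'erb'

# Constructed sample input: a comment a user might submit to a Rails app.
USER_COMMENT = %q{<script>alert("xss")</script> & "quotes"}.freeze

# A minimal view: the comment body is interpolated into a <p> element.
TEMPLATE = ERB.new('<p class="comment"><%= body %></p>')

# Unsafe rendering (CWE-79 / CWE-116): the raw string lands in the HTML,
# so the <script> tag the user sent is served back as live markup.
def render_unescaped(body)
  TEMPLATE.result_with_hash(body: body)
end

# Safe rendering: entity-encode the untrusted value before it reaches the
# template, so < > & " ' are rendered as text, not parsed as HTML.
def render_escaped(body)
  TEMPLATE.result_with_hash(body: ERB::Util.html_escape(body))
end

# A simple check a test suite (Test::Unit / RSpec) could run over a view:
# does the rendered page still contain a script tag taken from the input?
def contains_script_tag?(html)
  html.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(USER_COMMENT)   # script tag survives
  puts render_escaped(USER_COMMENT)     # script tag is neutralised
end
```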

CATEGORY: Risky Resource Management

 * CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
   _______
 * CWE-642: External Control of Critical State Data
   _______ 
 * CWE-73: External Control of File Name or Path
   _______
 * CWE-426: Untrusted Search Path 
   _______
 * CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
   Ruby allows this, but only if the developer writes the program to allow it. If such functionality is provided in an application, it should be tested extensively. Another mitigation is that Ruby is run in a virtual machine. This somewhat limits the damage that could be done (e.g. someone should not be able to format your C: drive (erase everything) from a remote site through a Ruby application). There is still significant risk in allowing users to add their own code, and this functionality should be used sparingly and tested thoroughly.
 * CWE-494: Download of Code Without Integrity Check
 _______ No mitigation?
 * CWE-404: Improper Resource Shutdown or Release
 _______ Garbage collection?
 * CWE-665: Improper Initialization
 Test unit / R-spec, Tarantula 
 * CWE-682: Incorrect Calculation 
 Test unit / R-spec
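The CWE-94 entry above notes that Ruby only runs user-supplied code when the developer writes the program to allow it. The following added example (not from the wiki page; the "formula" feature and its names are constructed) shows the pattern that does allow it, `eval` on user text, next to a version that parses the text itself and only dispatches to an explicit set of operations, so user input stays data.

```ruby
# Vulnerable form (CWE-94): the user's text is handed straight to the
# interpreter, so any Ruby expression they submit is executed.
def evaluate_formula_unsafe(formula)
  eval(formula)
end

# Hardened form: the only operations that can ever run are the ones
# listed here; nothing the user types is treated as code.
ALLOWED_OPS = {
  '+' => ->(a, b) { a + b },
  '-' => ->(a, b) { a - b },
  '*' => ->(a, b) { a * b },
  '/' => ->(a, b) { raise ArgumentError, 'division by zero' if b.zero?; a / b }
}.freeze

# Accept exactly "<number> <op> <number>" and nothing else.
FORMULA = /\A\s*(-?\d+(?:\.\d+)?)\s*([-+*\/])\s*(-?\d+(?:\.\d+)?)\s*\z/

def evaluate_formula_safe(formula)
  m = FORMULA.match(formula)
  raise ArgumentError, "formula not allowed: #{formula.inspect}" unless m
  a, op, b = m.captures
  ALLOWED_OPS.fetch(op).call(Float(a), Float(b))
end

if __FILE__ == $PROGRAM_NAME
  puts evaluate_formula_safe('2 + 3')         # 5.0
  begin
    evaluate_formula_safe("system('id')")     # rejected before anything runs
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

A test suite for such a feature should include inputs that are not formulas at all and assert that they are rejected, not merely that valid formulas compute correctly.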

CATEGORY: Porous Defenses

 * CWE-327: Use of a Broken or Risky Cryptographic Algorithm
 This is up to the developer, but there are tools such as Clearance (a password utility) that can help with this.
 * CWE-259: Hard-Coded Password
 Use the Clearance tool
 * CWE-732: Insecure Permission Assignment for Critical Resource
 Tarantula
 * CWE-330: Use of Insufficiently Random Values 
 _______ (Does Ruby have a good default random number generator?)
 * CWE-250: Execution with Unnecessary Privileges 
 _______
 * CWE-602: Client-Side Enforcement of Server-Side Security 
 _______

References: ______ (properly structure resources)