Friday, December 18, 2009

Best Security Improvements in 2009?

Taking a cue from Jeremiah's list of new 2009 hacking techniques I thought I'd start a list of best improvements in security in 2009.

So far I haven't come up with many substantial improvements, but I do have a starter list, in no particular order.
[Updated list based on Jeremiah's recommendations]
  1. IE8 removed CSS expressions support
  2. Rails now does output escaping by default?
  3. The new STS header.
  4. Firefox checks for updates to plugins
  5. Mozilla Content Security Policy (CSP)
  6. Microsoft IE8 X-Frame-Options anti-framing header

Your recommendations welcomed.

5 comments:

Jeremiah Grossman said...

My contribution, in no particular order:

Mozilla catches half of Firefox users running insecure Flash
http://www.channelregister.co.uk/2009/09/17/firefox_users_with_vulnerable_flash/

Mozilla Content Security Policy proposal
https://wiki.mozilla.org/Security/CSP

XSS (Cross Site Scripting) Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

SQL Injection Prevention Cheat Sheet
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

OpenSAMM - Software Assurance Maturity Model
http://www.opensamm.org/

BS-IMM - Building Security In Maturity Model
http://www.bsi-mm.com/

Anti-Clickjacking w/ IE8, NoScript and Safari 4.0
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

ESAPI Web Application Firewall
http://i8jesus.com/?p=96

Web Protection Library
http://blogs.msdn.com/securitytools/archive/2009/10/17/web-protection-library-ctp-release-coming-soon.aspx

Andy Steingruebl said...

All good ones I think, though I think I want more things that are directly deployable/usable rather than just guides for how to do the right thing.

I updated the list accordingly. I think Microsoft did have some nice improvements in their app frameworks, but I'm not the expert there; hopefully someone else will chime in.

I would also like to add Windows 7, but I don't use it and don't know enough to say whether it really moves the bar upwards. Gut says yes, but I would like someone else to give their say.

Anonymous said...

IMO, among the changes affecting the most users in a *positive* way are those added to IE 8 (http://en.wikipedia.org/wiki/Internet_Explorer), released in March 09.

Most notably:

- DEP enabled by default (http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx).

- malware URL filtering, on top of the existing phishing URL filtering

http://securitymario.spaces.live.com/default.aspx

naats said...

I have used IE8, Mozilla Firefox, Google Chrome, Opera, etc. and I think they are all good in their own place. Just keep your mind flexible when you use them. Thanks.

MustLive said...

Andy

I have written to the WASC Mailing List regarding your list of best security improvements of 2009.

From my side I'll add the following (evolutionary) security improvements of 2009:

* Release of new versions of Mozilla Firefox, Internet Explorer, Opera, Chrome and other browsers fixing vulnerabilities. During the year the security of browsers improved, but there were still a lot of holes which needed to be fixed, and new ones appeared all the time.
* Release of new versions of Perl (including mod_perl) fixing vulnerabilities.
* Release of new versions of PHP 5.x fixing vulnerabilities (besides the releases of PHP versions 5.2.8 through 5.2.12, PHP 5.3 and PHP 5.3.1 were also released).
* Release of new versions of Python, Ruby and other interpreters fixing vulnerabilities.
* Release of new versions of Apache, IIS and other web servers fixing vulnerabilities.

Not to mention the fixing of holes by site owners and web developers during the year (this happens constantly), and also fixes in different browser plugins (Flash and others) and in desktop versions of these applications. Only the most global security improvements are in the list.