Architecting Identity
Gunnar Peterson, CTO, Arctec Group (gunnar@arctecgroup.net)
OWASP AppSec DC, October 2005
Copyright © 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
Identity risks
Excerpt from the Anti-Phishing Working Group report for July 2005 (14,135 phishing reports):
Brands hijacked by phishing campaigns in July: 71
Brands comprising the top 80% of phishing campaigns in July: 6
Country hosting the most phishing websites in July: United States
Sites whose URL contains some form of the target's name: 46%
Sites with no hostname, just an IP address: 41%
Sites not using port 80: 9%
Average time a site stays online: 5.9 days
Longest time a site stayed online: 30 days
Key finding: the study found 174 unique password-stealing applications and 918 unique password-stealing malicious URLs
Foundations of Identity
Subjects
Claims
Claims about subjects are evaluated to negotiate access
The Laws of Identity, codified on Identityblog.com
Why do we need laws to deal with identity?
Identity Lifecycle
Generation
Representation
Consumption / Usage
Transformation
Identity architectural concerns
Access control
Regulatory and legal
Privacy
Personalization
Domain attributes
Provisioning
Audit and reporting
Identity mapping services
Concerns can conflict and cascade
Architecting Identity
Risk examples
Promiscuous identity: identity information leaks across domains
Disclosure of personal information
Overall vulnerabilities in weak identity implementations: custom-coded identity layers and functions, username and password, password recovery
Phishing
User knowledge
Offline combination of personal information (data mining)
Lack of full-lifecycle protection of identity information
Lack of consistent usage of identity in distributed systems: inherent tradeoffs in using proxies, impersonation, delegation, etc.
Weaknesses in identity cascade across the system: developers are instructed not to write their own crypto algorithms, yet a home-grown identity system is what "protects" the crypto functionality
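The slide names password recovery as a typical weak spot in custom-coded identity layers. The following is an added example (not from the slides or from Arctec Group) that puts a home-grown reset token beside a hardened one. The username, the clock values, the 15-minute lifetime and the in-memory store are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# --- The home-grown version --------------------------------------------------
# The token is a hash of values an attacker can know or guess: the username
# and the minute in which the reset was requested. Nothing in it is secret.
def weak_reset_token(username: str, issued_at: int) -> str:
    return hashlib.md5(f"{username}:{issued_at // 60}".encode()).hexdigest()

def attacker_candidates(username: str, observed_time: int, window_minutes: int = 5) -> list:
    """Every token the weak scheme could have produced within a few minutes of
    the moment the attacker saw the victim request a reset."""
    return [weak_reset_token(username, observed_time + 60 * d)
            for d in range(-window_minutes, window_minutes + 1)]

# --- The hardened version ----------------------------------------------------
TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is valid for 15 minutes

class ResetStore:
    """Issues unguessable, single-use, expiring reset tokens and stores only a
    hash of each, so a leaked store cannot be replayed."""

    def __init__(self):
        self._pending = {}   # username -> (sha256(token), expiry time)

    def issue(self, username: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token   # delivered to the user out of band; never stored in the clear

    def redeem(self, username: str, token: str, now: int) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        if now > expires:
            self._pending.pop(username, None)   # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):   # constant-time compare
            return False
        self._pending.pop(username, None)   # single use: a redeemed token is gone
        return True

if __name__ == "__main__":
    victim, t0 = "alice", 1_700_000_000        # constructed sample user and clock
    real = weak_reset_token(victim, t0)
    print("weak token guessed:", real in attacker_candidates(victim, t0 + 90))
    store = ResetStore()
    tok = store.issue(victim, t0)
    print("first redeem:", store.redeem(victim, tok, t0 + 60))
    print("replay:", store.redeem(victim, tok, t0 + 61))
```

The weak scheme fails without any cryptanalysis: an attacker who can trigger or observe a reset for a known username simply enumerates a few minute buckets. The hardened store removes the guessable input entirely and adds the controls a password-recovery flow needs regardless of platform: expiry, single use, hashed-at-rest storage and a constant-time comparison.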
[Figure: two diagrams, "Impersonation" and "Delegation". In each, Alice at a Thin Client calls a Web Server (Bob), which calls an App Server (Charlie), which calls the DB. The Alice, Bob and Charlie labels on each tier show which identity that tier presents to the next one: under impersonation every tier presents itself as Alice; under delegation Bob and Charlie keep their own identities while acting on Alice's behalf.]
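The tradeoff the figure illustrates, as an added example (not code from the slides or from Arctec Group): the same three-tier call modelled once with impersonation and once with delegation, so that the difference shows up where it matters, at the DB tier's authorization decision and audit record. The names, the HMAC-signed token format, the shared key and the policy table are assumptions made for this example; in a real deployment the tokens would come from an identity service rather than being minted by each tier.

```python
import hashlib
import hmac
import json

# Assumed key shared by the tiers and the identity service (demo only).
SERVICE_KEY = b"demo-key-not-for-production"

def mint(end_user: str, actors: list, scope: list) -> bytes:
    """Build a delegation token: the end user (sub), the chain of services
    that have acted on the request so far (act), and what they may do."""
    body = {"sub": end_user, "act": list(actors), "scope": list(scope)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag

def verify(token: bytes) -> dict:
    payload, _, tag = token.rpartition(b".")
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature does not verify")
    return json.loads(payload)

AUDIT = []   # what the DB tier is able to record about each request

# --- Impersonation: every tier runs as Alice --------------------------------
def db_impersonation(caller: str) -> str:
    # The DB sees only the end user's name. It cannot tell Alice's own request
    # from a web server acting as Alice, so it can apply no policy to the
    # intermediaries, and the audit trail loses them.
    AUDIT.append(("impersonation", caller))
    return f"rows for {caller}"

def impersonation_flow(user: str) -> str:
    # web server (bob) -> app server (charlie) -> DB, all under Alice's identity
    return db_impersonation(user)

# --- Delegation: each tier keeps its own identity and acts for Alice --------
DB_POLICY = {"charlie": {"read"}}   # assumed: only the app server may read on a user's behalf

def db_delegation(token: bytes, action: str) -> str:
    claims = verify(token)
    actor = claims["act"][-1]          # the tier that actually made this call
    if action not in claims["scope"] or action not in DB_POLICY.get(actor, set()):
        raise PermissionError(f"{actor} may not {action} on behalf of {claims['sub']}")
    AUDIT.append(("delegation", claims["sub"], tuple(claims["act"]), action))
    return f"rows for {claims['sub']}"

def delegation_flow(user: str) -> str:
    web_token = mint(user, ["bob"], ["read"])                        # web server acts for Alice
    c = verify(web_token)
    app_token = mint(c["sub"], c["act"] + ["charlie"], c["scope"])   # app server appends itself
    return db_delegation(app_token, "read")

def rogue_web_tier(user: str) -> tuple:
    """A compromised web server skips the app server and calls the DB directly."""
    via_impersonation = db_impersonation(user)   # accepted: indistinguishable from Alice
    try:
        db_delegation(mint(user, ["bob"], ["read"]), "read")
        via_delegation = "accepted"
    except PermissionError:
        via_delegation = "rejected"               # DB sees bob, and bob is not allowed
    return via_impersonation, via_delegation

if __name__ == "__main__":
    print(impersonation_flow("alice"), delegation_flow("alice"))
    print(rogue_web_tier("alice"))
    for entry in AUDIT:
        print(entry)
```

Impersonation is simpler to build, which is why custom identity layers tend to use it, but it means the back end can only ever reason about the end user. Delegation costs a token format and a policy for each hop, and in return the DB tier can both refuse a tier that should not be calling it and record who really acted for whom.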
Goals
Abstract back-end systems, similar to how a data access layer works in n-tier systems
Use strong identity standards for interoperability across domains
Service-oriented focus: decouple identity from systems
Functions
Access control
Naming services
Checkpoint services
Common descriptor format
Consistent interface, API, and data exchange format for accessing and updating identity data
OWASP Guide
Build Security In (DHS portal): https://buildsecurityin.us-cert.gov/portal/article/bestpractices/assembly_integration_and_evolution/Iden
Blogosphere: Identityblog (identityblog.com), Id Corner (idcorner.org)
Open Group: Jericho Forum, focused on deperimeterization: http://www.opengroup.org/jerichoforum
Security Design Patterns: http://www.opengroup.org/bookstore/catalog/g031.htm