The OWASP – What Is and How to Use It, Research Paper Example

Introduction

OWASP refers to the Open Web Security Project ( www.owasp.org).  The company was established as a non-profit organization with an aim of improving the security around application software. The concept was pointed towards making security a more visible concept to the general public; as such increasing their level of awareness on the subject and enabling them to make more informed decisions on security applications. The service is marketed on an open domain basis such that anyone is freely allowed to participate and materials are made available under a software license. (OWASP)

OWASP Project

OWASP essentially provides a structured framework that you can use when building your application software. This is mainly an additional process step that integrates the important security procedures when developing and building software applications, particularly those that are intended for use on wide area networks and the World Wide Web.

When integrating OWASP into your systems development lifecycle (SDLC) you are creating an additional roadmap and resource requirement for the security aspect of the software build process. The OWASP team leader ( often the project manager) will create the vision and define the tasks that are required in order to put the security resources in place.  These are essentially built into three  categories:

• Protect – The documents and toolsets that are geared towards the security aspect of systems design and any potential implementation faults;
• Detect – These embrace the documents and toolsets that are used in the location of system design errors and flaws;
• Lifecycle – These are the documents and toolsets that are integrated into the system lifecycle construction process.

Benefits To The Organization

With the alarming increase in security issues with web application software, the issues of security have never been more important. In historical terms, the vulnerability of systems was more focused upon the network or operating system. Analysts were more focused upon penetration testing tools and automated security tools covering this area. The latest trend is to merge this thought process with web application security. This provides a more holistic and inclusive approach towards resolution of the problem. OWASP produce a regular updated top ten list of application security vulnerabilities and provide help via a web application security committee called OASIS. (Raina).

Cyber Crime – A Real Threat

Internet Crime and particularly illegal entry into other computer systems i.e. hacking is deemed to be a Federal Offence in the USA and falls under the investigative jurisdiction of the Federal Bureau of Investigation (FBI).  Criminal computer hacking has been legally defined as any person who willingly and knowingly commits an act of cyber terrorism, credit card fraud, malicious vandalism, identity theft or other cyber-crime by hacking into a Corporate or Government system.  Such criminal acts are treated very seriously in the USA and will be subject to harsh penalties.  Such intrusions are capable of creating a tremendous amount of malicious damage. They may potentially threaten national security, may cause serious service disruptions e.g. hospitals, emergency services etc.  May create economic and financial instability by intrusions to Banks or large Corporate Offices.

One such example is that of David Smith a computer hacker launched the Melissa Virus in March of 1999. The virus that he placed into the internet spread to over 1.2 million computers causing an estimated $80 million in financial damages to businesses. Smith was convicted of computer hacking and the courts sentenced him to 40 years in prison.  He was release some 20 months later after agreeing to work with the FBI in their fight against cyber-crime. (Criminal Law Lawyer)

Garry McKinnon in the UK has been found guilty of hacking into 96 US Military and Defence systems and could face up to 70 years imprisonment. He is currently awaiting extradition from the UK.  In general terms’ hacking is a form of cyber terrorism and as such is a criminal act. There is no legal justification for this and even those individuals that attempt this for an intellectual challenge are breaking the law.  It is not only a gross invasion of privacy but a complete act of irresponsibility that potentially can unleash very serious and grave consequences for the public.

Building An Is Security Strategy

In the adoption of the WASP framework the following items would need to be taken into consideration in the strategic planning process:

Information Technology has become the life-blood of virtually every organization. Most large business operations contain  Data Centre’s of expensive computer and communication systems (hardware) and important client information and programs (software). Together they provide the central back-bone of the organization and as such any threat to these systems can be extremely disruptive and costly to the business.  Security Managers are responsible for the overarching strategy that provides coverage of these important assets.  The duties can be classified into the following sub headings:

• Protection of the Assets : Includes recording of assets, insurance coverage of assets, secure environment of assets, and back-up of assets;
• Disaster Recovery: Disaster Recovery Plan ( emergency plan), Business Continuity Plan, security of secondary site;
• System Security : Access to the systems,  Password protection,  control of authorized users ( restrictions), security of information ( data vaults, secure back-up site);
• Corporate Security policy: Ensuring that corporate security policy measures are carried out and enforced.

IT Security services normally are structured into three separate categories:

• Management Services: Management of the computer risks and security of information technology in the firm. The function works closely with the IT Executive of the Bank and Head of Internal Audit. The objective to ensure that all corporate security policies are properly carried out and fully implemented.
• Operational Services: These are more focused upon the human interface and the controls that are the responsibility of people.  Automated control functions are also examined. It is the man/machine interface and the security controls of same.
• Technical Services: Focuses on the in depth security controls within the overall Information Technology and computer systems of the banks. Ensuring there are no loop holes or potential breaches in security.  (Kovacich)

Vulnerability over systems communications

There is a considerable threat imposed upon the interception of communications particularly that associated with electronic media.  One of the more common threats relates to that of e-mail. The threat here is two-fold: (i) the interception of messages and communication by hackers and others who are intent on theft of intellectual copyright or business confidential information (ii) incoming messages from the outside that may have attachments and carry harmful viruses that can penetrate the Banks firewall and impose serious damage to the computer network.  The first of these represents a criminal offence and is punishable under the law.  The second may be harmless or careless use of communications that have not been checked with anti-virus software.  The policies here become a little more complex but certain precautions can be taken.

The first is for the system not to accept any external e-mails that contain attachments. In addition those that contain any graphics or graphic files which are often used to harbour Trojans.  Only allow access to the network to those that have security clearance and are deemed to be authorised users of the system. Restrict external file attachments to addresses outside of the system (prevention of data transfer or theft).  The job of the Security Manager has been made much harder in recent years because of items like USB Pen Drives that have high storage capacity.  They can be plugged into virtually any USB port in the system and quickly download data.  Providing the person can gain access they will have the ability to download confidential information files. (White, G.B.  1996)

The ability to conceal such devices imposes a considerable security threat to firms. This has been further compounded by wireless networks and the ability of portable computer devices like notebooks and laptops to interface with much larger systems.  Most of the threats come from inside and that is to say employees that have access to certain information.  Where they have passwords, encryption keys etc. They can readily lay claim to important information and data files.   This can easily be copied and then sold to other interested parties.  This type of theft can be difficult to track down and costly to prove. (Whitman, M.E. 2009

Threats imposed on wireless networks

Before addressing the types of security measures in place over wireless networks, it is necessary to have some understanding of the threats imposed.  These vary from eavesdropping to that of physical intrusion and penetration of your system. Both can be potentially damaging but as a minimum a gross invasion of your privacy.  Threats may be as simples as:

Rogue Wireless Area Networks:  This is where someone may introduce an additional router to your network and thereby gain access to the wider network.  This is essentially a hardware intrusion.  Software applications like Network Magic will detect and report such intrusions to the network administrator.

Spoofing Internal Communications:  This is a direct attack and intervention from outside computers wishing to gain access to your system.  They simulate internal domains and essentially look harmless on the network maps. (Gregory)

Conclusions

It is important to recognise the Management and User responsibilities within the governance of the system. Policy guidelines will be provided and it is expected both staff and management will adhere to their use. Further, there are certain limitations imposed upon the system security  in terms of overall protection. No system is completely safe from attack but the objective is to minimise the risk and incorporate extensive mitigation measures. There is a need to remain vigilant at all times and report improper use of the system to the Security Manager.  The Security will continue to be monitored for points of vulnerability and areas where ongoing improvements may be made

Works Cited

Criminal Law Lawyer. Computer Hacking. 2011. 17 11 2011 <http://www.criminal-law-lawyer-source.com/terms/computer-hacking.html>.

GW, Gregory B and White. Computer Systems and Network Security. Austin, Texas: CRC Press, 1996.

Kovacich, G. The Information Systems Security Officers Guide. Burlington MA: Elsevier, 2003.

OWASP. Category:OWASP Project. 2011. 17 11 2011 <https://www.owasp.org/index.php/Category:OWASP_Project>.

Raina, Kapil. Trends in Web Application Security. 2 11 2010. 17 11 2011 <http://www.symantec.com/connect/articles/trends-web-application-security>.