It's the Open Web Application Security Project. Personally, I think the second two words in the acronym give it away :)

Certainly IIS itself can use cryptography (e.g. for SSL/TLS) but it relies on the Windows infrastructure for this. Everything else is really down to the web application itself. There are some things in IIS that can be used to mitigate flaws in the application (e.g. by using the Request Filtering module and the URL Authorization module) - but they're like using a firewall to protect a vulnerable server - the vulnerability's still there and might be exploitable in some other way.

Cheers
Ken

From: Webster [mailto:[email protected]]
Sent: Friday, 14 September 2012 12:46 AM
To: NT System Admin Issues
Subject: Re: IIS 7.5 and OWASP

Thanks Z, appreciate the info.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Ziots, Edward <[email protected]>
Subject: RE: IIS 7.5 and OWASP

Carl,

Web servers per se do have security controls to limit the effects of the OWASP Top 10 but do not fully protect against them. To test these you really should be using a web application scanner like Cenzic, IBM AppScan, HP WebInspect, etc. to root out these issues. (Making the developers fix the code is the best choice.) It's because some of these are insecure coding issues, not web server configuration issues. (A6, A7, A8, A9, A10 can be mitigated with correct configuration of SSL/TLS along with using request-filtering policy and hardened configurations.) You can use Request Filtering in IIS 7.0 and IIS 7.5 much like UrlScan 3.1 and earlier to do a "poor man's" WAF functionality, which will reduce the attack surface, but does not fix the underlying code issues which are addressed in A1-A5.
See below:
http://www.iis.net/configreference/system.webserver/security/requestfiltering

See below:
https://www.owasp.org/?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

* A1: Injection - see https://www.owasp.org/index.php/Top_10_2010-A1-Injection
* A2: Cross-Site Scripting (XSS) - see https://www.owasp.org/index.php/Top_10_2010-A2-Cross-Site_Scripting_(XSS)
* A3: Broken Authentication and Session Management - see https://www.owasp.org/index.php/Top_10_2010-A3-Broken_Authentication_and_Session_Management
* A4: Insecure Direct Object References - see https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
* A5: Cross-Site Request Forgery (CSRF) - see https://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery
* A6: Security Misconfiguration - see https://www.owasp.org/index.php/Top_10_2010-A6-Security_Misconfiguration
* A7: Insecure Cryptographic Storage - see https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage
* A8: Failure to Restrict URL Access - see https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access
* A9: Insufficient Transport Layer Protection - see https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
* A10: Unvalidated Redirects and Forwards - see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

After you review these links, I think you will see a trend: business impact and threat vectors are going to drive your efforts in showing that your IIS configurations are sufficiently hardened and locked down, and that you have additional testing and controls surrounding the stability of the web-application code that will run on said servers.

As a note: if you are getting COTS (commercial off the shelf) software from a vendor, you could have more problems getting the Top 10 fixed than you would have if you developed internally.
Most are going to WAFs to provide protection from the Top 10, but even WAFs can be bypassed. It's like trying to put a hard shell around a soft gooey egg: pound on it hard enough and you can bypass the preventative/detective control.
https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
https://github.com/ironbee/waf-research

HTH, if you need more information hit me offline.

EZ
Edward E. Ziots, CISSP, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]

From: Webster [mailto:[email protected]]
Subject: IIS 7.5 and OWASP

I am on a project where I have to document four Citrix products to meet extreme regulatory qualification guidelines. One of the products is Web Interface running on Server 2008 R2, which means IIS 7.5. The customer's security team says I have to show that IIS 7.5 has measures to protect against the OWASP Top-10 list. Since I had no idea what OWASP is, I had to Bing it.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The Top-10 are:
* A1: Injection
* A2: Cross-Site Scripting (XSS)
* A3: Broken Authentication and Session Management
* A4: Insecure Direct Object References
* A5: Cross-Site Request Forgery (CSRF)
* A6: Security Misconfiguration
* A7: Insecure Cryptographic Storage
* A8: Failure to Restrict URL Access
* A9: Insufficient Transport Layer Protection
* A10: Unvalidated Redirects and Forwards

As someone who can't spell IIS much less OWASP, how do I find out if/how IIS 7.5 prevents/rejects/protects against these 10 items?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
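Added example, not part of the original thread: a site-level web.config fragment showing the IIS 7.5 Request Filtering settings that Ed's "poor man's WAF" remark refers to (request limits, verb whitelist, denied URL sequences, hidden segments and the IIS 7.5 filteringRules). Every limit, verb, sequence and deny string below is an illustrative assumption for a generic ASP.NET site; none of it is taken from Citrix Web Interface or from the thread, and the "backup" hidden segment is a hypothetical folder name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative IIS 7.5 Request Filtering hardening for a site web.config.
     All values are assumptions for a generic ASP.NET application, not
     Citrix Web Interface settings. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-encoded URLs (e.g. %252e) and non-ASCII bytes in the URL;
           both are standard encoding tricks used to slip past filters.
           Set allowHighBitCharacters="true" if the app needs non-ASCII paths. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Size limits in bytes. IIS defaults are 30000000 / 4096 / 2048;
             the 10 MB body cap assumes the app has no large uploads. -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="4096"
                       maxQueryString="2048" />

        <!-- Whitelist HTTP methods: anything unlisted (TRACE, DEBUG, OPTIONS,
             PUT, DELETE...) is rejected with 404.6. -->
        <verbs allowUnlisted="false">
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>

        <!-- UrlScan-style denied URL sequences: directory traversal after
             decoding, and the NTFS alternate data stream trick (::$DATA).
             Matches are rejected with 404.5. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>

        <!-- applicationHost.config already hides bin, App_Data, web.config etc.
             Re-adding those here fails with a duplicate collection entry error,
             so only add site-specific folders (hypothetical name below). -->
        <hiddenSegments>
          <add segment="backup" />
        </hiddenSegments>

        <!-- IIS 7.5 only (not available in 7.0): case-insensitive substring
             scan of the query string for SQL injection tokens, limited to
             dynamic pages. Matches are rejected with 404.19. Expect false
             positives on free-text parameters; tune against real traffic. -->
        <filteringRules>
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
            <appliesTo>
              <add fileExtension=".aspx" />
              <add fileExtension=".ashx" />
            </appliesTo>
            <denyStrings>
              <add string="--" />
              <add string="/*" />
              <add string="xp_cmdshell" />
              <add string="sp_executesql" />
            </denyStrings>
          </filteringRule>
        </filteringRules>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Drop the fragment into the site's web.config (or the same elements under a <location> for the site in applicationHost.config) and confirm the effective settings with %windir%\system32\inetsrv\appcmd.exe list config "Default Web Site" /section:requestFiltering. Requests blocked by Request Filtering are logged in the site's W3C log as status 404 with a sub-status between 404.5 and 404.19, which is where to look when deciding whether a rule is hitting legitimate traffic. As the thread says, this only narrows what reaches the application; it does nothing about A1-A5 defects in the code itself.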
