Entreprise Security API - ConFoo 2011
Upcoming SlideShare
Loading in...5
×
 

Entreprise Security API - ConFoo 2011

on

  • 1,391 views

OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it's an API, it can be easely be add to applications and ...

OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it's an API, it can be easely be add to applications and services to protect themselves from attackers. In this talk, I'll present the project, it's PHP implantation and how to add it to your projects.

Statistics

Views

Total Views
1,391
Views on SlideShare
1,390
Embed Views
1

Actions

Likes
1
Downloads
32
Comments
0

1 Embed 1

http://paper.li 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Entreprise Security API - ConFoo 2011 Entreprise Security API - ConFoo 2011 Presentation Transcript

  • Enteprise Security API ESAPIThursday, 2011-03-10
  • Thursday, 2011-03-10
  • OWASP The Open Web Application ProjectThursday, 2011-03-10
  • Thursday, 2011-03-10
  • I answer questionThursday, 2011-03-10
  • The problemsThursday, 2011-03-10
  • The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access ControlThursday, 2011-03-10
  • The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and RandomnessThursday, 2011-03-10
  • OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and ForwardsThursday, 2011-03-10
  • And over 300 others security problems typesThursday, 2011-03-10
  • Vulnerabilities and Security Controls Ignored Misused Broken MissingThursday, 2011-03-10
  • Why Input Validation Is Hard?Thursday, 2011-03-10
  • <Thursday, 2011-03-10
  • Percent (url) Encoding • %3c • %3CThursday, 2011-03-10
  • HTML Entity Encoding • &#60 • &#60; • &#060 • &#060; • &#0060 • &#0060; • &#00060 • &#00060; • &#000060 • &#000060; • &#0000060 • &#0000060;Thursday, 2011-03-10
  • HTML Entity Encoding • &#x3c • &#x3c; • &#x03c • &#x03c; • &#x003c • &#x003c; • &#x0003c • &#x0003c; • &#x00003c • &#x00003c; • &#x000003c • &#x000003c;Thursday, 2011-03-10
  • HTML Entity Encoding • &#X3c • &#X3c; • &#X03c • &#X03c; • &#X003c • &#X003c; • &#X0003c • &#X0003c; • &#X00003c • &#X00003c; • &#X000003c • &#X000003c;Thursday, 2011-03-10
  • HTML Entity Encoding • &#x3C • &#x3C; • &#x03C • &#x03C; • &#x003C • &#x003C; • &#x0003C • &#x0003C; • &#x00003C • &#x00003C; • &#x000003C • &#x000003C;Thursday, 2011-03-10
  • HTML Entity Encoding • &#X3C • &#X3C; • &#X03C • &#X03C; • &#X003C • &#X003C; • &#X0003C • &#X0003C; • &#X00003C • &#X00003C; • &#X000003C • &#X000003C;Thursday, 2011-03-10
  • HTML Entity Encoding • &lt • &lt; • &lT • &lT; • &Lt • &Lt; • &LT • &LT;Thursday, 2011-03-10
  • JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003cThursday, 2011-03-10
  • CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003CThursday, 2011-03-10
  • UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bcThursday, 2011-03-10
  • 1,677,721,600,000,000 ways to encode <script>Thursday, 2011-03-10
  • The Solutions?Thursday, 2011-03-10
  • What is Enterprise Security API?Thursday, 2011-03-10
  • ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-CThursday, 2011-03-10
  • ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-CThursday, 2011-03-10
  • ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-CThursday, 2011-03-10
  • Overview of the Architectural ImpactThursday, 2011-03-10
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?>Thursday, 2011-03-10
  • Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName()Thursday, 2011-03-10
  • Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine()Thursday, 2011-03-10
  • Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPathThursday, 2011-03-10
  • Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring EncryptionThursday, 2011-03-10
  • Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •TimestampThursday, 2011-03-10
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • Entreprise Security API •AccessControlException SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector •AuthenticationException AccessController Authenticator HTTPUtilities •AvailabilityException Randomizer Encryptor Validator Encoder •EncodingException Logger User •EncryptionException •ExecutorException •IntegrityException •IntrusionException •ValidationExceptionThursday, 2011-03-10
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap •Responses •Logout User Validator •Log Intrusion •Disable Account Encoder HTTPUtilities •Configurable Thresholds Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • AuthenticatorThursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • OWASP TOP 10 ESAPI A1: Injection Encoder A2: Cross Site Scripting (XSS) Encoder, Validator A3: Broken Authentication and Authenticator, User, HTTPUtilities Session Management A4: Insecure Direct Object AccessReferenceMap, Reference AccessController A5: Cross Site Request Forgery User (CSRF Token) (CSRF) A6: Security Misconfiguration SecurityConfiguration A7: Insecure Cryptographic Encryptor Storage A8: Failure to Restrict URL Access AccessController A9: Insufficient Transport Layer HTTPUtilities Protection (Secure Cookie, Channel) A10: Unvalidated Redirects and AccessController ForwardsThursday, 2011-03-10
  • Objective -C Authentication 2.0 1.4 1.4 1.4 Identity 2.0 1.4 1.4 1.4 Access Control 2.0 1.4 1.4 1.4 1.4 Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 Encryption 2.0 1.4 1.4 1.4 1.4 Random Numbers 2.0 1.4 1.4 1.4 1.4 Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Intrusion Detection 2.0 1.4 1.4 1.4 Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 WAF 2.0Thursday, 2011-03-10
  • AdoptersThursday, 2011-03-10
  • Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-devThursday, 2011-03-10
  • Questions ? • philippe@ph-il.ca • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/ conferences • http://www.ph-il.ca/fr/ conferencesThursday, 2011-03-10
  • Thursday, 2011-03-10