WebAppSec @ Ibuildings in 2014
Internal workshop in 2014 on improving Web Application Security.
Talks about the OWASP Top 10, a Secure Software Development Lifecycle and OWASP ASVS

    Presentation Transcript

    • Web Application Security 2014 @ Ibuildings
      Boy Baukema, 29th January 2014, Vlissingen
      Wednesday, February 5, 14
    • Fear, Uncertainty and Doubt (FUD)
      ‣ Recent incidents: Adobe / Apple / Drupal.org / Evernote / LinkedIn / Facebook / NYT / PHP.net
      ‣ Java 0-days
      ‣ SSL: BREACH
      ‣ High-profile customers are targets: AbuseHub, MijnDomein, RTLNieuws
      ‣ Windows XP EOL in April ’14
    • What to do?
      ‣ OWASP Top 10 2013
      ‣ Status of a (Secure) Software Development Lifecycle
      ‣ OWASP ASVS 2013
      ‣ OWASP ASVS Bingo!
    • Security is a cross-cutting concern
      Dutch headline: 'Thuisrouter directeur ook interessant voor hackers' ('A director's home router is of interest to hackers too')
    • OWASP Top 10 (2013) time!
    • A1-Injection
      ‣ SQL Injection
      ‣ HTML Injection
      ‣ XML Injection, including XML External Entities (XXE)
      ‣ JavaScript Injection
      ‣ CSS Injection
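    The SQL Injection item above, as an added example that is not part of the slides or of Ibuildings' code. PHP is used because the workshop's stack is PHP (php.ini, PhpSecInfo, Symfony 2 and Drupal appear later). It needs PHP 7.4+ with the pdo_sqlite extension; the table, rows and payload are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): the same lookup written as string
// concatenation and as a prepared statement, against an in-memory SQLite
// database so it runs without a database server.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'h1'), ('bob', 'h2')");
    return $db;
}

// Deliberately vulnerable: the username becomes part of the SQL text, so a
// quote in the input ends the literal and the rest is parsed as SQL.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed at prepare time; the value is bound as
// data and can never change the statement's structure.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "x' OR '1'='1";   // constructed attacker input

// The injected OR clause is true for every row, so all users come back.
$rows = findUserVulnerable($db, $payload);
echo 'vulnerable: ' . count($rows) . " rows\n";   // 2 rows

// The safe query searches for a user literally named x' OR '1'='1 and finds none.
$rows = findUserSafe($db, $payload);
echo 'safe: ' . count($rows) . " rows\n";         // 0 rows
```

    With the MySQL driver also set `PDO::ATTR_EMULATE_PREPARES` to `false`, otherwise PDO interpolates the values client-side instead of sending a server-side prepared statement. Parameters only protect values; table or column names taken from input still need an allow-list.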
    • A2-Broken Authentication and Session Management
      ‣ Session Fixation
      ‣ Missing Session Timeout
      ‣ Login over HTTP
      ‣ Unprotected Password Reset
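    Session fixation, missing timeouts and the cookie side of "login over HTTP", as an added example that is not part of the slides or of Ibuildings' code. It assumes PHP 7.4+ with the session extension; the cookie name, timeout values and session keys are assumptions.

```php
<?php
// Added example (not from the slides): session lifecycle covering the A2
// items above. Call these from a real request; they are shown as functions
// so the policy is in one place.

const IDLE_TIMEOUT_SECONDS     = 15 * 60;    // assumed policy values
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;

// Start (or resume) the session with cookie flags that keep the session ID
// off the wire in clear text and out of reach of page scripts.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('SESSIONID');  // assumed name; avoids advertising PHPSESSID
    session_start();
}

// Fixation defence: after a successful login (or re-authentication) issue a
// fresh ID, so an ID an attacker planted before login is worthless.
function onAuthenticated(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id']       = $userId;
    $_SESSION['created_at']    = time();
    $_SESSION['last_activity'] = time();
}

// Timeouts: idle (no request for a while) and absolute (login too long ago).
// Returns true when the session may continue; destroys it otherwise.
function enforceTimeouts(int $now): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;              // anonymous session, nothing to protect
    }
    $idle     = $now - ($_SESSION['last_activity'] ?? 0);
    $lifetime = $now - ($_SESSION['created_at'] ?? 0);
    if ($idle > IDLE_TIMEOUT_SECONDS || $lifetime > ABSOLUTE_TIMEOUT_SECONDS) {
        destroySession();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Logout and timeout both go through here: clear server-side state and
// expire the cookie, not just one of the two.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Per request:
//   startSecureSession();
//   if (!enforceTimeouts(time())) { header('Location: /login'); exit; }
// After the password check succeeds:
//   onAuthenticated($userId);
```

    Setting the cookie flags in code means they hold even when php.ini is left at its defaults, which is the misconfiguration the A5 slide lists.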
    • HTTP Strict Transport Security
      Strict-Transport-Security: max-age=60000; includeSubDomains
      max-age is in seconds, so 60000 is under 17 hours: fine for a trial, raise it (a year is common) once HTTPS is known to work on every host covered by includeSubDomains. Browsers only honour the header when it arrives over HTTPS.
    • A3-Cross-Site Scripting (XSS)
      ‣ Stored
      ‣ Reflected
      ‣ DOM based
      See Injection.
    • Content-Security-Policy
      Content-Security-Policy(-Report-Only):
        default-src 'none';
        script-src https://cdn.mybank.net;
        style-src https://cdn.mybank.net;
        img-src https://cdn.mybank.net;
        connect-src https://api.mybank.com;
        frame-src 'self';
        report-uri /my_amazing_csp_report_parser;
      Support: IE10+, FF4+, Chrome 14+, (iOS) Safari 5.1+, Android 4.4+ (the oldest of these only understand the prefixed X-Content-Security-Policy / X-WebKit-CSP header names); see http://caniuse.com/contentsecuritypolicy
    • A4-Insecure Direct Object References
    • A5-Security Misconfiguration
      ‣ Out of date PHP version (PHP < 5.3 now; < 5.4 after July ’14)
      ‣ Default credentials such as admin/admin
      ‣ Stack traces shown to users
      ‣ Insecure php.ini values:
        max_execution_time = 0
        session.cookie_httponly = Off
        session.cookie_secure = Off
        allow_url_fopen = On
      ‣ See: PhpSecInfo
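    A small configuration audit for the php.ini items above, as an added example that is neither the slides' code nor PhpSecInfo. It assumes PHP 7.4+; the minimum-version value is an assumed policy setting.

```php
<?php
// Added example (not from the slides): check the running interpreter's
// configuration against the settings the A5 slide lists. Run it under the
// web SAPI (include it from a request) as well as on the CLI: the two can
// differ, and the CLI sets max_execution_time to 0 by design.

// Each check: the setting, a predicate on its value, and why it matters.
function phpIniChecks(): array
{
    $isOn = fn($v) => filter_var($v, FILTER_VALIDATE_BOOLEAN);   // "1", "On", "true" ...
    return [
        ['setting' => 'max_execution_time',
         'ok'      => fn($v) => (int) $v > 0,
         'why'     => '0 = unlimited; one slow request can occupy a worker indefinitely'],
        ['setting' => 'session.cookie_httponly',
         'ok'      => $isOn,
         'why'     => 'keeps the session cookie out of reach of JavaScript (limits XSS impact)'],
        ['setting' => 'session.cookie_secure',
         'ok'      => $isOn,
         'why'     => 'session cookie only over HTTPS; otherwise it leaks on any HTTP hit'],
        ['setting' => 'allow_url_fopen',
         'ok'      => fn($v) => !$isOn($v),
         'why'     => 'lets include/fopen with a tainted path fetch remote content'],
        ['setting' => 'display_errors',
         'ok'      => fn($v) => !$isOn($v),
         'why'     => 'stack traces and file paths end up in responses'],
    ];
}

// Returns one finding per check plus one for the interpreter version:
// ['setting' => ..., 'value' => ..., 'pass' => bool, 'why' => ...]
function auditPhpIni(string $minimumVersion): array
{
    $findings = [];
    foreach (phpIniChecks() as $check) {
        $value = ini_get($check['setting']);           // false when the setting is unknown
        $findings[] = [
            'setting' => $check['setting'],
            'value'   => $value === false ? '(not set)' : (string) $value,
            'pass'    => $value !== false && ($check['ok'])($value),
            'why'     => $check['why'],
        ];
    }
    $findings[] = [
        'setting' => 'PHP_VERSION',
        'value'   => PHP_VERSION,
        'pass'    => version_compare(PHP_VERSION, $minimumVersion, '>='),
        'why'     => "older than the assumed minimum $minimumVersion (oldest branch still receiving security fixes)",
    ];
    return $findings;
}

// The slide's threshold was 5.3/5.4 in 2014; set this to today's oldest supported branch.
$minimumVersion = '8.1';   // assumed policy value

foreach (auditPhpIni($minimumVersion) as $f) {
    printf("%-4s %-26s = %-12s %s\n", $f['pass'] ? 'PASS' : 'FAIL', $f['setting'], $f['value'], $f['why']);
}
```

    Treat a PASS here as necessary, not sufficient: `ini_get()` reports the effective value, which a `.htaccess`, `php-fpm` pool or `ini_set()` call elsewhere may have changed after php.ini was read.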
    • A6-Sensitive Data Exposure
      ‣ Unsalted passwords
      ‣ Unencrypted credit cards
      ‣ Passwords / session tokens over HTTP
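    The "unsalted passwords" item, as an added example that is not part of the slides or of Ibuildings' code: the weak digest next to the hardened form. It uses `password_hash()`, available since PHP 5.5; the cost factor and the sample password are assumptions.

```php
<?php
// Added example (not from the slides): unsalted hashing versus bcrypt via
// the password_* API, which generates a random salt per hash and embeds it
// in the stored string.

// Weak: one fast, unsalted digest. Equal passwords give equal hashes, so a
// leaked table is attacked with a single precomputed lookup.
function hashPasswordWeak(string $password): string
{
    return md5($password);
}

// Hardened: bcrypt with a per-user salt. The cost is an assumed value; tune
// it so one hash takes on the order of 100 ms on the production hardware.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// On a successful login, upgrade hashes that were made with an older cost or
// algorithm; the plaintext is only available at that moment.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return hashPassword($password);
    }
    return null;
}

// Demonstration with constructed input.
$pw = 'correct horse battery staple';

// Two users sharing a weak password are trivially linkable in a dump.
var_dump(hashPasswordWeak($pw) === hashPasswordWeak($pw));   // bool(true)

// Each bcrypt hash of the same password differs (fresh salt), yet both verify.
$h1 = hashPassword($pw);
$h2 = hashPassword($pw);
var_dump($h1 !== $h2);                   // bool(true)
var_dump(verifyPassword($pw, $h1));      // bool(true)
var_dump(verifyPassword('wrong', $h1));  // bool(false)

// A legacy hash made with a lower cost is flagged for upgrade.
$legacy = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(rehashIfNeeded($pw, $legacy) !== null);   // bool(true)
```

    Bcrypt only looks at the first 72 bytes of the password; reject or pre-hash longer inputs rather than silently truncating them.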
    • A7-Missing Function Level Access Control
    • A8-Cross-Site Request Forgery (CSRF)
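    A synchronizer-token defence against the CSRF item above, as an added example that is not part of the slides or of Ibuildings' code. It assumes PHP 7.4+; the session is passed in as an array so the functions can be exercised without a web server, and the session key name is an assumption.

```php
<?php
// Added example (not from the slides): per-session CSRF token, emitted as a
// hidden field and checked on every state-changing request.

const CSRF_KEY = 'csrf_token';   // assumed session and form field name

// One token per session, from the CSPRNG, kept server-side.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Hidden field for the form. The token is hex, but escape it anyway.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $token . '">';
}

// Check: POST only (GET must never change state), token present, compared
// with hash_equals() so the comparison time does not leak the value.
function csrfVerify(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_KEY] ?? '';
    $given    = $post[CSRF_KEY] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed walk-through.
$session = [];
echo csrfField($session), "\n";                  // rendered into the HTML form

$legit = ['amount' => '100', CSRF_KEY => $session[CSRF_KEY]];
var_dump(csrfVerify($session, 'POST', $legit));  // bool(true)

// A form on another site cannot read the victim's token, so it can only guess.
$forged = ['amount' => '100', CSRF_KEY => str_repeat('0', 64)];
var_dump(csrfVerify($session, 'POST', $forged)); // bool(false)
var_dump(csrfVerify($session, 'GET',  $legit));  // bool(false)
```

    The token is the primary control; a `SameSite` attribute on the session cookie is a useful second layer but not a replacement, since older browsers ignore it.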
    • A9-Using Components with Known Vulnerabilities
    • A10-Unvalidated Redirects and Forwards
    • BONUS: Clickjacking
    • X-Frame-Options
      DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
      SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
      ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin. Not honoured by Chrome or Safari, so only DENY and SAMEORIGIN are reliable across browsers.
      Support: IE8+, Chrome 4+, FF 3.6+, Safari 4+
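    The three response headers from the HSTS, Content-Security-Policy and X-Frame-Options slides, emitted from one place, plus a receiver for the CSP report-uri endpoint. This is an added example, not code from the slides or from Ibuildings; host names and the report path are the slides' own, the function names and the sample report are assumptions, and it needs PHP 7.4+.

```php
<?php
// Added example (not from the slides): security headers as data so they can
// be inspected in tests, and a parser for the JSON that browsers POST to the
// report-uri when the policy blocks something.

// name => value; $reportOnly switches CSP to the Report-Only variant.
function securityHeaders(bool $reportOnly = false): array
{
    $csp = implode('; ', [
        "default-src 'none'",
        'script-src https://cdn.mybank.net',
        'style-src https://cdn.mybank.net',
        'img-src https://cdn.mybank.net',
        'connect-src https://api.mybank.com',
        "frame-src 'self'",
        'report-uri /my_amazing_csp_report_parser',
    ]);
    return [
        // Only honoured over HTTPS. 60000 s is under 17 hours; raise it once
        // every host under includeSubDomains is known to serve HTTPS.
        'Strict-Transport-Security' => 'max-age=60000; includeSubDomains',
        // Report-Only reports violations without blocking: use it first.
        ($reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy') => $csp,
        // Clickjacking: DENY and SAMEORIGIN work everywhere, ALLOW-FROM does not.
        'X-Frame-Options' => 'DENY',
    ];
}

function sendSecurityHeaders(bool $reportOnly = false): void
{
    foreach (securityHeaders($reportOnly) as $name => $value) {
        header("$name: $value");
    }
}

// report-uri receiver: the body is JSON with a "csp-report" object.
// Returns the fields worth logging, or null when the body is not a CSP report.
function parseCspReport(string $body): ?array
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    return [
        'document'  => (string) ($r['document-uri'] ?? ''),
        'directive' => (string) ($r['violated-directive'] ?? ''),
        'blocked'   => (string) ($r['blocked-uri'] ?? ''),
    ];
}

// Constructed report in the shape browsers send.
$sample = '{"csp-report":{"document-uri":"https://www.mybank.com/account",'
        . '"violated-directive":"script-src https://cdn.mybank.net",'
        . '"blocked-uri":"https://evil.example/x.js"}}';
print_r(parseCspReport($sample));   // document, directive and blocked fields
var_dump(parseCspReport('not json'));   // NULL
```

    Reports arrive unauthenticated and in bulk (every browser extension that injects a script produces one), so rate-limit the endpoint and treat the field values as untrusted strings when logging them.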
    • SSDLC: Secure Software Development LifeCycle
    • Secure Software Development Life Cycle (diagram)
      Source: http://pentestmag.com/security-and-the-software-development-life-cycle/
    • Requirements / Functional Design
      ‣ Threat modeling
      ‣ Security Requirements
    • Architecture & Design / Technical Design
      ‣ Web App Review
    • Development / Implementation
      ‣ Secure Coding Practices
      ‣ Whitebox Testing
    • Development: Secure Coding Guidelines
      ‣ Use only POST for credentials
      ‣ Notify users when a password reset occurs
      ‣ Re-authenticate users prior to performing critical operations
      ‣ Logout functionality should be available from all pages protected by authorization
      ‣ Generate a new session identifier on any reauthentication
      ‣ Logging controls should support both success and failure of specified security events
      Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
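    Four of the guidelines above (re-authenticate before critical operations, new session identifier on re-authentication, logout reachable everywhere, log both success and failure) as one small flow. This is an added example, not code from the slides, from Ibuildings or from the OWASP guide; the session is a plain array and the logger a closure so it runs without a web server, and the re-authentication window is an assumed policy value. PHP 7.4+.

```php
<?php
// Added example (not from the slides): a re-authentication gate in front of
// critical operations, with every outcome logged.

const REAUTH_WINDOW_SECONDS = 5 * 60;   // assumed: a password check stays "fresh" for 5 minutes

// The user is already logged in and re-enters the password before a critical
// operation. Both outcomes are logged. In a real request the success branch
// would also call session_regenerate_id(true); the flag stands in for that here.
function reauthenticate(array &$session, string $password, string $storedHash, int $now, callable $log): bool
{
    $ok = password_verify($password, $storedHash);
    $log($ok ? 'reauth_success' : 'reauth_failure', ['user_id' => $session['user_id'] ?? null]);
    if ($ok) {
        $session['reauth_at']   = $now;
        $session['regenerated'] = true;
    }
    return $ok;
}

// Gate for changing e-mail or password, transferring money, and the like.
function canPerformCriticalOperation(array $session, int $now): bool
{
    if (!isset($session['user_id'], $session['reauth_at'])) {
        return false;
    }
    return ($now - $session['reauth_at']) <= REAUTH_WINDOW_SECONDS;
}

// Logout is linked from every protected page and clears server-side state,
// not only the cookie.
function logout(array &$session, callable $log): void
{
    $log('logout', ['user_id' => $session['user_id'] ?? null]);
    $session = [];
}

// Constructed walk-through with an in-memory event log.
$events  = [];
$log     = function (string $event, array $ctx) use (&$events) { $events[] = $event; };
$session = ['user_id' => 42];
$hash    = password_hash('s3cret', PASSWORD_DEFAULT);   // constructed stored hash

var_dump(canPerformCriticalOperation($session, 1000));            // bool(false): never re-authenticated
var_dump(reauthenticate($session, 'wrong', $hash, 1000, $log));   // bool(false)
var_dump(reauthenticate($session, 's3cret', $hash, 1000, $log));  // bool(true)
var_dump(canPerformCriticalOperation($session, 1000 + 120));      // bool(true): inside the window
var_dump(canPerformCriticalOperation($session, 1000 + 600));      // bool(false): window expired
logout($session, $log);
print_r($events);   // reauth_failure, reauth_success, logout
```

    The failure events are the ones detection cares about: a burst of `reauth_failure` for one user is a credential-stuffing signal that a success-only log never shows.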
    • Development: (360) Code Reviews
    • Testing
      ‣ Greybox testing
    • Deployment
      ‣ Greybox security testing by third party
    • Maintenance / SLA
      ‣ Black box quarterly
      ‣ Grey box annually
      ‣ Monitoring
      ‣ Security Patches
    • Training
      ‣ Basic WebAppSec training
      ‣ Secure Coding training
      ‣ QA & Testing training
    • OWASP ASVS 2013
    • Security Checklist
    • Leveling up (requirements: 164, 136, 47)
    • Scope
    • Requirements
      V1. Authentication
      V2. Session Management
      V3. Access Control
      V4. Input Validation
      V5. Cryptography (at Rest)
      V6. Error Handling and Logging
      V7. Data Protection
      V8. Communication Security
      V9. HTTP Security
      V10. Malicious Controls
      V11. Business Logic
      V12. Files and Resources
      V13. Mobile
    • An example
    • Annotated ASVS 2013
    • An AASVS Requirement has...
      ‣ Short Title
      ‣ Long Title
      ‣ Verification PASS
      ‣ Verification FAIL
      ‣ Verification Help
      ‣ [Verification Help for PHP]
      ‣ [Verification Help for Drupal]
      ‣ [Verification Help for Symfony 2]
      ‣ Related Resources
    • Security Audit Template
      ‣ Introduction: Target Of Verification, Scope, Confidentiality
      ‣ Document History, TOC
      ‣ Conclusions
      ‣ V1 - V13
      ‣ Appendix A: Source Code analysis
      ‣ Appendix B: Third Party libraries
    • Risk Rating
      Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
    • OWASP ASVS 2013 and the SSDLC
    • FAQ
      ‣ So we must be fully ASVS compliant?
      ‣ ...?
    • ASVS BINGO!
    • BINGO!
    • Prizes
    • Bootcamp
    • Verify it
    • Your Script for today
      100 Fork the Template to your personal space.
      220 Pop the ‘TODO’ stack of Requirements
      221 If no Requirement, GOTO 350
      230 Assign the Requirement (mark with your name).
      231 Verify Requirement.
      232 Report the results.
      240 Push Requirement in the ‘DONE’ stack
      241 GOTO 220
      350 Review the DONE stack.