How to secure web applications with OWASP – ISACA, Sep 2009 (for distribution)

2,196 views
2,101 views

Published on

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,196
On SlideShare
0
From Embeds
0
Number of Embeds
126
Actions
Shares
0
Downloads
1
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

how to secure web applications with owasp - isaca sep 2009 - for distribution

How to secure web applications with OWASP
Santosh Satam
Head – Technical Services, MIEL

"No noble thing can be done without risks."
                                   Michel De Montaigne
© 2009 MIEL eSecurity Pvt Ltd. Confidential.

Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this presentation may not be based on historical information or facts and may be “forward looking statements” and may be subject to risks and uncertainties that could cause actual results to differ materially and adversely from those that may be projected by such forward looking statements. MIEL makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this Presentation. MIEL may alter, modify or otherwise change in any manner the content hereof, without obligation to notify any person of such revision or changes. All company and product names are trademarks of the respective companies with which they are associated.
COPYRIGHT © 2009 MIEL e-Security Pvt. Ltd. All rights reserved.
Softcopy Name: MIEL – OWASP Presentation – ISACA Sep 2009
Published Date: Sep 2009
Author: Santosh Satam
Agenda
• Introduction to Application Security
• OWASP Projects
• Way Forward

You have been appointed as Head of Application Security
Your first task is to define a roadmap for application security ...

You started digging into the maze of applications ...

• COTS (Commercial Off the Shelf) Applications
• In-house Developed Applications
• Legacy Systems
• Interface to External Systems
• Support Applications
• Open Source Applications
• Application Hosted in Cloud (SaaS)

Even after two weeks you are still struggling …

Stakeholders in Application Security
• Top Management
• Auditors
• BU Heads
• IT/Network Admin
• Quality Assurance
• Project Managers
• Architects
• Developers

OWASP will help you!

What is OWASP?
OWASP – Open Web Application Security Project
Open group focused on understanding and improving the security of web applications and web services!

Who is using OWASP?

SDLC is King
Requirements → Design → Development → Testing → Deployment

OWASP – Guides throughout SDLC
Requirements Phase
OWASP methods:
• Identify Security Requirement
• Identify Mis-use Cases
• Identify Attack Surface
• Identify Deployment Scenarios
OWASP tools – free tools:
* WebGoat Training Tool
OWASP tools – projects:
* Web AppSec Guide
Requirements Phase – Define Security Requirement

1. Business requirement: The application stores credit card data that must be protected.
   Security requirement: Strong encryption should be used to protect the sensitive customer data.
2. Business requirement: The application transmits sensitive user information over the un-trusted network.
   Security requirement: Communication channels must be encrypted.
3. Business requirement: The application must be available 24x7.
   Security requirement: Mitigate denial of service attack.
4. Business requirement: The application takes user input and uses SQL.
   Security requirement: SQL injection should be mitigated by Input Validations.
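The last row of the table above (user input reaching SQL, mitigated by input validation) as an added example; this code is not from the slides or from any OWASP project. It shows a lookup built by string formatting beside one that validates the username against an allowlist and then binds it as a query parameter, run against an in-memory SQLite table filled with constructed sample rows. The table, the function names (lookup_vulnerable, lookup_parameterized, lookup_hardened) and the username format are this example's own assumptions.

```python
"""Added example, not from the slides: the requirements-table row "user input
reaches SQL, mitigated by input validation", shown as a vulnerable lookup
beside a hardened one. Runs offline against an in-memory SQLite table filled
with constructed sample rows."""
import re
import sqlite3

# Constructed sample data: usernames and the department each belongs to.
SAMPLE_ROWS = [
    ("alice", "finance"),
    ("bob", "engineering"),
    ("carol", "finance"),
]

# Allowlist for the username field (this example's own choice of format):
# a lowercase letter first, then up to 31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db() -> sqlite3.Connection:
    """Creates the in-memory table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string formatting, so the input is parsed as SQL."""
    sql = "SELECT name, department FROM users WHERE name = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Binds the input as a parameter: the driver treats it purely as data."""
    sql = "SELECT name, department FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Input validation (the slide's mitigation) in front of parameter binding:
    anything outside the allowlist is rejected before it reaches the database."""
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    """Runs the three lookups on a constructed tautology input and on a valid
    name, and reports how many rows each returns."""
    conn = make_db()
    # Constructed input: closes the quote and appends an always-true clause.
    tainted = "x' OR '1'='1"
    result = {
        "vulnerable_rows": len(lookup_vulnerable(conn, tainted)),        # every row
        "parameterized_rows": len(lookup_parameterized(conn, tainted)),  # no such name
        "hardened_rows": len(lookup_hardened(conn, "alice")),            # the one real match
    }
    try:
        lookup_hardened(conn, tainted)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Parameter binding on its own already stops the tainted input from changing the query (it simply matches no row); the allowlist in front of it is defence in depth, rejecting malformed input early with a clear error instead of passing it further into the application.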
Requirements Phase – Car Security Mis-use Case
  Use case:      Drive the Car
  Mis-use case:  Steal the Car          (threatens Drive the Car)
  Mitigation:    Lock the Car           (mitigates Steal the Car)
  Mis-use case:  Short the Ignition     (threatens Lock the Car)
  Mitigation:    Lock the Transmission  (mitigates Short the Ignition)

Requirements Phase – Identify Attack Surface

Requirements Phase – Identify Deployment Scenarios
• Infrastructure Security
• Scalability
• Secure Communication
• Compliance
Design Phase
OWASP methods:
• Security Principles
• Threat Modeling
OWASP tools – free tools:
* WebGoat Training Tool
OWASP tools – projects:
* Enterprise Security API (ESAPI)
* AntiSamy (Java Project)
* AntiSamy (.Net Project)

Design Phase – Security Principles

Design Phase – Threat Modeling
• Identify Assets
• Decompose Application
• Identify Threats and Vulnerabilities
• Document Threats
• Rate Threats
• Mitigate Threats

Design Phase – OWASP ESAPI
Development Phase
OWASP methods:
• Input Validations
• Output Handling
• Session Handling
• Error Handling
• Configuration Management
• Cryptography
• Secure Code Review
OWASP tools – free tools:
* WebScarab Proxy
* ASP.NET Analyzers
OWASP tools – projects:
* Web AppSec Guide
* Code Review Project
* AppSec Metrics

Testing Phase
OWASP methods:
• Manual Inspection
• Threat Modeling
• Code Review
• Penetration Testing
OWASP tools – free tools:
* LiveCD
OWASP tools – projects:
* OWASP Top 10
* Testing Project
OWASP Top 10
• A1 – Cross Site Scripting (XSS)
• A2 – Injection Flaws
• A3 – Insecure Remote File Include
• A4 – Insecure Direct Object Reference
• A5 – Cross Site Request Forgery (CSRF)
• A6 – Information Leakage and Improper Error Handling
• A7 – Broken Authentication and Session Management
• A8 – Insecure Cryptographic Storage
• A9 – Insecure Communications
• A10 – Failure to Restrict URL Access
Code Review
• Code review helps to find vulnerabilities that may not be discoverable in a black-box/zero-knowledge testing scenario.
• It covers the following areas:
  - Syntactical
  - Business logic
  - Infrastructure
OWASP – LiveCD Tools
 1 OWASP WebScarab
 2 OWASP WebGoat
 3 OWASP CAL9000
 4 OWASP JBroFuzz
 5 Paros Proxy
 6 nmap & Zenmap
 7 Wireshark
 8 tcpdump
 9 Firefox 3
10 Burp Suite
11 Grendel-Scan
12 OWASP DirBuster
13 OWASP SQLiX
14 OWASP WSFuzzer
15 Metasploit 3
16 w3af & GTK GUI for w3af
17 Netcats collection
18 OWASP Wapiti
19 Nikto
20 Fierce Domain Scanner
21 Maltego CE
22 Httprint
23 SQLBrute
24 Spike Proxy
25 Rat Proxy
Deployment Phase
OWASP methods:
• System Hardening
• Power on Sequence
• Secure Transmission
• Database Security
OWASP tools – free tools:
* LiveCD
OWASP tools – projects:
* Web AppSec Guide
* Testing Project

Summary
• Implement Application Security Practices in the Development Process
• Conduct Awareness Program on Application Security
• Conduct Code Reviews
• Test, Test and Test each and every application before it is put to Production
“Prevention is always better than Cure”

Take a Systemic Approach
Useful Links
Description                                       URL
Open Web Application Security Project (OWASP)     http://www.owasp.org
SANS                                              http://www.sans.org
CERT                                              http://www.cert.org
ISACA                                             http://www.isaca.org
Security Focus                                    http://www.securityfocus.com
Microsoft Security                                http://microsoft.com/security/
IBM                                               http://www-106.ibm.com/developerworks/linux/library/
The Web Application Security Consortium (WASC)    http://www.webappsec.org/
The Web Hacking Incidents Database                http://www.webappsec.org/projects/whid/
Application Security – Certifications
• CSSLP – Certified Secure Software Lifecycle Professional
  http://www.isc2.org/csslp/
• CSSLP CBK
  - Secure Software Concepts
  - Secure Software Requirements
  - Secure Software Design
  - Secure Software Implementation/Coding
  - Secure Software Testing
  - Software Acceptance
  - Software Deployment, Operations, Maintenance and Disposal

OWASP Application Security – Forthcoming Conference

Discussion
Santosh Satam
Head – Technical Services
CISA | CISM | CISSP | CSSLP
MIEL e-Security Pvt. Ltd.
E-mail: ssatam@mielesecurity.com