Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OWASP Top 10 Web Vulnerabilities from DCC 04/14


Published on

OWASP Top 10 Web Vulnerabilities from DCC 04/14

Published in: Technology
  • Be the first to comment

  • Be the first to like this

OWASP Top 10 Web Vulnerabilities from DCC 04/14

  1. 1. OWASP Top 10 Web Vulnerabilities Desert Code Camp - April 2014
  2. 2. About Me Chris Holwerda! Architect and developer for 15+ years in the financial, money codes, and credit card processing industry. MasterCard Enforcing PCI Compliance (Payment Card Industry) blog: twitter: @cholwerda email: SpeakerRate: !
  3. 3. Security In General • Security is HARD • There is no silver bullet • Hackers will always have the upper hand • Have an “everyone” is a hacker mentality • Objective is to minimize risk and losses if breached
  4. 4. What is OWASP? • Open Web Application Security Project • Mission: To make software security visible so that organizations worldwide can make informed decision about true software security risks • Open for anyone • You can sign up to receive OWASP information updates • You can attend meetings. They have chapters in a most of the major cities, including Phoenix. • Website has a lot of resources with examples in multiple programming languages
  5. 5. Show OWASP website
  6. 6. OWASP Top 10 for 2013 • A1 – Injection • A2 – Broken Authentication & Session Management • A3 – Cross-Site Scripting (XSS) • A4 – Insecure Direct Object References • A5 – Security Misconfiguration • A6 – Sensitive Data Exposure • A7 – Missing Function Level Access Control • A8 – Cross-Site Request Forgery (CSRF) • A9 – Using Components with Known Vulnerabilities • A10 – Un-validated Redirects and Forwards
  7. 7. A1 - Injection • Validate all input. • Use white listing (valid chars) over black listing (invalid chars) • Be careful with concatenations using any exposed values • For SQL, use parameterized SQL queries • Remember, it’s not just SQL • Command line switch concatenations • Other objects/apps that take parameters
  8. 8. A2 - Broken Authentication and Session Management • Make sure encryption of user’s password is “solid”. • Make sure change/recover password process is “solid” • Never email password – only allow reset • Reset only using email address – do not confirm validity of address! • One way hash preferred • Don’t expose session Ids in the URL • Security questions - don’t let user’s create their own • Make sure authentication cookies are created/expired/timed out as expected • Use Https • XSS vulnerabilities can lead to sessions being stolen
  9. 9. A3 - Cross Site Scripting (XSS) • Escape all untrusted data • Validate all input. • Use white listing (valid chars) over black listing (invalid chars) • Mark all cookies as HttpOnly and Secure • Use trusted anti-sanitation libraries
  10. 10. A4 - Insecure Direct Object References • Authorize the user for every request, verify access to the item requested • Use per user or session indirect object references • Ie: Map grid row with a row Id that maps back to the actual key in stored in session
  11. 11. A5 - Security Misconfiguration • Repeatable deployment process – preferably automated – that is locked down • Process for updating software and patches • Run scans and audits for detecting
  12. 12. A6 - Sensitive Data Exposure • Encrypt/hash all sensitive data at rest and in transit • Use standard algorithms and strong key/salt • Ensure passwords are stored with algorithm specifically designed for password protection • Disable autocomplete on forms and disable caching for pages that contain sensitive data
  13. 13. A7 - Missing Function Level Access Control • Have an easy to use common consistent authorization module • Deny all access by default • Implement checks in business layer • Ie: link on website hidden, but user could still enter in URL and gain access = BAD • Back to -> authorize every request
  14. 14. A8 - Cross Site Request Forgery (CSRF) • Include unpredictable token in each request – at a minimum, unique per user session • Preferred is by using a hidden field vs. added to URL • There are some tools in .NET to use • Re-authenticate user or prove they are a user (ie: use a captcha)
  15. 15. A9 - Using Components with known vulnerabilities • Have a process in place to update component • Monitor the security of the components • Govern component use • Add security wrappers around component
  16. 16. A10 - Unvalidated Redirects and Forwards • Avoid using redirects and forwards • Don’t involve user parameters in calculating destination • If destination parameters cannot be avoided • Validate value and that the user is authorized • Use mapping values instead of actual value
  17. 17. Questions?
  18. 18. Resources ! OWASP: Pluralsight: Owasp Top 10 course Troy Hunt Blog: !