How to produce more secure web apps

1. Presented to BT Fresca development Teams
Date 14/11/13
By Damilola Longe
How to produce more secure
web apps

2. We are secure, so what is the problem?
or are we?

3. What do we really know?
What is XSS?
“

4. Why SDL?
• Compliance regulations – PCI, Data Protection
and Privacy
• Better IT security strategy – continuous security
(BaU) and security as a shared responsibility
• Functionality versus Security – balancing act

5. What is the core security problem
facing web applications?

6. Answer
A huge variety of attacks against web applications
involve submitting input, crafted to cause behaviour
that was not intended by the application’s
designers. Applications must handle user input in
a safe manner
Users can submit arbitrary input – untrusted
data

7. Handling User input
• Blacklist validation
• Whitelist validation
• Safe re-encoding
https://www.owasp.org/index.php/Category:
OWASP_Enterprise_Security_API
• Semantics checks
• Boundary Validation and defence in-depth

8. Handling Attackers
• Error handling
• Maintaining audit logs
• alerting administrators
• reacting to attacks

9. Problem Areas
• XSS 94% - enables an attacker to target other users of the application, potentially
gaining access to their data, or carry out other attacks against them
• CSRF 92% - allows a malicious web site visited by a victim user to interact with the
application to perform actions that the user did not intend
• Information leakage 78% - application divulging sensitive information that is of use to
an attacker
• Broken access controls 71% - app fails properly protect access to its data and
functionality, potentially enabling an attacker to view other uses data
• Broken authentication 62% - defects within the applications login mechanism which
may enable an attacker to guess weak passwords, launch a brute-force attack, or
bypass the login
• SQL injection 32% - enables an attacker to submit input to interfere with the
applications interactions with back-end database

10. Web Application Security Consortium (WASC)

11. So what can we do?

12. Training
• increase Security awareness
• local sessions
• online webinars/conferences
• developer courses
• self study

13. Secure development lifecycle process
• Application development policy
• Coding standards
• Project Management - SoW

14. Requirements gathering Phase
• Security requirements
• Security risk assessment
• Privacy risk assessment
• Risk-level acceptance

15. Design Phase
• Attack surface analysis
• Threat modelling

16. Development Phase
• Adhering to development guidelines
• Integrating secure coding practices into
development
• Peer/code review, advice
• Most critical phase

17. Security Testing/validation Phase

18. Change control
• Human Error
• Software bugs
• Implementation Errors
• Changes to systems

19. Best practices, resources..
Open Web Application Security Project (OWASP)
• https://www.owasp.org/index.php/Top_10_2013-
Top_10
• https://www.owasp.org/index.php/Cheat_Sheets
Training resource
• http://securitycompass.com/computer-based-
training/free-owasp-top-10/