SlideShare a Scribd company logo
1 of 62
Download to read offline
OWASP TOP 10 PROACTIVE CONTROLS
2016
ABOUT ME
PHILIPPE GAMACHE
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io.
Long-time internet developer, author,
screen caster, podcaster and speaker. I’m
specializes in PHP, Symfony, Kuzzle,
security, code quality, performance, real
time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer
PURPOSE OF THE PRESENTATION
• OWASP Top 10 Proactive Controls 2016
• 10 critical security areas that web developers must be aware
• https://www.owasp.org/index.php/OWASP_Proactive_Controls
• OWASP Top 10
• 10 Most Critical Web Application Security Risks
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
WHY WE ARE TALKING ABOUT THIS?
OPEN WEB APPLICATION SECURITY PROJECT
• It is a 501c3 not-for-profit and also registered in Europe as a worldwide
charitable organization.
• Focused on improving the security of software.
• Mission is to make application security visible, so that people and
organizations can make informed decisions about true application
security risks.
• Everyone is welcome to participate in OWASP and all materials are
available under free and open software licenses.
CORE MISSION
OPEN WEB APPLICATION SECURITY PROJECT
• A1 — Injection
• Injection flaws, such as SQL, OS, XXE, and LDAP injection occurs when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization.
• A2 — Broken Authentication and Session Management
• Application functions related to authentication and session management
are often implemented incorrectly, allowing attackers to compromise
passwords, keys, or session tokens, or to exploit other implementation
flaws to assume other users’ identities (temporarily or permanently).
TOP 10 APPLICATION SECURITY RISKS - 2017
OPEN WEB APPLICATION SECURITY PROJECT
• A3 — Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application includes untrusted data in a new
web page without proper validation or escaping, or updates an existing web
page with user supplied data using a browser API that can create JavaScript.
XSS allows attackers to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to malicious sites.
• A4 — Broken Access Control
• Restrictions on what authenticated users are allowed to do are not properly
enforced. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access other users’ accounts, view sensitive
files, modify other users’ data, change access rights, etc.
TOP 10 APPLICATION SECURITY RISKS - 2017
OPEN WEB APPLICATION SECURITY PROJECT
• A5 — Security Misconfiguration
• Good security requires having a secure configuration defined and deployed for
the application, frameworks, application server, web server, database server,
platform, etc. Secure settings should be defined, implemented, and maintained,
as defaults are often insecure. Additionally, software should be kept up to date.
• A6 — Sensitive Data Exposure
• Many web applications and APIs do not properly protect sensitive data, such as
financial, healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data deserves extra protection such as encryption at rest or in transit,
as well as special precautions when exchanged with the browser.
TOP 10 APPLICATION SECURITY RISKS - 2017
OPEN WEB APPLICATION SECURITY PROJECT
• A7 — Insufficient Attack Protection
• The majority of applications and APIs lack the basic ability to detect, prevent, and
respond to both manual and automated attacks. Attack protection goes far beyond
basic input validation and involves automatically detecting, logging, responding,
and even blocking exploit attempts. Application owners also need to be able to
deploy patches quickly to protect against attacks.
• A8 — Cross-Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically included
authentication information, to a vulnerable web application. Such an attack allows
the attacker to force a victim’s browser to generate requests the vulnerable
application thinks are legitimate requests from the victim.
TOP 10 APPLICATION SECURITY RISKS - 2017
OPEN WEB APPLICATION SECURITY PROJECT
• A9 — Using Components with Known Vulnerabilities
• Components, such as libraries, frameworks, and other software modules, run
with the same privileges as the application. If a vulnerable component is
exploited, such an attack can facilitate serious data loss or server takeover.
Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
• A10 — Underprotected APIs
• Modern applications often involve rich client applications and APIs, such as
JavaScript in the browser and mobile apps, that connect to an API of some
kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often
unprotected and contains numerous vulnerabilities.
TOP 10 APPLICATION SECURITY RISKS - 2017
VERIFY FOR SECURITY EARLY AND OFTEN
• Security testing is not made part of Software Development Life Cycle/
Agile.
• Carried out by others than the development team.
• Development team tries to fix them without putting much thought from
coding and programming point of view.
PROBLEM STATEMENT
VERIFY FOR SECURITY EARLY AND OFTEN
• Security must be integral part of SDLC/Agile.
• Include security while writing testing stories and tasks.
• Include the Proactive Controls in stubs and drivers.
• Security testing stories should be defined such that the lowest child story can be
implemented and accepted in a single iteration.
• Testing a Proactive Control must be lightweight.
• Consider OWASP Application Security Verification Standard (ASVS) as a guide to define
security requirements and testing.
• Convert scanning output into reusable Proactive Controls to avoid entire classes of
problems.
CONTROL EXPLAINED
VERIFY FOR SECURITY EARLY AND OFTEN
• https://www.owasp.org/index.php/OWASP_Testing_Project
• https://www.owasp.org/index.php/
Category:OWASP_Application_Security_Verification_Standard_Project
• http://devops.com/2015/04/06/automated-security-testing-
continuous-delivery-pipeline/
• https://www.continuumsecurity.net/bdd-security/
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• https://www.owasp.org/index.php/OWASP_OWTF
RESSOURCES
VERIFY FOR SECURITY EARLY AND OFTEN
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
PARAMETERIZE QUERIES
• Web application can be used to run dangerous OS commands;
• Against the OS hosting the database.
• SQL query and its parameters are contained in one query string.
PROBLEM STATEMENT
PARAMETERIZE QUERIES
• Untrusted input should be prevented from being interpreted as part of
an SQL command:
• Use “Query Parameterization”;
• SQL statements are sent to and parsed by the database server
separately from any parameters.
CONTROL EXPLAINED
PARAMETERIZE QUERIES
QUERY PARAMETERIZATION
$dbh =
new PDO("pgsql:host={$host};port={$port};dbname={$db};user={$user};password={$pass}");
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
PARAMETERIZE QUERIES
• Use defense in depth;
• Use automated static analysis;
• Use proper database management system configuration.
• Configure database engines to only support parameterized queries.
CONTROL EXPLAINED
PARAMETERIZE QUERIES
• https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
• https://www.owasp.org/index.php/
SQL_Injection_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-
_Quick_Reference_Guide
RESSOURCES
PARAMETERIZE QUERIES
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
ENCODE DATA
PROBLEM STATEMENT
• Web forms written to accept inputs from untrusted sources/users.
• Attacker tricks users into executing malicious script that was not
originally built into the website.
• Manipulation of user response.
• XSS attacks execute in the user’s browser.
• Same risk remains in mobile based applications as well.
ENCODE DATA
CONTROL EXPLAINED
• Encoding is translating special characters into some equivalent form that is no
longer dangerous in the target interpreter.
• Manipulating user generated content:
• Ensure that data is filtered;
• Ensure that data is encoded.
• Loading content from an external source:
• Apps that need to display untrusted content inside a Web View should use a
dedicated server/host to render and escape HTML/Javascript content in a safe
way. Prevents access to local system contents by malicious JavaScript code.
ENCODE DATA
• http://twig.sensiolabs.org/doc/filters/escape.html
• https://docs.zendframework.com/zend-escaper/theory-of-operation/
• https://laravel.com/docs/5.4/blade
• http://boldersecurity.github.io/encoder-comparison-reference/
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• https://www.owasp.org/index.php/
XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
RESSOURCES
ENCODE DATA
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
VALIDATE ALL INPUTS
PROBLEM STATEMENT
• All the data directly entered by users should be treated as untrusted.
• An application should check that this data is both syntactically and
semantically valid (in that order) before using it in any way.
• The most secure applications treat all variables as untrusted and provide
security controls regardless of the source.
VALIDATE ALL INPUTS
CONTROL EXPLAINED
• Use two general approaches to performing input syntax validation white
listing preferred over black listing.
• Regular expressions offer a way to check whether data matches a specific
pattern this is a great way to implement whitelist validation.
• The security of the application should be enforced where that input is used:
• If input is used to build an HTML response, then the appropriate HTML
encoding should be performed to prevent XSS attacks.
• If input is used to build a SQL statement, Query Parameterization should
be used.
VALIDATE ALL INPUTS
FILE UPLOAD
• Generic Upload Verification:
• Check filename;
• Check file size;
• Ensure decompressed size of file < maximum size;
• Ensure that an uploaded archive matches the type expected (zip, rar);
• Ensure structured uploads such as an add-on follow proper standard;
• And maybe check with an anti-virus.
VALIDATE ALL INPUTS
FILE UPLOAD
• Image Upload Verification:
• Enforce proper image size limits;
• Use image rewriting libraries;
• Set the extension of the stored image to be a valid image extension;
• Ensure the detected content type of the image is safe.
VALIDATE ALL INPUTS
FILE UPLOAD
• If you can, check files on separate server.
• Beware of "special" files:
• "crossdomain.xml", "clientaccesspolicy.xml", "index.php", "config.yml",
".htaccess", "faveicon.ico", "composer.json"…
• Upload Storage:
• Use only trusted filenames + separate domain.
VALIDATE ALL INPUTS
VALIDATION AND SANITIZATION
<?php
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {
echo "This sanitized email address is considered valid.n";
}
VALIDATE ALL INPUTS
RESSOURCES
• http://htmlpurifier.org/
• http://www.bioinformatics.org/phplabware/internal_utilities/
htmLawed/
• https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_Input_Validation
VALIDATE ALL INPUTS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
PROBLEM STATEMENT
• Session management has to be secured in application flow to maintain
the state of entity interacting with the server.
• Only authorized users must be accessing the resources after enough
authentication.
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED
• Do not limit the type of characters or length of user password within
reason;
• Limiting passwords to protect against injection is doomed to failure.
• Use proper encoder and other defenses described instead.
• Be wary of systems that allow unlimited password sizes.
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED
• Use Multi-Factor Authentication.
• Implement Secure Password Storage using cryptography controls.
• Implement Secure Password Recovery Mechanism.
• Session: Generation and Expiration: On any successful authentication and
reauthentication the software should generate a new session and session id.
• Mandatory to set expiration timeouts for every session, after a specified
period of inactivity.
• Reauthentication for Sensitive Features.
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
PASSWORD ENCODING
<?php
$cost = 15;
// From PHP 5.5 to 7.1 PASSWORD_DEFAULT to using the bcrypt algorithm
$password_hash = password_hash("secret_password", PASSWORD_DEFAULT, ["cost" => $cost] );
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED - MOBILE APPLICATION OR API
• Token Based Authentication.
• Avoid storing/persisting authentication credentials locally on the device.
• Perform initial authentication using the username and password supplied
by the user, and then generate a short-lived access token which can be
used to authenticate a client's request without sending the user’s
credentials.
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
RESSOURCES
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• https://www.owasp.org/index.php/
Choosing_and_Using_Security_Questions_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_authentication
IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
IMPLEMENT APPROPRIATE ACCESS CONTROLS
PROBLEM STATEMENT
• Access Control is one of the main areas of application security design that must be
heavily thought through up front, especially when addressing requirements like
multitenancy and horizontal (data specific) access control.
• Hard-coded role checks in application code:
• Lack of centralized access control logic;
• Untrusted data driving access control decisions;
• Access control that is "open by default";
• Lack of addressing horizontal access control in a standardized way (if at all);
• Access control logic that needs to be manually added to every endpoint in code;
• Access Control that is “sticky” per session;
• Access Control that requires per-user policy.
IMPLEMENT APPROPRIATE ACCESS CONTROLS
CONTROL EXPLAINED
• Force All Requests to go Through Access Control Checks.
• Deny by Default.
• Principle of Least Privilege: each user or system component should be allocated the
minimum privilege required to perform an action for the minimum amount of time.
• Avoid Hard Coded Access Control Checks: enforcement layer (checks in code) and your
access control decision-making process (the access control "engine") should be separated
when possible.
• Code to the Activity: Consider checking if the user has access to that feature in code, as
opposed checking what role the user is in code.
• Server side Trusted Data Should Drive Access Control. Policy data such as a user’s role or an
access control rule should never be part of the request.
IMPLEMENT APPROPRIATE ACCESS CONTROLS
CODE TO THE ACTIVITY
<?php
// Instead of hard-coding role check all throughout your code base
if ($user->hasRole("ADMIN")) || ($user->hasRole("MANAGER")) {
deleteAccount();
}
// Consider the following instead
if ($user->hasAccess("DELETE_ACCOUNT")) {
deleteAccount();
}
IMPLEMENT APPROPRIATE ACCESS CONTROLS
RESSOURCES
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_Authorization
IMPLEMENT APPROPRIATE ACCESS CONTROLS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
PROTECT DATA
PROBLEM STATEMENT
• Access Control is one of the main areas of application security design
that must be heavily thought through up front, especially when
addressing requirements like multitenancy and horizontal (data specific)
access control.
PROTECT DATA
CONTROL EXPLAINED
• Classify and Encrypt Data at rest.
• Develop your own crypto algorithm & key size should be optly chosen.
PROTECT DATA
CONTROL EXPLAINED
• Encrypt Data in Transit. TLS is by far the most common and widely
supported model used by web applications for encryption in transit:
• Confidentiality: Spy cannot view your data;
• Integrity: Spy cannot change your data
• Authenticity: Server you are visiting is the right one.
• Implement Protection in Transit.
PROTECT DATA
RESSOURCES
• https://www.owasp.org/index.php/
Transport_Layer_Protection_Cheat_Sheet
• https://www.ssllabs.com/projects/best-practices/
• http://www.youtube.com/watch?v=zEV3HOuM_Vw
• https://whispersystems.org/blog/asynchronous-security/
• http://certificate-transparency.org
PROTECT DATA
RESSOURCES
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
• https://www.gitbook.com/book/jedisct1/libsodium/details
• https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• https://www.owasp.org/index.php/Testing_for_Weak_SSL/
TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-
CRYPST-001)
PROTECT DATA
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
IMPLEMENT LOGGING AND INTRUSION DETECTION
PROBLEM STATEMENT
• Logging is used in BIA, Monitoring, Forensics, compliance and intrusion
detection.
• It must be designed properly from early SDLC stage.
IMPLEMENT LOGGING AND INTRUSION DETECTION
CONTROL EXPLAINED
• Ensure proper level of logging
• Follow a common logging approach within the system and across systems
where possible to make correlation easy
• Make sure to always log the timestamp and identifying information like
the source IP and userid, but be careful not to log private or confidential
data or opt out data or secrets
• Design proper positioning of IDS sensors and management.
IMPLEMENT LOGGING AND INTRUSION DETECTION
RESSOURCES
• https://www.owasp.org/index.php/Logging_Cheat_Sheet
• https://www.owasp.org/index.php/
Error_Handling,_Auditing_and_Logging
• https://www.owasp.org/index.php/Reviewing_Code_for_Logging_Issues
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
IMPLEMENT LOGGING AND INTRUSION DETECTION
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
PROBLEM STATEMENT
• Starting from scratch when it comes to developing security controls for
every web application, web service or mobile application leads to wasted
time and massive security holes.
LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
CONTROL EXPLAINED
• When possible, the emphasis should be on using the existing secure
features of frameworks rather than importing third party libraries. It is
preferable to have developers take advantage of what they’re already
using instead of forcing yet another library on them.
• Not all the frameworks are completely secured hence it is important to
build in additional security where possible, updating frequently and
verifying them for security early and often like any other software you
depend upon.
LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
RESSOURCES
• https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
• https://code.google.com/archive/p/mustache-security/
• https://docs.angularjs.org/guide/security
LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
ERROR AND EXCEPTION HANDLING
PROBLEM STATEMENT
• Implementing correct errors and exceptions handling isn’t exciting, but
like input data validation, it is an important part of defensive coding,
critical to making a system reliable as well as secure.
• Mistakes in error handling can lead to different kinds of security
vulnerabilities.
ERROR AND EXCEPTION HANDLING
CONTROL EXPLAINED
• Manage exceptions in a centralized manner to avoid duplicating try/catch
blocks in the code, and to ensure that all unexpected behaviors are
correctly handled inside the application.
• Ensure that error messages displayed to users do not leak critical data,
but are still verbose enough to explain the issue to the user.
• Ensure that exceptions are logged in a way that gives enough
information for Q/A, forensics or incident response teams to understand
the problem.
ERROR AND EXCEPTION HANDLING
RESSOURCES
• https://www.owasp.org/index.php/Error_Handling
• https://www.owasp.org/index.php/Testing_for_Error_Handling
• https://www.owasp.org/index.php/Improper_Error_Handling
ERROR AND EXCEPTION HANDLING
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
ANY QUESTIONS?
THANK YOU!
If you want to talk more,
feel free to contact me.
http://kuzzle.io
This presentation was created using Keynote. The text
is set in Oswald and Ubuntu. The source code is set in
Ubuntu Mono. The iconography is provided by Keynote,
kuzzle.io and Font Awesome.
Unless otherwise noted, all photographs are used by
permission under a Creative Commons license. Please
refer to the Photo Credits slide for more information.
Copyright ©
This work is licensed under Creative Commons
Attribution-ShareAlike 4.0 International. For uses not
covered under this license, please contact the author.
hello@kuzzle.io
@kuzzleio
Kuzzle
kuzzleio
http://kuzzle.io
Browser Serving Your Web Application Security
2014-2017 Philippe Gamache
GAMACHE, Philippe. “Browser Serving Your Web
Application Security” NorthEast PHP Conference.
August 10, 2017. Conference presentation.
pgamache@kuzzle.io
@philoupedia
philippegamache
https://joind.in/talk/d9ad5
Please visit us at:

More Related Content

What's hot

OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
Imaginea
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 

What's hot (20)

Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
 
Technical Architecture of RASP Technology
Technical Architecture of RASP TechnologyTechnical Architecture of RASP Technology
Technical Architecture of RASP Technology
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Beyond the OWASP Top 10
Beyond the OWASP Top 10Beyond the OWASP Top 10
Beyond the OWASP Top 10
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
 WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
From the Frontline of RASP Adoption
From the Frontline of RASP AdoptionFrom the Frontline of RASP Adoption
From the Frontline of RASP Adoption
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
t r
t rt r
t r
 

Similar to OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017

owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 

Similar to OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017 (20)

AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
 
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech TalksHow to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 

More from Philippe Gamache

Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de Mainsonneuve
Philippe Gamache
 

More from Philippe Gamache (18)

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continue
 
Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP Montreal
 
Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011Entreprise Security API - ConFoo 2011
Entreprise Security API - ConFoo 2011
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de Mainsonneuve
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
 

Recently uploaded

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

Recently uploaded (20)

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 

OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017

  • 1. OWASP TOP 10 PROACTIVE CONTROLS 2016
  • 2. ABOUT ME PHILIPPE GAMACHE HI I’M PHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer
  • 3. PURPOSE OF THE PRESENTATION • OWASP Top 10 Proactive Controls 2016 • 10 critical security areas that web developers must be aware • https://www.owasp.org/index.php/OWASP_Proactive_Controls • OWASP Top 10 • 10 Most Critical Web Application Security Risks • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project WHY WE ARE TALKING ABOUT THIS?
  • 4. OPEN WEB APPLICATION SECURITY PROJECT • It is a 501c3 not-for-profit and also registered in Europe as a worldwide charitable organization. • Focused on improving the security of software. • Mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. • Everyone is welcome to participate in OWASP and all materials are available under free and open software licenses. CORE MISSION
  • 5. OPEN WEB APPLICATION SECURITY PROJECT • A1 — Injection • Injection flaws, such as SQL, OS, XXE, and LDAP injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. • A2 — Broken Authentication and Session Management • Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). TOP 10 APPLICATION SECURITY RISKS - 2017
  • 6. OPEN WEB APPLICATION SECURITY PROJECT • A3 — Cross-Site Scripting (XSS) • XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. • A4 — Broken Access Control • Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. TOP 10 APPLICATION SECURITY RISKS - 2017
  • 7. OPEN WEB APPLICATION SECURITY PROJECT • A5 — Security Misconfiguration • Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. • A6 — Sensitive Data Exposure • Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. TOP 10 APPLICATION SECURITY RISKS - 2017
  • 8. OPEN WEB APPLICATION SECURITY PROJECT • A7 — Insufficient Attack Protection • The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks. • A8 — Cross-Site Request Forgery (CSRF) • A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. TOP 10 APPLICATION SECURITY RISKS - 2017
  • 9. OPEN WEB APPLICATION SECURITY PROJECT • A9 — Using Components with Known Vulnerabilities • Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. • A10 — Underprotected APIs • Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contains numerous vulnerabilities. TOP 10 APPLICATION SECURITY RISKS - 2017
  • 10. VERIFY FOR SECURITY EARLY AND OFTEN • Security testing is not made part of Software Development Life Cycle/ Agile. • Carried out by others than the development team. • Development team tries to fix them without putting much thought from coding and programming point of view. PROBLEM STATEMENT
  • 11. VERIFY FOR SECURITY EARLY AND OFTEN • Security must be integral part of SDLC/Agile. • Include security while writing testing stories and tasks. • Include the Proactive Controls in stubs and drivers. • Security testing stories should be defined such that the lowest child story can be implemented and accepted in a single iteration. • Testing a Proactive Control must be lightweight. • Consider OWASP Application Security Verification Standard (ASVS) as a guide to define security requirements and testing. • Convert scanning output into reusable Proactive Controls to avoid entire classes of problems. CONTROL EXPLAINED
  • 12. VERIFY FOR SECURITY EARLY AND OFTEN • https://www.owasp.org/index.php/OWASP_Testing_Project • https://www.owasp.org/index.php/ Category:OWASP_Application_Security_Verification_Standard_Project • http://devops.com/2015/04/06/automated-security-testing- continuous-delivery-pipeline/ • https://www.continuumsecurity.net/bdd-security/ • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project • https://www.owasp.org/index.php/OWASP_OWTF RESSOURCES
  • 13. VERIFY FOR SECURITY EARLY AND OFTEN OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities
  • 14. PARAMETERIZE QUERIES • Web application can be used to run dangerous OS commands; • Against the OS hosting the database. • SQL query and its parameters are contained in one query string. PROBLEM STATEMENT
  • 15. PARAMETERIZE QUERIES • Untrusted input should be prevented from being interpreted as part of an SQL command: • Use “Query Parameterization”; • SQL statements are sent to and parsed by the database server separately from any parameters. CONTROL EXPLAINED
  • 16. PARAMETERIZE QUERIES QUERY PARAMETERIZATION $dbh = new PDO("pgsql:host={$host};port={$port};dbname={$db};user={$user};password={$pass}"); $stmt = $dbh->prepare("update users set email=:new_email where id=:user_id"); $stmt->bindParam(':new_email', $email); $stmt->bindParam(':user_id', $id);
  • 17. PARAMETERIZE QUERIES • Use defense in depth; • Use automated static analysis; • Use proper database management system configuration. • Configure database engines to only support parameterized queries. CONTROL EXPLAINED
  • 18. PARAMETERIZE QUERIES • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet • https://www.owasp.org/index.php/ SQL_Injection_Prevention_Cheat_Sheet • https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_- _Quick_Reference_Guide RESSOURCES
  • 19. PARAMETERIZE QUERIES OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities
  • 20. ENCODE DATA PROBLEM STATEMENT • Web forms written to accept inputs from untrusted sources/users. • Attacker tricks users into executing malicious script that was not originally built into the website. • Manipulation of user response. • XSS attacks execute in the user’s browser. • Same risk remains in mobile based applications as well.
  • 21. ENCODE DATA CONTROL EXPLAINED • Encoding is translating special characters into some equivalent form that is no longer dangerous in the target interpreter. • Manipulating user generated content: • Ensure that data is filtered; • Ensure that data is encoded. • Loading content from an external source: • Apps that need to display untrusted content inside a Web View should use a dedicated server/host to render and escape HTML/Javascript content in a safe way. Prevents access to local system contents by malicious JavaScript code.
  • 22. ENCODE DATA • http://twig.sensiolabs.org/doc/filters/escape.html • https://docs.zendframework.com/zend-escaper/theory-of-operation/ • https://laravel.com/docs/5.4/blade • http://boldersecurity.github.io/encoder-comparison-reference/ • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet • https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet • https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet RESSOURCES
  • 23. ENCODE DATA OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities
  • 24. VALIDATE ALL INPUTS PROBLEM STATEMENT • All the data directly entered by users should be treated as untrusted. • An application should check that this data is both syntactically and semantically valid (in that order) before using it in any way. • The most secure applications treat all variables as untrusted and provide security controls regardless of the source.
  • 25. VALIDATE ALL INPUTS CONTROL EXPLAINED • Use two general approaches to performing input syntax validation white listing preferred over black listing. • Regular expressions offer a way to check whether data matches a specific pattern this is a great way to implement whitelist validation. • The security of the application should be enforced where that input is used: • If input is used to build an HTML response, then the appropriate HTML encoding should be performed to prevent XSS attacks. • If input is used to build a SQL statement, Query Parameterization should be used.
  • 26. VALIDATE ALL INPUTS FILE UPLOAD • Generic Upload Verification: • Check filename; • Check file size; • Ensure decompressed size of file < maximum size; • Ensure that an uploaded archive matches the type expected (zip, rar); • Ensure structured uploads such as an add-on follow proper standard; • And maybe check with an anti-virus.
  • 27. VALIDATE ALL INPUTS FILE UPLOAD • Image Upload Verification: • Enforce proper image size limits; • Use image rewriting libraries; • Set the extension of the stored image to be a valid image extension; • Ensure the detected content type of the image is safe.
  • 28. VALIDATE ALL INPUTS FILE UPLOAD • If you can, check files on separate server. • Beware of "special" files: • "crossdomain.xml", "clientaccesspolicy.xml", "index.php", "config.yml", ".htaccess", "faveicon.ico", "composer.json"… • Upload Storage: • Use only trusted filenames + separate domain.
  • 29. VALIDATE ALL INPUTS VALIDATION AND SANITIZATION <?php $sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL); if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) { echo "This sanitized email address is considered valid.n"; }
  • 30. VALIDATE ALL INPUTS RESSOURCES • http://htmlpurifier.org/ • http://www.bioinformatics.org/phplabware/internal_utilities/ htmLawed/ • https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet • https://www.owasp.org/index.php/Testing_for_Input_Validation
  • 31. VALIDATE ALL INPUTS OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities
  • 32. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS PROBLEM STATEMENT • Session management has to be secured in application flow to maintain the state of entity interacting with the server. • Only authorized users must be accessing the resources after enough authentication.
  • 33. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS CONTROL EXPLAINED • Do not limit the type of characters or length of user password within reason; • Limiting passwords to protect against injection is doomed to failure. • Use proper encoder and other defenses described instead. • Be wary of systems that allow unlimited password sizes.
  • 34. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS CONTROL EXPLAINED • Use Multi-Factor Authentication. • Implement Secure Password Storage using cryptography controls. • Implement Secure Password Recovery Mechanism. • Session: Generation and Expiration: On any successful authentication and reauthentication the software should generate a new session and session id. • Mandatory to set expiration timeouts for every session, after a specified period of inactivity. • Reauthentication for Sensitive Features.
  • 35. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS PASSWORD ENCODING <?php $cost = 15; // From PHP 5.5 to 7.1 PASSWORD_DEFAULT to using the bcrypt algorithm $password_hash = password_hash("secret_password", PASSWORD_DEFAULT, ["cost" => $cost] );
  • 36. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS CONTROL EXPLAINED - MOBILE APPLICATION OR API • Token Based Authentication. • Avoid storing/persisting authentication credentials locally on the device. • Perform initial authentication using the username and password supplied by the user, and then generate a short-lived access token which can be used to authenticate a client's request without sending the user’s credentials.
  • 37. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS RESSOURCES • https://www.owasp.org/index.php/Authentication_Cheat_Sheet • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet • https://www.owasp.org/index.php/Session_Management_Cheat_Sheet • https://www.owasp.org/index.php/ Choosing_and_Using_Security_Questions_Cheat_Sheet • https://www.owasp.org/index.php/Testing_for_authentication
  • 38. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 39. IMPLEMENT APPROPRIATE ACCESS CONTROLS PROBLEM STATEMENT • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control. • Hard-coded role checks in application code: • Lack of centralized access control logic; • Untrusted data driving access control decisions; • Access control that is "open by default"; • Lack of addressing horizontal access control in a standardized way (if at all); • Access control logic that needs to be manually added to every endpoint in code; • Access Control that is “sticky” per session; • Access Control that requires per-user policy.
  • 40. IMPLEMENT APPROPRIATE ACCESS CONTROLS CONTROL EXPLAINED • Force All Requests to go Through Access Control Checks. • Deny by Default. • Principle of Least Privilege: each user or system component should be allocated the minimum privilege required to perform an action for the minimum amount of time. • Avoid Hard Coded Access Control Checks: enforcement layer (checks in code) and your access control decision-making process (the access control "engine") should be separated when possible. • Code to the Activity: Consider checking if the user has access to that feature in code, as opposed checking what role the user is in code. • Server side Trusted Data Should Drive Access Control. Policy data such as a user’s role or an access control rule should never be part of the request.
  • 41. IMPLEMENT APPROPRIATE ACCESS CONTROLS CODE TO THE ACTIVITY <?php // Instead of hard-coding role check all throughout your code base if ($user->hasRole("ADMIN")) || ($user->hasRole("MANAGER")) { deleteAccount(); } // Consider the following instead if ($user->hasAccess("DELETE_ACCOUNT")) { deleteAccount(); }
  • 42. IMPLEMENT APPROPRIATE ACCESS CONTROLS RESSOURCES • https://www.owasp.org/index.php/Access_Control_Cheat_Sheet • https://www.owasp.org/index.php/Testing_for_Authorization
  • 43. IMPLEMENT APPROPRIATE ACCESS CONTROLS OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 44. PROTECT DATA PROBLEM STATEMENT • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control.
  • 45. PROTECT DATA CONTROL EXPLAINED • Classify and Encrypt Data at rest. • Develop your own crypto algorithm & key size should be optly chosen.
  • 46. PROTECT DATA CONTROL EXPLAINED • Encrypt Data in Transit. TLS is by far the most common and widely supported model used by web applications for encryption in transit: • Confidentiality: Spy cannot view your data; • Integrity: Spy cannot change your data • Authenticity: Server you are visiting is the right one. • Implement Protection in Transit.
  • 47. PROTECT DATA RESSOURCES • https://www.owasp.org/index.php/ Transport_Layer_Protection_Cheat_Sheet • https://www.ssllabs.com/projects/best-practices/ • http://www.youtube.com/watch?v=zEV3HOuM_Vw • https://whispersystems.org/blog/asynchronous-security/ • http://certificate-transparency.org
  • 48. PROTECT DATA RESSOURCES • https://www.owasp.org/index.php/Pinning_Cheat_Sheet • https://www.gitbook.com/book/jedisct1/libsodium/details • https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • https://www.owasp.org/index.php/Testing_for_Weak_SSL/ TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG- CRYPST-001)
  • 49. PROTECT DATA OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 50. IMPLEMENT LOGGING AND INTRUSION DETECTION PROBLEM STATEMENT • Logging is used in BIA, Monitoring, Forensics, compliance and intrusion detection. • It must be designed properly from early SDLC stage.
  • 51. IMPLEMENT LOGGING AND INTRUSION DETECTION CONTROL EXPLAINED • Ensure proper level of logging • Follow a common logging approach within the system and across systems where possible to make correlation easy • Make sure to always log the timestamp and identifying information like the source IP and userid, but be careful not to log private or confidential data or opt out data or secrets • Design proper positioning of IDS sensors and management.
  • 52. IMPLEMENT LOGGING AND INTRUSION DETECTION RESSOURCES • https://www.owasp.org/index.php/Logging_Cheat_Sheet • https://www.owasp.org/index.php/ Error_Handling,_Auditing_and_Logging • https://www.owasp.org/index.php/Reviewing_Code_for_Logging_Issues • https://www.owasp.org/index.php/OWASP_AppSensor_Project
  • 53. IMPLEMENT LOGGING AND INTRUSION DETECTION OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 54. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES PROBLEM STATEMENT • Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes.
  • 55. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES CONTROL EXPLAINED • When possible, the emphasis should be on using the existing secure features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they’re already using instead of forcing yet another library on them. • Not all the frameworks are completely secured hence it is important to build in additional security where possible, updating frequently and verifying them for security early and often like any other software you depend upon.
  • 56. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES RESSOURCES • https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet • https://code.google.com/archive/p/mustache-security/ • https://docs.angularjs.org/guide/security
  • 57. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 58. ERROR AND EXCEPTION HANDLING PROBLEM STATEMENT • Implementing correct errors and exceptions handling isn’t exciting, but like input data validation, it is an important part of defensive coding, critical to making a system reliable as well as secure. • Mistakes in error handling can lead to different kinds of security vulnerabilities.
  • 59. ERROR AND EXCEPTION HANDLING CONTROL EXPLAINED • Manage exceptions in a centralized manner to avoid duplicating try/catch blocks in the code, and to ensure that all unexpected behaviors are correctly handled inside the application. • Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to explain the issue to the user. • Ensure that exceptions are logged in a way that gives enough information for Q/A, forensics or incident response teams to understand the problem.
  • 60. ERROR AND EXCEPTION HANDLING RESSOURCES • https://www.owasp.org/index.php/Error_Handling • https://www.owasp.org/index.php/Testing_for_Error_Handling • https://www.owasp.org/index.php/Improper_Error_Handling
  • 61. ERROR AND EXCEPTION HANDLING OWASP TOP 10 VULNERABILITY/ATTACKS A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Broken Access Control A5 - Security Misconfiguration A6 - Sensitive Data Exposure A10 - Underprotected APIs A7 - Insufficient Attack Protection A8 — Cross-Site Request Forgery (CSRF) A1A9 - Using Components with Known Vulnerabilities
  • 62. ANY QUESTIONS? THANK YOU! If you want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. hello@kuzzle.io @kuzzleio Kuzzle kuzzleio http://kuzzle.io Browser Serving Your Web Application Security 2014-2017 Philippe Gamache GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation. pgamache@kuzzle.io @philoupedia philippegamache https://joind.in/talk/d9ad5 Please visit us at: