
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems. The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.

OWASP TOP 10 PROACTIVE CONTROLS
2016
ABOUT ME
PHILIPPE GAMACHE
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I specialize in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer
PURPOSE OF THE PRESENTATION
• OWASP Top 10 Proactive Controls 2016
• 10 critical security areas that web developers must be aware of
• https://www.owasp.org/index.php/OWASP_Proactive_Controls
• OWASP Top 10
• 10 Most Critical Web Application Security Risks
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
WHY ARE WE TALKING ABOUT THIS?
OPEN WEB APPLICATION SECURITY PROJECT
• It is a 501(c)(3) not-for-profit and also registered in Europe as a worldwide charitable organization.
• Focused on improving the security of software.
• Mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
• Everyone is welcome to participate in OWASP and all materials are available under free and open software licenses.
CORE MISSION
OPEN WEB APPLICATION SECURITY PROJECT
• A1 — Injection
• Injection flaws, such as SQL, OS, XXE, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
• A2 — Broken Authentication and Session Management
• Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently).
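The A1 definition above is abstract; the following added example (not part of the original slides) makes it concrete for the SQL case. It builds a constructed in-memory SQLite table, then runs the same lookup two ways: once with untrusted input concatenated into the query text, once with the value bound as a parameter. The table, the column names and the sample rows are assumptions made for the demonstration.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """A1 as described on the slide: untrusted data is spliced into the query
    text, so the SQL interpreter treats it as part of the command."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """The proactive control: a parameterized query. The statement is parsed
    first and the value is bound afterwards, so it can never become SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_demo_db()
    # Textbook hostile input: it turns the WHERE clause into a tautology when
    # concatenated, and is just an odd-looking (non-matching) name when bound.
    hostile = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))  # every user leaks
    print("parameterized:", find_user_safe(db, hostile))     # no match
```

Running it shows the difference the slide describes: the concatenated version returns every row in the table for the hostile input, while the parameterized version returns nothing because the input is compared as an ordinary string. Both behave identically for a legitimate name.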
TOP 10 APPLICATION SECURITY RISKS - 2017
OPEN WEB APPLICATION SECURITY PROJECT
• A3 — Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• A4 — Broken Access Control
• Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
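The A3 and A4 entries describe two controls that usually meet in the same request handler: check that the caller is allowed to see the record (A4), then escape whatever user-supplied text goes into the page (A3). The added example below (written for this page, not code from the talk) shows a minimal profile handler doing both, with an unescaped variant kept beside it for contrast. The `Profile` record, the `PROFILES` store and the requester/owner ids are constructed assumptions.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    id: int
    owner_id: int
    display_name: str  # user-supplied, therefore untrusted


# Constructed sample data: two profiles owned by two different users. The
# second display name is the classic script-tag test string.
PROFILES = {
    1: Profile(id=1, owner_id=100, display_name="Alice"),
    2: Profile(id=2, owner_id=200, display_name="<script>alert(1)</script>"),
}


class Forbidden(Exception):
    """Raised when the requester may not access the record (deny by default)."""


def load_profile(profile_id: int, requester_id: int) -> Profile:
    """A4 control: enforce the ownership restriction on the server side.
    A missing record and a record owned by someone else are treated alike,
    so the response does not reveal which ids exist."""
    profile = PROFILES.get(profile_id)
    if profile is None or profile.owner_id != requester_id:
        raise Forbidden(f"requester {requester_id} may not read profile {profile_id}")
    return profile


def render_profile_unescaped(profile: Profile) -> str:
    """The A3 flaw: untrusted data dropped straight into the HTML."""
    return f'<h1 data-name="{profile.display_name}">{profile.display_name}</h1>'


def render_profile(profile: Profile) -> str:
    """A3 control: escape for the context the data lands in. html.escape with
    quote=True covers both the element body and the double-quoted attribute."""
    safe_name = html.escape(profile.display_name, quote=True)
    return f'<h1 data-name="{safe_name}">{safe_name}</h1>'


def handle_profile_request(profile_id: int, requester_id: int) -> str:
    """Access check first, then contextual escaping of the output."""
    return render_profile(load_profile(profile_id, requester_id))


if __name__ == "__main__":
    print(handle_profile_request(2, 200))   # escaped markup, no live script
    try:
        handle_profile_request(2, 100)      # another user's profile
    except Forbidden as exc:
        print("denied:", exc)
```

The access check lives in the data-loading function rather than in the template, so every code path that fetches a profile inherits it; the escaping lives at the point of output, which is the only place that knows the HTML context. Neither depends on validating the input at entry, which is why the slide lists validation and escaping as separate measures.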
TOP 10 APPLICATION SECURITY RISKS - 2017

AGFM - Toyota Coaster 1HZ Install Guide.pdf
 

OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017

  • 1. OWASP TOP 10 PROACTIVE CONTROLS 2016
  • 2. ABOUT ME: PHILIPPE GAMACHE
    HI I’M PHILIPPE
    I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screencaster, podcaster and speaker. I specialize in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation.
    • Sécurité PHP 5 et MySQL 5
    • OWASP Montreal
    • PHP Quebec
    • Table Top Game Developer
    • Pen & Paper RPG Writer
  • 3. PURPOSE OF THE PRESENTATION: WHY ARE WE TALKING ABOUT THIS?
    • OWASP Top 10 Proactive Controls 2016
      • 10 critical security areas that web developers must be aware of
      • https://www.owasp.org/index.php/OWASP_Proactive_Controls
    • OWASP Top 10
      • 10 Most Critical Web Application Security Risks
      • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 4. OPEN WEB APPLICATION SECURITY PROJECT: CORE MISSION
    • It is a 501c3 not-for-profit and also registered in Europe as a worldwide charitable organization.
    • Focused on improving the security of software.
    • Mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
    • Everyone is welcome to participate in OWASP and all materials are available under free and open software licenses.
  • 5. OPEN WEB APPLICATION SECURITY PROJECT: TOP 10 APPLICATION SECURITY RISKS - 2017
    • A1 - Injection
      Injection flaws, such as SQL, OS, XXE, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
    • A2 - Broken Authentication and Session Management
      Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently).
  • 6. OPEN WEB APPLICATION SECURITY PROJECT: TOP 10 APPLICATION SECURITY RISKS - 2017
    • A3 - Cross-Site Scripting (XSS)
      XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
    • A4 - Broken Access Control
      Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
  • 7. OPEN WEB APPLICATION SECURITY PROJECT: TOP 10 APPLICATION SECURITY RISKS - 2017
    • A5 - Security Misconfiguration
      Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
    • A6 - Sensitive Data Exposure
      Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
  • 8. OPEN WEB APPLICATION SECURITY PROJECT: TOP 10 APPLICATION SECURITY RISKS - 2017
    • A7 - Insufficient Attack Protection
      The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.
    • A8 - Cross-Site Request Forgery (CSRF)
      A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  • 9. OPEN WEB APPLICATION SECURITY PROJECT: TOP 10 APPLICATION SECURITY RISKS - 2017
    • A9 - Using Components with Known Vulnerabilities
      Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
    • A10 - Underprotected APIs
      Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.
  • 10. VERIFY FOR SECURITY EARLY AND OFTEN: PROBLEM STATEMENT
    • Security testing is not made part of the Software Development Life Cycle / Agile process.
    • It is carried out by people other than the development team.
    • The development team tries to fix the findings without much thought from a coding and programming point of view.
  • 11. VERIFY FOR SECURITY EARLY AND OFTEN: CONTROL EXPLAINED
    • Security must be an integral part of the SDLC/Agile process.
    • Include security while writing testing stories and tasks.
    • Include the Proactive Controls in stubs and drivers.
    • Security testing stories should be defined such that the lowest child story can be implemented and accepted in a single iteration.
    • Testing a Proactive Control must be lightweight.
    • Consider the OWASP Application Security Verification Standard (ASVS) as a guide to define security requirements and testing.
    • Convert scanning output into reusable Proactive Controls to avoid entire classes of problems.
  • 12. VERIFY FOR SECURITY EARLY AND OFTEN: RESOURCES
    • https://www.owasp.org/index.php/OWASP_Testing_Project
    • https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
    • http://devops.com/2015/04/06/automated-security-testing-continuous-delivery-pipeline/
    • https://www.continuumsecurity.net/bdd-security/
    • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    • https://www.owasp.org/index.php/OWASP_OWTF
  • 13. VERIFY FOR SECURITY EARLY AND OFTEN: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 14. PARAMETERIZE QUERIES: PROBLEM STATEMENT
    • A web application can be used to run dangerous OS commands against the OS hosting the database.
    • The SQL query and its parameters are contained in one query string.
  • 15. PARAMETERIZE QUERIES: CONTROL EXPLAINED
    • Untrusted input should be prevented from being interpreted as part of an SQL command:
      • Use “Query Parameterization”;
      • SQL statements are sent to and parsed by the database server separately from any parameters.
  • 16. PARAMETERIZE QUERIES: QUERY PARAMETERIZATION
    <?php
    // Connect with PDO; the SQL text and the bound values travel to the server separately.
    $dbh = new PDO("pgsql:host={$host};port={$port};dbname={$db};user={$user};password={$pass}");
    $stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
    $stmt->bindParam(':new_email', $email);
    $stmt->bindParam(':user_id', $id);
    $stmt->execute(); // the bound values are treated as data, never parsed as SQL
  • 17. PARAMETERIZE QUERIES: CONTROL EXPLAINED
    • Use defense in depth;
    • Use automated static analysis;
    • Use proper database management system configuration:
      • Configure database engines to only support parameterized queries.
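The slide-16 "update email" query written both ways, as an added example that is not part of the slides: the unsafe version splices the value into the SQL text, the safe one sends SQL and value separately through a prepared statement. It uses an in-memory SQLite database with constructed rows so it runs offline; function names and the sample data are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: an in-memory SQLite database with
// constructed rows stands in for the PostgreSQL connection of slide 16.

function connect(): PDO
{
    $dbh = new PDO('sqlite::memory:', null, null, [
        // Throw on every driver error instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // For MySQL/pgsql also pass PDO::ATTR_EMULATE_PREPARES => false so the
    // server, not the client library, parses the statement (slide 17).
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $dbh->exec("INSERT INTO users (id, email) VALUES
        (1, 'alice@example.com'), (2, 'bob@example.com'), (3, 'carol@example.com')");
    return $dbh;
}

// BEFORE: SQL text and parameter live in one string, so any quote or keyword
// inside $email changes the meaning of the statement.
function updateEmailUnsafe(PDO $dbh, int $id, string $email): int
{
    return $dbh->exec("UPDATE users SET email = '$email' WHERE id = $id");
}

// AFTER: the statement is prepared once; the values are bound as typed data.
function updateEmailSafe(PDO $dbh, int $id, string $email): int
{
    $stmt = $dbh->prepare('UPDATE users SET email = :new_email WHERE id = :user_id');
    $stmt->bindValue(':new_email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':user_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$dbh = connect();
// A perfectly legitimate address containing an apostrophe (constructed input).
$newEmail = "o'brien@example.com";

try {
    updateEmailUnsafe($dbh, 2, $newEmail);
} catch (PDOException $e) {
    // The apostrophe terminated the string literal and the query is malformed.
    // A less friendly value would not fail here; it would do something else.
    echo "unsafe: ", $e->getMessage(), "\n";
}

$rows = updateEmailSafe($dbh, 2, $newEmail);
echo "safe: updated {$rows} row(s)\n";
echo $dbh->query('SELECT email FROM users WHERE id = 2')->fetchColumn(), "\n";
```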
  • 18. PARAMETERIZE QUERIES: RESOURCES
    • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
    • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
    • https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
  • 19. PARAMETERIZE QUERIES: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 20. ENCODE DATA: PROBLEM STATEMENT
    • Web forms are written to accept inputs from untrusted sources/users.
    • An attacker tricks users into executing a malicious script that was not originally built into the website.
    • Manipulation of the user’s response.
    • XSS attacks execute in the user’s browser.
    • The same risk exists in mobile applications as well.
  • 21. ENCODE DATA: CONTROL EXPLAINED
    • Encoding is translating special characters into some equivalent form that is no longer dangerous in the target interpreter.
    • Manipulating user generated content:
      • Ensure that data is filtered;
      • Ensure that data is encoded.
    • Loading content from an external source:
      • Apps that need to display untrusted content inside a Web View should use a dedicated server/host to render and escape HTML/JavaScript content in a safe way. This prevents access to local system contents by malicious JavaScript code.
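One encoder per target interpreter, chosen at the point where the untrusted value is written out, as an added example that is not part of the slides. The helper names and the sample display name are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: the same untrusted string encoded for
// four different interpreters (slide 21). Input is constructed.

function encodeForHtml(string $data): string
{
    // HTML body and quoted attribute values: &, <, >, " and ' become entities.
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function encodeForJs(string $data): string
{
    // Inside a <script> block: JSON with <, >, &, ' and " hex-escaped, so the
    // value can never close the script element or the surrounding string.
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function encodeForUrlParam(string $data): string
{
    // Query-string value: percent-encode everything outside the unreserved set.
    return rawurlencode($data);
}

// A display name containing characters that mean something in each interpreter
// (constructed input).
$displayName = 'Tom & "Jerry" <o\'neil>';

$html = '<p>Hello, ' . encodeForHtml($displayName) . '</p>';
$attr = '<input value="' . encodeForHtml($displayName) . '">';
$js   = '<script>var name = ' . encodeForJs($displayName) . ';</script>';
$url  = 'https://example.com/profile?name=' . encodeForUrlParam($displayName);

foreach ([$html, $attr, $js, $url] as $line) {
    echo $line, "\n";
}
```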
  • 22. ENCODE DATA: RESOURCES
    • http://twig.sensiolabs.org/doc/filters/escape.html
    • https://docs.zendframework.com/zend-escaper/theory-of-operation/
    • https://laravel.com/docs/5.4/blade
    • http://boldersecurity.github.io/encoder-comparison-reference/
    • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    • https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
  • 23. ENCODE DATA: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 24. VALIDATE ALL INPUTS: PROBLEM STATEMENT
    • All data directly entered by users should be treated as untrusted.
    • An application should check that this data is both syntactically and semantically valid (in that order) before using it in any way.
    • The most secure applications treat all variables as untrusted and provide security controls regardless of the source.
  • 25. VALIDATE ALL INPUTS: CONTROL EXPLAINED
    • There are two general approaches to performing input syntax validation: white listing, which is preferred, and black listing.
    • Regular expressions offer a way to check whether data matches a specific pattern; this is a great way to implement whitelist validation.
    • The security of the application should be enforced where that input is used:
      • If input is used to build an HTML response, then the appropriate HTML encoding should be performed to prevent XSS attacks.
      • If input is used to build a SQL statement, Query Parameterization should be used.
  • 26. VALIDATE ALL INPUTS: FILE UPLOAD
    • Generic upload verification:
      • Check the filename;
      • Check the file size;
      • Ensure the decompressed size of the file is below the maximum size;
      • Ensure that an uploaded archive matches the type expected (zip, rar);
      • Ensure structured uploads such as an add-on follow the proper standard;
      • And maybe check with an anti-virus.
  • 27. VALIDATE ALL INPUTS: FILE UPLOAD
    • Image upload verification:
      • Enforce proper image size limits;
      • Use image rewriting libraries;
      • Set the extension of the stored image to a valid image extension;
      • Ensure the detected content type of the image is safe.
  • 28. VALIDATE ALL INPUTS: FILE UPLOAD
    • If you can, check files on a separate server.
    • Beware of "special" files:
      • "crossdomain.xml", "clientaccesspolicy.xml", "index.php", "config.yml", ".htaccess", "favicon.ico", "composer.json"…
    • Upload storage:
      • Use only trusted filenames + a separate domain.
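The generic and image upload checks of slides 26 to 28 combined into one validator, as an added example that is not part of the slides. It returns a trusted, generated filename to store the file under, never the name the client sent; the size limits, the allowed type table and the 1x1 PNG sample are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: validate an uploaded image by size,
// extension, detected content type and image header, then pick a trusted name.

const MAX_UPLOAD_BYTES   = 2 * 1024 * 1024;          // assumed limit
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];
// Detected MIME type => extension the stored file will get.
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

final class UploadRejected extends RuntimeException {}

function validateImageUpload(string $tmpPath, string $clientName, int $size): string
{
    // 1. Size limit, checked before anything reads the file.
    if ($size <= 0 || $size > MAX_UPLOAD_BYTES) {
        throw new UploadRejected('file size out of range');
    }

    // 2. The client-supplied name is only used for an extension whitelist check;
    //    it never reaches the filesystem (slide 28: trusted filenames only).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new UploadRejected('extension not allowed');
    }

    // 3. Detect the real content type from the bytes, not from the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new UploadRejected('detected type not allowed');
    }

    // 4. Must parse as an image with sane dimensions (an image rewriting
    //    library would re-encode it at this point).
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] > 4096 || $info[1] > 4096) {
        throw new UploadRejected('not a valid image or too large');
    }

    // 5. Trusted filename: random, extension derived from the detected type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed sample: a 1x1 PNG written to a temp file, as if just uploaded.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $png);

// Same bytes, three client-supplied names; only the whitelisted one passes.
foreach (['avatar.png', 'config.yml', 'notes.txt'] as $name) {
    try {
        echo $name, ' -> stored as ', validateImageUpload($tmp, $name, strlen($png)), "\n";
    } catch (UploadRejected $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), "\n";
    }
}
unlink($tmp);
```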
  • 29. VALIDATE ALL INPUTS: VALIDATION AND SANITIZATION
    <?php
    $email = $_POST['email'] ?? '';   // assumed source of the untrusted value
    // Strip characters that cannot appear in an address, then validate what is left.
    $sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
    if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {
        echo "This sanitized email address is considered valid.\n";
    }
  • 30. VALIDATE ALL INPUTS: RESOURCES
    • http://htmlpurifier.org/
    • http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
    • https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
    • https://www.owasp.org/index.php/Testing_for_Input_Validation
  • 31. VALIDATE ALL INPUTS: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 32. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: PROBLEM STATEMENT
    • Session management has to be secured in the application flow to maintain the state of the entity interacting with the server.
    • Only authorized users must access resources, and only after sufficient authentication.
  • 33. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: CONTROL EXPLAINED
    • Do not limit the type of characters or the length of user passwords, within reason;
      • Limiting passwords to protect against injection is doomed to failure.
      • Use a proper encoder and the other defenses described instead.
    • Be wary of systems that allow unlimited password sizes.
  • 34. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: CONTROL EXPLAINED
    • Use Multi-Factor Authentication.
    • Implement Secure Password Storage using cryptographic controls.
    • Implement a Secure Password Recovery Mechanism.
    • Session generation and expiration: on any successful authentication and reauthentication, the software should generate a new session and session id.
    • It is mandatory to set expiration timeouts for every session, after a specified period of inactivity.
    • Require reauthentication for sensitive features.
  • 35. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: PASSWORD ENCODING
    <?php
    $cost = 15;
    // From PHP 5.5 to 7.1, PASSWORD_DEFAULT selects the bcrypt algorithm
    $password_hash = password_hash("secret_password", PASSWORD_DEFAULT, ["cost" => $cost]);
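Password storage with password_hash() carried through to verification, re-hashing when the cost changes, and the session rules of slide 34 (new id on login, idle timeout), as an added example that is not part of the slides. The cost, the size bound, the timeout and the in-memory user record are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Session state is handled on a plain
// array so it runs without session_start(); in a web request it would be $_SESSION.

const BCRYPT_COST  = 12;       // assumed; tune so one hash costs ~100 ms on your hardware
const MAX_PASSWORD = 1024;     // slide 33: bound the size, do not bound the characters
const IDLE_TIMEOUT = 15 * 60;  // assumed seconds of inactivity before a session expires

function hashPassword(string $password): string
{
    if (strlen($password) > MAX_PASSWORD) {
        throw new InvalidArgumentException('password too long');
    }
    // PASSWORD_DEFAULT is bcrypt, which only looks at the first 72 bytes:
    // another reason not to accept megabytes of input here.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
}

// Returns the (possibly upgraded) hash to store on success, null on failure.
function verifyPassword(string $password, string $storedHash): ?string
{
    if (strlen($password) > MAX_PASSWORD || !password_verify($password, $storedHash)) {
        return null;
    }
    // Hashes made with an older, lower cost get upgraded transparently at login.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return $storedHash;
}

function startAuthenticatedSession(array &$session, int $userId, int $now): void
{
    if (PHP_SAPI !== 'cli') {
        session_regenerate_id(true);   // never keep the pre-login session id
    }
    $session = ['user_id' => $userId, 'last_activity' => $now, 'auth_at' => $now];
}

function sessionIsValid(array &$session, int $now): bool
{
    if (!isset($session['user_id'], $session['last_activity'])) {
        return false;
    }
    if ($now - $session['last_activity'] > IDLE_TIMEOUT) {
        $session = [];                 // expired: drop everything
        return false;
    }
    $session['last_activity'] = $now;  // sliding idle window
    return true;
}

// --- demo with a constructed user record ---
$users = ['alice' => hashPassword('correct horse battery staple')];

echo verifyPassword('correct horse battery staple', $users['alice']) !== null ? "login ok\n" : "login failed\n";
echo verifyPassword('wrong password', $users['alice']) === null ? "bad password rejected\n" : "";

$session = [];
$t0 = time();
startAuthenticatedSession($session, 1, $t0);
echo sessionIsValid($session, $t0 + 60) ? "still valid after 1 min\n" : "";
echo sessionIsValid($session, $t0 + 60 + IDLE_TIMEOUT + 1) ? "" : "expired after idle timeout\n";
```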
  • 36. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: CONTROL EXPLAINED - MOBILE APPLICATION OR API
    • Token based authentication.
    • Avoid storing/persisting authentication credentials locally on the device.
    • Perform the initial authentication using the username and password supplied by the user, then generate a short-lived access token which can be used to authenticate the client's requests without sending the user’s credentials.
  • 37. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: RESOURCES
    • https://www.owasp.org/index.php/Authentication_Cheat_Sheet
    • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
    • https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
    • https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
    • https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
    • https://www.owasp.org/index.php/Testing_for_authentication
  • 38. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 39. IMPLEMENT APPROPRIATE ACCESS CONTROLS: PROBLEM STATEMENT
    • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control.
    • Hard-coded role checks in application code;
    • Lack of centralized access control logic;
    • Untrusted data driving access control decisions;
    • Access control that is "open by default";
    • Lack of addressing horizontal access control in a standardized way (if at all);
    • Access control logic that needs to be manually added to every endpoint in code;
    • Access Control that is “sticky” per session;
    • Access Control that requires a per-user policy.
  • 40. IMPLEMENT APPROPRIATE ACCESS CONTROLS: CONTROL EXPLAINED
    • Force all requests to go through access control checks.
    • Deny by default.
    • Principle of Least Privilege: each user or system component should be allocated the minimum privilege required to perform an action, for the minimum amount of time.
    • Avoid hard-coded access control checks: the enforcement layer (checks in code) and your access control decision-making process (the access control "engine") should be separated when possible.
    • Code to the activity: consider checking in code whether the user has access to that feature, as opposed to checking what role the user is in.
    • Server-side trusted data should drive access control. Policy data such as a user’s role or an access control rule should never be part of the request.
  • 41. IMPLEMENT APPROPRIATE ACCESS CONTROLS: CODE TO THE ACTIVITY
    <?php
    // Instead of hard-coding role checks all throughout your code base
    if ($user->hasRole("ADMIN") || $user->hasRole("MANAGER")) {
        deleteAccount();
    }
    // Consider the following instead
    if ($user->hasAccess("DELETE_ACCOUNT")) {
        deleteAccount();
    }
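A small centralized access control "engine" following slide 40 (one enforcement point, deny by default, activities instead of roles, and a horizontal ownership check for data-specific access), as an added example that is not part of the slides. The classes, the policy table and the users are constructed; in a real application roles come from server-side data, never from the request.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: activity-based access control with a
// separate decision engine and a single enforcement helper. Needs PHP 8.0+.

final class User
{
    public function __construct(public int $id, public array $roles) {}
}

final class Account
{
    public function __construct(public int $id, public int $ownerId) {}
}

final class AccessDenied extends RuntimeException {}

final class AccessControl
{
    // Activity => roles allowed to perform it. Anything not listed is denied.
    private const POLICY = [
        'VIEW_ACCOUNT'   => ['ADMIN', 'MANAGER', 'USER'],
        'DELETE_ACCOUNT' => ['ADMIN', 'MANAGER'],
        'EXPORT_AUDIT'   => ['ADMIN'],
    ];

    // Activities where an unprivileged USER may only act on their own data.
    private const OWNER_ONLY_FOR_USER = ['VIEW_ACCOUNT'];

    public function hasAccess(User $user, string $activity, ?Account $target = null): bool
    {
        $allowed = self::POLICY[$activity] ?? [];          // unknown activity => nobody
        if (array_intersect($user->roles, $allowed) === []) {
            return false;                                  // deny by default
        }
        // Horizontal check: a plain USER may only touch the account they own.
        $privileged = array_intersect($user->roles, ['ADMIN', 'MANAGER']) !== [];
        if ($target !== null && !$privileged && in_array($activity, self::OWNER_ONLY_FOR_USER, true)) {
            return $target->ownerId === $user->id;
        }
        return true;
    }

    // The one call every endpoint makes; throwing means a forgotten check
    // cannot silently fall through to the action.
    public function enforce(User $user, string $activity, ?Account $target = null): void
    {
        if (!$this->hasAccess($user, $activity, $target)) {
            throw new AccessDenied("{$activity} denied for user {$user->id}");
        }
    }
}

// --- demo with constructed users and one account owned by alice ---
$ac    = new AccessControl();
$alice = new User(1, ['USER']);
$bob   = new User(2, ['USER']);
$admin = new User(3, ['ADMIN']);
$acct  = new Account(10, 1);

$cases = [
    ['alice views own account',  $alice, 'VIEW_ACCOUNT',   $acct],
    ['bob views alice account',  $bob,   'VIEW_ACCOUNT',   $acct],
    ['alice deletes account',    $alice, 'DELETE_ACCOUNT', $acct],
    ['admin deletes account',    $admin, 'DELETE_ACCOUNT', $acct],
    ['admin unknown activity',   $admin, 'REBOOT_SERVER',  null],
];
foreach ($cases as [$label, $user, $activity, $target]) {
    echo str_pad($label, 28), $ac->hasAccess($user, $activity, $target) ? 'allow' : 'deny', "\n";
}
```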
  • 42. IMPLEMENT APPROPRIATE ACCESS CONTROLS: RESOURCES
    • https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
    • https://www.owasp.org/index.php/Testing_for_Authorization
  • 43. IMPLEMENT APPROPRIATE ACCESS CONTROLS: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 44. PROTECT DATA: PROBLEM STATEMENT
    • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control.
  • 45. PROTECT DATA: CONTROL EXPLAINED
    • Classify and encrypt data at rest.
    • Do not develop your own crypto algorithm; key sizes should be appropriately chosen.
  • 46. PROTECT DATA: CONTROL EXPLAINED
    • Encrypt data in transit. TLS is by far the most common and widely supported model used by web applications for encryption in transit:
      • Confidentiality: a spy cannot view your data;
      • Integrity: a spy cannot change your data;
      • Authenticity: the server you are visiting is the right one.
    • Implement protection in transit.
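Encrypting a classified field at rest with libsodium's authenticated secretbox (the slides' resource list points at libsodium) and a TLS client context for data in transit, as an added example that is not part of the slides. The environment variable name, the record and the demo key are assumptions of this example; in production the key comes from a key management service, not from code or from the database it protects.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: authenticated encryption at rest with
// sodium_crypto_secretbox (PHP 7.2+) and a verifying TLS stream context.

function loadDataKey(): string
{
    // Assumption: the 32-byte key arrives base64-encoded in PII_DATA_KEY.
    $b64 = getenv('PII_DATA_KEY');
    if ($b64 === false) {
        return sodium_crypto_secretbox_keygen();   // demo only: a throwaway key
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PII_DATA_KEY is not a valid secretbox key');
    }
    return $key;
}

// Returns base64(nonce || ciphertext) for storage in a text column.
function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh per record
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Returns null when the record was altered or encrypted under another key.
function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Data in transit: the three TLS guarantees of slide 46 only hold when peer
// verification stays on. Use this context with file_get_contents/stream_socket_client.
function tlsClientContext()
{
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ]]);
}

// --- demo with a constructed PII record ---
$key    = loadDataKey();
$stored = encryptField('SIN 123-456-789', $key);
echo 'stored:    ', $stored, "\n";
echo 'decrypted: ', decryptField($stored, $key), "\n";

// Flip one bit of the ciphertext: the authentication tag rejects it.
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(decryptField(base64_encode($raw), $key));   // NULL
```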
  • 47. PROTECT DATA: RESOURCES
    • https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
    • https://www.ssllabs.com/projects/best-practices/
    • http://www.youtube.com/watch?v=zEV3HOuM_Vw
    • https://whispersystems.org/blog/asynchronous-security/
    • http://certificate-transparency.org
  • 48. PROTECT DATA: RESOURCES
    • https://www.owasp.org/index.php/Pinning_Cheat_Sheet
    • https://www.gitbook.com/book/jedisct1/libsodium/details
    • https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
    • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
    • https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)
  • 49. PROTECT DATA: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 50. IMPLEMENT LOGGING AND INTRUSION DETECTION: PROBLEM STATEMENT
    • Logging is used in BIA, monitoring, forensics, compliance and intrusion detection.
    • It must be designed properly from an early SDLC stage.
  • 51. IMPLEMENT LOGGING AND INTRUSION DETECTION: CONTROL EXPLAINED
    • Ensure a proper level of logging.
    • Follow a common logging approach within the system and across systems where possible, to make correlation easy.
    • Make sure to always log the timestamp and identifying information like the source IP and user id, but be careful not to log private or confidential data, opt-out data or secrets.
    • Design proper positioning of IDS sensors and management.
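A security event logger that always records timestamp, source IP and user id but redacts secrets before writing (slide 51), together with a simple failed-login sensor of the kind the AppSensor resource describes, as an added example that is not part of the slides. The redaction list, thresholds and sample events are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: structured JSON-lines security logging
// with redaction, plus a sliding-window detector for repeated failed logins.

final class SecurityLog
{
    // Context keys that must never reach a log file, whatever the event.
    private const REDACT = ['password', 'new_password', 'token', 'authorization', 'cookie', 'ssn'];

    /** @var string[] one JSON line per event (a real app writes to a sink) */
    public array $lines = [];

    public function event(string $name, string $ip, ?string $userId, array $context = []): void
    {
        foreach ($context as $k => $v) {
            if (in_array(strtolower((string) $k), self::REDACT, true)) {
                $context[$k] = '[REDACTED]';
            }
        }
        $this->lines[] = json_encode([
            'ts'      => gmdate('c'),      // one timestamp format everywhere: easy correlation
            'event'   => $name,
            'src_ip'  => $ip,
            'user_id' => $userId,
            'ctx'     => $context,
        ], JSON_THROW_ON_ERROR);
    }
}

final class FailedLoginDetector
{
    /** @var array<string, int[]> key => timestamps of recent failures */
    private array $failures = [];

    public function __construct(private int $threshold, private int $windowSeconds) {}

    // Returns true when this failure reaches the threshold inside the window.
    public function record(string $key, int $now): bool
    {
        $this->failures[$key][] = $now;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            fn (int $t) => $now - $t <= $this->windowSeconds
        ));
        return count($this->failures[$key]) >= $this->threshold;
    }
}

// --- demo: five failed logins for one user from one IP within two minutes ---
$log      = new SecurityLog();
$detector = new FailedLoginDetector(5, 120);
$now      = time();

for ($i = 0; $i < 5; $i++) {
    // The submitted password is in the context by mistake; the logger strips it.
    $log->event('login.failed', '203.0.113.7', 'alice', ['password' => 'hunter2', 'attempt' => $i + 1]);
    if ($detector->record('alice@203.0.113.7', $now + $i * 20)) {
        $log->event('auth.bruteforce_suspected', '203.0.113.7', 'alice', ['attempts' => $i + 1]);
    }
}
echo implode("\n", $log->lines), "\n";
```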
  • 52. IMPLEMENT LOGGING AND INTRUSION DETECTION: RESOURCES
    • https://www.owasp.org/index.php/Logging_Cheat_Sheet
    • https://www.owasp.org/index.php/Error_Handling,_Auditing_and_Logging
    • https://www.owasp.org/index.php/Reviewing_Code_for_Logging_Issues
    • https://www.owasp.org/index.php/OWASP_AppSensor_Project
  • 53. IMPLEMENT LOGGING AND INTRUSION DETECTION: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 54. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES: PROBLEM STATEMENT
    • Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes.
  • 55. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES: CONTROL EXPLAINED
    • When possible, the emphasis should be on using the existing secure features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they’re already using instead of forcing yet another library on them.
    • Not all frameworks are completely secure, hence it is important to build in additional security where possible, updating them frequently and verifying them for security early and often, like any other software you depend upon.
  • 56. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES: RESOURCES
    • https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
    • https://code.google.com/archive/p/mustache-security/
    • https://docs.angularjs.org/guide/security
  • 57. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 58. ERROR AND EXCEPTION HANDLING: PROBLEM STATEMENT
    • Implementing correct error and exception handling isn’t exciting, but like input data validation, it is an important part of defensive coding, critical to making a system reliable as well as secure.
    • Mistakes in error handling can lead to different kinds of security vulnerabilities.
  • 59. ERROR AND EXCEPTION HANDLING: CONTROL EXPLAINED
    • Manage exceptions in a centralized manner to avoid duplicating try/catch blocks in the code, and to ensure that all unexpected behaviors are correctly handled inside the application.
    • Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to explain the issue to the user.
    • Ensure that exceptions are logged in a way that gives enough information for Q/A, forensics or incident response teams to understand the problem.
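One central handler for every uncaught throwable, following slide 59, as an added example that is not part of the slides: the user gets a generic message plus an opaque reference id, the full detail goes to the log under the same id so support and incident response can correlate them. The log store, the exception classes treated as user-facing and the failing message are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: centralized exception handling that
// separates what the user sees from what the log keeps.

final class ErrorLog
{
    /** @var array<int, array<string, string>> constructed in-memory sink */
    public array $entries = [];
}

$errorLog = new ErrorLog();

// Returns [HTTP status, user-facing body] and records the detail under a reference id.
function describeForUser(Throwable $e, ErrorLog $log): array
{
    $ref = bin2hex(random_bytes(8));          // opaque, safe to show to the user
    $log->entries[] = [
        'ref'     => $ref,
        'class'   => get_class($e),
        'message' => $e->getMessage(),        // may contain paths, SQL, hostnames: log only
        'where'   => $e->getFile() . ':' . $e->getLine(),
        'trace'   => $e->getTraceAsString(),
    ];

    // Only expected, user-caused errors carry their own message; anything else
    // is a generic 500 so internals never reach the response.
    if ($e instanceof InvalidArgumentException) {
        return [400, "Your request could not be processed: {$e->getMessage()} (ref {$ref})"];
    }
    return [500, "Something went wrong on our side. Please try again later (ref {$ref})."];
}

// Installed once at the entry point instead of try/catch blocks everywhere.
set_exception_handler(function (Throwable $e) use ($errorLog): void {
    [$status, $body] = describeForUser($e, $errorLog);
    if (PHP_SAPI !== 'cli') {
        http_response_code($status);
    }
    echo $body, "\n";
    echo 'logged for incident response: ', $errorLog->entries[array_key_last($errorLog->entries)]['message'], "\n";
});

// Warnings and notices become exceptions so the same handler sees them.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});
ini_set('display_errors', '0');   // never let PHP print raw errors to the client

// --- demo: a user error keeps its message ---
[$status, $body] = describeForUser(new InvalidArgumentException('email address is not valid'), $errorLog);
echo "{$status}: {$body}\n";

// --- demo: an internal failure whose message must not leak (constructed) ---
throw new RuntimeException("SQLSTATE[28000] access denied for user 'app'@'db01.internal'");
```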
  • 60. ERROR AND EXCEPTION HANDLING: RESOURCES
    • https://www.owasp.org/index.php/Error_Handling
    • https://www.owasp.org/index.php/Testing_for_Error_Handling
    • https://www.owasp.org/index.php/Improper_Error_Handling
  • 61. ERROR AND EXCEPTION HANDLING: OWASP TOP 10 VULNERABILITY/ATTACKS
    A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Broken Access Control; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Insufficient Attack Protection; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Underprotected APIs
  • 62. ANY QUESTIONS? THANK YOU!
    If you want to talk more, feel free to contact me.
    http://kuzzle.io
    This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information.
    Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author.
    hello@kuzzle.io / @kuzzleio / Kuzzle / kuzzleio / http://kuzzle.io
    Browser Serving Your Web Application Security 2014-2017 Philippe Gamache
    GAMACHE, Philippe. “Browser Serving Your Web Application Security” NorthEast PHP Conference. August 10, 2017. Conference presentation.
    pgamache@kuzzle.io / @philoupedia / philippegamache / joind.in/talk/b137b
    Please visit us at: