Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Owasp Proactive Controls for Web developer


Published on

Simplified version of OWASP top 10 - 2016, proactive controls to prevent web applications attacks

Published in: Internet
  • Be the first to comment

Owasp Proactive Controls for Web developer

  1. 1. OWASP Proactive Controls Simplified Sameer Paradia
  2. 2. What is it?  OWASP Top 10 Proactive Controls 2016  10 Critical Security Areas That Web Developers Must Be Aware Of  _Controls  The deck tries to simplify and put in concluding way the approach by OSASP explained in above link
  3. 3. Summary of Controls 1. Verify for Security Early and Often 2. Parameterize Queries 3. Encode Data 4. Validate All Inputs 5. Implement Identity and Authentication Controls 6. Implement Appropriate Access Controls 7. Protect Data 8. Implement Logging and Intrusion Detection 9. Leverage Security Frameworks and Libraries 10. Error and Exception Handling
  4. 4. 1) Verify for Security Early and Often Problem statement • Security testing is not made part of SDLC/ Agile. • It is carried out by other than development team and dev team tries to fix them without putting much thought from coding and programming point of view. • Security must be integral part of SDLC/ Agile development Vulnerability / Attacks • All OWASP top 10 Control explained • Include security while writing testing stories and tasks. Include the Proactive Controls in stubs and drivers • Security testing stories should be defined such that the lowest child story can be implemented and accepted in a single iteration; testing a Proactive Control must be lightweight • Consider OWASP ASVS as a guide to define security requirements and testing • Convert scanning output into reusable Proactive Controls to avoid entire classes of problems
  5. 5. 2) Parameterize Queries Problem statement • The web application can even be used to run dangerous OS commands against the OS hosting the database. • The main concern with SQL injection is the fact, that the SQL query and its parameters are contained in one query string. Vulnerability / Attacks • A1 – Injection attacks • Mobile: Weak server side controls Control explained • Untrusted input should be prevented from being interpreted as part of a SQL command • Use ‘Query Parameterization’ • SQL statements are sent to and parsed by the database server separately from any parameters • Use defense in depth with use of technologies such as automated static analysis and proper database management system configuration • Configure database engines to only support parameterized queries
  6. 6. 3) Encode Data Problem statement • Web forms written to accept inputs from untrusted sources / users • Attacker tricks users into executing malicious script that was not originally built into the website • Manipulation of user response • XSS attacks execute in the user's browser • Same risk remains in mobile based applications as well Vulnerability / Attacks • A1 – Injection attacks • Cross site scripting attacks • Mobile: Client side injection Control explained • Encoding is translating special characters into some equivalent form that is no longer dangerous in the target interpreter • Manipulating user generated content: ensure that data is filtered and/or encoded when presenting it in the Web View • Loading content from an external source: apps that need to display untrusted content inside a Web View should use a dedicated server/host to render and escape HTML/Javascript content in a safe way. This prevents access to local system contents by malicious JavaScript code.
  7. 7. 4) Validate All Inputs Problem statement • All the data directly entered by users should be treated as untrusted. • An application should check that this data is both syntactically and semantically valid (in that order) before using it in any way • Additionally, the most secure applications treat all variables as untrusted and provide security controls regardless of source Vulnerability / Attacks • A1 – Injection attacks • Cross site scripting attacks • Invalidated redirects and forwards • Mobile: Client side injection • Security decisions via untrusted inputs Control explained • Use two general approaches to performing input syntax validation white listing preferred over black listing • Regular expressions offer a way to check whether data matches a specific pattern this is a great way to implement whitelist validation. • The security of the application should be enforced where that input is used, e.g., if input is used to build an HTML response, then the appropriate HTML encoding should be performed to prevent XSS attacks. Also, if input is used to build a SQL statement, Query Parameterization should be used.
  8. 8. 5) Implement Identity and Authentication Controls Problem statement • Session management has to be secured in application flow to maintain the state of entity interacting with server • Only authorized users must be accessing the resources after enough authentication Vulnerability / Attacks • Broken authentication and session management • Poor Authorization and Authentication Control explained • Use Multi Factor Authentication • For Mobile Application: Token Based Authentication. avoid storing/persisting authentication credentials locally on the device. Instead, perform initial authentication using the username and password supplied by the user, and then generate a shortlived access token which can be used to authenticate a client request without sending the user's credentials. • Implement Secure Password Storage using cryptography controls • Implement Secure Password Recovery Mechanism • Session: Generation and Expiration: On any successful authentication and reauthentication the software should generate a new session and session id. • Mandatory to set expiration timeouts for every session, after a specified period of inactivity. • Reauthentication for Sensitive Features
  9. 9. 6) Implement Access Controls Problem statement • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control Vulnerability / Attacks • Insecure direct object reference • Missing function level access controls • Poor authorization and authentication Control explained • Force All Requests to go Through Access Control Checks • Deny by Default • Principle of Least Privilege: each user or system component should be allocated the minimum privilege required to perform an action for the minimum amount of time • Avoid Hard Coded Access Control Checks: enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible • Code to the Activity: Consider checking if the user has access to that feature in code, as opposed to checking what role the user is in code • Server side Trusted Data Should Drive Access Control. Policy data such as a user's role or an access control rule should never be part of the request
  10. 10. 7) Protect Data Problem statement • Access Control is one of the main areas of application security design that must be heavily thought through up front, especially when addressing requirements like multitenancy and horizontal (data specific) access control Vulnerability / Attacks • Sensitive data exposure • Mobile: Insecure data storage Control explained • Classify and Encrypt Data at rest. Develop your own crypto algorithm & key size should be optly chosen • Encrypt Data in Transit. TLS is by far the most common and widely supported model used by web applications for encryption in transit • Implement Protection in Transit • Mobile Application: Secure Local Storage. Avoid storing the sensitive data & authentication credentials, access token, etc. on local device
  11. 11. 8) Implement Logging and Intrusion Detection Problem statement • Logging is used in BIA, Monitoring, Forensics, compliance and intrusion detection • It must be designed properly from early SDLC stage Vulnerability / Attacks • All OWASP top 10 • Mobile: Unintended data leakage Control explained • Ensure proper level of logging • Follow a common logging approach within the system and across systems where possible to make correlation easy • Make sure to always log the timestamp and identifying information like the source IP and userid, but be careful not to log private or confidential data or opt out data or secrets • Design proper positioning of IDS sensors and management
  12. 12. 9) Leverage Security Frameworks and Libraries Problem statement • Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Vulnerability / Attacks • All OWASP top 10 particularly those based on syntactically incorrect input Control explained • When possible, the emphasis should be on using the existing secure features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of forcing yet another library on them • Not all the frameworks are completely secured hence it is important to build in additional security where possible, updating frequently and verifying them for security early and often like any other software you depend upon
  13. 13. 10) Errors and exceptions handling Problem statement • Implementing correct error and exception handling isn't exciting, but like input data validation, it is an important part of defensive coding, critical to making a system reliable as well as secure. • Mistakes in error handling can lead to different kinds of security vulnerabilities Vulnerability / Attacks • All OWASP top 10 Control explained • It’s recommended to manage exceptions in a centralized manner to avoid duplicated try/catch blocks in the code, and to ensure that all unexpected behaviors are correctly handled inside the application. • Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to explain the issue to the user. • Ensure that exceptions are logged in a way that gives enough information for Q/A, forensics or incident response teams to understand the problem.
  14. 14. Sameer Paradia (CGEIT, CISM, CISSP) ( Practicing IT Security Services and Outsourcing for past 24+ years Photo acknowledgment: