A three-for-one of short talks on Web Application Security.
First, are you secure? What is secure anyway? How can you be sure? Wouldn't it be nice if there was some kind of checklist you could show when someone asks you these questions? Fortunately several security specialists at the Open Web Application Security Project (OWASP) thought so too and created just such a list, called Application Security Verification Standard (ASVS). We'll look at what it is and how you can use it.
Next we will discuss the Dutch Meldplicht Datalekken that came into effect on the first of January this year and what it means for you as a software developer.
Finally we'll wrap up with a quick overview of the OWASP Top 10 and less obvious vulnerabilities that might be lurking in your codebases.
https://www.meetup.com/Code-by-the-sea/events/234264535/
7. Level 1 Level 2 Level 3
1.1 X X X
1.2 X X
2.1 X X X
2.2 X
8.
9. ā¢ Finance and Insurance
ā¢ Manufacturing, professional, transportation,
technology, utilities, infrastructure, and defense
ā¢ Healthcare
ā¢ Retail, food, hospitality
10. V2.16
Verify that credentials are transported
using a suitable encrypted link and that
all pages/functions that require a user to
enter credentials are done so using an
encrypted link.
Level 1
11. 2.26
Verify re-authentication, step up or
adaptive authentication, two factor
authentication, or transaction signing is
required before any application-speciļ¬c
sensitive operations are permitted as
per the risk proļ¬le of the application.
Level 2
12. 8.12
Verify that the logs are stored on
a different partition than the
application is running with proper
log rotation.
Level 3
20. Data leak notiļ¬cation
requirement
ā¢ A vulnerability !== a leak
ā¢ Leaks must be reported within 72 hours
ā¢ Failure to report may result in ļ¬ne up to EUR
820.000 āØ
(UPDATE: ā¬20.000.000 or 4% of worldwide
revenues)
21. Which data?
ā¢ Personal data:
ā¢ Credentials
ā¢ Financial
ā¢ Identifying (identity theft risk)
ā¢ Stigmatizing or sensitive āØ
(religion, sexual preference, etc.)
22. Examples data leak
ā¢ Logs
ā¢ Stolen laptop / USB stick
ā¢ rm -rvf / (without backup)
ā¢ Malware infection
ā¢ Printing users[0] on frontpage
23. Examples data leak
ā¢ Shoulder surļ¬ng in train while in customer backend
ā¢ Third party developer accessed customer data
ā¢ Data centre ļ¬re
ā¢ Mailing with CC instead of BCC
33. Redis
The Redis protocol has no concept of string
escaping, so injection is impossible under normal
circumstances using a normal client library. The
protocol uses preļ¬xed-length strings and is
completely binary safe.
35. A3 - XSS
ā¢ How do you encode plain text from JavaScript?
ā¢ Why do we even care about this with browser XSS
detection?
ā¢ How does Content-Security-Policy help?
39. A5 - Security Misconļ¬g
ā¢ Is any of your software out of date? This includes the OS, Web/App
Server, DBMS, applications, and all code libraries (see new A9).
ā¢ Are any unnecessary features enabled or installed (e.g., ports,
services, pages, accounts, privileges)?
ā¢ Are default accounts and their passwords still enabled and
unchanged?
ā¢ Does your error handling reveal stack traces or other overly
informative error messages to users?
ā¢ Are the security settings in your development frameworks (e.g.,
PHP.ini, Drupal, Symfony, etc) and libraries not set to secure
values?
40. A6 - Sensitive Data
Exposure
ā¢ Is any of this data stored in clear text long term, including
backups of this data?
ā¢ Is any of this data transmitted in clear text, internally or
externally? Internet trafļ¬c is especially dangerous.
ā¢ Are any old / weak cryptographic algorithms used?
ā¢ Are weak crypto keys generated, or is proper key
management or rotation missing?
ā¢ Are any browser security directives or headers missing
when sensitive data is provided by / sent to the browser?