SlideShare a Scribd company logo
Enteprise Security
                              API
                              ESAPI




Thursday, 2011-03-10
Thursday, 2011-03-10
OWASP
                       The Open Web Application Project




Thursday, 2011-03-10
Thursday, 2011-03-10
I answer question

Thursday, 2011-03-10
The problems



Thursday, 2011-03-10
The problems

                  • Input Validation and Output Encoding
                  • Authentication and Identity
                  • URL Access Control
                  • Business Function Access Control
                  • Data Layer Access Control


Thursday, 2011-03-10
The problems

                  • Presentation Layer Access Control
                  • Errors, Logging, and Intrusion
                       Detection

                  • Encryption, Hashing, and
                       Randomness



Thursday, 2011-03-10
OWASP TOP 10
                                             A2 – Cross-Site Scripting
                       A1 – Injection
                                                      (XSS)

                A3 – Broken Authentication       A4 – Insecure Direct
                 and Session Management           Object References

                 A5 – Cross-Site Request         A6 – Security
                    Forgery (CSRF)              Misconfiguration

                      A7 – Insecure          A8 - Failure to Restrict
                  Cryptographic Storage            URL Access

             A9 - Insufficient Transport        A10 – Unvalidated
                  Layer Protection           Redirects and Forwards



Thursday, 2011-03-10
And over 300
                       others security
                       problems types


Thursday, 2011-03-10
Vulnerabilities and
                        Security Controls
                              Ignored   Misused




                          Broken              Missing




Thursday, 2011-03-10
Why Input Validation
                     Is Hard?



Thursday, 2011-03-10
<
Thursday, 2011-03-10
Percent (url) Encoding



                  • %3c
                  • %3C




Thursday, 2011-03-10
HTML Entity Encoding

                  • &#60        • &#60;
                  • &#060       • &#060;
                  • &#0060      • &#0060;
                  • &#00060     • &#00060;
                  • &#000060    • &#000060;
                  • &#0000060   • &#0000060;

Thursday, 2011-03-10
HTML Entity Encoding
                  • &#x3c        • &#x3c;
                  • &#x03c       • &#x03c;
                  • &#x003c      • &#x003c;
                  • &#x0003c     • &#x0003c;
                  • &#x00003c    • &#x00003c;
                  • &#x000003c   • &#x000003c;

Thursday, 2011-03-10
HTML Entity Encoding
                  • &#X3c        • &#X3c;
                  • &#X03c       • &#X03c;
                  • &#X003c      • &#X003c;
                  • &#X0003c     • &#X0003c;
                  • &#X00003c    • &#X00003c;
                  • &#X000003c   • &#X000003c;

Thursday, 2011-03-10
HTML Entity Encoding
                  • &#x3C        • &#x3C;
                  • &#x03C       • &#x03C;
                  • &#x003C      • &#x003C;
                  • &#x0003C     • &#x0003C;
                  • &#x00003C    • &#x00003C;
                  • &#x000003C   • &#x000003C;

Thursday, 2011-03-10
HTML Entity Encoding
                  • &#X3C        • &#X3C;
                  • &#X03C       • &#X03C;
                  • &#X003C      • &#X003C;
                  • &#X0003C     • &#X0003C;
                  • &#X00003C    • &#X00003C;
                  • &#X000003C   • &#X000003C;

Thursday, 2011-03-10
HTML Entity Encoding

                  • &lt       • &lt;
                  • &lT       • &lT;
                  • &Lt       • &Lt;
                  • &LT       • &LT;




Thursday, 2011-03-10
JavaScript Escape
                  • <          • x3C
                  • x3c        • X3C
                  • X3c        • u003C
                  • u003c      • U003C
                  • U003c



Thursday, 2011-03-10
CSS Escape
                  • 3c            • 3C
                  • 03c           • 03C
                  • 003c          • 003C
                  • 0003c         • 0003C
                  • 00003c        • 00003C



Thursday, 2011-03-10
UTF-7 vs UTF-8

                  • +ADw-
                  • %c0%bc
                  • %e0%80%bc
                  • %f0%80%80%bc
                  • %f8%80%80%80%bc
                  • %fc%80%80%80%80%bc

Thursday, 2011-03-10
1,677,721,600,000,000
                       ways to encode <script>




Thursday, 2011-03-10
The Solutions?



Thursday, 2011-03-10
What is Enterprise
                        Security API?



Thursday, 2011-03-10
ESAPI Community
                                    Communauté ESAPI




                       Library             Wiki        Mailing List



                                                             Users

                                                       Developers

                             Objective-C



Thursday, 2011-03-10
ESAPI Community
                                    Communauté ESAPI




                       Library             Wiki        Mailing List



                                                             Users

                                                       Developers

                             Objective-C



Thursday, 2011-03-10
ESAPI Community
                                    Communauté ESAPI




                       Library             Wiki        Mailing List



                                                             Users

                                                       Developers

                             Objective-C



Thursday, 2011-03-10
Overview of the
                       Architectural Impact




Thursday, 2011-03-10
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                                            Entreprise Security API




                        Exception Handling
                                isAuthorizedForURL()
                                isAuthorizedForFile()
                                isAuthorizedForData()




                             Logger
                                isAuthorizedForService()
                                isAuthorizedForFunction()




                        IntrusionDetector
                       SecurityConfiguration
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
Entreprise Security API

                                                                                  <?php echo $ESAPI




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties
                                                                                   ->validator()




                                                                                                                                                           Exception Handling


                                                                                                                                                                                         IntrusionDetector
                              AccessController

                                                                                   ->getValidInput(




                                                                                                                                              Randomizer
       Authenticator




                                                                                            HTTPUtilities
                                                                                      String $context,




                                                                                                            Encryptor
                                                                      Validator
                                                                                  Encoder




                                                                                                                                                                                Logger
                                                                                      String $input,
                       User




                                                                                      String type,
                                                                                      int $maxLength,
                                                                                      boolean allowNull,
                                                                                      ValidationErrorList
                                                                                          $errorList);
                                                                                  ?>



Thursday, 2011-03-10
Entreprise Security API

                                                                                  assertIsValidHttpRequest()
                    interface




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties
                                                                                  assertIsValidHttpRequest




                                                                                                                                                           Exception Handling
                 ValidationRule




                                                                                                                                                                                         IntrusionDetector
                              AccessController

                                                                                      ParameterSet()




                                                                                                                                              Randomizer
       Authenticator




                                                                                            HTTPUtilities
                                                                                  assertIsValidFileUpload()




                                                                                                            Encryptor
                                                                      Validator
                                                                                  Encoder




                                                                                                                                                                                Logger
                       User




             abstract
        BaseValidationRule
                                                                                  getValidDate()
                                                                                  getValidDouble()
                                                                                  getValidDirectoryPath()
                                                                                  getValidDouble()
                  CreditCard                                                      getValidFileContent()
                 ValidationRule
                                                                                  getValidFileName()



Thursday, 2011-03-10
Entreprise Security API

                                                                                  isValidCreditCard()
                    interface




                                                                                                                                                                                                             SecurityConfiguration
                                                                                  isValidDataFromBrowse()
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties


                                                                                                                                                           Exception Handling
                 ValidationRule




                                                                                                                                                                                         IntrusionDetector
                              AccessController

                                                                                  isValidDirectoryPath()
       Authenticator




                                                                                            HTTPUtilities




                                                                                                                                              Randomizer
                                                                                  isValidFileContent()




                                                                                                            Encryptor
                                                                      Validator
                                                                                  Encoder
                                                                                  isValidFileName()




                                                                                                                                                                                Logger
                       User




             abstract                                                             isValidHTTPRequest()
        BaseValidationRule
                                                                                  isValidListItem()
                                                                                  isValidRedirectLocation()
                                                                                  isValidSafeHTML()
                  CreditCard                                                      isValidPrintable()
                 ValidationRule
                                                                                  safeReadLine()



Thursday, 2011-03-10
Entreprise Security API

      encodeForCSS                                                                            <?php echo $ESAPI




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties
      encodeForDN                                                                              ->encoder()




                                                                                                                                                           Exception Handling


                                                                                                                                                                                         IntrusionDetector
                              AccessController

      encodeForHTML                                                                            ->encodeForHTML($name)
       Authenticator




                                                                                            HTTPUtilities




                                                                                                                                              Randomizer
      encodeForLDAP                                                                           ?>




                                                                                                            Encryptor
                                                                      Validator
                                                                                  Encoder




                                                                                                                                                                                Logger
      encodeForSQL
                       User




      encodeForURL                                                                             encodeForJavaScript
      encodeForXML                                                                             encodeForHTMLAttribute
      encodeForXPath                                                                           encodeForVBScript
                                                                                               encodeForXMLAttribute
                                                                                               encodeForXPath



Thursday, 2011-03-10
Entreprise Security API

        •Add Safe Header                                                                                    •isSecureChannel




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties
                                                                                                            •Safe Request Logging




                                                                                                                                                           Exception Handling
        •No Cache Headers




                                                                                                                                                                                         IntrusionDetector
                              AccessController


        •Set Content Type                                                                                   •Safe File Uploads
       Authenticator




                                                                                            HTTPUtilities




                                                                                                                                              Randomizer
                                                                                                            Encryptor
                                                                      Validator
        •Add Safe Cookie
                                                                                  Encoder




                                                                                                                                                                                Logger
                       User




        •Kill Cookie                                                                                        •sendSafeForward
        •Change SessionID                                                                                   •sendSafeRedirect
        •CSRF Tokens
                                                                                                            •Encrypt State in Cookie
                                                                                                            •Hidden Field Encryption
                                                                                                            •Querystring Encryption


Thursday, 2011-03-10
Entreprise Security API

                                                                                                                        •Integrity Seals




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties


                                                                                                                                                           Exception Handling
                                                                                                                        •Strong GUID




                                                                                                                                                                                         IntrusionDetector
                              AccessController
       Authenticator




                                                                                                                        •Random Tokens

                                                                                            HTTPUtilities




                                                                                                                                              Randomizer
                                                                                                            Encryptor
                                                                      Validator
         <?php $encrypted =                                                                                             •Encryption
                                                                                  Encoder




                                                                                                                                                                                Logger
                       User




          $ESAPI->encryptor()
            ->encrypt($text)
                                                                                                                        •Digital Signatures
         ?>                                                                                                             •Salted Hash
                                                                                                                        •Safe Config Details
                                                                                                                        •Timestamp


Thursday, 2011-03-10
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
Entreprise Security API


               •AccessControlException




                                                                                                                                                                                                             SecurityConfiguration
                                                 AccessReferenceMap




                                                                                                                        EncryptedProperties


                                                                                                                                                           Exception Handling


                                                                                                                                                                                         IntrusionDetector
               •AuthenticationException
                              AccessController
       Authenticator




                                                                                            HTTPUtilities
               •AvailabilityException




                                                                                                                                              Randomizer
                                                                                                            Encryptor
                                                                      Validator
                                                                                  Encoder
               •EncodingException




                                                                                                                                                                                Logger
                       User




               •EncryptionException
               •ExecutorException
               •IntegrityException
               •IntrusionException
               •ValidationException


Thursday, 2011-03-10
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
Authenticator




Thursday, 2011-03-10
                                User
                         AccessController
                       AccessReferenceMap

                           •Responses
                            •Logout User
                            Validator
                            •Log Intrusion
                            •Disable Account
                             Encoder
                          HTTPUtilities
                           •Configurable Thresholds



                            Encryptor
                       EncryptedProperties
                           Randomizer
                                                     Entreprise Security API




                        Exception Handling
                              Logger
                        IntrusionDetector
                       SecurityConfiguration
Authenticator




Thursday, 2011-03-10
                              User
                         AccessController
                       AccessReferenceMap
                            Validator
                             Encoder
                          HTTPUtilities
                            Encryptor
                       EncryptedProperties
                           Randomizer
                                              Entreprise Security API




                        Exception Handling
                             Logger
                        IntrusionDetector
                       SecurityConfiguration
OWASP TOP 10                             ESAPI
                A1: Injection                                                 Encoder

                A2: Cross Site Scripting (XSS)                      Encoder, Validator
                A3: Broken Authentication and
                                                     Authenticator, User, HTTPUtilities
                Session Management
                A4: Insecure Direct Object                       AccessReferenceMap,
                Reference                                            AccessController
                A5: Cross Site Request Forgery
                                                                   User (CSRF Token)
                (CSRF)
                A6: Security Misconfiguration                    SecurityConfiguration
                A7: Insecure Cryptographic
                                                                            Encryptor
                Storage
                A8: Failure to Restrict URL Access                    AccessController
                A9: Insufficient Transport Layer                         HTTPUtilities
                Protection                                   (Secure Cookie, Channel)
                A10: Unvalidated Redirects and
                                                                      AccessController
                Forwards



Thursday, 2011-03-10
Objective -C



               Authentication     2.0   1.4   1.4   1.4
                       Identity   2.0   1.4   1.4   1.4
               Access Control     2.0   1.4   1.4   1.4   1.4
              Input Validation    2.0   1.4   1.4   1.4   1.4   1.4   2.0
              Output Escaping     2.0   1.4   1.4   1.4         1.4   2.0
             Canonicalization     2.0   1.4   1.4   1.4         1.4   2.0
                  Encryption      2.0   1.4   1.4   1.4   1.4
            Random Numbers        2.0   1.4   1.4   1.4   1.4
          Exception Handling      2.0   1.4   1.4   1.4   1.4   1.4   2.0
                       Logging    2.0   1.4   1.4   1.4   1.4   1.4   2.0
           Intrusion Detection    2.0   1.4   1.4   1.4
        Security Configuration 2.0       1.4   1.4   1.4   1.4   1.4   2.0
                        WAF       2.0



Thursday, 2011-03-10
Adopters




Thursday, 2011-03-10
Additional Resources
             • OWASP Home Page
                             http://www.owasp.org
             • ESAPI Project Page
                             http://www.esapi.org
             • ESAPI-Users Mailing List
                       https://lists.owasp.org/mailman/
                             listinfo/esapi-users
             • ESAPI-Dev Mailing List
                       https://lists.owasp.org/mailman/
                              listinfo/esapi-dev


Thursday, 2011-03-10
Questions ?
                       • philippe@ph-il.ca
                       • http://www.ph-il.ca
                       • @SecureSymfony
                       • http://www.ph-il.ca/en/
                         conferences

                       • http://www.ph-il.ca/fr/
                         conferences




Thursday, 2011-03-10
Thursday, 2011-03-10

More Related Content

Similar to Entreprise Security API - ConFoo 2011

Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP Montreal
Philippe Gamache
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
High-Tech Bridge SA (HTBridge)
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]
Olivier Dony
 
B-sides Las Vegas - social network security
B-sides Las Vegas - social network securityB-sides Las Vegas - social network security
B-sides Las Vegas - social network security
Damon Cortesi
 
How I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTreeHow I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTree
Hajime Morrita
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
Marko Elezović
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
Satyajit Mukherjee
 
IE10 PP4 update for W3C HTML5 KIG
IE10 PP4 update for W3C HTML5 KIGIE10 PP4 update for W3C HTML5 KIG
IE10 PP4 update for W3C HTML5 KIG
Reagan Hwang
 
PyCon 2011 Scaling Disqus
PyCon 2011 Scaling DisqusPyCon 2011 Scaling Disqus
PyCon 2011 Scaling Disqus
zeeg
 
Confidence web
Confidence webConfidence web
Confidence web
Dan Kaminsky
 
JavaOne 2011 - Going Mobile With Java Based Technologies Today
JavaOne 2011 - Going Mobile With Java Based Technologies TodayJavaOne 2011 - Going Mobile With Java Based Technologies Today
JavaOne 2011 - Going Mobile With Java Based Technologies Today
Wesley Hales
 
Commercialization of OpenStack Object Storage
Commercialization of OpenStack Object StorageCommercialization of OpenStack Object Storage
Commercialization of OpenStack Object Storage
Joe Arnold
 
LA RubyConf 2009 Waves And Resource-Oriented Architecture
LA RubyConf 2009 Waves And Resource-Oriented ArchitectureLA RubyConf 2009 Waves And Resource-Oriented Architecture
LA RubyConf 2009 Waves And Resource-Oriented Architecture
Dan Yoder
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
ConSanFrancisco123
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 
Using S1000D and SCORM to Integrate Documentation and Training
Using S1000D and SCORM to Integrate Documentation and TrainingUsing S1000D and SCORM to Integrate Documentation and Training
Using S1000D and SCORM to Integrate Documentation and Training
Scott Abel
 
Sharded By Business Line: Migrating to a Core Database using MongoDB and Solr
Sharded By Business Line: Migrating to a Core Database using MongoDB and SolrSharded By Business Line: Migrating to a Core Database using MongoDB and Solr
Sharded By Business Line: Migrating to a Core Database using MongoDB and Solr
MongoDB
 
Mongo la search platform - january 2013
Mongo la   search platform - january 2013Mongo la   search platform - january 2013
Mongo la search platform - january 2013
MongoDB
 
Innovate and Integrate – Modernising API Security
Innovate and Integrate – Modernising API SecurityInnovate and Integrate – Modernising API Security
Innovate and Integrate – Modernising API Security
Forum Systems
 

Similar to Entreprise Security API - ConFoo 2011 (20)

Entreprise Security API - OWASP Montreal
Entreprise Security API - OWASP MontrealEntreprise Security API - OWASP Montreal
Entreprise Security API - OWASP Montreal
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
 
Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]
 
B-sides Las Vegas - social network security
B-sides Las Vegas - social network securityB-sides Las Vegas - social network security
B-sides Las Vegas - social network security
 
How I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTreeHow I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTree
 
Man in the Middle Attack on Banks
Man in the Middle Attack on BanksMan in the Middle Attack on Banks
Man in the Middle Attack on Banks
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
 
IE10 PP4 update for W3C HTML5 KIG
IE10 PP4 update for W3C HTML5 KIGIE10 PP4 update for W3C HTML5 KIG
IE10 PP4 update for W3C HTML5 KIG
 
PyCon 2011 Scaling Disqus
PyCon 2011 Scaling DisqusPyCon 2011 Scaling Disqus
PyCon 2011 Scaling Disqus
 
Confidence web
Confidence webConfidence web
Confidence web
 
JavaOne 2011 - Going Mobile With Java Based Technologies Today
JavaOne 2011 - Going Mobile With Java Based Technologies TodayJavaOne 2011 - Going Mobile With Java Based Technologies Today
JavaOne 2011 - Going Mobile With Java Based Technologies Today
 
Commercialization of OpenStack Object Storage
Commercialization of OpenStack Object StorageCommercialization of OpenStack Object Storage
Commercialization of OpenStack Object Storage
 
LA RubyConf 2009 Waves And Resource-Oriented Architecture
LA RubyConf 2009 Waves And Resource-Oriented ArchitectureLA RubyConf 2009 Waves And Resource-Oriented Architecture
LA RubyConf 2009 Waves And Resource-Oriented Architecture
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
 
Using S1000D and SCORM to Integrate Documentation and Training
Using S1000D and SCORM to Integrate Documentation and TrainingUsing S1000D and SCORM to Integrate Documentation and Training
Using S1000D and SCORM to Integrate Documentation and Training
 
Sharded By Business Line: Migrating to a Core Database using MongoDB and Solr
Sharded By Business Line: Migrating to a Core Database using MongoDB and SolrSharded By Business Line: Migrating to a Core Database using MongoDB and Solr
Sharded By Business Line: Migrating to a Core Database using MongoDB and Solr
 
Mongo la search platform - january 2013
Mongo la   search platform - january 2013Mongo la   search platform - january 2013
Mongo la search platform - january 2013
 
Innovate and Integrate – Modernising API Security
Innovate and Integrate – Modernising API SecurityInnovate and Integrate – Modernising API Security
Innovate and Integrate – Modernising API Security
 

More from Philippe Gamache

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
Philippe Gamache
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
Philippe Gamache
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
Philippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continue
Philippe Gamache
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011
Philippe Gamache
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuvePhilippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
Philippe Gamache
 

More from Philippe Gamache (17)

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
Kaizen ou l'amélioration continue
Kaizen ou l'amélioration continueKaizen ou l'amélioration continue
Kaizen ou l'amélioration continue
 
Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011Strong authetification - ConFoo 2011
Strong authetification - ConFoo 2011
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de MainsonneuveUne application en une heure avec symfony - Collège de Mainsonneuve
Une application en une heure avec symfony - Collège de Mainsonneuve
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
 

Recently uploaded

GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 

Recently uploaded (20)

GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 

Entreprise Security API - ConFoo 2011

  • 1. Enteprise Security API ESAPI Thursday, 2011-03-10
  • 3. OWASP The Open Web Application Project Thursday, 2011-03-10
  • 7. The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access Control Thursday, 2011-03-10
  • 8. The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and Randomness Thursday, 2011-03-10
  • 9. OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and Forwards Thursday, 2011-03-10
  • 10. And over 300 others security problems types Thursday, 2011-03-10
  • 11. Vulnerabilities and Security Controls Ignored Misused Broken Missing Thursday, 2011-03-10
  • 12. Why Input Validation Is Hard? Thursday, 2011-03-10
  • 14. Percent (url) Encoding • %3c • %3C Thursday, 2011-03-10
  • 15. HTML Entity Encoding • &#60 • &#60; • &#060 • &#060; • &#0060 • &#0060; • &#00060 • &#00060; • &#000060 • &#000060; • &#0000060 • &#0000060; Thursday, 2011-03-10
  • 16. HTML Entity Encoding • &#x3c • &#x3c; • &#x03c • &#x03c; • &#x003c • &#x003c; • &#x0003c • &#x0003c; • &#x00003c • &#x00003c; • &#x000003c • &#x000003c; Thursday, 2011-03-10
  • 17. HTML Entity Encoding • &#X3c • &#X3c; • &#X03c • &#X03c; • &#X003c • &#X003c; • &#X0003c • &#X0003c; • &#X00003c • &#X00003c; • &#X000003c • &#X000003c; Thursday, 2011-03-10
  • 18. HTML Entity Encoding • &#x3C • &#x3C; • &#x03C • &#x03C; • &#x003C • &#x003C; • &#x0003C • &#x0003C; • &#x00003C • &#x00003C; • &#x000003C • &#x000003C; Thursday, 2011-03-10
  • 19. HTML Entity Encoding • &#X3C • &#X3C; • &#X03C • &#X03C; • &#X003C • &#X003C; • &#X0003C • &#X0003C; • &#X00003C • &#X00003C; • &#X000003C • &#X000003C; Thursday, 2011-03-10
  • 20. HTML Entity Encoding • &lt • &lt; • &lT • &lT; • &Lt • &Lt; • &LT • &LT; Thursday, 2011-03-10
  • 21. JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003c Thursday, 2011-03-10
  • 22. CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003C Thursday, 2011-03-10
  • 23. UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bc Thursday, 2011-03-10
  • 24. 1,677,721,600,000,000 ways to encode <script> Thursday, 2011-03-10
  • 26. What is Enterprise Security API? Thursday, 2011-03-10
  • 27. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
  • 28. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
  • 29. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
  • 30. Overview of the Architectural Impact Thursday, 2011-03-10
  • 31. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 32. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
  • 33. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 34. Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?> Thursday, 2011-03-10
  • 35. Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName() Thursday, 2011-03-10
  • 36. Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine() Thursday, 2011-03-10
  • 37. Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPath Thursday, 2011-03-10
  • 38. Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring Encryption Thursday, 2011-03-10
  • 39. Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •Timestamp Thursday, 2011-03-10
  • 40. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 41. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 42. Entreprise Security API •AccessControlException SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector •AuthenticationException AccessController Authenticator HTTPUtilities •AvailabilityException Randomizer Encryptor Validator Encoder •EncodingException Logger User •EncryptionException •ExecutorException •IntegrityException •IntrusionException •ValidationException Thursday, 2011-03-10
  • 43. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 44. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap •Responses •Logout User Validator •Log Intrusion •Disable Account Encoder HTTPUtilities •Configurable Thresholds Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 45. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 46. OWASP TOP 10 ESAPI A1: Injection Encoder A2: Cross Site Scripting (XSS) Encoder, Validator A3: Broken Authentication and Authenticator, User, HTTPUtilities Session Management A4: Insecure Direct Object AccessReferenceMap, Reference AccessController A5: Cross Site Request Forgery User (CSRF Token) (CSRF) A6: Security Misconfiguration SecurityConfiguration A7: Insecure Cryptographic Encryptor Storage A8: Failure to Restrict URL Access AccessController A9: Insufficient Transport Layer HTTPUtilities Protection (Secure Cookie, Channel) A10: Unvalidated Redirects and AccessController Forwards Thursday, 2011-03-10
  • 47. Objective -C Authentication 2.0 1.4 1.4 1.4 Identity 2.0 1.4 1.4 1.4 Access Control 2.0 1.4 1.4 1.4 1.4 Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 Encryption 2.0 1.4 1.4 1.4 1.4 Random Numbers 2.0 1.4 1.4 1.4 1.4 Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Intrusion Detection 2.0 1.4 1.4 1.4 Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 WAF 2.0 Thursday, 2011-03-10
  • 49. Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-dev Thursday, 2011-03-10
  • 50. Questions ? • philippe@ph-il.ca • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/ conferences • http://www.ph-il.ca/fr/ conferences Thursday, 2011-03-10