Setting up a secure development life cycle with OWASP - seba deleersnyder
•Download as PPTX, PDF•
7 likes•10,914 views
Using the OWASP Software Assurance Maturity Model (OpenSAMM) as a framework, this talk covers the major application security controls of a secure development lifecycle program as provided by OWASP. Featured OWASP open source material include: OWASP guidelines and tools such as ESAPI, ZAProxy, as well as educational resources.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (10)
Similar to Setting up a secure development life cycle with OWASP - seba deleersnyder
Similar to Setting up a secure development life cycle with OWASP - seba deleersnyder (20)
More from Sebastien Deleersnyder
More from Sebastien Deleersnyder (6)
Recently uploaded
Recently uploaded (20)
Setting up a secure development life cycle with OWASP - seba deleersnyder
- 1. BrightTALK Application Security summit The OWASP Foundation 14-Nov-2012 http://www.owasp.org Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member 1
- 2. Seba Deleersnyder? Based in Belgium 5 years developer experience / 12 years information security experience AppSec consultant, specialised in secure development lifecycle projects Belgian OWASP chapter founder OWASP board member www.owasp.org Co-organizer www.BruCON.org 2
- 3. OWASP World OWASP is a worldwide free and Everyone is free to participate in open community focused on OWASP and all of our materials improving the security of are available under a free and application software. open software license. Our mission is to make The OWASP Foundation is a application security visible so 501c3 not-for-profit charitable that people and organizations organization that ensures the can make informed decisions ongoing availability and support about application security risks. for our work. 3
- 4. The web application security challenge Your security “perimeter” has huge holes at the application layer Application Layer Legacy Systems Human Resrcs Web Services Directories Databases Billing Custom Developed Application Code APPLICATION ATTACK App Server Web Server Network Layer Hardened OS Firewall Firewall You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks 4
- 5. D B T P SAMM “Build in” software assurance proactive reactive security coding guidelines security testing vulnerability requirements / code reviews dynamic test scanning - threat modeling static test tools tools WAF Design Build Test Production Secure Development Lifecycle (SAMM) 5 5
- 6. Software development lifecycle (SDLC) Waterfall Agile 6
- 7. D B T P SAMM We need a Maturity Model An organization‟s Changes must behavior be iterative while changes slowly working toward over time long-term goals There is no A solution must single recipe that enable risk- based choices works for all tailored to the organizations organization Guidance related A solution must to security provide enough activities must be details for non- prescriptive security-people Overall, must be OWASP simple, well- Software Assurance defined, and Maturity Model measurable (SAMM) https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model 7
- 8. D B T P SAMM SAMM Security Practices • From each of the Business Functions, 3 Security Practices are defined • The Security Practices cover all areas relevant to software security assurance • Each one is a „silo‟ for improvement 8
- 9. D B T P SAMM Three successive Objectives under each Practice 9
- 10. D B T P SAMM Education & Guidance Give a man a fish and you feed him for a day; Teach a man to fish and you feed him for a lifetime. Chinese proverb Resources: • OWASP Top 10 • OWASP Education • WebGoat https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project https://www.owasp.org/index.php/Category:OWASP_Education_Project https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project 10
- 11. D B T P SAMM Secure Coding Practices Quick Reference Guide • Technology agnostic coding practices • What to do, not how to do it • Compact, but comprehensive checklist format • Focuses on secure coding requirements, rather then on vulnerabilities and exploits • Includes a cross referenced glossary to get developers and security folks talking the same language https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide 11
- 12. D B T P SAMM Code Review SDL Integration: • Multiple reviews defined as deliverables in your SDLC • Structured, repeatable process with management support • Reviews are exit criteria for the development and test phases Resources: • OWASP Code Review Guide https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project 12
- 13. D B T P SAMM OWASP Cheat Sheets https://www.owasp.org/index.php/Cheat_Sheets 13
- 14. D B T P SAMM Code review tooling Code review tools: • OWASP LAPSE (Security scanner for Java EE Applications) • MS FxCop / CAT.NET (Code Analysis Tool for .NET) • Agnitio (open source Manual source code review support tool) https://www.owasp.org/index.php/OWASP_LAPSE_Project http://www.microsoft.com/security/sdl/discover/implementation.aspx http://agnitiotool.sourceforge.net/ 14
- 15. D B T P SAMM Security Testing SDL Integration: • Integrate dynamic security testing as part of you test cycles • Derive test cases from the security requirements that apply • Check business logic soundness as well as common vulnerabilities • Review results with stakeholders prior to release Resources: • OWASP ASVS • OWASP Testing Guide https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project https://www.owasp.org/index.php/OWASP_Testing_Project 15
- 16. D B T P SAMM Security Testing Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually Features: • Intercepting proxy • Automated scanner • Passive scanner • Brute force scanner • Spider • Fuzzer • Port scanner • Dynamic SSL Certificates • API • Beanshell integration https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 16
- 17. D B T P SAMM Web Application Firewalls Malicious web traffic Legitimate web traffic Port 80 Web Web client Network Web Application (browser) Firewall Server Firewall ModSecurity: Worlds No 1 open source Web Application Firewall www.modsecurity.org • HTTP Traffic Logging • Real-Time Monitoring and Attack Detection • Attack Prevention and Just-in-time Patching • Flexible Rule Engine • Embedded Deployment (Apache, IIS7 and Nginx) • Network-Based Deployment (reverse proxy) OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project 17
- 18. D B T P SAMM The OWASP Enterprise Security API Custom Enterprise Web Application Enterprise Security API SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector AccessController Authenticator HTTPUtilities Randomizer Encryptor Validator Encoder Logger User Existing Enterprise Security Services/Libraries https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 18
- 19. D B T P SAMM Validation, Encoding, and Injection Global Validate Any Interpreter Specific Validate Canonicalize Sanitize Web Service Any Encoding Controller Database Mainframe User Business Data Functions Layer Etc… User Interface File System Set Character Set Canonicalize Encode For HTML Validate Example and working code snippets to perform input validation and output encoding 19
- 20. 150+ OWASP Projects PROTECT Tools: AntiSamy Java/:NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide DETECT Tools: JBroFuzz, Lice CD, WebScarab, Zed Attack Proxy Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project LIFE CYCLE SAMM, WebGoat, Legal Project 20
- 21. D B T P SAMM Get started Step 1: Step 2: define Step 3: define questionnaire your maturity phased as-is goal roadmap 21
- 22. Get involved • Use and donate back! • Attend OWASP chapter meetings and conferences • Support OWASP become personal/company member https://www.owasp.org/index.php/Membership 22
- 23. Q&A 23
- 24. Contact • @sebadele • seba@owasp.org • seba@deleersnyder.eu • www.linkedin.com/in/sebadele 24
Editor's Notes
- REMEMBER… OWASP IS JUST PEOPLEAppSec is about not about tools or technology… it’s about people. OWASP is about community.______________
- http://www.clerkendweller.com/2012/7/31/Integrating-Security-with-Agile-Software-Development
- Define building blocks for an assurance programDelineate all functions within an organization that could be improved over timeDefine how building blocks should be combinedMake creating change in iterations a no-brainerDefine details for each building block clearlyClarify the security-relevant parts in a widely applicable way (for any org doing software development)
- Three successive Objectives under each Practice define how it can be improved over timeThis establishes a notion of a Level at which an organization fulfills a given PracticeThe three Levels for a Practice generally correspond to:(0: Implicit starting point with the Practice unfulfilled)1: Initial understanding and ad hoc provision of the Practice2: Increase efficiency and/or effectiveness of the Practice3: Comprehensive mastery of the Practice at scale
- The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.The focus is on secure coding requirements, rather then on vulnerabilities and exploits. It includes an introduction to Software Security Principles and a glossary of key terms.It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.
- LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment,FxCop: An application that analyzes managed code assemblies for conformance to the Microsoft .NET Framework Design GuidelinesIn addition to security checks, FxCop analyzes assemblies for areas of improvement in design, localization, and performanceCAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application -- module-by-module -- and then analyzing all of the methods contained within each. It finally displays the issues its finds in a list that you can use to jump directly to the places in your application's source code where those issues were found. The following rules are currently support by this version of the tool. - Cross Site Scripting - SQL Injection - Process Command Injection - File Canonicalization - Exception Information - LDAP Injection - XPATH Injection - Redirection to User Controlled SiteWhile MS has not released the new version, the good news is you can still use the old Add-in for CAT.NET 1.1.1.9 in Visual Studio 2010.http://sourceforge.net/projects/agnitiotool/A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.
- ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point. In concept, the API is language independent. However, the first deliverables from the project are a Java API and a Java reference implementation. Efforts to build ESAPI in .NET and PHP are already underway. The cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. This API is designed to automatically take care of many aspects of application security, making these issues invisible to the developers. ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:There is a set of security control interfaces. They define for example types of parameters that are passed to types of security controls.There is a reference implementation for each security control. The logic is not organization‐specific and the logic is not application‐specific. An example: string‐based input validation.There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.
- The attacker can send data in any encoding. And the interpreters downstream from your application may decide to handle any encoding.CanonicalizeInput could be in any character setDouble-encodingMultiple encoding schemesDouble-encoding with multiple encoding schemesValidationSimple to configure for positive rulesImpossible to do perfectly, since you need special charactersGetSafeValueRich content – strip out bad stuff and continueDifficult – need to fully parse HTMLCanonicalize and Validate from databaseWatch out mass SQL injection?EncodeForHTMLNot perfect since browsers allow encoded characters to execute (particularly in attributes)Have to avoid double-encodingSetCharacterSetBrowser will try to guess the encoding
- Stable quality projects are generally the level of quality of professional tools or documents.PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.Tools: AntiSamy Java/:NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set ProjectDocumentation: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference GuideDETECT - These are tools and documents that can be used to find security-related design and implementation flaws.LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).