Standardizing Application Security Inspection and Verification
Application Security Verification Standard Project
speaker: Riotaro OKADA (@okdt) at OWASP Night 18th (2015/7/29), Tokyo, Japan
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
15. “Detailed Verification Requirements”
Details of the 13 verification requirement sections
• V2. Authentication
• V3. Session Management
• V4. Access Control
• V5. Malicious Input Handling
• V7. Cryptography at Rest
• V8. Error Handling and Logging
• V9. Data Protection
• V10. Communications
• V11. HTTP
• V13. Malicious Controls
• V15. Business Logic
• V16. File and Resource
• V17. Mobile
“The numbering scheme has been kept consistent with the previous version of ASVS to help with individuals wishing to transition from one to the other.”
The top-level sections, V(number), are the same across ASVS versions.
16. Detailed Verification Requirements, V3.0 preview
• V1. Architecture, design and threat modelling (revived from v1.0 (2009))
• V2. Authentication
• V3. Session management
• V4. Access control
• V5. Malicious input handling
• V7. Cryptography at rest
• V8. Error handling and logging
• V9. Data protection
• V10. Communications
• V11. HTTP security configuration
• V13. Malicious controls
• V15. Business logic
• V16. File and resources
• V17. Mobile
• V18. Web services (NEW for 3.0)
• V19. Configuration (NEW for 3.0)
• V20. Client side Security (NEW for 3.0)
24. ASVS and YOU
First, get V2.0 (2014)!
• Approach management (the executive level)
  – Build an understanding of risk and application security
• Decide your starting level
  – L1 is recommended
• Try applying it to the software you are developing
  – It is very hard at first, but take it one item at a time
• Appoint someone responsible
  – Assign staff within the development team to examine how to apply it
• Just do it
25. ASVS and YOU
Learn the Security Principles
• Defend thoroughly at every layer: Defense in Depth
• Positive Security Model
• Fail Securely
• Principle of Least Privilege
• Avoid “Security by Obscurity”
• Do not trust the …
https://www.owasp.org/index.php/Category:Principle
26. ASVS and YOU
• V3.0 (July 2015) preview!
  – A large number of deprecated items
  – Three new Verification Topics
    • V18. Web services
    • V19. Configuration
    • V20. Client side Security
  – References also added
    • Proactive Control
    • Mobile Top 10
    • PCI DSS 3.0
27. OWASP Project - Flagship
• Tools [Reviewed September 2014]
  – OWASP Zed Attack Proxy
  – OWASP Web Testing Environment Project
  – OWASP OWTF
  – OWASP Dependency Check
• Code [Reviewed November 2014]
  – OWASP ModSecurity Core Rule Set Project
  – OWASP CSRFGuard Project
  – OWASP AppSensor Project
• Documentation [Reviewed February 2015] in progress
  – OWASP Application Security Verification Standard Project
  – OWASP Software Assurance Maturity Model (SAMM)
  – OWASP AppSensor Project
  – OWASP Top Ten Project
  – OWASP Testing Guide Project