OWASP Cheat Sheet Series Overview
About Me




Brian Boswell | Technical Lead/ISM @ Apparatus, CISSP
• OWASP Cheat Sheet Series
  – Created to provide a collection of great
    information with regards to web application
    security in one location
Active Cheat Sheets



• Current Active Cheat Sheet Topics
   – Authentication
   – Cross-Site Request Forgery
   – Transport Layer Protection
   – Input Validation
   – Forgot Password
   – SQL Injection Prevention
   – Session Management
   – Web Service
   – Logging
   – Application Security Arch
   – XSS Prevention
   – Cryptographic Storage
   – DOM based XSS
   – HTML5
Draft Cheat Sheets



• Draft Cheat Sheet Topics
   – Access
   – REST Security
   – Abridged XSS
   – PHP Security
   – Password Storage
   – Secure Coding
   – Threat Modeling
   – Clickjacking
   – Virtual Patching
   – Secure SDLC
Transport Layer Protection
Transport Layer Protection



• Benefits
  – Provide protection against eavesdroppers and
    tampering of data while in transit
  – Validation of the server or services being
    communicated with
  – Additional factor of authentication with client side
    certificates
• Requirements
  – PKI and CRL or OCSP availability
Transport Layer Protection



• Rules
  – Use TLS for login/authentication pages
  – Use TLS regardless of the network
  – Do not allow TLS and non-TLS content to be mixed
    within the same page
  – Keep sensitive information out of URLs, e.g.
     https://example.com/mysecrets/passreset?newpass=test
Transport Layer Protection



• Rules
  – Provide support for only strong Ciphers
  – Disable SSLv2
     • Apache
     SSLProtocol -ALL +SSLv3 +TLSv1
     SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Transport Layer Protection


• Rules
  – Provide support for only strong Ciphers
  – Disable SSLv2
     • Windows
     To disable weak ciphers, a new DWORD needs to be created with a value name of
     Enabled and a value of 00000000 under the following registry keys:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL

     To disable SSLv2, a new DWORD needs to be created with a value name of Enabled
     and a value of 00000000 under the following registry key:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Transport Layer Protection



• Testing SSLv2 or Weak Ciphers

openssl s_client -connect 10.1.1.1:443 -no_tls1 -no_ssl3

openssl s_client -connect 10.1.1.1:443 -cipher DES-CBC-SHA
Transport Layer Protection



• Additional Uses
  – Client-side certificates
  – Protect other backend connections
Logging
Logging



• Purpose
  – Help provide guidance on building logging into
    applications
  – Normal firewall, web server, database, etc. logs
    may not be enough, or may not contain enough
    information
Logging



• Event Sources
  – Client software
  – Firewalls
  – NIDS/HIDS
  – Databases
Logging



• Where are events recorded?
  – File system
  – Database
  – Local database used by the application
Logging



• What events should we be logging?
  – Authentication attempts
  – Authorization failures
  – Modifications to privileges
  – System startup and shutdown events
  – Input validation failures
Logging



• What attributes should we be logging?
  – Date and time
  – Application identifier
  – Event severity
  – User name or identity
Logging



• What activities should we not be logging?
  – Session identification values
  – Personally Identifiable Information
  – Passwords
  – Database connection strings
Logging



• Testing
  – Ensure permissions are set appropriately
  – Test for log injection possibilities
     Apr 26 15:09:05 fry sshd[19119]: User root from 10.0.0.1 not allowed because not listed in AllowUsers

     ssh "root from 10.0.15.1 not allowed because not listed in AllowUsers"@10.0.15.1
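Added example, not from the deck: the slide's ssh command passes a username that reads like a complete sshd denial message, so a reader of the log sees a forged entry. The Python below shows the defensive side: an encoder that neutralizes attacker-controlled log fields, and a strictly anchored parser that flags the line the unmodified message format would have written. The sshd line and username are constructed from the slide; the encoding convention (quoted field, backslash escapes) is this example's own assumption.

```python
import re

# Constructed samples taken from the slide: a genuine sshd denial line and the
# username the slide's ssh command would hand to sshd.
LEGIT_LINE = ("Apr 26 15:09:05 fry sshd[19119]: User root from 10.0.0.1 "
              "not allowed because not listed in AllowUsers")
INJECTED_USER = "root from 10.0.15.1 not allowed because not listed in AllowUsers"
# What the fixed message format writes when the user field is not encoded.
RAW_INJECTED_LINE = (f"User {INJECTED_USER} from 10.0.15.1 "
                     "not allowed because not listed in AllowUsers")


def encode_field(value):
    """Neutralize an attacker-controlled field before it goes into a log line:
    quote it and escape quotes, backslashes, CR/LF and other control bytes so it
    can never be read as a second record or as part of the fixed message."""
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def format_denied(user, ip):
    """The AllowUsers denial with the user field encoded (defensive form)."""
    return f"User {encode_field(user)} from {ip} not allowed because not listed in AllowUsers"


# Strictly anchored: optional syslog prefix, then user as a bare token or a
# quoted escaped field, then an IPv4 address, then the fixed text, then end of line.
DENIED_RE = re.compile(
    r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: )?"
    r'User (?:"(?P<quser>(?:[^"\\]|\\.)*)"|(?P<user>\S+)) '
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"not allowed because not listed in AllowUsers$"
)


def parse_denied(line):
    """Return {'user', 'ip'} for a well-formed denial line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    user = m.group("quser") if m.group("quser") is not None else m.group("user")
    return {"user": user, "ip": m.group("ip")}


def suspicious_lines(lines):
    """Detection: lines that carry the fixed message but do not parse cleanly,
    which is exactly what an injected username produces."""
    return [ln for ln in lines
            if "not listed in AllowUsers" in ln and parse_denied(ln) is None]
```

The anchored parser flags the raw injected line because the fixed text appears twice and the trailing copy cannot be consumed; the encoded form parses back to the original username without ambiguity.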
References



OWASP Cheat Sheet Site
https://www.owasp.org/index.php/Cheat_Sheets


Guide To Computer Security Log Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf


Log Injection Attack and Defence
http://www.stratsec.net/getattachment/ab1067fa-9da7-427f-809d-ddb6d69991a1/stratsec---Grzelak---Log-Injection-Attack-and-Defence.pdf

Owasp Indy Q2 2012 Cheat Sheet Overview
