Web application security: the first steps towards a secure SDLC
Antonio Fontes, OWASP Geneva Chapter Leader
Confoo Conference, March 11th 2010, Montreal, CA

(coward) disclaimer
- We haven’t found the solution, yet.
- Most methodologies are v.1.x and getting continuous improvements.
- You might need more than one point of view.
2 Antonio Fontes / Confoo Conference, Montreal / 2010

Agenda
- Context
- Some theory
- Security expectations in software
- Identifying threats and their countermeasures
- Coward strategy
- A case study
- Conclusion

About me
Antonio Fontes, from Geneva (Switzerland)
- >1999: Web developer
- >2005: Ethical hacker / Security analyst
- >2008: Security & Privacy manager (banking software ISV)
- >2008: OWASP Geneva Chapter Leader
- >2010: Information Security Consultant
- SANS/CWE Top 25 Most Dangerous Programming Errors contributor

About you?
Coders? Testers? Managers? Ninjas?

First things first: THEORY

80-20 rule
Also applies to information security:
- SQL injections
- Authentication & session management
- OWASP Top 10
- OWASP ASVS

what does “secure” mean?

Security & Privacy contract
- 1st assurance: CONFIDENTIALITY. “Data is protected from unauthorized access.”
- 2nd assurance: INTEGRITY. “Data is true and actual.”
- 3rd assurance: AVAILABILITY. “Legitimate requests get answers in legitimate time.”
- 4th assurance: TRACEABILITY. “You can reconstruct a trustworthy history of any user’s interactions with your application.”

Security & Privacy contract (cont’d)
- 5th assurance: PRIVACY. “Personal data is protected both from unauthorized access but also from unnecessary access.”
- 6th assurance: COMPLIANCE. “Data is collected, processed, accessed, stored, archived and destroyed in accordance with Law.”
- 7th assurance: REPUTATION. “Security incidents that might potentially occur won’t harm the organization’s reputation.”
These are what your boss understands! The 5 others are what you really need to solve ;)

the threat
“Nobody wants to hack us.”

Who are your threat agents? (from lower to higher effort)
- Dumb guy
- Show-off guy
- “I kill you!” guy
- Organized crime
But also…
- Competition
- Governments

Security features vs. secure features
Checklists already solve common problems!

Secure features: STRIDE model
- SPOOFING -> authentication
- TAMPERING -> integrity
- REPUDIATION -> non-repudiation
- INFORMATION DISCLOSURE -> confidentiality
- DENIAL OF SERVICE -> availability
- ELEVATION OF PRIVILEGES -> authorization
For each asset, ask yourself what nightmares you really don’t want to come true!

$$$$ issues

the big picture (security activities across the SDLC)
- Awareness operations: coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.
- Training operations: secure coding, threat modelling, code analysis, ...
- Security Activities / SDLC: S&P risk assessment, identify security requirements, threat modeling, attack surface analysis, secure design, secure coding guidelines, secure coding tools, static code analysis, unit testing, fuzz test, S&P test planning, S&P test, penetration test, secure configuration and deployment, final S&P sign-off, release archive, incident response planning, incident response, CERT response, risk assessment (attack surface review)
- SP3DC (Security and Privacy by Design, Development, Deployment and Configuration)
- Intranet portal (case studies, news, best practices, secure code repository)
- Product Risk Management Strategy

How are big companies doing?
- PT1.1: External penetration test. External penetration tests bring light to insecure applications and organizations, which need help.
- SFD1.1: Security features development. Security features (auth, crypto, session, etc.) are centrally developed and reused.
- SE1.2: Secure deployment. Host and network security basics are in place.
- CP1.3: Create a policy. Define a policy that satisfies regulatory & compliance requirements.
Source: BSI-mm (http://bsi-mm.com/)
Let’s think costs and risk reduction!

our own picture
What is cheap? What is effective?

our own picture (the same SDLC activity map as the “big picture” slide)

S&P test
- You can do it (you, or automated security scanning tools)
- You don’t need to ask (well… it depends)
- It’s virtually free (for your boss; you lose one or two evenings)
- You will get a picture:
  - that you can show your management
  - that will serve as input into your bug tracking tool
- If you use a reference (OWASP Top 10?), you can even monitor progress

Threat analysis and modeling
- You can do it (if there is documentation, it’s better)
- You don’t need to ask (well… it depends)
- It’s virtually free (for your boss; you lose one or two evenings)
- You will issue recommendations:
  - that will help you and your colleagues build more secure code
  - that you will improve with time

SUMMARY
- Security contract: 7 rules; 5 security properties that lead to 2 security concerns
- Threat agents
- Low-cost SDLC injection phases

lazy strategy

lazy strategy
Your goal: staying out of statistics (shame avoidance pattern)
UK breach investigation report*:
- 60% of web intrusions: SQL Injection
- 30% of web intrusions: authentication
Web hacking incidents database:
- 19%: SQL Injection
- 11%: authentication attacks
OWASP Top 10 web application security risks: don’t get exposed to one of these attacks!
*: 7Safe - UK Security breach investigations report 2010

lazy strategy (cont’d)
Don’t be a hero (yet), use checklists! Start simple and short.
- Generic items (security features): reduce exposure to technical attacks
  - OWASP Application Security Verification Standard
  - MS Web applications threats and countermeasures security checklist
- Specific items (secure features): reduce exposure to attacks relating to your business
Many checklists are already automated: use an automatic security scanning tool!!!

lazy strategy (cont’d)
Lazy threat modeling:
- List the use cases and identify the most valuable assets involved with them.
- Think about how the assets might be exposed if the use case goes wrong: STRIDE model, attack scenarios.
- Identify countermeasures.
- Apply these countermeasures.

CASE STUDY: the Twitter case (because it’s simple to understand, and solved)

Get fast and cheap results
- Quick start: automatic security scan!!!
- Runtime: 10 minutes (if you use a 9600 bps modem)
- It should reveal major holes…

Reducing the heatmap
Major use cases

Valuable assets

Data-flows
- Actors and components: User, Web Server, SMS gateway, Log & Audit
- Use cases: Register, Authenticate, Set status, View archive, View user feed
- Data stores: Mobile numbers, Accounts and credentials, Requests, Messages & lists
Questions raised on the diagram:
- Data stores: any need for encryption?
- Factors: what credentials make a valid authentication? Can they be spoofed?
- Data transport in non-trust zone: any need for encryption?
- Data transport in semi-trust zone: any need for encryption?
- Trust boundary: what is the input validation strategy?

Nightmares list (think “STRIDE”)

Countermeasures

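The lazy threat modeling steps (list use cases and their assets, derive the STRIDE nightmares, identify and apply countermeasures) and the case-study slides above can be kept as plain data with a check that nothing was left unmitigated. The following is an added example, not material from the slides: use case, asset and STRIDE names follow the deck, while the scenarios and countermeasure lists are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# STRIDE category -> the security property it threatens (as on the STRIDE slide)
STRIDE: Dict[str, str] = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}


@dataclass
class Nightmare:
    asset: str
    category: str                 # a STRIDE key
    scenario: str                 # what happens when the use case goes wrong
    countermeasures: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")


@dataclass
class UseCase:
    name: str
    assets: List[str]
    nightmares: List[Nightmare] = field(default_factory=list)


def uncovered(model: List[UseCase]) -> List[Tuple[str, str, str]]:
    """(use case, asset, STRIDE category) for every nightmare with no countermeasure."""
    return [(uc.name, n.asset, n.category)
            for uc in model for n in uc.nightmares if not n.countermeasures]


def property_coverage(model: List[UseCase]) -> Dict[str, Tuple[int, int]]:
    """security property -> (nightmares identified, nightmares with a countermeasure)."""
    cov: Dict[str, Tuple[int, int]] = {}
    for uc in model:
        for n in uc.nightmares:
            prop = STRIDE[n.category]
            found, fixed = cov.get(prop, (0, 0))
            cov[prop] = (found + 1, fixed + (1 if n.countermeasures else 0))
    return cov


# Constructed model of the case study: names from the slides, scenarios and
# countermeasures written for this example.
TWITTER_MODEL: List[UseCase] = [
    UseCase("Authenticate", ["Accounts and credentials"], [
        Nightmare("Accounts and credentials", "Spoofing",
                  "password guessed by repeated attempts",
                  ["login throttling / lockout", "password strength policy"]),
        Nightmare("Accounts and credentials", "Spoofing",
                  "existing session stays valid after the password is changed",
                  ["invalidate other sessions on password change"]),
    ]),
    UseCase("Set status (SMS)", ["Accounts and credentials", "Mobile numbers"], [
        Nightmare("Accounts and credentials", "Spoofing",
                  "SMS originator number forged",
                  ["per-user PIN required in SMS-originated messages"]),
        Nightmare("Messages & lists", "Repudiation",
                  "user denies having posted a status",
                  ["log & audit of the SMS gateway"]),
    ]),
    UseCase("View archive", ["Messages & lists"], [
        Nightmare("Messages & lists", "Information disclosure",
                  "protected messages readable without authorization"),  # gap: nothing yet
    ]),
]

if __name__ == "__main__":
    for gap in uncovered(TWITTER_MODEL):
        print("GAP:", gap)
    for prop, (found, fixed) in sorted(property_coverage(TWITTER_MODEL).items()):
        print(f"{prop:18} identified={found} mitigated={fixed}")
```

Running it lists the one unmitigated nightmare and the per-property tally; the same two functions work for any model written in this shape, which is the point of keeping the "nightmares list" as data rather than in a slide image.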
CASE STUDY: is this already useful?

April 2007
A security vulnerability was reported on April 7 2007 by Nitesh Dhanjani & Rujith. The problem was due to Twitter’s using the SMS message originator as the authentication of the user’s account. Nitesh used fakemytext.com to spoof a text message. This vulnerability can only be used if the victim’s phone number is known. Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages within a few weeks of this discovery.
Source: http://en.wikipedia.org/wiki/Twitter

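The weakness described above is a trust decision: the SMS originator field, which the application does not control, was treated as proof of identity. Below is an added illustration (not Twitter’s code and not part of the original slides) of an originator-only handler next to one that requires the optional PIN the slide mentions. The InboundSms record, the PBKDF2 hashing of the PIN and the five-failure lockout are assumptions made for the example; the "forged" message is just a constructed record whose originator field carries the victim’s number.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

PBKDF2_ROUNDS = 50_000      # assumed parameters for the example
MAX_PIN_FAILURES = 5


@dataclass
class Account:
    username: str
    mobile: str
    pin_salt: Optional[bytes] = None   # None: the user has not enrolled a PIN
    pin_hash: Optional[bytes] = None
    pin_failures: int = 0


@dataclass
class InboundSms:
    originator: str   # "From" number as reported by the gateway: untrusted input
    body: str


def enroll_pin(acct: Account, pin: str) -> None:
    """Store a salted hash of the PIN; the PIN itself is never kept."""
    acct.pin_salt = secrets.token_bytes(16)
    acct.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ROUNDS)
    acct.pin_failures = 0


def _pin_matches(acct: Account, pin: str) -> bool:
    assert acct.pin_salt is not None and acct.pin_hash is not None
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pin_hash)   # constant-time comparison


class OriginatorOnlyHandler:
    """The 2007 design: whoever appears as the originator is taken to be the account owner."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        self.by_mobile: Dict[str, Account] = {a.mobile: a for a in accounts}

    def handle(self, sms: InboundSms) -> Optional[Tuple[str, str]]:
        acct = self.by_mobile.get(sms.originator)
        if acct is None:
            return None
        return (acct.username, sms.body)      # posted as that user, no further check


class PinHandler(OriginatorOnlyHandler):
    """Hardened: the originator only selects the account; a PIN at the start of the
    body authenticates it. Accounts without a PIN keep the old exposure."""

    def handle(self, sms: InboundSms) -> Optional[Tuple[str, str]]:
        acct = self.by_mobile.get(sms.originator)
        if acct is None:
            return None
        if acct.pin_hash is None:
            return (acct.username, sms.body)  # opted out: same behaviour as before
        if acct.pin_failures >= MAX_PIN_FAILURES:
            return None                       # locked until the PIN is re-enrolled
        pin, _, text = sms.body.partition(" ")
        if not pin or not _pin_matches(acct, pin):
            acct.pin_failures += 1            # a counter worth alerting on
            return None
        acct.pin_failures = 0
        return (acct.username, text)


def demo() -> Dict[str, bool]:
    """Replay the case study with constructed data; each key records one check."""
    victim = Account("alice", "+15550001111")
    forged = InboundSms("+15550001111", "I was never here")  # originator set to alice's number
    legacy, hardened = OriginatorOnlyHandler([victim]), PinHandler([victim])
    r: Dict[str, bool] = {}
    r["legacy_accepts_forged"] = legacy.handle(forged) == ("alice", "I was never here")
    r["pin_less_account_still_exposed"] = hardened.handle(forged) == ("alice", "I was never here")
    enroll_pin(victim, "4242")
    r["forged_without_pin_rejected"] = hardened.handle(forged) is None
    r["wrong_pin_rejected"] = hardened.handle(InboundSms("+15550001111", "0000 hi")) is None
    r["failures_counted"] = victim.pin_failures == 2
    r["correct_pin_accepted"] = hardened.handle(
        InboundSms("+15550001111", "4242 good morning")) == ("alice", "good morning")
    r["counter_reset"] = victim.pin_failures == 0
    for _ in range(MAX_PIN_FAILURES):
        hardened.handle(InboundSms("+15550001111", "9999 x"))
    r["locked_after_repeated_failures"] = hardened.handle(
        InboundSms("+15550001111", "4242 still locked")) is None
    return r
```

Two points the slide only implies are visible in the code: an account that never enrolled a PIN is exactly as exposed as before (the PIN was optional), and the failure counter is both a lockout and a detection signal, since a forged-originator attempt against an enrolled account shows up as PIN failures.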
2008
BrainShaler.com, 2008, writes a blog entry where his Twitter account gets hacked by a friend. After tarnishing his online reputation, his friend was persuaded to give back the account and he managed to change his password. However, this did not seem to help. His friend still had access because his friend was already authenticated. Twitter’s sessions did not expire, therefore, access was granted as long as his friend had an active session and didn’t log out.
Source: http://en.wikipedia.org/wiki/Twitter

January 2009
33 high-profile Twitter accounts were compromised, and falsified messages—including sexually explicit and drug-related messages—were sent. The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack.
“We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools.”
Sources: http://en.wikipedia.org/wiki/Twitter
http://blog.twitter.com/2009/01/monday-morning-madness.html

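The 2008 and January 2009 incidents above are both authentication and session-management failures, the second category the 80-20 slide singles out. As an added example (not Twitter’s code, not from the slides), here is an in-memory authentication service whose sessions carry the password generation they were issued under, so a password change silently kills every other session on its next request, and whose login counts failures towards a temporary lockout. The thresholds, timeouts, PBKDF2 parameters and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_LOGINS = 5       # assumed thresholds and timeouts
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 30 * 60
PBKDF2_ROUNDS = 50_000


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # bumped on every password change
    failed_logins: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    pw_generation: int      # generation this session was issued under
    last_seen: float


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(salt, self._hash(salt, password))

    def login(self, name: str, password: str) -> Optional[str]:
        """Return a session token or None; failures count towards a temporary lockout."""
        now = self.clock()
        user = self.users.get(name)
        if user is None or now < user.locked_until:
            return None
        if not hmac.compare_digest(self._hash(user.salt, password), user.pw_hash):
            user.failed_logins += 1
            if user.failed_logins >= MAX_FAILED_LOGINS:
                user.locked_until, user.failed_logins = now + LOCKOUT_SECONDS, 0
            return None
        user.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.pw_generation, now)
        return token

    def session_user(self, token: str) -> Optional[str]:
        """Resolve a token; drop it when idle too long or issued under an old password."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        stale = sess.pw_generation != self.users[sess.user].pw_generation
        if stale or now - sess.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        sess.last_seen = now
        return sess.user

    def change_password(self, token: str, old: str, new: str) -> bool:
        """Re-authenticate, rotate the hash, bump the generation: every other session dies."""
        name = self.session_user(token)
        if name is None:
            return False
        user = self.users[name]
        if not hmac.compare_digest(self._hash(user.salt, old), user.pw_hash):
            return False
        user.salt = secrets.token_bytes(16)
        user.pw_hash = self._hash(user.salt, new)
        user.pw_generation += 1
        self.sessions[token].pw_generation = user.pw_generation  # only this session survives
        return True


def demo() -> Dict[str, bool]:
    now, r = [1_000_000.0], {}                           # controllable clock for the replay
    auth = AuthService(lambda: now[0])
    auth.register("victim", "correct horse")
    other = auth.login("victim", "correct horse")        # 2008: a second, pre-existing session
    own = auth.login("victim", "correct horse")
    r["other_valid_before_change"] = auth.session_user(other) == "victim"
    r["password_changed"] = auth.change_password(own, "correct horse", "battery staple")
    r["other_dead_after_change"] = auth.session_user(other) is None
    r["own_still_alive"] = auth.session_user(own) == "victim"
    for _ in range(MAX_FAILED_LOGINS):                    # 2009: repeated wrong guesses
        auth.login("victim", "guess")
    r["locked_out_even_for_right_password"] = auth.login("victim", "battery staple") is None
    now[0] += LOCKOUT_SECONDS + 1
    r["unlocked_after_timeout"] = auth.login("victim", "battery staple") is not None
    now[0] += IDLE_TIMEOUT + 1
    r["own_expired_when_idle"] = auth.session_user(own) is None
    return r
```

Tagging sessions with a generation number, rather than enumerating and deleting them, is what makes revocation work when sessions live in a store you cannot scan cheaply; the idle timeout covers the "never expires" half of the 2008 story, and the lockout is the simplest of the sign-in hardenings the 2009 statement alludes to.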
It seems to help…

what’s next?

#1: Clean up!
Configure your bug tracking tool:
- Add a ‘security’ category
- Add a “critical, high, low” impact attribute
- Add a “design, implementation, configuration” source attribute
- Don’t forget to store the time required to fix the issue! At a later time, this will help you get $$$!
Start testing your web application:
- Automated if you don’t have time.
- OWASP Application Security Verification Standard is a good start: http://www.owasp.org/index.php/ASVS
Identify your worst nightmares:
- Conduct lazy threat analysis and check if countermeasures are in place
Fix all security issues you find:
- WARNING: Don’t find problems if you’re not ready to solve them!
After this point, you will already be ahead of many others.

#2: Sharpen your skills!
Understand technical attacks and countermeasures:
- Threat classification (WASC): http://projects.webappsec.org/Threat-Classification
- Top 10 Web application security risks (OWASP): http://www.owasp.org/index.php/Top_10
Learn and adhere to secure coding principles:
- Secure Development Principles Whitepaper (Security Ninja): http://www.securityninja.co.uk/wp-content/uploads/2009/09/secure_development_principles_final.pdf
Learn threat modeling:
- Threat Modeling Web Applications (Microsoft): http://msdn.microsoft.com/en-us/library/ms978516.aspx
Evangelize around you:
- Show and share with your teammates what you learned!

#3: Talk to management!
Be ready to hit walls. Otherwise, stay silent and just fix what you can.
Compile your data. C-levels understand “financial profit”, “compliance”, and “reputation exposure”:
- Tell them what the current situation is
- Look into your bug tracking tool: how much time was (or will be) involved in fixing the flaws you found? How much time would it take to fix them at design time?
Get promoted (and ask for a raise, if you dare): “Product Manager – Security & Privacy”

#4: Continue securing your SDLC
Choose your college:
- Security Development Lifecycle (Microsoft): http://blogs.msdn.com/sdl/
- Open Software Assurance Maturity Model (OWASP): http://www.opensamm.org/
- Building Security in Maturity Model (Cigital/Fortify): http://www.bsi-mm.com/

Conclusion
What’s the 1st major wall?
Just start.

Conclusion
What’s the 2nd major wall?
Not applying those damn checklists.

Conclusion
If you can “start” and “apply a checklist”…
You’re almost done! ;)

questions…?

Thank you!
t: starbuck3000
slideshare: starbuck3000

Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-final
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case study
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
Meet the OWASP
Meet the OWASPMeet the OWASP
Meet the OWASP
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat Modeling
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 

Recently uploaded

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 

Recently uploaded (20)

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 

Web application security: how to start?

  • 1. Web application security: the first steps towards a secure SDLC. Antonio Fontes, OWASP Geneva Chapter Leader. Confoo Conference, March 11th 2010, Montreal, CA
  • 2. (coward) disclaimer: We haven’t found the solution, yet. Most methodologies are v.1.x and getting continuous improvements. You might need more than one point of view. (Antonio Fontes / Confoo Conference, Montreal / 2010)
  • 3. Agenda: Context; Some theory; Security expectations in software; Identifying threats and their countermeasures; Coward strategy; A case study; Conclusion
  • 4. About me: Antonio Fontes, from Geneva (Switzerland). >1999: Web developer. >2005: Ethical hacker / Security analyst. >2008: Security & Privacy manager (banking software ISV). >2008: OWASP Geneva Chapter Leader. >2010: Information Security Consultant. SANS/CWE Top 25 Most Dangerous Programming Errors contributor.
  • 5. About you? Coders? Testers? Managers? Ninjas?
  • 6. First things first: THEORY
  • 7. 80-20 rule. Also applies to information security: SQL injections; Authentication & session management; OWASP Top 10; OWASP ASVS
  • 8. what does “secure” mean?
  • 9. Security & Privacy contract
      1st assurance: CONFIDENTIALITY: “Data is protected from unauthorized access.”
      2nd assurance: INTEGRITY: “Data is true and actual.”
      3rd assurance: AVAILABILITY: “Legitimate requests get answers in legitimate time.”
      4th assurance: TRACEABILITY: “You can reconstruct a trustworthy history of any user’s interactions with your application.”
  • 10. Security & Privacy contract (cont’d)
      5th assurance: PRIVACY: “Personal data is protected both from unauthorized access but also from unnecessary access.”
      6th assurance: COMPLIANCE: “Data is collected, processed, accessed, stored, archived and destroyed in accordance with Law.”
      7th assurance: REPUTATION: “Security incidents that might potentially occur won’t harm the organization’s reputation.”
      These are what your boss understands! The 5 others are what you really need to solve ;)
  • 11. the threat: “Nobody wants to hack us.”
  • 12. Who are your threat agents? (lower effort to higher effort) Dumb guy; Show-off guy; « I kill you! » guy; Organized crime. But also… Competition; Governments.
  • 13. Security features vs. secure features. Checklists already solve common problems!
  • 14. Secure features: STRIDE model
      SPOOFING -> authentication
      TAMPERING -> integrity
      REPUDIATION -> non-repudiation
      INFORMATION DISCLOSURE -> confidentiality
      DENIAL OF SERVICE -> availability
      ELEVATION OF PRIVILEGES -> authorization
      For each asset, ask yourself what nightmares you really don’t want to come true!
  • 15. $$$$ issues
  • 16. the big picture (diagram of security activities across the SDLC)
      Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.)
      Training operations (secure coding, threat modelling, code analysis, ...)
      Security activities / SDLC: S&P risk assessment; secure design; secure coding guidelines; incident response; risk assessment (attack surface review); incident response planning; attack surface analysis; secure coding tools; penetration test; final S&P sign-off; S&P test; identify security requirements; CERT response; secure configuration and deployment; threat modeling; unit testing; static code analysis; fuzz test; release archive; S&P test planning
      SP3DC (Security and Privacy by Design, Development, Deployment and Configuration)
      Intranet portal (case studies, news, best practices, secure code repository)
      Product Risk Management Strategy
  • 17. How are big companies doing?
      PT1.1: External penetration test: external penetration tests bring light to insecure applications and organizations, which need help.
      SFD1.1: Security features development: security features (auth, crypto, session, etc.) are centrally developed and reused.
      SE1.2: Secure deployment: host and network security basics are in place.
      CP1.3: Create a policy: define a policy that satisfies regulatory & compliance requirements.
      Source: BSI-mm (http://bsi-mm.com/). Let’s think costs and risk reduction!
  • 18. our own picture: What is cheap? What is effective?
  • 19. our own picture (the SDLC activity diagram of slide 16, repeated)
  • 20. S&P test
      You can do it (you, or automated security scanning tools)
      You don’t need to ask (well… it depends)
      It’s virtually free (for your boss; you lose one or two evenings)
      You will get a picture that you can show your management, and that will serve as input into your bug tracking tool
      If you use a reference (OWASP Top 10?), you can even monitor progress
  • 21. Threat analysis and modeling
      You can do it (if there is documentation, it’s better)
      You don’t need to ask (well… it depends)
      It’s virtually free (for your boss; you lose one or two evenings)
      You will issue recommendations that will help you and your colleagues build more secure code, and that you will improve with time
  • 22. SUMMARY: Security contract: 7 rules; 5 security properties that lead to 2 security concerns; Threat agents; Low-cost SDLC injection phases
  • 23. lazy strategy
  • 24. lazy strategy. Your goal: staying out of statistics (shame avoidance pattern).
      UK breach investigation report*: 60% of web intrusions: SQL injection; 30% of web intrusions: authentication
      Web hacking incidents database: 19%: SQL injection; 11%: authentication attacks
      OWASP Top 10 web application security risks: don’t get exposed to one of these attacks!
      *: 7Safe - UK Security breach investigations report 2010
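The slide puts SQL injection at the top of both intrusion statistics. As an added example (not code from the deck or from its author), here is the checklist item in its smallest form: a lookup that splices a request parameter into the SQL text, beside the parameterized version that the OWASP ASVS requires. The table and its two rows are constructed in memory with the sqlite3 module; the input in the self-check is only there to show that the bound parameter is compared as a value.

```python
"""Added example (not from the slides): the top intrusion cause on the slide,
SQL injection, as a vulnerable lookup beside its parameterized fix, run against
a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The checklist failure: the request parameter is spliced into the SQL
    text, so a quote character in it changes the shape of the query."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter travels separately from the statement, so
    the database only ever compares it as a value."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both variants on the same input; used by the self-check below."""
    conn = make_db()
    return {"vulnerable": find_user_vulnerable(conn, name),
            "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

An automated scanner, the quick start the deck recommends, finds the first function by sending exactly this kind of input and watching the result set change; a static-analysis rule finds it by flagging string formatting that feeds `execute()`. Either finding goes into the bug tracker under the “security” category set up on slide 43.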
  • 25. lazy strategy (cont’d). Don’t be a hero (yet), use checklists! Start simple and short.
      Generic items (security features): reduce exposure to technical attacks. OWASP Application Security Verification Standard; MS Web applications threats and countermeasures security checklist
      Specific items (secure features): reduce exposure to attacks relating to your business
      Many checklists are already automated: use an automatic security scanning tool!!!
  • 26. lazy strategy (cont’d). Lazy threat modeling:
      List the use cases and identify the most valuable assets involved with them.
      Think about how the assets might be exposed if the use case goes wrong: STRIDE model, attack scenarios.
      Identify countermeasures.
      Apply these countermeasures.
  • 27. CASE STUDY: the Twitter case (because it’s simple to understand, and solved)
  • 28. Get fast and cheap results. Quick start: automatic security scan!!! Runtime: 10 minutes (if you use a 9600 bps modem). It should reveal major holes…
  • 30. Major use cases
  • 31. Valuable assets
  • 32. Data-flows (diagram)
      Actors and components: User; Web Server; SMS gateway; Log & Audit
      Use cases: Register; Authenticate; Set status; View archive; View user feed
      Data stores: Mobile numbers; Accounts and credentials; Messages & lists
      Questions written on the diagram:
        Data stores: any need for encryption?
        Factors: what credentials make a valid authentication? Can they be spoofed?
        Data transport in non-trust zone: any need for encryption?
        Trust boundary: what is the input validation strategy?
        Data transport in semi-trust zone: any need for encryption?
  • 33. Nightmares list (think “STRIDE”)
  • 34. Countermeasures
  • 35. Countermeasures
  • 36. Countermeasures
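Slides 26 and 30 to 36 describe the lazy method and then apply it to Twitter, but the nightmares and countermeasures slides are images. As an added example (not the author’s worked result), the four steps are carried through in code on a constructed reading of the slide 32 diagram: the data stores, flows and authentication factors are typed up as data, and the questions written on the diagram become checks that emit a STRIDE letter and a countermeasure. Every flag value (which store is encrypted, which flow is audited, which factor is spoofable) is an assumption chosen for illustration, not a statement about the real service; only the S, T, R and I letters have a check here, because those are the letters the diagram’s questions cover.

```python
"""Added example (not from the slides): the lazy threat modeling steps of
slide 26 run over a constructed reading of the slide 32 data-flow diagram.
The checks are the questions written on that diagram; every flag value
below is an assumption made for illustration, not a statement about Twitter."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Store:
    name: str
    personal: bool      # holds personal data or credentials
    encrypted: bool     # "Data stores: any need for encryption?"


@dataclass(frozen=True)
class Flow:
    use_case: str
    src: str
    dst: str
    zone: str           # "trust", "semi-trust" or "non-trust"
    encrypted: bool     # "Data transport ... any need for encryption?"
    validated: bool     # "Trust boundary: what is the input validation strategy?"
    audited: bool       # does Log & Audit consume this request?


@dataclass(frozen=True)
class Factor:
    name: str
    spoofable: bool     # "Factors: ... can they be spoofed?"


@dataclass(frozen=True)
class Finding:
    stride: str
    where: str
    countermeasure: str


def nightmares(stores, flows, factors):
    """Steps 2 and 3 of the lazy method: walk the assets with STRIDE and pair
    each nightmare with a countermeasure."""
    out = []
    for s in stores:
        if s.personal and not s.encrypted:
            out.append(Finding("I", s.name, "encrypt the store, or stop collecting the data"))
    for f in flows:
        where = f"{f.use_case}: {f.src} -> {f.dst} ({f.zone} zone)"
        if f.zone != "trust" and not f.encrypted:
            out.append(Finding("I", where, "encrypt the transport"))
            out.append(Finding("T", where, "integrity-protect the transport"))
        if not f.validated:
            out.append(Finding("T", where, "validate input at the trust boundary"))
        if not f.audited:
            out.append(Finding("R", where, "send the request to Log & Audit"))
    for fac in factors:
        if fac.spoofable:
            out.append(Finding("S", fac.name, "add a factor only the legitimate sender knows"))
    return out


def twitter_model():
    """Step 1: use cases, assets and flows read off the slide 32 diagram
    (constructed values, assumptions throughout)."""
    stores = [Store("Mobile numbers", personal=True, encrypted=False),
              Store("Accounts and credentials", personal=True, encrypted=True),
              Store("Messages & lists", personal=False, encrypted=False)]
    flows = [Flow("Register", "User", "Web Server", "non-trust", True, True, True),
             Flow("Authenticate", "User", "Web Server", "non-trust", True, True, True),
             Flow("Set status", "SMS gateway", "Web Server", "semi-trust", False, True, False),
             Flow("View archive", "Web Server", "User", "non-trust", True, True, True)]
    factors = [Factor("SMS originator number", spoofable=True),
               Factor("Password", spoofable=False)]
    return stores, flows, factors


def report(findings):
    """Render the nightmares list, one line per finding."""
    return [f"[{f.stride}] {STRIDE[f.stride]} at {f.where}: {f.countermeasure}"
            for f in findings]


if __name__ == "__main__":
    print("\n".join(report(nightmares(*twitter_model()))))
```

Step 4, applying the countermeasures, is the bug tracker’s job: each `Finding` maps onto one ticket with the impact and source attributes of slide 43. The point of keeping the model as data is that the same checks rerun unchanged when a new flow or store is added, which is how the recommendations of slide 21 “improve with time”.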
  • 37. CASE STUDY: is this already useful?
  • 38. April 2007. A security vulnerability was reported on April 7 2007 by Nitesh Dhanjani & Rujith. The problem was due to Twitter’s using the SMS message originator as the authentication of the user’s account. Nitesh used fakemytext.com to spoof a text message. This vulnerability can only be used if the victim’s phone number is known. Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages within a few weeks of this discovery. (http://en.wikipedia.org/wiki/Twitter)
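This is the “Can they be spoofed?” question from the data-flow diagram answered the hard way. As an added example (not Twitter’s code, and not from the deck), the two authentication rules sit side by side: the vulnerable one identifies the account from the originator header alone, the fixed one additionally requires the optional PIN the slide mentions. Numbers, users and PINs are constructed, and the “<pin> <text>” message syntax is an assumption.

```python
"""Added example (not from the slides): the April 2007 flaw as code, beside
the PIN-based check Twitter introduced. Numbers, users and PINs are
constructed; the command syntax "<pin> <text>" is an assumption."""
import hmac
from typing import Optional


class SmsCommandAuth:
    """Maps an inbound SMS to the account allowed to post from it."""

    def __init__(self):
        # mobile number -> account record (constructed in-memory store)
        self.accounts = {}

    def register(self, number: str, user: str, pin: Optional[str] = None) -> None:
        self.accounts[number] = {"user": user, "pin": pin}

    def authenticate_originator_only(self, originator: str, body: str):
        """The vulnerable rule: the originator header alone identifies the
        account. Anyone who can forge that header posts as the user."""
        acct = self.accounts.get(originator)
        if acct is None:
            return None
        return acct["user"], body

    def authenticate_with_pin(self, originator: str, body: str):
        """The fix: accounts that set a PIN must prefix each message with it.
        The PIN is a secret that never appears in a header, so a forged
        originator alone no longer suffices."""
        acct = self.accounts.get(originator)
        if acct is None:
            return None
        if acct["pin"] is None:          # PIN was optional, as on the slide
            return acct["user"], body
        supplied, _, text = body.partition(" ")
        # constant-time comparison, so response timing does not leak how
        # much of the PIN matched
        if not hmac.compare_digest(supplied.encode(), acct["pin"].encode()):
            return None
        return acct["user"], text
```

The PIN still travels in the clear inside the SMS, so it defends against a forged originator, not against someone who can read the victim’s outgoing messages. That residual exposure stays on the nightmares list as a Spoofing item with a different countermeasure, which is exactly the kind of bookkeeping the lazy method is for.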
  • 39. 2008. BrainShaler.com, 2008, writes a blog entry where his Twitter account gets hacked by a friend. After tarnishing his online reputation, his friend was persuaded to give back the account and he managed to change his password. However, this did not seem to help. His friend still had access because his friend was already authenticated. Twitter’s sessions did not expire, therefore, access was granted as long as his friend had an active session and didn’t log out. (http://en.wikipedia.org/wiki/Twitter)
  • 40. January 2009. 33 high-profile Twitter accounts were compromised, and falsified messages, including sexually explicit and drug-related messages, were sent. The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack. “We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools.” (http://en.wikipedia.org/wiki/Twitter, http://blog.twitter.com/2009/01/monday-morning-madness.html)
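Both incidents are “Authentication & session management” items from the 80-20 slide, and both have checklist countermeasures. As an added example (not Twitter’s code, and not from the deck), one small account service implements the two fixes together: every session records the password version it was issued under, so a password change revokes all existing sessions (slide 39), and failed sign-ins count towards a temporary lockout so a dictionary attack cannot run at full speed (slide 40). Thresholds, user names and passwords are constructed assumptions.

```python
"""Added example (not from the slides): the failures of slides 39 and 40
with their countermeasures in one small account service: sessions bound to
a password version, so a password change revokes them, and a failed-attempt
lockout so a dictionary attack cannot run freely. All thresholds are
assumptions; users and passwords are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

MAX_FAILED = 5               # assumption: wrong guesses before lockout
LOCKOUT_SECONDS = 900        # assumption: 15 minutes
SESSION_IDLE_SECONDS = 1800  # assumption: 30 minutes without activity
PBKDF2_ROUNDS = 100_000      # kept modest so the example runs quickly


class AccountService:
    def __init__(self):
        self.users = {}     # name  -> {salt, hash, failed, locked_until, pw_version}
        self.sessions = {}  # token -> {user, pw_version, last_seen}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._hash(password, salt),
                            "failed": 0, "locked_until": 0.0, "pw_version": 1}

    def login(self, name: str, password: str, now: float) -> Optional[str]:
        """Returns a session token, or None. Wrong guesses count towards a
        temporary lockout (slide 40); a correct login resets the counter."""
        u = self.users.get(name)
        if u is None or now < u["locked_until"]:
            return None
        if not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            u["failed"] += 1
            if u["failed"] >= MAX_FAILED:
                u["locked_until"] = now + LOCKOUT_SECONDS
                u["failed"] = 0
            return None
        u["failed"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": name, "pw_version": u["pw_version"],
                                "last_seen": now}
        return token

    def session_user(self, token: str, now: float) -> Optional[str]:
        """Resolves a token to a user; drops it if the password changed since
        it was issued (slide 39) or if it has been idle too long."""
        s = self.sessions.get(token)
        if s is None:
            return None
        u = self.users[s["user"]]
        if s["pw_version"] != u["pw_version"] or now - s["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def change_password(self, name: str, new_password: str) -> None:
        u = self.users[name]
        u["salt"] = os.urandom(16)
        u["hash"] = self._hash(new_password, u["salt"])
        u["pw_version"] += 1  # every token issued before this line is now dead
```

Two caveats a reviewer would raise, both of which belong on the STRIDE list: a per-account lockout is itself a Denial of service lever (anyone who knows an administrator’s login name can lock it), so production code usually pairs it with per-source rate limiting or progressive delays; and the early return for an unknown user skips the hash computation, which leaks account existence through timing unless a dummy hash is computed on that path too.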
  • 41. It seems to help…
  • 42. what’s next?
  • 43. #1: Clean up!
      Configure your bug tracking tool: add a ‘security’ category; add a “critical, high, low” impact attribute; add a “design, implementation, configuration” source attribute. Don’t forget to store the time required to fix the issue! At a later time, this will help you get $$$!
      Start testing your web application: automated if you don’t have time. OWASP Application Security Verification Standard is a good start: http://www.owasp.org/index.php/ASVS
      Identify your worst nightmares: conduct lazy threat analysis and check if countermeasures are in place.
      Fix all security issues you find. WARNING: Don’t find problems if you’re not ready to solve them!
      After this point, you will already be ahead of many others.
  • 44. #2: Sharpen your skills!
      Understand technical attacks and countermeasures: Threat classification (WASC): http://projects.webappsec.org/Threat-Classification; Top 10 Web application security risks (OWASP): http://www.owasp.org/index.php/Top_10
      Learn and adhere to secure coding principles: Secure Development Principles Whitepaper (Security Ninja): http://www.securityninja.co.uk/wp-content/uploads/2009/09/secure_development_principles_final.pdf
      Learn threat modeling: Threat Modeling Web Applications (Microsoft): http://msdn.microsoft.com/en-us/library/ms978516.aspx
      Evangelize around you: show and share with your teammates what you learned!
  • 45. #3: Talk to management!
      Be ready to hit walls. Otherwise, stay silent and just fix what you can.
      Compile your data. C-levels understand “financial profit”, “compliance”, and “reputation exposure”: tell them what the current situation is. Look into your bug tracking tool: how much time was (or will be) involved in fixing the flaws you found? How much time would it take to fix them at design time?
      Get promoted (and ask for a raise, if you dare): “Product Manager – Security & Privacy”
  • 46. #4: Continue securing your SDLC. Choose your college: Security Development Lifecycle (Microsoft): http://blogs.msdn.com/sdl/; Open Software Assurance Maturity Model (OWASP): http://www.opensamm.org/; Building Security in Maturity Model (Cigital/Fortify): http://www.bsi-mm.com/
  • 47. Conclusion. What’s the 1st major wall? Just start.
  • 48. Conclusion. What’s the 2nd major wall? Not applying those damn checklists.
  • 49. Conclusion. If you can “start” and “apply a checklist”… You’re almost done! ;)
  • 50. questions…?
  • 53. slideshare: starbuck3000. Thank you!
  • 54. next: Google: “list of (free) web application security scanners”. Find checklists: Google: “web application security checklist”; OWASP ASVS; MS web application threats and countermeasures security checklist. Start fixing!
  • 55. Copyright. You are free: to share (copy, distribute, transmit); to remix. But only if: you attribute this work; you use it for non-commercial purposes; and you keep sharing your result the same way I did.