Application Security & Verification Requirements


Application Security & Verification Requirements. David Jones, July 2014. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contains content Copyright 2008-2013 The OWASP Foundation.

Application security for custom development projects is a challenge. Working with customers to determine security requirements and balancing competing demands on a project's budget is made more difficult when there is a lack of rigorous experience amongst developers with implementing secure solutions. Graded levels of security verification requirements provide a potential way to work with customers while giving the development team a clear and directed approach to implementing and verifying the security of a system.

Application Security & Verification Requirements
1. Security Headlines
2. Verification Requirements Using ASVS
3. Common Web Security Risks
4. Next Steps

1. Security Headlines

How well are internet technology firms doing?

Adobe Breach Impacted At Least 38 Million Users. The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company's Photoshop family of graphical design products.

Skype users warned of serious security problem - accounts can be hijacked with ease. The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out.

Microsoft rushes out fix after hackers reset passwords to hack Hotmail accounts. News of the critical bug spread rapidly across underground hacking forums, and Whitec0de reported earlier this week that hackers were offering to break into any Hotmail account for as little as $20.

Cisco warns of big remote management hole in tiny routers. In simple English, that means a crook could connect to your router via HTTPS and, without entering a username or password, take it over.

OpenSSL Heartbleed: Heartbleed sees first arrest in wake of Canada Revenue Agency breach.

Apple HTTPS goto fail. When you update, be sure to follow the advice below about avoiding insecure networks. The Software Update app uses the buggy Security library!

NSA grabbing Cisco shipments en route to be loaded up with physical spyware before they reach the end user.

What about non-technology companies?

Man pleads guilty to bank fraud, 48-hour global operation netted $14 million
Code Spaces shuts down following DDoS extortion, deletion of sensitive data
Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
Home Depot staffers arrested, stole employee info and opened fraudulent credit cards

Lowe's employee info accessible online for about 10 months
Computers stolen, health data compromised for 168K in L.A.
Web crawlers tap data, put about 146K Indiana Univ. students at risk
Phishing scam lures three Calif. physicians, patient data compromised
Virginia county school data accidentally posted online

It seems anyone can fail. Even the best funded and most capable internet companies can fail at security. Smaller companies also struggle, and they can also experience targeted attacks. Threats can come from staff as well as from external/network sources. Some of these failures could have been detected with a reasonably thorough development and release process.

2. Verification Requirements Using ASVS

The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigour available in the market when it comes to performing web application security verification. The ASVS standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection [1]. This standard can be used to establish a level of confidence in the security of web applications.

The standard defines over one hundred security verification requirements. An example security requirement from the Session Management area:

    V2.2 Verify that sessions are invalidated when the user logs out.

The rationale for the verifications is not included in the standard; however, they are all based on common threats and security approaches, which can be found in other online resources. The requirements can be manually tested, and in some cases automatically verified through static analysis, penetration testing or functional tests.
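As an added illustration of verifying a requirement through a functional test (this is not code from the presentation or from the ASVS project), the following encodes V2.2 as an automated check. The SessionStore classes are constructed stand-ins for an application's session handling; the check function is the part you would point at a real application's login, logout and "who am I" endpoints.

```python
"""Added example: ASVS V2.2 ("sessions are invalidated when the user logs
out") expressed as an automated functional check. SessionStore and
BrokenSessionStore are constructed stand-ins for real application code."""
import secrets


class SessionStore:
    """Minimal server-side session table: create on login, delete on logout."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        # Invalidation means the server forgets the id: a client that kept a
        # copy of the cookie must get nothing back afterwards.
        self._sessions.pop(sid, None)

    def whoami(self, sid: str):
        return self._sessions.get(sid)


class BrokenSessionStore(SessionStore):
    """Constructed failing implementation: logout only records the id and
    whoami never consults that record, so the old id still authenticates."""

    def logout(self, sid: str) -> None:
        self._logged_out = sid  # never checked by whoami


def verify_v2_2(store: SessionStore) -> bool:
    """Functional test for V2.2: a session id must stop working after logout.

    Returns True when the store meets the requirement, False otherwise.
    """
    sid = store.login("alice")
    if store.whoami(sid) != "alice":
        return False  # precondition: the session worked before logout
    store.logout(sid)
    # The requirement is met only if the same id is now rejected.
    return store.whoami(sid) is None


if __name__ == "__main__":
    print("V2.2 on SessionStore:", "PASS" if verify_v2_2(SessionStore()) else "FAIL")
    print("V2.2 on BrokenSessionStore:", "PASS" if verify_v2_2(BrokenSessionStore()) else "FAIL")
```

The same shape (establish a working session, perform the action the requirement describes, assert the old credential no longer works) carries over to an HTTP-level test against a deployed application, where the session id is the cookie value and whoami is an authenticated endpoint.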

V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile

Different threats have different motivations, and some industries have unique information and technology assets as well as regulatory compliance requirements. Although some unique criteria and some differences in threats exist for each industry, a common theme throughout all industry segments is that opportunistic attackers will look for any vulnerable applications reachable through the Internet, which is why ASVS Level 1 is recommended for all Internet-accessible applications regardless of industry.

How could this be used?
Collaborating with the customer early in the engagement to identify which of the three requirement levels best matches the risks and expectations of the solution.
Consideration of the identified security requirements during the formative technical design and architecture.
More rigorous security verification during story DAT and acceptance testing.
A way to deepen the knowledge of practical security skills throughout the course of the project.

3. Common Web Security Risks

The ASVS Verification Requirements open the door to identifying a security level of an application with the customer and a way to confirm it was reached. How can this be implemented in code when the development staff have a mix of experience implementing secure solutions?

The OWASP Top 10 for 2013 is based on data that spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and also provides guidance on where to go from here. The Top 10 critical web security risks are represented at the Application Security Verification Standard (ASVS) Level 2 Standard.

SQL Injection using JPA

    // Vulnerable: the request parameter is concatenated straight into the JPQL string
    String empid = req.getParameter("empid");
    q = entityManager.createQuery("select e from Employee e WHERE " + "e.id = '" + empid + "'");

Expected URL: /api/employees?empid=123
Injection example: /api/employees?empid=123' or 'a'='a
The closing quote in the parameter ends the string literal, and the appended condition is always true, so the query returns details for all employees rather than a single employee.

Named Parameters are one way to protect against SQL Injection. With JPA or Hibernate you should use named parameters. Named parameters are parameters in a query that are prefixed with a colon (:). Named parameters in a query are bound to an argument by the javax.persistence.Query.setParameter(String name, Object value) method. For example:

    // Safe: :id is a placeholder in the query text and is not quoted
    q = entityManager.createQuery("select e from Employee e WHERE " + "e.id = :id");
    q.setParameter("id", empid);

This binds empid to the :id parameter of the query. The value is passed to the JDBC driver as data rather than as part of the query text, so any dangerous characters in it cannot change the structure of the SQL command. (Note that writing ':id' inside quotes would make it a string literal rather than a parameter, and setParameter would then fail.)
https://blogs.oracle.com/carolmcdonald/entry/owasp_top_10_number_2
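To make the effect of the two query styles observable without a JPA stack, here is an added example (not from the presentation or the linked blog post) that reproduces the concatenated query and its parameterized fix with Python's sqlite3 module against a constructed Employee table, then runs both with the normal id and with the slide's injection string.

```python
"""Added example: the concatenated-query bug from the JPA slide and its
parameterized fix, reproduced with sqlite3 so the row counts can be compared.
The Employee table and its rows are constructed for this demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: three employees with string ids, matching the
    # slide's query which compares e.id against a quoted literal.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO Employee VALUES (?, ?)",
        [("123", "Alice"), ("124", "Bob"), ("125", "Carol")],
    )
    return conn


def find_employee_vulnerable(conn: sqlite3.Connection, empid: str) -> list:
    # Mirrors "... WHERE e.id = '" + empid + "'": the request value becomes part
    # of the query text, so a quote inside it changes the query's structure.
    sql = "SELECT id, name FROM Employee WHERE id = '" + empid + "'"
    return conn.execute(sql).fetchall()


def find_employee_safe(conn: sqlite3.Connection, empid: str) -> list:
    # Mirrors the named-parameter form: :id is a placeholder and the value is
    # bound separately, so it is only ever compared as data.
    sql = "SELECT id, name FROM Employee WHERE id = :id"
    return conn.execute(sql, {"id": empid}).fetchall()


def demo() -> dict:
    """Run both query styles with a normal id and with the slide's payload;
    returns the number of rows each call produced."""
    conn = build_db()
    normal = "123"
    payload = "123' or 'a'='a"  # the injection string shown on the slide
    return {
        "vulnerable_normal": len(find_employee_vulnerable(conn, normal)),
        "vulnerable_payload": len(find_employee_vulnerable(conn, payload)),
        "safe_normal": len(find_employee_safe(conn, normal)),
        "safe_payload": len(find_employee_safe(conn, payload)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The vulnerable function returns every employee for the payload, while the parameterized function returns none, because no row has an id equal to the literal string `123' or 'a'='a`. A functional test that asserts exactly this pair of outcomes is one way to automate verification of the ASVS input-validation requirements for a given endpoint.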

4. Next Steps

How could you apply verification requirements on your current project?

Identify which of the three verification levels (Opportunistic, Standard, or Advanced) best matches the needs of your current project. Use the industry segment descriptions to guide you. The standard PDF includes some additional segments.

Which verification requirements in Level One (Opportunistic) apply to your current development story?

Test each of the verification requirements of Level One (Opportunistic) against your current system. For each failed requirement, consider whether it should be added to your project's backlog of work.

Can you explain the rationale for the inclusion of the Level One and Level Two verification requirements? Use the Top 10 list and other online resources to help you.

Can you automate the verification of any of the requirements that seem significant to your project? Consider also using static analysis tools, for example those that come with Sonar as well as third-party tools.

Questions?

Appendix - Resources

A. Resources
OWASP Application Security Verification Standard Project
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
ASVS 2.0 beta used by presentation. Creative Commons Attribution ShareAlike 3.0.
OWASP Top Ten 2013
https://www.owasp.org/index.php/top10#owasp_top_10_for_2013
Creative Commons Attribution ShareAlike 3.0.

Appendix - A9 Components with Vulnerabilities

B. Components with vulnerabilities
88% of the code in today's applications comes from libraries and frameworks. Of the 31 most popular Java frameworks/libraries, 26% had known vulnerabilities.

Dependency-Check Tool
Dependency-check scans directories and files; if it contains an Analyzer that can scan a particular file type, information from the file is collected. This information is then used to identify the Common Platform Enumeration (CPE). If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries is included in a report.
Analyzes Java & .Net libraries.
Triggered by CLI, Ant Task, Maven Plugin, and Jenkins plugin.
https://github.com/jeremylong/dependencycheck