Sichere Software vom Java-Entwickler

Similar documents
Welcome to the OWASP TOP 10

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Application Layer Security

Web Application Security. Philippe Bogaerts

1 About Web Security. What is application security? So what can happen? see [?]

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Sichere Webanwendungen mit Java

OWASP Top The Top 10 Most Critical Web Application Security Risks. The OWASP Foundation

Copyright

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Web Application Penetration Testing

Your Turn to Hack the OWASP Top 10!

WHY CSRF WORKS. Implicit authentication by Web browsers

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Solutions Business Manager Web Application Security Assessment

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Application vulnerabilities and defences

Security Course. WebGoat Lab sessions

Applications Security

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Advanced Web Technology 10) XSS, CSRF and SQL Injection


OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Aguascalientes Local Chapter. Kickoff

Combating Common Web App Authentication Threats

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

CSCD 303 Essential Computer Security Fall 2017

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Web Application Threats and Remediation. Terry Labach, IST Security Team

COMP9321 Web Application Engineering

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

GOING WHERE NO WAFS HAVE GONE BEFORE

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CSCD 303 Essential Computer Security Fall 2018

Information Security. Gabriel Lawrence Director, IT Security UCSD

Secure Development Guide

Introduction to Ethical Hacking

CIT 380: Securing Computer Systems. Web Security II

C1: Define Security Requirements

EasyCrypt passes an independent security audit

OWASP TOP 10. By: Ilia

COMP9321 Web Application Engineering

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Tabular Presentation of the Application Software Extended Package for Web Browsers

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Web Application Security GVSAGE Theater

Web Security: Web Application Security [continued]

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

REALTIME WEB APPLICATIONS WITH ORACLE APEX

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Ruby on Rails Secure Coding Recommendations

COMP9321 Web Application Engineering

Certified Secure Web Application Engineer

DreamFactory Security Guide

Application. Security. on line training. Academy. by Appsec Labs

CIS 4360 Secure Computer Systems XSS

About the OWASP Top 10

WEB SECURITY: XSS & CSRF

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Domino Web Server Security

Certified Secure Web Application Security Test Checklist

TIBCO Cloud Integration Security Overview

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Injecting Security Controls into Software Applications. Katy Anton

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Application Security

Top 10 Web Application Vulnerabilities

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Attacks CMSC 414. September 25 & 27, 2017

RKN 2015 Application Layer Short Summary

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Preparing for the Cross Site Request Forgery Defense

P2_L12 Web Security Page 1

Exploiting and Defending: Common Web Application Vulnerabilities

Web Application Whitepaper

Internet Security VU Web Application Security 3. Adrian Dabrowski, Johanna Ullrich, Aljosha Judmayer, Georg Merzdovnik, and Christian Kudera

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Robust Defenses for Cross-Site Request Forgery Review

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

CS 142 Winter Session Management. Dan Boneh

Transcription:

Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN

We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10. OWASP

Secure software is not developed accidentally Applications must be protected from the beginning Security fix does not bring back stolen data Problem may be caused by the architecture 100% secure software will never exist But we can stop making it that easy for attackers

Open Web Application Security Project (OWASP) Improving the security of (web) application software Not-for-profit organization since 2001 Raise interest in secure development Top 10 Cheat Sheets Development Guides... Enterprise Security API (ESAPI) WebScarab WebGoat...

2x > > 2x 2x > 2x > > 2x http://owasptop10.googlecode.com/files/owasp_top_10_-_2010%20presentation.pptx

(1) Injection 2 1 6 The famous (and least necessary) SQL injection Simple to avoid with prepared statements - Use OR-Mapper like Hibernate or Spring JDBCTemplate - Use it correctly 2007 2010 2004 Limit database user permissions Other injections (like LDAP injection, XPath injection) White list validation for all user supplied input

(6) Security Misconfiguration Some other guys job Server/ database configuration, firewall, user rights Disable unnecessary features, services, ports, Developer s job Configure logging/ exception handling No technical errors in frontend Never serve log over web application in production environment Framework security configuration Security updates, new versions

(7) Insecure Cryptographic Storage Most of the time, the problem is not the algorithm Data isn t protected at all Identify and protect all sensitive data in all places Never log any sensitive data (unencrypted) Real threats not identified DB encryption protects data from DBA/ stolen disks, not SQL injection Use standards, never invent your own,algorithm Prepare key exchange and revocation Change keys periodically

(8) Failure to Restrict URL Access Presentation layer access control No restriction enforcement in backend Think about roles from the beginning Store view files (JSP, JSF, ) in different folders based on roles Makes filter configuration much easier

(10) Unvalidated Redirects and Forwards Redirects send request to new external page Target: Phishing, pharming, malware installation Forwards send request to new page in same application Target: Bypass authentication/ authorization checks Avoid redirects and forwards wherever possible Don t allow user parameters in target URL User parameters in target URL required Validate final URL Call access controller

http://owasptop10.googlecode.com/files/owasp_top_10_-_2010%20presentation.pptx

(2) Cross-Site Scripting (XSS) Execute code in victim s browser Steal user session, sensitive user data,... Redirect to phishing sites, malware installation,... Different XSS types Stored Reflected DOM based Often because of missing input validation <img src="javascript:alert('xss');"> <input type="image" src="javascript:alert('xss');"> <b onmouseover=alert('xss')>click me!</b> <body onload=alert('xss')>

Input validation and output escaping for every input Input validate with a white list Output escape JSF implicitly escapes output ESAPI.encoder() provides different encoding methods

Prevent scripts from accessing cookie with http-only

(3) Broken Authentication and Session Management One of the most complex security tasks to develop Simply: Don t invent it again, use existing frameworks Spring Security http://www.springsource.org/spring-security Apache Shiro http://shiro.apache.org Centralize: One library, one place Independent of authentication system (LDAP, AD, DB,...) Know exactly how to use it HTTP is a stateless protocol --> credentials (session id) are included in every request

Protect all connections with authentication data with SSL Session id and credentials must be protected at all times As valuable as username and password Unprotected connection exposes session id Don t include session information (like session id) in URLs @

(4) Insecure Direct Object References Presentation layer access control No restriction enforcement in backend 1. User logs in with username/ password URL is https://www.fakesite.com/account?no=123456789 2. User experiments with URL no parameter URL is https://www.fakesite.com/account?no=987654321 3. User can view/ change other accounts

(5) Cross Site Request Forgery (CSRF) Browser with authenticated user must send credentials Attacker causes request from his site to vulnerable application - e.g. with an invisible <img> or <iframe> - User s credentials are used to execute attacker s request Often a vulnerable (standard) intranet application Not accessible externally Victim s browser inside corporate network is tricked into issuing commands?

Calculate and use a random secret token Calculate a random secret token at beginning of session Calculate per request for higher security needs Value not automatically submitted like session cookie Add this token as hidden field to all (critical) forms <input type="hidden" name="csrftoken" value="928ce83948da9389eb9384019c38de8c"/> Check token before executing selected action

Develop your own secure form type for easy usage Create own form like SecureForm Adds token automatically Easy (re)usable by developers Standard unprotected form still available Configure session timeout in web.xml

(9) Insufficient Transport Layer Protection Correct SSL/TLS configuration is difficult Web-/application server administrator Identify all routes where sensitive data is broadcasted Protect all (or nothing) Don t mix protected with unprotected content Secure the input form for log-in credentials Secure the session cookie less vulnerable for Man-inthe-Middle attacks

Use the HTTP Strict Transport Security (HSTS) IETF draft HttpServletResponse response...; response.setheader("strict-transport-security", "max-age=8640000; includesubdomains"); Application forces browser to only use HTTPS when visiting For specified time, renewed with every response Access blocked if communication is insecure Invalid certificate --> error page (not strange warning dialog) Browser support required No backwards compatibility issues

Security is every developer s job

Developing with security awareness is a good start Every developer must know at least security basics One (senior) developer per team with deep security knowledge Design security in from the beginning Think about security requirements before starting to code Much harder/ more expensive to secure an existing application

Security must be a natural part of your development process

Resources OWASP www.owasp.org OWASP WebScarab https://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project with Firefox QuickProxy https:// addons.mozilla.org/de/firefox/addon/quickproxy ESAPI http://esapi.org Java Secure Coding Guidelines http://www.oracle.com/technetwork/java/seccodeguide-139067.html Qualys SSL Labs https://www.ssllabs.com Preventing CSRF with JSF 2.0 http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html HTTP Strict Transport Security Header http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec

Secure coding... Visit us at our booth for more (security) questions... Trivadis GmbH Dominik Schadow Industriestrasse 4 D-70565 Stuttgart Phone +49-711-903 63 230 Fax +49-711-903 63 259 dominik.schadow@trivadis.com www.trivadis.com BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback