SECURE CODING ESSENTIALS

Similar documents
epldt Web Builder Security March 2017

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Ruby on Rails Secure Coding Recommendations

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

1 About Web Security. What is application security? So what can happen? see [?]

OWASP TOP 10. By: Ilia

DreamFactory Security Guide

Copyright

C1: Define Security Requirements

Application security : going quicker

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Web Application Security. Philippe Bogaerts

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CSWAE Certified Secure Web Application Engineer

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Solutions Business Manager Web Application Security Assessment

Certified Secure Web Application Secure Development Checklist

RKN 2015 Application Layer Short Summary

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Certified Secure Web Application Engineer

Web Application Penetration Testing

Contents. xvii xix xxiil. xxvii

Injecting Security Controls into Software Applications. Katy Anton

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Whitepaper

Secure Application Development. OWASP September 28, The OWASP Foundation

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

COMP9321 Web Application Engineering

An analysis of security in a web application development process

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Bank Infrastructure - Video - 1

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Exploiting and Defending: Common Web Application Vulnerabilities

EasyCrypt passes an independent security audit

Introduction to Ethical Hacking

RiskSense Attack Surface Validation for Web Applications

NET 311 INFORMATION SECURITY

Information Security CS 526 Topic 11

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

TIBCO Cloud Integration Security Overview

CSC 482/582: Computer Security. Cross-Site Security

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Information Security CS 526 Topic 8

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Attacks CMSC 414. September 25 & 27, 2017

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13


Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Web Application Vulnerabilities: OWASP Top 10 Revisited

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

How to perform the DDoS Testing of Web Applications

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

OWASP TOP OWASP TOP

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Combating Common Web App Authentication Threats


HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE

All India Council For Research & Training

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

COMP9321 Web Application Engineering

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Tenable.io for Thycotic

Application Layer Security

Welcome to the OWASP TOP 10

Vulnerabilities in online banking applications

Client Side Injection on Web Applications

Applications Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

SECURITY TESTING. Towards a safer web world

Certified Secure Web Application Security Test Checklist

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Evaluating the Security Risks of Static vs. Dynamic Websites

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web Application Threats and Remediation. Terry Labach, IST Security Team

Secure coding practices

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Domino Web Server Security

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Transcription:

SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017

AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 2

Ports and related services Property and hotels Retail Infrastructure Energy and Telecom 270,000 people in over 50 countries across the world 3

A.S. WATSON RETAIL BRANDS EUROPE 15 Business Units 40 Websites 2 Datacenters 4

NOT ALL OUR WEBSITE VISITORS ARE FRIENDLY 5

AGENDA Intro A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 6

Created by Rob Augustinus SHOULD DEVELOPERS BOTHER ABOUT SECURITY? 7

YES, BECAUSE Created by Rob Augustinus 8

UNEVEN BATTLE 9

HOW TO WRITE IN/SECURE CODE 10

Created by Rob Augustinus SECURE CODE NEEDS A GOOD FOUNDATION Secure Code Code And Server Maintenance CLEAN CODE Secure Server 11

by Rob Augustinus Created by Rob Augustinus THE 3 PILLARS OF CLEAN CODE Warning! Security Holes Architecture Security Bugs Ahead! Don t glue your application together with code snippets Structure & Organize your code by using an architectural pattern or application framework Design Don t re-invent the wheel Follow proven SW design principles to avoid common pitfalls Created Process The proof of the pudding is in the testing Maintain and improve your code till the end its life 12

AGENDA Intro A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 13

Created by Rob Augustinus MVC ARCHITECTURE PATTERN Controller Model Separation of concerns View 14

Created by Rob Augustinus SECURITY ARCHITECTURE THREAT RISK MODELING Application Modeling: Identify Threats: Data Integrity Is your data clean and can it be trusted? Data Access Data in transit Data in transit Functionality Can users access only the data they should be able to access? Data at Rest Data Protection Is sensitive data well protected against unauthorized access? Functionality Are features and application logic being used as expected? 15

Created by Rob Augustinus SECURITY ARCHITECTURE DATA INTEGRITY Is your data clean and can it be trusted? Validate data before storing Refuse or transform data in a safe format before storing on database or file system Model Controller Application Logic Input Validation & Sanitation: Refuse and/or clean unwanted user input BEFORE any further processing Created by Rob Augustinus View Output Encoding: Transform data in a safe format before sending it to the user Retrieve, Insert & Update Information Web page presented to user 16

SECURITY ARCHITECTURE DATA ACCESS Can users access only the data they should be able to access? Ensure that only authorized users can execute actions on data objects Controller User authorization check in controller: Role-based access controls Least privilege database and file access rights for application user Model Application Logic View Retrieve, Insert & Update Information Web page presented to user 17

SECURITY ARCHITECTURE DATA PROTECTION Is sensitive data well protected against unauthorized access? Protect sensitive data which is stored in databases or files Model Controller Application Logic Protect session data which is exchanged between application, user or third party systems (API s) View Protect sensitive data which is exchanged between application and user Retrieve, Insert & Update Information Safe exception and error handling to avoid exposure of sensitive information Web page presented to user 18

SECURITY ARCHITECTURE FUNCTIONALITY Are features and application logic being used as expected? Only implement features and functionality that you actually need Controller Ensure that your application can only be used as the expected order of operations Model Application Logic View Retrieve, Insert & Update Information Web page presented to user 19

AGENDA Intro A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 20

SOFTWARE DESIGN PRINCIPLES COCO Coding Conventions DRY Don t Repeat Yourself 21

SECURE CODING DESIGN PRINCIPLES Data Integrity Never, ever, trust the user Data Access Control access to protected resources User rights: Less is more! Data Protection Keep sensitive information private Don t expose yourself Functionality Expect the unexpected Minimize attack surface 22

DATA INTEGRITY DESIGN PRINCIPLES NEVER, EVER, TRUST THE USER - INPUT VALIDATION & SANITIZATION Input: (hidden) form input, http headers, cookies, captcha code, etc. Sanitize unwanted input, but be careful it can make your data unusable Validate and reject unwanted input always at the server side 23

Created by Rob Augustinus DATA INTEGRITY DESIGN PRINCIPLES NEVER, EVER, TRUST THE USER SQL INJECTION Prevent that user data can alter your SQL queries Query with user input //select entered username from users table SELECT * FROM `users` WHERE `users`.`name` = '".$name."' 1) Construct query string Query with prepared statements //prepare select statement with parameters $sth = $conn->prepare( SELECT * FROM users WHERE name = :name") //bind the statement parameters to the input variables $sth->bindparam(':name', $name, PDO::PARAM_STR, 30) 1) Prepare (compile) query 2) Add variable parameters SELECT * FROM `users` WHERE `users`.`name` = Rob OR 1 = 1 Database Driver Database 2) Execute query This will return all rows from the table users, since WHERE 1=1 is always true 3) Execute query Abstraction Layer ( PDO) Database Driver Database 24

DATA INTEGRITY DESIGN PRINCIPLES NEVER, EVER, TRUST THE USER - MALICIOUS FILE UPLOADS AND CODE INJECTIONS Don t allow users to upload whatever they want Prevent code injection vulnerabilities Disable script execution in upload directories 25

DATA ACCESS DESIGN PRINCIPLES CONTROL ACCESS TO PROTECTED RESOURCES - WEB PAGE AUTHORIZATION Check user authorization for each web page Use centralized Authorization Routines 26

DATA ACCESS DESIGN PRINCIPLES CONTROL ACCESS TO PROTECTED RESOURCES - DATA OBJECT AUTHORIZATION Always ensure the data owner is referenced in queries Prevent tampering with query parameters Is the user who requests this delete action the owner of this record? Vulnerable SQL query: Integrate access control in your SQL queries 27

DATA ACCESS DESIGN PRINCIPLES CONTROL ACCESS TO PROTECTED RESOURCES - SESSION DATA Prevent theft of (session) cookies by XSS attacks Tell browsers that client scripts aren t allowed to access cookies Prevent that attackers can obtain a valid session identifier (session hijacking) Change session ID s at any transition in authentication state Prevent that attackers can force users to use known session ID (session fixation) Enforce that always a new session ID is created if a session is requested with a ID that does not exist 28

DATA ACCESS DESIGN PRINCIPLES USER RIGHTS: LESS IS MORE! - DATABASE PERMISSIONS Don t use a single shared database account for your application Don t give application users complete access to your database 29

Created by Rob Augustinus DATA PROTECTION DESIGN PRINCIPLES KEEP SENSITIVE INFORMATION PRIVATE - WEB FORMS Use HTTPS and POST for sending sensitive information via web forms Prevent that usernames and passwords on shared computers get exposed to other users 30

DATA PROTECTION DESIGN PRINCIPLES KEEP SENSITIVE INFORMATION PRIVATE - SESSION DATA Prevent that session data is visible in the URL (enforce that only cookies are used) Encrypt session data between user and application (set session.cookie_secure flag) Prevent that session data is being transmitted in plain text (enforce HTTPS for whole site) 31

DATA PROTECTION DESIGN PRINCIPLES KEEP SENSITIVE INFORMATION PRIVATE - CREDENTIALS Use a recent salted password hashing algorithm (argon2, bcrypt, scrypt ) (PASSWORD_DEFAULT for salted bcrypt hash) Keep database connection strings out of your source code (keep them in a trusted place) 32

DATA PROTECTION DESIGN PRINCIPLES DON T EXPOSE YOURSELF - SENSITIVE CONTENT Use URL rewriting and routing to prevent access to physical file paths and files Prevent attackers to discover admin consoles or pages Don t allow attackers to view sensitive content in your web directories 33

DATA PROTECTION DESIGN PRINCIPLES DON T EXPOSE YOURSELF - WEB APPLICATION FINGERPRINTING Don t expose valuable information to attackers such as PHP and Web server version expose_php = Off in php.ini Apache httpd.conf: ServerTokens Product ServerSignature Off GET https://www.autoplanet.nu GET https://www.autoplanet.nu -- response -- -- response -- 200 OK 200 OK Date: Fri, 28 Oct 2016 15:54:56 GMT Date: Fri, 28 Oct 2016 16:13:38 GMT Server: Apache/2.4.23 (Fedora) OpenSSL/1.0.2j-fips PHP/5.6.27 Server: Apache X-Powered-By: PHP/5.6.27 Don t put information in HTML or JavaScript comments 34

35 DON T EXPOSE YOURSELF INFORMATION EXPOSURE THROUGH ERROR MESSAGES Fail safe: Error messages reveal sensitive information such as passwords, file paths, etc.

FUNCTIONALITY DESIGN PRINCIPLES EXPECT THE UNEXPECTED - APPLICATION LOGIC ATTACKS Some jokers don t respect your rules Prevent that application logic steps can be bypassed Avoid being helpful for attackers 36

FUNCTIONALITY DESIGN PRINCIPLES MINIMIZE ATTACK SURFACE - UNNECESSARY FEATURES Don t display search queries back to the user (XSS risks) Don t use the URL as input for the navigation bar Disable default application settings which you don t need 37

AGENDA Intro A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 38

SECURITY IN THE SDLC Debugging All bugs definitely fixed? 39

SECURITY TESTING One week before launch Screenshots Examples Proposed Fixes Automated Security Tests Short Security Scans Unit Tests Integration Tests System Tests Acceptance Tests Pen Test 40

INTEGRATING SECURITY IN THE SDLC Agile Sec DevOps Automated Security Testing Evil User Stories ZAP Plugin 41

AGENDA Intro A.S. Watson and Me Why this Presentation Security Architecture Secure Code Design Principles The Process - Security in the SDLC Mission Accomplished? 42

AUTOPLANET A SECURE WEB APPLICATION? https://home-url/controller?param1=value1&param2=value2... Controller Include helpers, models and views include controller get css and images.htaccess index.php upload of car images Rewrites all requests to index.php Model Helpers css car images View images application directory public directory 43

APPSCAN TEST RESULTS 44

Access-Control-Allow-Origin Password recovery attacks HTTP parameter pollution iframe injection X-Path injection Email injection Blind XSS Default passwords DOM based XSS attacks Slow HTTP attacks XML external entity attacks Vulnerable Javascript library Third party includes/plugins Flash parameter ScriptAccess TRACK method is enabled Cross Site Request Forgery Secure HTTP response headers Apache user Chroot Security logging & auditing HTTP Response Splitting Javascript eval() usage Brute Force Attacks Data encryption Oversized POST requests Clickjacking Rename uploaded files SE Linux Session expiration HTTP Parameter pollution Insufficient Entropy Http redirect security bypass TRACE method is enabled 45

Created by Rob Augustinus Created by Rob Augustinus Created by Rob Augustinus THE WHOLE PICTURE WAF IPS CDN Data Access Data Integrity Security Safety Net Functionality Secure Code Data Protection Architecture Design Process Hardening Clean Code Patches & Updates Secure Server Secure Coding Essenrials 46

MISSION ACCOMPLISHED OR.. Can we build with secure coding a Trump wall to keep out the hackers? Can we do much better than the millions of poorly secured websites on the Internet? 47

rob.augustinus@the-future-group.com 48

CONTROLLER STRUCTURE (SEARCH FORM) Load includes (views, model, helpers) Display menu (page header view) Authorization check (page access) Initialize form (based on submit status) Validate & sanitize form input Search car in database (data model) Display search results (page view) 49

DATA INTEGRITY SECURITY TESTING How does the application respond to unexpected input? Test input such as special characters and SQL queries, try parameter tampering How does the input appear in the returned HTML? (dangerous characters not removed /encoded) Can SQL queries as input cause (SQL) error messages or stack traces? What can you upload and do with it? Test uploading of files with unexpected extension, type, content, size, etc. Can uploaded HTML or scripts be executed? 50

DATA ACCESS SECURITY TESTING Unauthorized access to protected resources Try to access to webpages or data which you shouldn t be able to access Try if session cookies are protected (cookie HttpOnly flag), are they visible in URL or (hidden) parameters? Test for directories and/or files which shouldn t be visible (use fuzzer tool to discover) User rights Review database permissions for application users Do they use the lowest possible level of permissions? 51

DATA PROTECTION SECURITY TESTING Is sensitive information well protected? Check if forms with sensitive data can t be sent via GET and/or HTTP Check for autocomplete on form fields with sensitive data Check session.cookie_secure flag and what happens if cookies are denied? Information exposure Check server response for webserver version and other information (Wappalyzer) Force stack trace errors (e.g. stop database) and check if sensitive information is exposed Check source code for hard coded credentials 52

FUNCTIONALITY SECURITY TESTING EVIL USER STORIES Be creative: What data, steps, parameters, etc. can be tampered with? Try to resubmit email reply forms an unlimited number of times Intercept POST requests and remove or change parameters before submitting See what happens if you enter negative amounts or item numbers Change your token or account nr to another number to see what will happen Form can be resubmitted with removed captcha 53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback