Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Similar documents
Andrew van der Stock OWASP Foundation

How to hack and secure your Java web applications

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

OWASP InfoSec Romania 2013

Notes From The field

Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Web Application Penetration Testing

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

C1: Define Security Requirements

Copyright

RiskSense Attack Surface Validation for Web Applications

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

C and C++ Secure Coding 4-day course. Syllabus

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

TRAINING CURRICULUM 2017 Q2

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

The requirements were developed with the following objectives in mind:

OWASP Romania Chapter

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web Security, Summer Term 2012

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Security Best Practices. For DNN Websites

Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

Engineering Your Software For Attack

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Hacking by Numbers OWASP. The OWASP Foundation

1 About Web Security. What is application security? So what can happen? see [?]

How were the Credit Card Numbers Published on the Web? February 19, 2004

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Certified Secure Web Application Security Test Checklist

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

W H IT E P A P E R. Salesforce Security for the IT Executive

Combating Common Web App Authentication Threats

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Training Program Catalog SECURITY INNOVATION

Solutions Business Manager Web Application Security Assessment

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Security Communications and Awareness

Aguascalientes Local Chapter. Kickoff

Application Layer Security

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Exploiting and Defending: Common Web Application Vulnerabilities

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

Integrigy Consulting Overview

Continuously Discover and Eliminate Security Risk in Production Apps

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Improving Security in the Application Development Life-cycle

Web Application Vulnerabilities: OWASP Top 10 Revisited

Development*Process*for*Secure* So2ware

90% of data breaches are caused by software vulnerabilities.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Cloud Customer Architecture for Securing Workloads on Cloud Services

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Welcome to the OWASP TOP 10


TIBCO Cloud Integration Security Overview

Secure Development Guide

Bank Infrastructure - Video - 1

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Hacking 102 Integrating Web Application Security Testing into Development

Tiger Scheme SST Standards Web Applications

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

Web Applications (Part 2) The Hackers New Target

Security Communications and Awareness

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Managed Application Security trends and best practices in application security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

IEEE Sec Dev Conference

A D V I S O R Y S E R V I C E S. Web Application Assessment

Sichere Software vom Java-Entwickler

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Ethical Hacker Foundation and Security Analysts Course Semester 2

Simplifying Application Security and Compliance with the OWASP Top 10

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

V Conference on Application Security and Modern Technologies

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Web Application Security. Philippe Bogaerts

Copyright

Test Harness for Web Application Attacks

Web Application Security GVSAGE Theater

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

InterCall Virtual Environments and Webcasting

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

INNOV-09 How to Keep Hackers Out of your Web Application

Transcription:

Developing Secure Applications with OWASP Martin Knobloch martin.knobloch@owasp.org OWASP OWASP NL Chapter Board OWASP Global Education Committee Chair Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

www.owasp.org OWASP 2 2

OWASP Mission to make application security "visible," so that people and organizations can make informed decisions about application security risks OWASP 3

OWASP Resources and Community Documentation (Wiki and Books) Code Review, Testing, Building, Legal, more Code Projects Defensive, Offensive (Test tools), Education, Process, more Chapters Over 100 and growing Conferences Major and minor events all around the world OWASP

OWASP KnowledgeBase 3,913 total articles 427 presentations 200 updates per day 179 mailing lists 180 blogs monitored 31 doc projects 19 deface attempts 12 grants OWASP

OWASP Books (http://stores.lulu.com/owasp) OWASP

Part of the Big 4 Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) OWASP

SDLC & OWASP Guidelines OWASP Framework OWASP 8

The Guide v2.0 Free and open source Gnu Free Doc License Most platforms Examples are J2EE, ASP.NET, and PHP Comprehensive Thread Modeling Advise & Best Practices Web Services Key AppSec Area s: Authorization/Authentication Session Management Data Validation OWASP 9

Code Review Guide v1.1 Introduction Preparation Security Code Review in the SDLC Security Code Review Coverage Application Threat Modeling Code Review Metrics Crawling code Searching for code in.. Code review and PCI DSS.. Reviewing by technical control: Reviewing Code for... Additional security considerations: How to write an application code review finding OWASP

Code Review Guide v1.1 Reviewing by technical control: Authentication Authorization Session Management Input Validation Error Handling Secure application deployment Cryptographic controls Reviewing Code for: Buffer Overruns and Overflows OS Injection SQL Injection Data Validation Cross-site scripting Cross-Site Request Forgery issues Logging Issues Session Integrity issues Race Conditions OWASP

Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection OWASP

What s new? V2à 8 sub-categories (for a total amount of 48 controls) V3 à10 sub-categories (for a total amount of 66 controls) 36 new articles! Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Information Gathering Config. Management Testing Business Logic Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Encoded Appendix OWASP

OWASP Tools and Technology OWASP 14

OWASP Projects OWASP.NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project OWASP 15

Part of the Big 4 +1 ASVS Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) OWASP

* Key Application Security Areas * OWASP 17

Authentication Major re-write Covers a long list of areas: Strong authentication, federated authentication, client-side, positive authentication, referer checks, remember my password, default accounts, password strength, encryption/hashing, automated reset, brute force, timeout, logout, self-registration, CAPTCHA OWASP 18

Authorization Topics include: ACL s, centralization, authorization matrix, client-side authorization tokens, access to functions, access to static resources OWASP 19

Session Management Complete re-write Topics Include: Permissive session generation, exposed session variables, page and form tokens, weak session ids, session encryption, session forging, timeout, logout, hijacking, session brute forcing, session fixation, HTTP split session attacks, HTTP request smuggling OWASP 20

Data Validation Complete re-write Considerably shorter! State of the art validation strategies Sanitize is no longer an acceptable first choice Practical advice for several platforms Topics: Integrity checks, validation, business rule validation, parameter tampering, hidden fields, ASP.NET viewstate, URL encoding, HTML entity encoding, special characters OWASP 21

Interpreter Injection Shows how injection really works For any interpreter Covers many different interpreters User agent injection SQL Injection ORM Injection OS Command Injection Code Injection LDAP Injection XML Injection (XPath / XSLT) OWASP 22

Canonicalization The process of making Unicode and other encodings real to the underlying application One of the last bastions of unexplored vulnerability Difficult to protect against Unicode Locale Multiple encoding OWASP 23

Error Handling, Logging, Auditing Complete re-write Topics Include: Traceability - aims for SOX compliance Error messages, error handling Don t log noise, destruction, audit trails OWASP 24

File System Goal: Minimize dangers from file based operations Topics: File referencing, defacement, insecure permissions, insecure indexing, unmapped files, temp files, old files, second order injection OWASP 25

Buffer overflows New(ish) section for one of the oldest security problems Heap, Stack, Buffer overflows Integer and array overflows Unicode overflows String format overflows Not really an issue for Java,.NET, PHP Unless you re invoking native libraries or exec ing operating system commands OWASP 26

Administrative Interfaces Must have segregation of duties Administrators are not users To be effective, ensure that admin application uses completely different RDBMS users Prefer separate servers and access control lists Security through obscurity not good enough Strong authentication OWASP 27

Cryptography Revamped section Future proofing (SHA1 / MD5 anyone?) How to select algorithms Poor secret storage Stream ciphers OWASP 28

Privacy Objective is to ensure that the tracks left by an application are minimalist and safe (enough) Completely revamped Major controls: Laws in effect Look for browser droppings (cookies, history, logs, etc) The (in)-effectiveness of cache control GET vs POST What SSL really hides Various EU, AU, and US laws compared Information disclosure Front page of the paper test OWASP 29

Configuration New Section Objective is to ensure that an application is safe out of the box Code Access Security Policies Default passwords (NO!) Clear text passwords in config files Connecting to RDBMs and middleware OWASP 30

Maintenance Topics include: Security incident response, rescues and fixes, update notifications, permission checking OWASP 31

Denial of Service Attacks Topics include: Excessive consumption of resources Disk I/O CPU Network I/O User Account Lockout OWASP 32

Appliaction Security Verification Standaard Business Criticality (Impact of Loss) (Defined by Business) 0 1 2 3 4 5 Manual Security Code Review (Specialist) Manual Penetration Testing (Specialist) Auto Source Code Review (Tool) External App Scan (Tool) Threat Analysis & Architecture Review (Analyst) 0 1 2 3 4 5 Expected Security Assurance (Assessment Depth Expected Level of Security) (Defined by Corporate Security) OWASP 33

Appliaction Security Verification Standaard Business Criticality (Defined by Business) 0 1 2 3 4 5 AL1 AL2 AL3 AL4 AL5 AL6 0 1 2 3 4 5 Expected Security Assurance (Defined by Corporate Security) AL1: Architecture Review/Threat Analysis - Design level review to identify critical assets, sensitive data stores and business critical interconnections. In addition to architecture reviews is threat analysis to determine potential attack vectors, which could be used in testing. AL2: Quick Hit Application Security Check - Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification. AL3: Basic Application Security Check AL2 + verification and validation of scan results. Security areas not scanned (encryption, access control, etc.) must be lightly tested or code reviewed. OWASP 34

Appliaction Security Verification Standaard Business Criticality (Defined by Business) 0 1 2 3 4 5 AL1 AL2 AL3 AL4 AL5 AL6 0 1 2 3 4 5 Expected Security Assurance (Defined by Corporate Security) AL4: Standard Application Security Verification AL3 + verification of common security mechanisms and common vulnerabilities using either manual penetration testing or code review or both. Not all instances of problems found - Sampling allowed. AL5: Enhanced Application Security Verification AL1 + AL3 + verification of all security mechanisms and vulnerabilities based on threat analysis model using either manual penetration testing or code review or both. AL6: Comprehensive Application Security Verification AL1 + AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested. OWASP 35

CLASP Comprehensive, Lightweight Application Security Process Centered around 7 AppSec Best Practices Cover the entire software lifecycle (not just development) Adaptable to any development process Defines roles across the SDLC 24 role-based process components Start small and dial-in to your needs OWASP

SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager OWASP

SAMM Security Practices From each of the Business Functions, 3 Security Practices are defined The Security Practices cover all areas relevant to software security assurance Each one is a silo for improvement OWASP

Subscribe to Chapter mailing list Post your (Web)AppSec questions Keep up to date! Get monthly news letters Contribute to discussions! OWASP 39

That s it Any Questions? http://www.owasp.org http://www.owasp.org/index.php/portuguese martin.knobloch@owasp.org Thank you! OWASP 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback