Presentation transcript:

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation

Slide 1: The Benefits of Establishing an Enterprise Security API for Your Organization
OWASP Europe Conference 2008
Dave Wichers, Cofounder and COO, Aspect Security; Volunteer Member of OWASP Board and OWASP Conferences Chair

Slide 2: The Problem – How do you deal with this?
OWASP Top Ten (2007 Edition)...

Slide 3: When you are using this?
Java Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Java Pattern, Java URL Encoder, many more ... or write custom code???

Slide 4: Example – Properly Addressing Canonicalization / Encoding
What do these mean? ‘%26lt;’, ‘3c’, ‘%2526lt%253B’. And how did you get there?

Original | Decode Scheme | Value | Decode Scheme | Final Value
%26lt; | HTML Entity | %26lt; | % | &lt;
%26lt; | % | &lt; | HTML Entity | <
%2526lt%253B | HTML Entity | %2526lt%253B | % | %26lt%3B
%2526lt%253B | % | %26lt%3B | HTML Entity | %26lt%3B
%2526lt%253B | double % | &lt; | HTML Entity | <
Rows for ‘3c’ (as extracted): 3c% HTML Entity%3c / 3cHTML Entity%3c%<
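The table above shows why a single decode pass is not enough: the same input reaches a different final value depending on which scheme is applied first, and layered encodings need more than one pass. The following is an added illustration in Python (my own code, not ESAPI's Java implementation) of the bounded canonicalization loop that produces those final values, records which schemes fired, and flags double or mixed encoding, the "Double Encoding Protection" listed under Validator/Encoder in the background slides.

```python
import html
import re
from urllib.parse import unquote

PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
ENTITY_RE = re.compile(r"&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")


def decode_once(value):
    """Apply each decoder once, in a fixed order; return the new value and
    the names of the schemes that actually changed something."""
    used = []
    if PCT_RE.search(value):
        try:
            decoded = unquote(value, errors="strict")  # reject malformed UTF-8 rather than guess
        except UnicodeDecodeError as exc:
            raise ValueError("invalid percent-encoding") from exc
        if decoded != value:
            used.append("percent")
            value = decoded
    if ENTITY_RE.search(value):
        decoded = html.unescape(value)
        if decoded != value:
            used.append("html-entity")
            value = decoded
    return value, used


def canonicalize(value, max_passes=5):
    """Decode until the value stops changing, with a hard cap on passes so a
    deeply nested payload cannot keep the decoder busy forever."""
    passes = 0
    schemes = []
    while passes < max_passes:
        new_value, used = decode_once(value)
        if not used:
            break
        schemes.extend(used)
        passes += 1
        value = new_value
    else:
        raise ValueError("too many encoding layers")
    return {
        "value": value,
        "schemes": schemes,
        "double_encoded": len(schemes) > len(set(schemes)),  # same scheme applied more than once
        "mixed_encoding": len(set(schemes)) > 1,             # more than one scheme in one input
    }
```

Either flag is a strong signal that the value was not produced by a normal browser and deserves a validation failure rather than a best-effort decode.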

Slide 5: Handling Encodings & Validation
Controller, User Interface, Business Functions, Data Layer, and backends (Web Service, Database, Mainframe, File System, Etc…).
- User -> Controller: Set Character Set; Global Validate (Any Encoding)
- Controller -> Business Functions: Canonicalize; Specific Validate; Sanitize
- User Interface: Encode For HTML
- Data Layer -> Any Interpreter: Canonicalize; Validate

Slide 6: Handling Direct Object References
Access Reference Map sits between the User and the backends (Web Service, Database, Mainframe, File System, Etc…).
Direct References (Report123.xls, Acct:) <-> Indirect References
Is User Authorized? (Check Role, Privs, Rights … again)
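An added example (my own Python, not ESAPI's AccessReferenceMap code) of the per-user indirect reference map the slide shows: the browser only ever sees random tokens, and a token that this user was never issued, or a raw direct reference such as Report123.xls pasted into the request, is rejected before the backend is touched. The authorization check "again" on the backend is still required; the map only removes direct references from the client.

```python
import secrets


class AccessReferenceMap:
    """Per-user (per-session) map between direct references, such as file
    names or account numbers, and the random indirect references that are
    exposed to the browser.  Illustrative reimplementation, not ESAPI's."""

    def __init__(self, authorized_direct_refs, token_bytes=16):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_bytes = token_bytes
        for direct in authorized_direct_refs:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        """Register one object this user may access; return its indirect reference."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        # Unguessable and unrelated to the direct value, so tokens cannot be enumerated.
        indirect = secrets.token_urlsafe(self._token_bytes)
        while indirect in self._to_direct:
            indirect = secrets.token_urlsafe(self._token_bytes)
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def direct_references(self):
        return list(self._to_indirect)

    def get_indirect_reference(self, direct):
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Resolve a value received from the client.  Anything not issued to
        this user (another user's token or a hand-typed direct reference) is
        rejected rather than forwarded to the backend."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown or unauthorized reference") from None


def report_links(arm, base="/report?id="):
    """Links rendered into the UI: only indirect references leave the server."""
    return {d: base + arm.get_indirect_reference(d) for d in arm.direct_references()}
```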

Slide 7: Application Layer Logging/Intrusion Detection
- Really important! Arguably one of the most important security mechanisms. Simply not done in the wild.
- Is it hard? It can be, but ESAPI can make it easy.
Flow: Backend, Controller, Business Functions, Data Layer and User all raise Enterprise Security Exceptions to the Logger and the Intrusion Detector.
- Logger: Log Message (w/Identity); User Message (no detail)
- Intrusion Detector: Configurable Thresholds; Responses: Log Intrusion, Logout User, Disable Account
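An added example (my own Python, not ESAPI's IntrusionDetector) of the "configurable thresholds and responses" idea on the slide: each security exception type has a count, a time window and a list of responses, and the detector returns the responses to execute once a user crosses the threshold inside the window. The threshold table and the event names are constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed threshold table: event name -> how many within how many seconds, and what to do.
THRESHOLDS = {
    "IntrusionException": {"count": 1, "interval": 1, "actions": ["log", "logout", "disable"]},
    "ValidationException": {"count": 10, "interval": 60, "actions": ["log", "logout"]},
    "AuthenticationException": {"count": 3, "interval": 300, "actions": ["log", "disable"]},
}


class IntrusionDetector:
    """Sliding-window counter per (user, event type).  `clock` is injectable so
    the window logic can be tested without sleeping."""

    def __init__(self, thresholds, clock=time.monotonic):
        self._thresholds = thresholds
        self._clock = clock
        self._events = defaultdict(deque)   # (user, event) -> timestamps in window

    def add_event(self, user, event_name):
        """Record one security event for `user`; return the responses to run
        (empty list while the user is still under the threshold)."""
        rule = self._thresholds.get(event_name)
        if rule is None:
            return []                        # unknown event types are logged elsewhere, not counted
        now = self._clock()
        window = self._events[(user, event_name)]
        window.append(now)
        while window and now - window[0] > rule["interval"]:
            window.popleft()                 # drop events that fell out of the interval
        if len(window) >= rule["count"]:
            window.clear()                   # reset so the response fires once per breach
            return list(rule["actions"])
        return []
```

The user-facing message stays generic ("request rejected") while the log line carries the identity, which is the split the slide draws between User Message (no detail) and Log Message (w/Identity).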

Slide 8: So what do we do? Industry Standardization
- Standard Gauge Rail
- Standard Sized Shipping Containers
- Standard Cryptographic Algorithms / Implementations
  - Why? Because Crypto is thought to be HARD!
  - Encryption Standards
  - Hash Standards
  - Digital Signature Standards
  - PKI Standards
  - Wireless Standards …
- Well, apparently all this application security stuff is HARD too!!

Slide 9: Time to Stamp Out Homegrown Controls
- Security controls are very difficult to get right
- Requires extensive understanding of attacks
- One was built with stuff “Larry” had lying around!
- More expensive, and security likely to be missing or broken

Slide 10: Philosophy
- Using security controls is different from building them
- All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
- Most developers shouldn’t build security controls; they need to know:
  - When to use a control
  - How to use a control
  - Why to use a control (maybe)
- Most enterprises need the same set of calls

Slide 11: Imagine an Enterprise Security API
- All the security controls a developer needs
- Standard
- Centralized
- Organized
- Integrated
- High Quality
- Intuitive
- Tested

Slide 12: OWASP Enterprise Security API
Custom Enterprise Web Application
  -> OWASP Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  -> OWASP Reference Implementation and/or Existing Enterprise Security Services/Libraries

Slide 13: Coverage
OWASP Top Ten (2007) | OWASP ESAPI
A1. Cross Site Scripting (XSS) | Validator, Encoder
A2. Injection Flaws | Encoder
A3. Malicious File Execution | HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference | AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF) | User (CSRF Token)
A6. Leakage and Improper Error Handling | EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions | Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage | Encryptor
A9. Insecure Communications | HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access | AccessController

Slide 14: Process for building ESAPI
ESAPI is being produced by:
- Applying 10 years of application security research
- An expert team focused exclusively on application security
  - Has reviewed 100s of applications / 100+ million lines of code
  - Has worked with static analysis vendors to improve tool capabilities
  - Has taught over 400 classes to developers on how to write secure code across a curriculum of 15+ different application security courses
  - Has helped numerous companies change the way they write software
- Long time contributors to OWASP
- Expert Review Panel (Members of OWASP Community)
- Other Experts?? Please Contribute!!

Slide 15: Quality

Slide 16: Project Plan and Status
- 6/06 – Sketch Informal API
- 4/07 – Formalize Strawman API
- 5/07 – Start Java EE Reference Implementation
- 7/07 – Form Expert Panel
- 12/07 – Release RC – Start Collecting
- 3/08 – Latest Release – v
ESAPI Continued Enhancements
- .NET, PHP reference implementations underway
- Client side, web service extensions being considered
Projects are starting to use ESAPI
- OWASP AntiSamy
- Sun OpenRMS
- Aspect Security internal projects
- U.S. Dept. of Treasury

Slide 17: Create Your ESAPI Implementation
Your Security Services
- Compare your standard security services to the ESAPI
- Wrap your existing libraries and services
- Extend and customize your ESAPI implementation
- Fill in gaps with the reference implementation
- Or, simply adopt ESAPI if you don’t have your own standards
Your Coding Guideline
- Tailor the ESAPI coding guidelines
- Retrofit ESAPI patterns to existing code

Slide 18: Source Code and Javadoc Online Now!
Project Home Page:
Code Repository:

Slide 19: Questions and Answers

Background Slides

Slide 21: Handling Validation and Encoding
Backend, Controller, Business Functions, Data Layer, User.
Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
Validator: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Also: Canonicalization, Double Encoding Protection, Normalization, Sanitization

Slide 22: Handling Authentication and Users
Backend, Controller, Business Functions, Data Layer, User.
ESAPI: Access Control, Logging, Intrusion Detection, Authentication, Users
Users: Strong Passwords, Random Tokens, CSRF Tokens, Lockout, Remember Me, Screen Name, Roles, Timeout

Slide 23: Handling Access Control
Controller, User Interface, Business Functions, Data Layer, User, and backends (Web Service, Database, Mainframe, File System, Etc…).
AccessController: isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForService, isAuthorizedForData, isAuthorizedForFile

Slide 24: Handling Sensitive Information
Backend, Controller, Business Functions, Data Layer, User.
Encrypted Properties; Encryptor: Encryption, Digital Signatures, Integrity Seals, Strong GUID, Random Tokens, Timestamp, Salted Hash, Safe Config Details

Slide 25: Handling HTTP
Backend, Controller, Business Functions, Data Layer, User.
HTTP Utilities: Add Safe Cookie, No Cache Headers, CSRF Tokens, Safe Request Logging, Encrypt State in Cookie, Add Safe Header, Querystring Encryption, Change SessionID, isSecureChannel, sendSafeRedirect, sendSafeForward, Safe File Uploads, Set Content Type, Kill Cookie, Hidden Field Encryption

Slide 26: Handling Application Security Configuration
ESAPI Configuration (used by Backend, Controller, Business Functions, Data Layer, User via ESAPI):
- Select crypto algorithms
- Select encoding algorithms
- Define sets of characters
- Define global validation rules
- Select logging preferences
- Establish intrusion detection thresholds and actions
- Etc…