OWASP ESAPI Mission: To ensure that strong, simple security controls are available to every developer in every environment

Presentation transcript:

Where Do Vulnerabilities Come From?

Controls Every Application Needs: Access Control; Authentication and Identity; App Firewall; Access Reference Map; Output Escaping; Input Validation; Logging; Exception Handling; Secure Config; Intrusion Detection; HTTP Utilities; Encryption and Signing

Security Controls Are Hard

Escaping Gone Wild: every form below decodes to the single character "<"
Percent Encoding: %3c %3C
HTML Entity Encoding (decimal, any zero padding, with or without the trailing semicolon): &#60 &#060 &#0060 &#00060
HTML Entity Encoding (hex, lowercase x): &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c
HTML Entity Encoding (hex, uppercase X): &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
HTML Entity Encoding (hex, uppercase C): &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C
HTML Entity Encoding (hex, uppercase X and C): &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
HTML Named Entities: &lt &lT &Lt &LT &lt; &lT; &Lt; &LT;
JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
US-ASCII: ¼
UTF-7: +ADw-
Punycode
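The slide's point is that a validator which inspects raw input can be bypassed by any of these encodings, which is why ESAPI validates the canonical form (its Encoder exposes this as canonicalize) and treats multiple encoding as an attack signal. The following canonicalizer is an added example written for this page, not ESAPI's own code; it decodes the schemes listed on the slide in rounds, reports how many rounds were needed, and deliberately accepts overlong UTF-8 so that it reproduces what a lax downstream consumer would see.

```python
import html
import re

def _cp(n: int) -> str:
    return chr(n) if n <= 0x10FFFF else "\ufffd"

def _lenient_utf8(b: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms (%c0%bc -> '<'), as a lax consumer would."""
    out, i = [], 0
    while i < len(b):
        c, n = b[i], 0
        while n < 7 and c & (0x80 >> n):        # count leading 1 bits of the lead byte
            n += 1
        if n == 1 or n >= 7:                     # stray continuation byte or invalid lead
            out.append("\ufffd"); i += 1; continue
        cp, cont = c & (0x7F >> n), max(n - 1, 0)
        for j in range(1, cont + 1):
            if i + j < len(b) and (b[i + j] & 0xC0) == 0x80:
                cp = (cp << 6) | (b[i + j] & 0x3F)
            else:
                cp, cont = 0xFFFD, j - 1         # truncated sequence: stop early
                break
        out.append(_cp(cp)); i += cont + 1
    return "".join(out)

def decode_layer(s: str) -> str:
    """Apply one round of every decoding scheme listed on the slide."""
    raw = re.sub(rb"%([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 s.encode("utf-8"))
    s = _lenient_utf8(raw)                                              # %3c, %c0%bc
    s = re.sub(r"&#0*(\d{1,7});?", lambda m: _cp(int(m.group(1))), s)  # &#60, &#0060
    s = re.sub(r"&#[xX]0*([0-9a-fA-F]{1,6});?",
               lambda m: _cp(int(m.group(1), 16)), s)                   # &#x3c, &#X003C
    s = html.unescape(s)                                                # &lt; and bare &lt
    s = re.sub(r"\\[xX]([0-9a-fA-F]{2})|\\[uU]([0-9a-fA-F]{4})",
               lambda m: _cp(int(m.group(1) or m.group(2), 16)), s)     # JS \x3c, \u003c
    s = re.sub(r"\\([0-9a-fA-F]{1,6}) ?", lambda m: _cp(int(m.group(1), 16)), s)  # CSS \3c
    return s

def canonicalize(s: str, max_rounds: int = 4):
    """Decode until stable. Returns (canonical, rounds); rounds > 1 means the input
    was multiply encoded, which a validator should reject rather than accept."""
    rounds = 0
    while rounds < max_rounds:
        decoded = decode_layer(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    return s, rounds
```

Run any validation (for example "does this contain <?") against the first element of the returned tuple, and reject when the second is greater than one.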

Cheaper, Better, Faster

Independence

Positive Security: attacks, threats, exploits, vulnerabilities, risks, controls, accountability, pentest, scanning, assurance, patterns, verification, architecture, policy, impact, flaws, metrics, visibility, completeness

ESAPI Scorecard: Authentication; Identity; Access Control; Input Validation; Output Escaping; Canonicalization; Encryption; Random Numbers; Exceptions; Logging; Intrusion Detection; Security Config; App Firewall

Assurance

Deceptively Tricky Problems for Developers:
1. Input Validation and Output Encoding
2. Authentication and Identity
3. URL Access Control
4. Business Function Access Control
5. Data Layer Access Control
6. Presentation Layer Access Control
7. Errors, Logging, and Intrusion Detection
8. Encryption, Hashing, and Randomness
Lots more…

Stopping Injection, slide 13 (Quick and Dirty): Ad Hoc Escaping; Generic Validation

Stopping Injection, slide 14 (Enterprise): Automatic Escaping; Managed Specific Validation; Managed Generic Validation

Questions

Stopping Injection, slide 17 (Quick and Dirty): Ad Hoc Escaping; Generic Validation

Stopping Injection, slide 18 (Strong Application): Mandatory Escaping; Specific Validation; Generic Validation (+can)

ESAPI Web App Firewall (WAF). Diagram labels: attacker, user, ESAPI WAF. Critical application? PCI requirement? 3rd party application? Legacy application? Incident response? Virtual patches; Authentication rules; URL access control; Egress filtering; Attack surface reduction; Real-time security

AuthN and AuthZ, slide 20 (Quick and Dirty): User in Session; Simple Authentication Model; Ad Hoc Authorization

AuthN and AuthZ, slide 21 (Strong Application): Identity Everywhere; Automatic CG Authorization; Alternate Authentication; Automatic FG Authorization

AuthN and AuthZ, slide 22 (Enterprise): AuthZ Policy Management; AuthZ Entitlement Mgmt; Identity Management

Applications Enjoy Attacks: YouTube, Live Search, Blogger

Accountability and Detection, slide 24 (Quick and Dirty): Ad Hoc Security Logging; Security Exceptions (2 msgs); Ad Hoc Authorization

Accountability and Detection, slide 25 (Strong Application): Intrusion Detection; Automatic Security Logging

Accountability and Detection, slide 26 (Enterprise): Log Policy Management; Dynamic Incident Response; Centralized Logging

ESAPI Swingset