ESAPI Pictures For Javadoc.

Architecture Overview
(Diagram) Three layers: Custom Enterprise Web Application -> Enterprise Security API -> Existing Enterprise Security Services/Libraries. ESAPI components shown in the middle layer: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.

OWASP Top Ten Coverage
(Table) Which ESAPI component addresses each OWASP Top Ten item:

OWASP Top Ten                              OWASP ESAPI
A1. Cross Site Scripting (XSS)             Validator, Encoder
A2. Injection Flaws                        Encoder
A3. Malicious File Execution               HTTPUtilities (upload)
A4. Insecure Direct Object Reference       AccessReferenceMap
A5. Cross Site Request Forgery (CSRF)      User (csrftoken)
A6. Leakage and Improper Error Handling    EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions     Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage         Encryptor
A9. Insecure Communications                HTTPUtilities (secure cookie, channel)
A10. Failure to Restrict URL Access        AccessController

Enforcing Access Control
(Diagram) AccessController checks, driven by Roles, placed across the application tiers (User, Presentation Layer, Controller, Business Functions, Data Layer, Backend): isAuthorizedForURL(), isAuthorizedForFunction(), isAuthorizedForData(), isAuthorizedForService(), isAuthorizedForFile().

Handling Authentication and Identity
(Diagram) ESAPI Authentication sits in front of the application tiers (Presentation Layer, Controller, Business Functions, Data Layer, Backend), backed by the Users store; the authenticated User identity feeds Access Control, Logging and Intrusion Detection.

Handling Direct Object References
(Diagram) The Access Reference Map sits between the Presentation Layer and the Backend: getIndirectReference() turns a direct reference into an indirect one before it is sent to the client, and getDirectReference() maps the indirect value back on the next request. Examples shown: Report123.xls is exposed as http://app?file=1 instead of http://app?file=Report123.xls; Acct:9182374 is exposed as http://app?id=7d3J93 instead of http://app?id=9182374.
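
The mapping described above, as an added stand-alone illustration (not ESAPI's own AccessReferenceMap code): a per-session map that hands out random indirect keys and treats any key it did not issue as an access violation. The class name, key length and alphabet are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical re-implementation of the indirect reference idea from the slide.
// One instance per user session: a user can only resolve keys that were issued to them.
public class IndirectReferenceMap {
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> directToIndirect = new HashMap<>();
    private final Map<String, String> indirectToDirect = new HashMap<>();

    // Register a direct reference the current user may access and return its indirect key.
    public String getIndirectReference(String direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            do {
                indirect = randomKey(6);
            } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(direct, indirect);
            indirectToDirect.put(indirect, direct);
        }
        return indirect;
    }

    // Resolve a key taken from the request. An unknown key is an access violation, not a lookup miss.
    public String getDirectReference(String indirect) {
        String direct = indirectToDirect.get(indirect);
        if (direct == null) {
            throw new IllegalArgumentException("access violation: unknown indirect reference");
        }
        return direct;
    }

    private String randomKey(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();   // built when the session starts
        String key = map.getIndirectReference("Acct:9182374");   // random key in the style of 7d3J93
        System.out.println("http://app?id=" + key);              // what the client sees
        System.out.println(map.getDirectReference(key));         // Acct:9182374 on the way back
        try {
            map.getDirectReference("9182374");                   // raw identifier supplied directly
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());                  // rejected, and worth logging
        }
    }
}
```

Because the keys are random and scoped to one session, a user cannot reach another user's records by editing the id in the URL; the rejected lookup is also a useful signal for the intrusion detector.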

Decoding/Encoding Untrusted Data
(Diagram) Input side: a Decoding Engine built from codecs (HTML Entity Codec, Percent Codec, JavaScript Codec, VBScript Codec, CSS Codec, ...) canonicalizes data before it reaches the Validation Engine. Output side, Encoding Engine toward the Presentation Layer: encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL(). Encoding Engine toward the Backend interpreters: encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS().

Validating Untrusted Input/Output
(Diagram) Validation Engine at the Presentation Layer (input): getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), ... Validation Engine at the Backend (output from other systems): getValidDate(), getValidCreditCard(), getValidInput(), getValidNumber(), ...

Enhancing HTTP
(Diagram) HTTP Utilities wrap both sides of the request/response path through the application tiers. Input Utilities: assertSecureRequest(), getCSRFToken(), getSafeFileUploads(), safeSendForward(), verifyCSRFToken(), ... Output Utilities: addCSRFToken(), changeSessionIdentifier(), safeSetContentType(), setNoCacheHeaders(), setRememberToken(), verifyCSRFToken(), ...

Security Logging
(Diagram) The Logger is reachable from every tier (Presentation Layer, Controller, Business Functions, Data Layer, Backend). ESAPI Logging: fatal(), error(), warning(), info(), debug(), trace(), ...

Detecting Intrusions
(Diagram) Intrusion Detection receives events from Authentication and Logging across all application tiers and compares them against Tailorable Quotas; when a quota is exceeded it logs the intrusion event and can respond by logging out the user or locking the account in the Users store.
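
The quota mechanism sketched above, as an added stand-alone illustration (not ESAPI's own IntrusionDetector code): a per-user, per-event sliding window compared against a tailorable quota, returning the response actions once the quota is exceeded. The class names, the event type string and the count/interval/actions values are assumptions made for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of quota-based intrusion detection from the slide.
// A Quota means: more than `count` events of one type within `intervalMillis` triggers `actions`.
public class QuotaIntrusionDetector {
    public static final class Quota {
        final int count; final long intervalMillis; final String[] actions;
        Quota(int count, long intervalMillis, String... actions) {
            this.count = count; this.intervalMillis = intervalMillis; this.actions = actions;
        }
    }
    private final Map<String, Quota> quotas = new HashMap<>();
    // Key "user|eventType" -> timestamps of that user's recent events of that type (sliding window).
    private final Map<String, Deque<Long>> windows = new HashMap<>();

    public void setQuota(String eventType, Quota quota) { quotas.put(eventType, quota); }

    // Record one security event; returns the actions to take, or an empty array if within quota.
    public String[] addEvent(String user, String eventType, long nowMillis) {
        Quota quota = quotas.get(eventType);
        if (quota == null) return new String[0];            // no quota configured for this event
        Deque<Long> window = windows.computeIfAbsent(user + "|" + eventType, k -> new ArrayDeque<>());
        window.addLast(nowMillis);
        while (!window.isEmpty() && nowMillis - window.peekFirst() > quota.intervalMillis) {
            window.pollFirst();                             // drop events outside the interval
        }
        if (window.size() > quota.count) {
            window.clear();                                 // respond once per burst, then start over
            return quota.actions;
        }
        return new String[0];
    }

    public static void main(String[] args) {
        QuotaIntrusionDetector ids = new QuotaIntrusionDetector();
        // Tailorable quota (constructed values): more than 3 validation failures in one minute.
        ids.setQuota("ValidationException", new Quota(3, 60_000L, "log", "logout", "lock"));
        long t = 1_000_000L;
        for (int i = 0; i < 4; i++) {
            String[] actions = ids.addEvent("alice", "ValidationException", t + i * 1_000L);
            System.out.println("event " + (i + 1) + ": " + String.join(",", actions));
        }
    }
}
```

The first three events stay within quota; the fourth, one second later, exceeds it and yields log,logout,lock, which the caller applies through the Logger, Authenticator and Users store.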

Basic Cryptography
(Diagram) Encryptor, used from the application tiers. Crypto operations: encrypt() / decrypt(), hash(), seal() / unseal(), sign(), verifySeal(), verifySignature().

Encrypted Properties
(Diagram) new EncryptedProperties() is backed by an Encrypted Properties File through the Encryptor; the application reads and writes values with set() / get().

Safe OS Command Execution
(Diagram) executeSystemCommand() placed in the Backend tier, behind the Presentation Layer, Controller, Business Functions and Data Layer.