Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Enterprise Security API

Published byCameron Hancock Modified over 6 years ago

Similar presentations

Presentation on theme: "The OWASP Enterprise Security API"— Presentation transcript:

1 The OWASP Enterprise Security API
Jeff Williams OWASP Foundation Chair Aspect Security CEO Hi – my name is Jeff Williams. I’m the CEO of Aspect Security, an application security consulting company, and I volunteer my time as the Chair of OWASP.

2 Your enterprise has hundreds of applications Every one of them needs:
The Challenge… Your enterprise has hundreds of applications Every one of them needs: Authentication, access control, input validation, encoding, encryption, logging, error handling, etc… You can use these building blocks: Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, HDIV, xml-dsig, xml-enc, lots lots more….

3 The Challenge… Spring Commons Jasypt Validator Log4j xml-enc Cryptix
JAAS JCE Stinger ACEGI Struts BouncyCastle Reform Anti-XSS xml-dsig HDIV Java Logging

4 Using security controls is different from building
Philosophy Using security controls is different from building All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls Most developers shouldn’t build security controls When to use a control How to use a control Why to use a control (maybe) Most enterprises need the same set of calls

5 Only include methods that…
Design Only include methods that… Are widely useful and focus on the most risky areas Designed to be simple to understand and use Interfaces with concrete reference implementation Full documentation and usage examples Same basic API across common platforms Java EE, .NET, PHP, others? Useful to Rich Internet Applications?

6 Architecture Overview
Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries

7 Create Your ESAPI Implementation
Your Security Services Wrap your existing libraries and services Extend and customize your ESAPI implementation Fill in gaps with the reference implementation Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI patterns to existing code

8 ESAPI is NOT a framework
Frameworks and ESAPI ESAPI is NOT a framework Just a collection of security functions, not “lock in” Frameworks already have some security Controls are frequently missing, incomplete, or wrong ESAPI Framework Integration Project We’ll share best practices for integrating Hopefully, framework teams like Struts adopt ESAPI

9 Project Plan and Status
6/06 – Sketch Informal API 4/07 - Formalize Strawman API 5/07 – Start Java EE Reference Implementation 7/07 - Form Expert Panel 11/07 - Release RC1 9/07 – Sneak Peek 2002 – Start Collecting

10 Quality

11 Handling Authentication and Identity
User Controller Business Functions Data Layer Backend ESAPI Authentication Access Control Logging Intrusion Detection Users

12 Use threadlocal variable to store current User
Authenticator Key Methods createUser(accountName, pass1, pass2) generateStrongPassword() getCurrentUser() login(request, response) logout() verifyAccountNameStrength(acctName) verifyPasswordStrength(newPass, oldPass) Use threadlocal variable to store current User Automatically change session on login and logout

13 User Key Methods changePassword(old, new1, new2) disable() enable()
getAccountName() getScreenName() getCSRFToken() getLastFailedLoginTime() getLastLoginTime() getRoles() isInRole(role) isEnabled() isExpired() isLocked() loginWithPassword(password, request, response) resetCSRFToken() resetPassword() verifyCSRFToken(token)

14 Enforcing Access Control
Controller Business Functions Data Layer Web Service URL Check Function Check Data Check Service Check Database User Mainframe Etc… User Interface Function Check File Check File System

15 Reference Implementation (not required)
AccessController Key Methods isAuthorizedForData(key) isAuthorizedForFile(filepath) isAuthorizedForFunction(functionName) isAuthorizedForService(serviceName) isAuthorizedForURL(url) Reference Implementation (not required) /admin/* | admin | allow | admin access to /admin /* | any | deny | default deny rule

16 Handling Direct Object References
Access Reference Map Web Service Indirect Reference Direct Reference Database User Mainframe File System Report123.xls Indirect Reference Direct Reference Etc…

17 AccessReferenceMap Key Methods Example
getDirectReference(indirectReference) getIndirectReference(directReference) iterator() update(directReferences) Example

18 Validating and Encoding Untrusted Input
Web Service Validate EncodeForLDAP Directory User Business Processing Database File System EncodeForHTML Validate Etc…

19 Canonicalization is really important always ignored
Validator Key Methods canonicalize(input), normalize(input) isValidFileUpload(filepath, filename, content) getValidDataFromBrowser(type, input) isValidDataFromBrowser(type, input) isValidHTTPRequest (request) isValidRedirectLocation(location) isValidSafeHTML(input), getValidSafeHTML(input) safeReadLine(inputStream, maxchars) Canonicalization is really important always ignored Global validation of HTTP requests

20 Decode This <input name=“test” value=“test” onblur=“&#x61ler&#116(‘xss’)”> %26lt;

21 Function names help tell developer when to use
Encoder Key Methods encodeForBase64(input) encodeForDN(input) encodeForHTML(input) encodeForHTMLAttribute(input) …, encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath Function names help tell developer when to use Some of these are quite hard

22 Enhancing HTTP HTTP Utilities User Business Processing Logging
Safe File Upload Verify CSRF Token Add Safe Header No Cache Headers Secure Redirect Secure Cookies Add CSRF Token Safe Request Logging Logging

23 Safer ways of dealing with HTTP, secure cookies
HTTPUtilities Key Methods addCSRFToken(href), checkCSRFToken(href) addSafeCookie(name, value, age, domain, path) addSafeHeader(header, value) changeSessionIdentifier() getFileUploads(tempDir, finalDir) isSecureChannel() killCookie(name) sendSafeRedirect(href) setContentType() setNoCacheHeaders() Safer ways of dealing with HTTP, secure cookies

24 Simple master key in configuration Minimal certificate support
Encryptor Key Methods decrypt(ciphertext) encrypt(plaintext) hash(plaintext, salt) loadCertificateFromFile(file) getTimeStamp() seal(data, expiration) verifySeal(seal, data) sign(data) verifySignature(signature, data) Simple master key in configuration Minimal certificate support

25 Simple protected storage for configuration data
EncryptedProperties Key Methods getProperty(key) setProperty(key, value) keySet() load(inputStream) store(outputStream, comments) Simple protected storage for configuration data Main program to preload encrypted data!

26 Several pre-defined character sets
Randomizer Key Methods getRandomGUID() getRandomInteger(min, max) getRandomReal(min, max) getRandomString(length, characterSet) Several pre-defined character sets Lowers, uppers, digits, specials, letters, alphanumerics, password, etc…

27 EnterpriseSecurityException
Exception Handling EnterpriseSecurityException AccessControlException(userMsg, logMsg) AuthenticationException(userMsg, logMsg) AvailabilityException(userMsg, logMsg) CertificateException(userMsg, logMsg) EncodingException(userMsg, logMsg) EncryptionException(userMsg, logMsg) ExecutorException(userMsg, logMsg) IntrusionException(userMsg, logMsg) ValidationException(userMsg, logMsg) Sensible security exception framework

28 All EASPI exceptions are automatically logged
Logger Key Methods getLogger(applicationName,moduleName) formatHttpRequestForLog(request, sensitiveList) logCritical(type, message, throwable) logDebug(type, message, throwable) logError(type, message, throwable) logSuccess(type, message, throwable) logTrace(type, message, throwable) logWarning(type, message, throwable) All EASPI exceptions are automatically logged

29 Detecting Intrusions User Business Processing Backend ESAPI
Events and Exceptions Log, Logout, and Disable IntrusionDetector Tailorable Quotas

30 IntrusionDetector Key Methods Model addException(exception)
addEvent(event) Model EnterpriseSecurityExceptions automatically added Specify a threshold for each event type org.owasp.esapi.ValidationException.count=3 org.owasp.esapi.ValidationException.interval=3 (seconds) org.owasp.esapi.ValidationException.action=logout Actions are log message, disable account

31 SecurityConfiguration
Customizable… Crypto algorithms Encoding algorithms Character sets Global validation rules Logging preferences Intrusion detection thresholds and actions Etc… All security-relevant configuration in one place

32 Coverage OWASP Top Ten OWASP ESAPI A1. Cross Site Scripting (XSS)
A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController

33 I have learned an amazing amount (I thought I knew)
Closing Thoughts I have learned an amazing amount (I thought I knew) An ESAPI is a key part of a balanced breakfast Build rqmts, guidelines, training, tools around your ESAPI Secondary benefits May help static analysis do better Enables security upgrades across applications Simplifies developer training Next year – experiences moving to ESAPI

Download ppt "The OWASP Enterprise Security API"

Similar presentations

Whats New in Service Pack 12. 2 Educator Efficiency and Effectiveness Focused Insight Student Experience Administrator Efficiency and Effectiveness Blackboard.

Whats New in Service Pack Educator Efficiency and Effectiveness Focused Insight Student Experience Administrator Efficiency and Effectiveness Blackboard.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Do’s and Don’ts for web application developers

Do’s and Don’ts for web application developers
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application.

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application.
ESAPI Pictures For Javadoc.

ESAPI Pictures For Javadoc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
CSC 2720 Building Web Applications

CSC 2720 Building Web Applications

Similar presentations

Ads by Google