Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver Leveraging OWASP in Open.

Published byAngel Romaine Modified over 9 years ago

Similar presentations

Presentation on theme: "David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver Leveraging OWASP in Open."— Presentation transcript:

1 David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver Leveraging OWASP in Open Source Projects - CAS AppSec Working Group

2 Hosted by OWASP & the NYC Chapter

3 Central Authentication Service (CAS) Simple, Flexible, Extensible Open Source Web Single Sign-On for the Enterprise ●Alfresco ●Confluence ●DokuWiki ●Drupal ●Google Apps ●JIRA ●Joomla! ●Liferay ●MediaWiki ●Moodle ●OpenCMS ●PeopleAdmin ●Roller ●Sakai ●Twiki ●uPortal ●Wordpress ●Zimbra ●Spring Security ●Apache Shiro ●Java CAS Client ●.Net CAS Client ●php CAS Client ●mod_auth_cas ●ASP to Zope

4 Hosted by OWASP & the NYC Chapter Central Authentication Service (CAS) ●CAS initially create by Shawn Bayern in 2001 at Yale ●CAS3 jointly designed and developed by Rutgers and Yale in 2005 as Jasig project ●Simple protocol, flexible architecture, wide deployment

5 Hosted by OWASP & the NYC Chapter Central Authentication Service (CAS) But...is it secure? How do we know? ●Based on Kerberos ●Wide deployment and many eye balls ●Reports of dynamic scans from time to time ●Maybe we should really check?

6 Hosted by OWASP & the NYC Chapter Central Authentication Service (CAS) CAS AppSec Working Group - Jan 2013 Joachim Fritschi Jérôme Leleu Misagh Moayyed Parker Neff https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group David Ohsie Andrew Petro Bill Thompson Aaron Weaver

7 ●Proactively work to improve the security posture ●Respond to potential vulnerabilities ●Produce artifacts that help potential CAS adopters evaluate the security of CAS ●Create and maintain recommendations on good security practices for deployments Hosted by OWASP & the NYC Chapter CAS AppSec Working Group Goals

8 Hosted by OWASP & the NYC Chapter

9 Google pays coders to improve open-source security

10 Hosted by OWASP & the NYC Chapter Open Source software needs to be open on software security.

11 Hosted by OWASP & the NYC Chapter As an adopter or potential adopter I want to know how the project deals with security

12 Hosted by OWASP & the NYC Chapter Security can be a strong “selling” point!

13 Hosted by OWASP & the NYC Chapter How to avoid being one of the "73%" of WordPress sites vulnerable to attack Or it can detract from your project

14 Hosted by OWASP & the NYC Chapter Vulnerability Handling Practices

15 Hosted by OWASP & the NYC Chapter

16 OSS AppSec Program ●Form a working group ●OWASP Resources ●Meet regularly ●Make it easy to report vulnerabilities ●Threat Analysis with Developers ●Run security tools (ZAP, Static Code)

17 Hosted by OWASP & the NYC Chapter Contributors ●Use OWASP Resources and Libraries ●Threat Model ●Work with security researchers

18 Hosted by OWASP & the NYC Chapter Make it easy to report a vulnerability ●Security issue email address ●Provide a PGP Key

19 Hosted by OWASP & the NYC Chapter Static Code Analysis Issues were found, prioritized and worked through false positives

20 ●What people think/say: “We probably don’t have any major security issues.” ●Threat analysis gives you a way to systematically analyze the possible threats against your system and rank them by potential impact. ●Threat analysis also gives adopters the information they need to analyze the deployment of your system in their environment. Hosted by OWASP & the NYC Chapter Threat analysis: Purpose

21 ●Decompose the application: Draw a dataflow diagram in order to enumerate the attack surfaces. ●For each attack surface, enumerate the threats to the system and rank them. ●For each threat, create a list of possible mitigations. ●More details: https://www.owasp.org/index.php/Application_Threat_M odeling https://www.owasp.org/index.php/Application_Threat_M odeling Hosted by OWASP & the NYC Chapter Threat analysis: Methodology

22 ●Started with whiteboarding session at Apereo conference to produce initial DFD and threats ●Biweekly follow-up meeting via Webex ●Used STRIDE to help identify threats ●Results maintained on wiki page ●https://wiki.jasig.org/display/CAS/CAS+Threat+Modelin ghttps://wiki.jasig.org/display/CAS/CAS+Threat+Modelin g Hosted by OWASP & the NYC Chapter CAS Appsec Experience

23 Hosted by OWASP & the NYC Chapter CAS Context DFD

24 Hosted by OWASP & the NYC Chapter CAS Protocol DFD Browser CAS Server CAS Client (Agent) Application Username/Password + Application Service URL SSO Session Cookie (TGT) Application Service Ticket (ST) HTTP(S) Request + ST HTTP(S) + Optional Session Cookie HTTPS

25 Hosted by OWASP & the NYC Chapter STRIDE ThreatSecurity Control SpoofingAuthentication TamperingIntegrity RepudiationNon-Repudiation Information DisclosureConfidentiality Denial of ServiceAvailability Elevation of PrivelegeAuthorization

26 ●Identifier: PC_3 ●Category: Information Disclosure ●Threat: The pgtIou and pgtId are send as GET parameters, which can be a problem as they might be stored in logs or indexed in internal search engines... ●Mitigation: Never log the GET parameters on the proxy callback url. Though, it might be not sufficient. Should we change the CAS protocol in the next revision (v4.0) to POST these parameters ? Hosted by OWASP & the NYC Chapter CAS Appsec Sample Threat

27 ●Easy: Security Guide Contents ○Disable http ○How to write a safe CAS client/plugin ○Securing the ticket registry ●Harder: Change the code ○Secure-by-default ○Encrypted/signed ticket registry Hosted by OWASP & the NYC Chapter Classifying Remediation

28 ●Classified 19 threat against the system ●Generated 10 proposals ●One proposal (secure-by-default) integrated into CAS 4.0 ●Paraphrase from a CAS committer: ○“I thought when we started that we would not find any problems, but now I see that there are lots of improvements to be made” Hosted by OWASP & the NYC Chapter CAS Threat modeling results

29 ●Even in a security project, features are favored over security! ●Difficult to get consistent participation (although a core of contributors have kept it up; thank you, Jérôme Leleu and co-presenters!) ●Difficult to get changes prioritized and into the project Hosted by OWASP & the NYC Chapter Challenges

30 Hosted by OWASP & the NYC Chapter Application Security Professionals Find an open source project and volunteer!

31 Hosted by OWASP & the NYC Chapter Thanks! David Ohsie Bill Thompson, CISSP, CSSLP IAM Practice Director, Unicon wgthom@unicon.net Aaron Weaver

Download ppt "David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver Leveraging OWASP in Open."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Usage Statistics in Context: related standards and tools Oliver Pesch Chief Strategist, E-Resources EBSCO Information Services Usage Statistics and Publishers:

Usage Statistics in Context: related standards and tools Oliver Pesch Chief Strategist, E-Resources EBSCO Information Services Usage Statistics and Publishers:
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007.

What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
Week 2 IBS 685. Static Page Architecture The user requests the page by typing a URL in a browser The Browser requests the page from the Web Server The.

Week 2 IBS 685. Static Page Architecture The user requests the page by typing a URL in a browser The Browser requests the page from the Web Server The.
UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.

Authentication Systems and Single Sign-On (SSO) David Orrell, Eduserv Athens 1st EuroCAMP, 2-4 March 2005, Turin, Italy.
JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.

JA-SIG CAS Enterprise Single Sign-On Scott Battaglia Application Developer Enterprise Systems & Services Rutgers, the State University of New Jersey Copyright.

Similar presentations

Ads by Google