Slide 1: The Benefits of Establishing an Enterprise Security API for Your Organization

OWASP Europe Conference 2008
Dave Wichers, Cofounder and COO, Aspect Security; Volunteer Member of the OWASP Board and OWASP Conferences Chair
dave.wichers@aspectsecurity.com, 443-745-6268

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Slide 2: The Problem – How do you deal with this?

OWASP Top Ten (2007 Edition): http://www.owasp.org/index.php/Top_10
Slide 3: What are you using for this?

Java Logging, Log4j, BouncyCastle, Jasypt, JCE, Cryptix, xml-dsig, xml-enc, JAAS, Spring, ACEGI, HDIV, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Java Pattern, Java URL Encoder, many more … or write custom code???
Slide 4: Example – Properly Addressing Canonicalization / Encoding

What do these mean? '%26lt;', '%3c', '%2526lt%253B' – it depends on which decoders run, and in what order:

Original      | Decode Scheme | Value        | Decode Scheme | Final Value
%26lt;        | HTML Entity   | %26lt;       | %             | &lt;
%26lt;        | %             | &lt;         | HTML Entity   | <
%3c           | %             | <            | HTML Entity   | <
%3c           | HTML Entity   | %3c          | %             | <
%2526lt%253B  | HTML Entity   | %2526lt%253B | %             | %26lt%3B
%2526lt%253B  | %             | %26lt%3B     | HTML Entity   | %26lt%3B
%2526lt%253B  | double %      | &lt;         | HTML Entity   | <

And how did you get there?
Slide 5: Handling Encodings & Validation

Flow: User → Controller → Business Functions → Data Layer → backends (Web Service, Database, Mainframe, File System, etc.), and back out through the User Interface.

Controller, on the way in: Set Character Set → Canonicalize → Global Validate
Business Functions: Specific Validate → Sanitize
Data Layer, talking to any interpreter: Canonicalize → Validate on the way back in, Encode for that interpreter (any encoding) on the way out
User Interface: Encode for HTML
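The table on the previous slide and the Canonicalize → Validate pipeline on this one are the same point seen twice: validation must run on the canonical form, and an input that only settles after several decodings was not typed by a user. The following is an added illustration in Python (not the slides' or ESAPI's own code); it reuses the table's inputs, and the scheme names "percent" and "html_entity", the helper names and the strict-mode rule are this example's own choices.

```python
import html
import re
import urllib.parse


class IntrusionException(Exception):
    """Raised when input is double-encoded, mixed-encoded or never settles."""


class ValidationException(Exception):
    """Raised when canonical input fails the whitelist rule."""


# Decoding schemes the controller understands. Each function returns its
# input unchanged when the input contains nothing in that scheme.
SCHEMES = {
    "percent": urllib.parse.unquote,   # %3c -> <
    "html_entity": html.unescape,      # &lt; -> <
}


def trace(value, order):
    """Apply the named schemes in the given order and record every
    intermediate value. This reproduces the rows of the slide's table:
    the final value depends on which decoders ran and in what order."""
    values = [value]
    for name in order:
        values.append(SCHEMES[name](values[-1]))
    return values


def canonicalize(value, strict=True, max_passes=4):
    """Decode until nothing changes, whatever order the sender used.

    Returns (canonical, steps); steps lists each scheme that changed the
    value. In strict mode more than one step means double encoding (the
    same scheme twice) or mixed encoding (two schemes). Browsers and
    well-behaved clients never produce that, so it is treated as an attack.
    """
    current, steps = value, []
    for _ in range(max_passes):
        changed = False
        for name, decode in SCHEMES.items():
            decoded = decode(current)
            if decoded != current:
                steps.append(name)
                current, changed = decoded, True
        if not changed:
            break
    else:
        raise IntrusionException(f"still encoded after {max_passes} passes: {value!r}")
    if strict and len(steps) > 1:
        kind = "double" if len(set(steps)) < len(steps) else "mixed"
        raise IntrusionException(f"{kind} encoding detected in {value!r}: {steps}")
    return current, steps


def get_valid_input(value, pattern, max_length):
    """The 'Specific Validate' step: canonicalize first, then whitelist.

    Matching the canonical form means an encoded '<' cannot slip past a
    rule that was written for the literal character.
    """
    canonical, _ = canonicalize(value)
    if len(canonical) > max_length:
        raise ValidationException(f"input longer than {max_length}")
    if not re.fullmatch(pattern, canonical):
        raise ValidationException(f"input rejected: {canonical!r}")
    return canonical


if __name__ == "__main__":
    # Constructed inputs, taken from the slide's table.
    for sample in ("%26lt;", "%3c", "%2526lt%253B"):
        print(sample, "->", canonicalize(sample, strict=False))
    print(get_valid_input("Report123.xls", r"[A-Za-z0-9_]+\.xls", 64))
```

Strict mode assumes the value has already been decoded once by the container (a query parameter arrives percent-decoded), so anything that still needs two decodings was deliberately layered; relax it only for fields where nested encoding is legitimately expected.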
Slide 6: Handling Direct Object References

Direct references (what the user sees today):
  http://app?file=Report123.xls
  http://app?id=9182374 (Acct:9182374)

Indirect references (through an Access Reference Map):
  http://app?file=1
  http://app?id=7d3J93

The Access Reference Map sits between the user and the backends (Web Service, Database, Mainframe, File System, etc.) and translates each indirect reference back to the direct one. Then: Is the user authorized? (Check role, privileges, rights … again.)
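An added Python illustration of the slide's two halves (not the slides' or ESAPI's own code): a per-session map that hands the browser random tokens in place of account numbers, and a controller step that resolves the token and still runs the authorization check on the real reference. The class and function names, the six-character alphanumeric tokens, the sample user and the ownership rule `user_owns` are this example's assumptions.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


class AccessControlException(Exception):
    """Shown to the user as a generic failure; the detail goes to the log."""


class RandomAccessReferenceMap:
    """Maps direct references (file names, account numbers) to short random
    tokens that are handed to the browser instead. One map per session, so a
    token lifted from another user's session resolves to nothing here."""

    def __init__(self, direct_refs=(), token_len=6):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_len = token_len
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        """Register a direct reference and return its indirect token."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(self._token_len))
            if token not in self._to_direct:      # retry on the rare collision
                break
        self._to_indirect[direct] = token
        self._to_direct[token] = direct
        return token

    def get_indirect_reference(self, direct):
        """Token to put in a link, or None if this session never registered it."""
        return self._to_indirect.get(direct)

    def get_direct_reference(self, indirect):
        """Resolve a token from the request; anything unregistered is an error."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException(f"unknown reference {indirect!r}") from None


def render_account_links(ref_map, accounts):
    """Build the links the page shows: direct numbers never leave the server."""
    return [f"http://app?id={ref_map.add_direct_reference(acct)}" for acct in accounts]


def open_account(ref_map, user, indirect_id, is_authorized):
    """Controller step for http://app?id=<token>.

    The map limits what the client can name to what this session was shown;
    the authorization check still runs on the resolved direct reference
    (role, privileges, rights ... again), exactly as the slide insists.
    """
    acct = ref_map.get_direct_reference(indirect_id)
    if not is_authorized(user, acct):
        raise AccessControlException(f"{user['name']} not authorized for account {acct}")
    return acct


def user_owns(user, acct):
    """Hypothetical authorization rule for the demo: ownership."""
    return acct in user["accounts"]


if __name__ == "__main__":
    # Constructed demo data: one user and the accounts a lookup returned.
    alice = {"name": "alice", "accounts": [9182374, 9182375]}
    session_map = RandomAccessReferenceMap()
    for link in render_account_links(session_map, alice["accounts"]):
        print(link)
```

Keep the map in the server-side session, never in a cookie or hidden field, and register only references the current user was actually shown; the token then doubles as proof that the object was on a page this session rendered, which is what makes the second check cheap to keep.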
Slide 7: Application Layer Logging / Intrusion Detection

Really important! Arguably one of the most important security mechanisms, and simply not done in the wild.
Is it hard? It can be, but ESAPI can make it easy.

Flow: User → Controller → Business Functions → Data Layer → Backend
Enterprise Security Exceptions raised anywhere in that flow go to the Logger and the Intrusion Detector.
  Logger: user message (no detail) vs. log message (with identity)
  Intrusion Detector: configurable thresholds and responses – log intrusion, logout user, disable account
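An added Python illustration of this slide (not the slides' or ESAPI's own code): an exception type that carries a bland user message and a detailed log message, and a detector that counts exceptions per user and event type and fires the configured responses once a threshold is reached within its interval. The threshold format, the response names "log", "logout" and "disable", the injectable clock and the sample events are this example's assumptions.

```python
import logging
import time
from collections import defaultdict, deque

logger = logging.getLogger("esapi.intrusion")


class EnterpriseSecurityException(Exception):
    """Two messages: a bland one shown to the user, a detailed one for the log."""

    def __init__(self, user_message, log_message):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


class ValidationException(EnterpriseSecurityException):
    pass


class AuthenticationException(EnterpriseSecurityException):
    pass


class IntrusionDetector:
    """Counts security exceptions per (user, event type) and, when the
    configured threshold is reached inside its interval, takes the
    configured responses in order."""

    def __init__(self, thresholds, clock=time.monotonic):
        # thresholds: {event_name: (count, interval_seconds, [responses])}
        self._thresholds = thresholds
        self._events = defaultdict(deque)   # (user, event) -> timestamps
        self._clock = clock                 # injectable so tests can control time
        self.logged_out = set()
        self.disabled = set()

    def add_exception(self, user, exc):
        """Every security exception is logged with identity, then counted."""
        event = type(exc).__name__
        logger.warning("%s user=%s detail=%s", event, user, exc.log_message)
        return self.add_event(user, event)

    def add_event(self, user, event):
        """Record an event; return the list of responses taken (empty if none)."""
        if event not in self._thresholds:
            return []
        count, interval, responses = self._thresholds[event]
        window = self._events[(user, event)]
        now = self._clock()
        window.append(now)
        while now - window[0] > interval:       # drop events outside the interval
            window.popleft()
        if len(window) < count:
            return []
        window.clear()                          # respond once per burst, then re-arm
        for response in responses:
            if response == "log":
                logger.error("INTRUSION user=%s event=%s: %d in %ss", user, event, count, interval)
            elif response == "logout":
                self.logged_out.add(user)
            elif response == "disable":
                self.disabled.add(user)
        return list(responses)


if __name__ == "__main__":
    detector = IntrusionDetector({
        "ValidationException": (3, 60, ["log", "logout"]),
        "AuthenticationException": (5, 300, ["log", "logout", "disable"]),
    })
    # Constructed burst: three bad inputs from one user inside a minute.
    exc = ValidationException("Invalid input", "<script> in field 'name'")
    for _ in range(3):
        print(detector.add_exception("alice", exc))
```

The user only ever sees `user_message`; the stack trace, the offending value and the identity live in the log line, which is the split the slide draws between "User Message (no detail)" and "Log Message (w/Identity)".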
Slide 8: So what do we do? Industry Standardization

Standard gauge rail
Standard sized shipping containers
Standard cryptographic algorithms / implementations. Why? Because crypto is thought to be HARD!
  Encryption standards
  Hash standards
  Digital signature standards
  PKI standards
  Wireless standards …
Well, apparently all this application security stuff is HARD too!!
Slide 9: Time to Stamp Out Homegrown Controls

Security controls are very difficult to get right
Requires extensive understanding of attacks
One was built with stuff "Larry" had lying around!
More expensive, and security likely to be missing or broken
Slide 10: Philosophy

Using security controls is different from building them
All the security guidelines, courses, tutorials, websites, books, etc. are mixed up because everyone builds their own controls
Most developers shouldn't build security controls; what they need to know is:
  When to use a control
  How to use a control
  Why to use a control (maybe)
Most enterprises need the same set of calls
Slide 11: Imagine an Enterprise Security API

All the security controls a developer needs: standard, centralized, organized, integrated, high quality, intuitive, tested.
Slide 12: OWASP Enterprise Security API

Custom Enterprise Web Application
  ↓ calls
OWASP Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  ↓ backed by
OWASP Reference Implementation and/or existing enterprise security services/libraries
Slide 13: Coverage

OWASP Top Ten (2007)                           | OWASP ESAPI
A1. Cross Site Scripting (XSS)                 | Validator, Encoder
A2. Injection Flaws                            | Encoder
A3. Malicious File Execution                   | HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference           | AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF)          | User (CSRF Token)
A6. Leakage and Improper Error Handling        | EnterpriseSecurityException, HTTPUtilities
A7. Broken Authentication and Sessions         | Authenticator, User, HTTPUtilities
A8. Insecure Cryptographic Storage             | Encryptor
A9. Insecure Communications                    | HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access            | AccessController
Slide 14: Process for building ESAPI

ESAPI is being produced by applying 10 years of application security research, by an expert team focused exclusively on application security that:
  has reviewed hundreds of applications / 100+ million lines of code
  has worked with static analysis vendors to improve tool capabilities
  has taught over 400 classes to developers on how to write secure code, across a curriculum of 15+ different application security courses
  has helped numerous companies change the way they write software
Long-time contributors to OWASP
Expert Review Panel (members of the OWASP community)
Other experts?? Please contribute!!
Slide 15: Quality
Slide 16: Project Plan and Status

2002 – Start collecting
6/06 – Sketch informal API
4/07 – Formalize strawman API
5/07 – Start Java EE reference implementation
7/07 – Form expert panel
12/07 – Release RC1
3/08 – Latest release, v1.1.1

ESAPI continued enhancements:
  .NET and PHP reference implementations underway
  Client-side and web service extensions being considered

Projects are starting to use ESAPI: OWASP AntiSamy, Sun OpenRMS, Aspect Security internal projects, U.S. Dept. of Treasury
Slide 17: Create Your ESAPI Implementation

Your security services:
  Compare your standard security services to the ESAPI
  Wrap your existing libraries and services
  Extend and customize your ESAPI implementation
  Fill in gaps with the reference implementation
  Or, simply adopt ESAPI if you don't have your own standards
Your coding guideline:
  Tailor the ESAPI coding guidelines
  Retrofit ESAPI patterns to existing code
Slide 18: Source Code and Javadoc Online Now!

Project home page: http://www.owasp.org/index.php/ESAPI
Code repository: http://code.google.com/p/owasp-esapi-java
Slide 19: Questions and Answers
Slide 20: Background Slides
Slide 21: Handling Validation and Encoding

Flow: User → Controller → Business Functions → Data Layer → Backend
Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
  plus canonicalization, double encoding protection, normalization, sanitization
Validator: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Slide 22: Handling Authentication and Users

Flow: User → Controller → Business Functions → Data Layer → Backend
ESAPI: Authentication, Users, Access Control, Logging, Intrusion Detection
Users: strong passwords, random tokens, CSRF tokens, lockout, remember me, screen name, roles, timeout
Slide 23: Handling Access Control

Flow: User → Controller → Business Functions → Data Layer → backends (Web Service, Database, Mainframe, File System, etc.) and the User Interface
AccessController: isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForService, isAuthorizedForData, isAuthorizedForFile
Slide 24: Handling Sensitive Information

Flow: User → Controller → Business Functions → Data Layer → Backend
Encryptor: encryption, digital signatures, integrity seals, strong GUID, random tokens, timestamp, salted hash
Encrypted Properties: safe config details
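Two of the Encryptor items above, integrity seals and salted hashes, are the ones developers most often get wrong by hand, so here is an added Python illustration of both (not the slides' or ESAPI's own code). The seal is data plus an expiry timestamp under HMAC-SHA256, which makes server state carried by the client tamper-evident and time-limited; the salted hash uses PBKDF2. The token layout `base64(payload).base64(mac)`, the stored-hash format and the iteration count are this example's choices.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time


class IntegrityException(Exception):
    """Seal is malformed, forged, altered or expired."""


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(data, key, ttl_seconds, now=None):
    """Integrity seal: JSON data plus an expiry, HMAC-SHA256 under a
    server-side key. Tamper-evident, not secret: the payload is readable."""
    now = time.time() if now is None else now
    body = {"d": data, "exp": int(now + ttl_seconds)}
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_seal(token, key, now=None):
    """Return the sealed data or raise. The MAC is checked, in constant time,
    before the payload is parsed, so attacker-controlled JSON is never read."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        raise IntegrityException("malformed seal") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise IntegrityException("seal forged or altered")
    body = json.loads(payload)
    if now > body["exp"]:
        raise IntegrityException("seal expired")
    return body["d"]


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash for stored credentials. The salt is random per
    user, so two users with the same password do not store the same value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed demo: seal the account a user may view for five minutes.
    key = os.urandom(32)
    token = seal({"acct": 9182374, "role": "viewer"}, key, ttl_seconds=300)
    print(token)
    print(verify_seal(token, key))
    print(verify_password("correct horse battery staple",
                          hash_password("correct horse battery staple")))
```

A seal like this is what lets "encrypt state in cookie" or "hidden field encryption" on the HTTP slide be safe to trust on the way back in; without the MAC and expiry, encryption alone lets the client replay or bit-flip the state.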
Slide 25: Handling HTTP

Flow: User → Controller → Business Functions → Data Layer → Backend
HTTP Utilities: add safe cookie, kill cookie, add safe header, no-cache headers, set content type, CSRF tokens, safe request logging, encrypt state in cookie, hidden field encryption, querystring encryption, change session ID, isSecureChannel, sendSafeRedirect, sendSafeForward, safe file uploads
Slide 26: Handling Application Security Configuration

ESAPI Configuration (used by every ESAPI component across the User → Controller → Business Functions → Data Layer → Backend flow):
  Select crypto algorithms
  Select encoding algorithms
  Define sets of characters
  Define global validation rules
  Select logging preferences
  Establish intrusion detection thresholds and actions
  Etc.