Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

Published byMoris Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission."— Presentation transcript:

1 OWASP

2 To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission

3 Where Do Vulnerabilities Come From?

4 Controls Every Application Needs Access Control Authenti- cation and Identity App Firewall Access Reference Map Output Escaping Input Validation Logging Exception Handling Secure Config Intrusion Detection HTTP Utilities Encryption and Signing

5 Security Controls Are Hard

6 Escaping Gone Wild Percent Encoding %3c %3C HTML Entity Encoding &#60 &#060 &#0060 &#00060 &#000060 &#0000060 < < < < < < &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c < < < < < < &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c < < < < < < &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C < < < < < < &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C < < < < < < &lt &lT &Lt &LT < &lT; &Lt; &LT; JavaScript Escape \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C CSS Escape \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C Overlong UTF-8 %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc US-ASCII ¼ UTF-7 +ADw- Punycode <- < <

7 Cheaper, Better, Faster

8 Independence

9 Positive Security attacks threatsexploits vulnerabilities risks controls accountability pentest scanning assurance patterns verification architecture policy impact flaws metrics visibility completeness

10 ESAPI Scorecard Authentication  Identity  Access Control  ** **  Input Validation  Output Escaping  Canonicalization  Encryption  Random Numbers  Exceptions  Logging  IntrusionDetection  Security Config  App Firewall  Scorecard

11 Assurance

12 Deceptively Tricky Problems for Developers 1.Input Validation and Output Encoding 2.Authentication and Identity 3.URL Access Control 4.Business Function Access Control 5.Data Layer Access Control 6.Presentation Layer Access Control 7.Errors, Logging, and Intrusion Detection 8.Encryption, Hashing, and Randomness Lots more…

13 Stopping Injection 13 Quick and Dirty Ad Hoc Escaping Generic Validation

14 Stopping Injection 14 Enterprise Automatic Escaping Managed Specific Validation Managed Generic Validation

15 Questions

16

17 Stopping Injection 17 Quick and Dirty Ad Hoc Escaping Generic Validation

18 Stopping Injection 18 Strong Application Mandatory Escaping Specific Validation Generic Validation (+can)

19 ESAPI Web App Firewall (WAF) attacker user ESAPI WAF Critical Application? PCI requirement? 3 rd party application? Legacy application? Incident response? Virtual patches Authentication rules URL access control Egress filtering Attack surface reduction Real-time security

20 AuthN and AuthZ 20 Quick and Dirty User in Session Simple Authentication Model Ad Hoc Authorization

21 AuthN and AuthZ 21 Strong Application Identity Everywhere Automatic CG Authorization Alternate Authentication Automatic FG Authorization

22 AuthN and AuthZ 22 Enterprise AuthZ Policy Management AuthZ Entitlement Mgmt Identity Management

23 Applications Enjoy Attacks YouTube Live Search Blogger

24 Accountability and Detection 24 Quick and Dirty Ad Hoc Security Logging Security Exceptions (2 msgs) Ad Hoc Authorization

25 Accountability and Detection 25 Strong Application Intrusion Detection Automatic Security Logging

26 Accountability and Detection 26 Enterprise Log Policy Management Dynamic Incident Response Centralized Logging

27 ESAPI Swingset

Download ppt "OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
THE BUSINESS NEED Create affordable alternative/ provide enterprise power/capability for any-sized company Reduce resource-draining burden of meeting.

THE BUSINESS NEED Create affordable alternative/ provide enterprise power/capability for any-sized company Reduce resource-draining burden of meeting.
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
BalaBit Shell Control Box

BalaBit Shell Control Box
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
ESAPI Pictures For Javadoc.

ESAPI Pictures For Javadoc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Introduction to Web Application Security

Introduction to Web Application Security
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Web services security I

Web services security I
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google