Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application."— Presentation transcript:

1 Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application Security Project http://www.owasp.org The OWASP Enterprise Security API Jeff Williams OWASP Foundation Chair jeff.williams@owasp.org Aspect Security CEO jeff.williams@aspectsecurity.com

2 Java Logging The Challenge… 2 Reform ACEGI Struts Stinger Anti-XSS BouncyCastle Spring Log4j Commons Validator Commons Validator Jasypt JCE JAAS Cryptix HDIV xml-dsig xml-enc Many More

3 Philosophy  Using security controls is different from building  All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls  Most developers shouldn’t build security controls  When to use a control  How to use a control  Why to use a control (maybe)  Most enterprises need the same set of calls 3

4 Design  Only include methods that…  Are widely useful and focus on the most risky areas  Designed to be simple to understand and use  Interfaces with concrete reference implementation  Full documentation and usage examples  Same basic API across common platforms  Java EE,.NET, PHP, others?  Useful to Rich Internet Applications? 4

5 Architecture Overview 5 Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries

6 Create Your ESAPI Implementation  Your Security Services  Wrap your existing libraries and services  Extend and customize your ESAPI implementation  Fill in gaps with the reference implementation  Your Coding Guideline  Tailor the ESAPI coding guidelines  Retrofit ESAPI patterns to existing code 6

7 Frameworks and ESAPI  ESAPI is NOT a framework  Just a collection of security functions, not “lock in”  Frameworks already have some security  Controls are frequently missing, incomplete, or wrong  ESAPI Framework Integration Project  We’ll share best practices for integrating  Hopefully, framework teams like Struts adopt ESAPI 7

8 Project Plan and Status 8 6/06 – Sketch Informal API 4/07 - Formalize Strawman API 5/07 – Start Java EE Reference Implementation 7/07 - Form Expert Panel 11/07 - Release RC1 2002 – Start Collecting 9/07 – Sneak Peek

9 Quality 9

10 Backend Handling Authentication and Identity ControllerBusiness Functions User Data Layer ESAPI Access Control Logging Intrusion Detection Authentication Users

11 Authenticator  Key Methods  createUser(accountName, pass1, pass2) createUser  generateStrongPassword() generateStrongPassword  getCurrentUser() getCurrentUser  login(request, response) login  logout() logout  verifyAccountNameStrength(acctName) verifyAccountNameStrength  verifyPasswordStrength(newPass, oldPass) verifyPasswordStrength  Use threadlocal variable to store current User  Automatically change session on login and logout 11

12 User  Key Methods  changePassword(old, new1, new2) changePassword  disable() enable() disableenable  getAccountName() getScreenName() getAccountNamegetScreenName  getCSRFToken() getCSRFToken  getLastFailedLoginTime() getLastLoginTime() getLastFailedLoginTimegetLastLoginTime  getRoles() isInRole(role) getRolesisInRole  isEnabled() isExpired() isLocked() isEnabledisExpiredisLocked  loginWithPassword(password, request, response) loginWithPassword  resetCSRFToken() resetPassword() resetCSRFTokenresetPassword  verifyCSRFToken(token) verifyCSRFToken 12

13 Enforcing Access Control Controller User Interface Business Functions Web Service Database Mainframe File System User Data Layer Etc… Function Check

14 AccessController  Key Methods  isAuthorizedForData(key) isAuthorizedForData  isAuthorizedForFile(filepath) isAuthorizedForFile  isAuthorizedForFunction(functionName) isAuthorizedForFunction  isAuthorizedForService(serviceName) isAuthorizedForService  isAuthorizedForURL(url) isAuthorizedForURL  Reference Implementation (not required)  /admin/* | admin | allow | admin access to /admin  /* | any | deny | default deny rule 14

15 Handling Direct Object References Web Service Database Mainframe File System User Access Reference Map Etc… Indirect Reference Direct Reference http://app?file=7d3J93 Report123.xls

16 AccessReferenceMap  Key Methods  getDirectReference(indirectReference) getDirectReference  getIndirectReference(directReference) getIndirectReference  iterator() iterator  update(directReferences) update  Example  http://www.ibank.com?file=report123.xls http://www.ibank.com?file=report123.xls  http://www.ibank.com?file=a3nr38 http://www.ibank.com?file=a3nr38 16

17 Validating and Encoding Untrusted Input Web Service Directory Database File System User Business Processing Etc… EncodeForHTML Validate

18 Validator  Key Methods  isValidFileUpload(filepath, filename, content) isValidFileUpload  getValidDataFromBrowser(type, input) getValidDataFromBrowser  isValidDataFromBrowser(type, input) isValidDataFromBrowser  isValidHTTPRequest (request) isValidHTTPRequest  isValidRedirectLocation(location) isValidRedirectLocation  isValidSafeHTML(input), getValidSafeHTML(input) isValidSafeHTMLgetValidSafeHTML  safeReadLine(inputStream, maxchars) safeReadLine  Canonicalization is really important always ignored  Global validation of HTTP requests 18

19 %26lt; 19

20 Encoder  Key Methods  canonicalize(input), normalize(input) canonicalizenormalize  encodeForBase64(input) encodeForBase64  encodeForDN(input) encodeForDN  encodeForHTML(input) encodeForHTML  encodeForHTMLAttribute(input) encodeForHTMLAttribute  …, encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPathencodeForJavascriptencodeForLDAP encodeForSQLencodeForURL encodeForVBScriptencodeForXML encodeForXMLAttributeencodeForXPath 20

21 Enhancing HTTP User Business Processing HTTP Utilities Logging Add CSRF Token Secure Cookies Secure Redirect No Cache Headers Verify CSRF Token Safe Request Logging Safe File Upload Add Safe Header

22 HTTPUtilities  Key Methods  addCSRFToken(href), checkCSRFToken(href) addCSRFTokencheckCSRFToken  addSafeCookie(name, value, age, domain, path) addSafeCookie  addSafeHeader(header, value) addSafeHeader  changeSessionIdentifier() changeSessionIdentifier  getFileUploads(tempDir, finalDir) getFileUploads  isSecureChannel () isSecureChannel  killCookie(name) killCookie  sendSafeRedirect(href) sendSafeRedirect  setContentType () setContentType  setNoCacheHeaders() setNoCacheHeaders  Safer ways of dealing with HTTP, secure cookies 22

23 Encryptor  Key Methods  decrypt(ciphertext) decrypt  encrypt(plaintext) encrypt  hash(plaintext, salt) hash  loadCertificateFromFile(file) loadCertificateFromFile  getTimeStamp() getTimeStamp  seal(data, expiration) verifySeal(seal, data) sealverifySeal  sign(data) verifySignature(signature, data) signverifySignature  Simple master key in configuration  Minimal certificate support 23

24 EncryptedProperties  Key Methods  getProperty(key) getProperty  setProperty(key, value) setProperty  keySet() keySet  load(inputStream) load  store(outputStream, comments) store  Simple protected storage for configuration data  Main program to preload encrypted data! 24

25 Randomizer  Key Methods  getRandomGUID() getRandomGUID  getRandomInteger(min, max) getRandomInteger  getRandomReal(min, max) getRandomReal  getRandomString(length, characterSet) getRandomString  Several pre-defined character sets  Lowers, uppers, digits, specials, letters, alphanumerics, password, etc… 25

26 Exception Handling  EnterpriseSecurityException  AccessControlException(userMsg, logMsg) AccessControlException  AuthenticationException(userMsg, logMsg) AuthenticationException  AvailabilityException(userMsg, logMsg) AvailabilityException  CertificateException(userMsg, logMsg) CertificateException  EncodingException(userMsg, logMsg) EncodingException  EncryptionException(userMsg, logMsg) EncryptionException  ExecutorException(userMsg, logMsg) ExecutorException  IntrusionException(userMsg, logMsg) IntrusionException  ValidationException(userMsg, logMsg) ValidationException  Sensible security exception framework 26

27 Logger  Key Methods  getLogger(applicationName,moduleName) getLogger  formatHttpRequestForLog(request, sensitiveList) formatHttpRequestForLog  logCritical(type, message, throwable) logCritical  logDebug(type, message, throwable) logDebug  logError(type, message, throwable) logError  logSuccess(type, message, throwable) logSuccess  logTrace(type, message, throwable) logTrace  logWarning(type, message, throwable) logWarning  All EASPI exceptions are automatically logged 27

28 Detecting Intrusions User Business Processing Backend ESAPI IntrusionDetector Tailorable Quotas Log, Logout, and Disable

29 IntrusionDetector  Key Methods  addException(exception) addException  addEvent(event) addEvent  Model  EnterpriseSecurityExceptions automatically added  Specify a threshold for each event type  org.owasp.esapi.ValidationException.count=3  org.owasp.esapi.ValidationException.interval=3 (seconds)  org.owasp.esapi.ValidationException.action=logout  Actions are log message, disable account 29

30 SecurityConfiguration  Customizable…  Crypto algorithms  Encoding algorithms  Character sets  Global validation rules  Logging preferences  Intrusion detection thresholds and actions  Etc…  All security-relevant configuration in one place 30

31 Coverage OWASP Top Ten A1. Cross Site Scripting (XSS)A2. Injection FlawsA3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error HandlingA7. Broken Authentication and SessionsA8. Insecure Cryptographic Storage A9. Insecure CommunicationsA10. Failure to Restrict URL Access OWASP ESAPI Validator, EncoderEncoderHTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtilsAuthenticator, User, HTTPUtilsEncryptor HTTPUtilities (secure cookie, channel)AccessController

32 Closing Thoughts  I have learned an amazing amount (I thought I knew)  An ESAPI is a key part of a balanced breakfast  Build rqmts, guidelines, training, tools around your ESAPI  Secondary benefits  May help static analysis do better  Enables security upgrades across applications  Simplifies developer training  Next year – experiences moving to ESAPI 32

Download ppt "Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application."

Similar presentations

Whats New in Service Pack 12. 2 Educator Efficiency and Effectiveness Focused Insight Student Experience Administrator Efficiency and Effectiveness Blackboard.

Whats New in Service Pack Educator Efficiency and Effectiveness Focused Insight Student Experience Administrator Efficiency and Effectiveness Blackboard.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Do’s and Don’ts for web application developers

Do’s and Don’ts for web application developers
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
ESAPI Pictures For Javadoc.

ESAPI Pictures For Javadoc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google