
Slide 1: The OWASP Enterprise Security API (ESAPI) Project
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, OWASP EU09 Poland, http://www.owasp.org
Dave Wichers, Aspect Security COO; Volunteer Conferences Chair of OWASP; Member of OWASP Board
dave.wichers@aspectsecurity.com, 443-745-6268

Slide 2 (OWASP AppSecEU09 Poland): The Problem – How do you deal with this?
OWASP Top Ten (2007 Edition)... http://www.owasp.org/index.php/Top_10

Slide 3: What are you using for this?
Java Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Java Pattern, Java URL Encoder, many more... or write custom code????

Slide 4: Vulnerabilities and Security Controls (diagram)

Slide 5: What Methods Do Developers Need?
Custom Application -> Enterprise Security API
Interfaces: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Slide 6: Standardize and Isolate Your Security Services and Libraries
Diagram: Your Custom Applications (App1, App2, App3, App4, App5, AppN) on one side; security services (Svc1, Svc2, Svc3) and libraries (Lib1, Lib2, Lib3) on the other.

Slide 7: Architecture Evolution
Diagram: Today, Tomorrow, Future (Library)

Slide 8: Expected ESAPI Influence
Diagram: OWASP Enterprise Security API (refined and proven) -> language influence, framework influence, organization influence (Org 1 ... Org N, each with its own Enterprise Security API)

Slide 9: Deceptively Tricky Problems for Developers
1. Input Validation and Output Encoding
2. Authentication and Identity
3. URL Access Control
4. Business Function Access Control
5. Data Layer Access Control
6. Presentation Layer Access Control
7. Errors, Logging, and Intrusion Detection
8. Encryption, Hashing, and Randomness
Lots more…

Slide 10: Why Input Validation Is Hard
Every entry below is a way of writing the single character "<":
- Percent encoding: %3c %3C
- HTML entity encoding, decimal: &#60 &#060 &#0060 &#00060 &#000060 &#0000060
- HTML entity encoding, hex: &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c
- &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
- &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C
- &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
- HTML entity encoding, named: &lt &lT &Lt &LT &lt; &lT; &Lt; &LT;
- JavaScript escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
- CSS escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
- Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
- US-ASCII: ¼
- UTF-7: +ADw-
- Punycode
Encodings also stack:
- Simple double encoding: < --> &lt&#59 (double entity); %3c --> %253c (double percent); etc.
- Double encoding with multiple schemes: < --> %26lt%3b (first entity, then percent); %26 --> &#37;26 (first percent, then entity); etc.
- Simple nested escaping: %3c --> %33%63 (both nibbles percent-encoded); %3c --> %33c (first nibble percent-encoded); %3c --> %3%63 (second nibble percent-encoded); < --> &&#108;t; (the l of &lt; entity-encoded); etc.
- Nested escaping with multiple schemes: < --> &%6ct; (the l of &lt; percent-encoded); %3c --> %&#51;c (the 3 entity-encoded); etc.
1,677,721,600,000,000 ways to encode

Slide 11: ESAPI Input Validation: Any Encoding, Any Interpreter
Request path: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend
Decoding Engine codecs: HTML entity encoding, percent encoding, JavaScript encoding, VBScript encoding, CSS encoding, MySQL encoding, Oracle encoding, LDAP encoding, …
Validation Engine methods: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), …
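The canonicalize-then-validate pattern of slides 10 and 11, written out as a Python example added for this transcript (it is not ESAPI's own code, which is Java): two codecs are applied until the input stops changing, the same codec firing twice (double encoding) or two codecs firing on one value (mixed encoding) is treated as an intrusion, and the whitelist check runs only on the canonical form. The codec set, the whitelist regexes, the pattern names and the 13 to 19 digit card length are this example's assumptions.

```python
import html
import re
from urllib.parse import unquote_to_bytes


class IntrusionException(Exception):
    """Input carries an attack signature: double/mixed encoding or invalid UTF-8."""


class ValidationException(Exception):
    """Canonical input failed the whitelist check."""


def _percent_decode(s: str) -> str:
    """Decode %HH on the byte level, then strict UTF-8. Working on bytes is what
    makes an overlong form such as %c0%bc fail instead of quietly becoming '<'."""
    if "%" not in s:
        return s
    try:
        return unquote_to_bytes(s).decode("utf-8")
    except UnicodeDecodeError as e:
        raise IntrusionException(f"overlong or invalid UTF-8 in {s!r}") from e


# One decoder per scheme (this example's set). html.unescape handles &#DD, &#xHH
# and named references, with or without the trailing semicolon, like a browser.
CODECS = {"percent": _percent_decode, "html-entity": html.unescape}


def canonicalize(s: str, strict: bool = True) -> str:
    """Decode until nothing changes. With strict=True, one scheme applied twice
    (double encoding) or two schemes in one value (mixed encoding) is an attack:
    no browser or legitimate client produces %253c or %26lt%3b."""
    applied = []
    changed = True
    while changed:
        changed = False
        for name, decode in CODECS.items():
            out = decode(s)
            if out != s:
                applied.append(name)
                s, changed = out, True
    if strict and len(applied) != len(set(applied)):
        raise IntrusionException(f"multiple encoding: {applied}")
    if strict and len(set(applied)) > 1:
        raise IntrusionException(f"mixed encoding: {applied}")
    return s


# Whitelist patterns assumed for this example (ESAPI keeps its equivalents in ESAPI.properties).
PATTERNS = {
    "SafeString": re.compile(r"[A-Za-z0-9 .,_-]*"),
    "Email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def get_valid_input(context, value, pattern_name, max_length, allow_null=False):
    """Canonicalize, then check length and the whitelist; never validate encoded data."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationException(f"{context}: input is required")
    canon = canonicalize(value)                 # may raise IntrusionException
    if len(canon) > max_length:
        raise ValidationException(f"{context}: longer than {max_length} characters")
    if not PATTERNS[pattern_name].fullmatch(canon):
        raise ValidationException(f"{context}: does not match {pattern_name}")
    return canon


def get_valid_credit_card(context, value):
    """Strip separators, require 13-19 digits and a passing Luhn checksum."""
    digits = canonicalize(value).replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValidationException(f"{context}: not a card number")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    if total % 10:
        raise ValidationException(f"{context}: Luhn checksum failed")
    return digits


if __name__ == "__main__":
    # Constructed probes from slide 10: all of these collapse to '<' ...
    for probe in ("%3c", "&#0000060", "&#x3C", "&lt", "&LT;"):
        print(f"{probe:10} -> {canonicalize(probe)!r}")
    # ... while double, mixed and overlong encodings are rejected outright.
    for probe in ("%253c", "%26lt%3b", "&%6ct;", "%c0%bc"):
        try:
            canonicalize(probe)
        except IntrusionException as e:
            print(f"{probe:10} -> rejected ({e})")
    print(get_valid_input("search", "owasp esapi", "SafeString", 40))
    print(get_valid_credit_card("payment", "4111-1111-1111-1111"))
```

The order matters: a regex that runs before canonicalization would accept `%3cscript%3e` as harmless punctuation, and a canonicalizer that silently decodes `%253c` hands the attacker a second chance at every downstream interpreter. Note that UTF-7 and Punycode from slide 10 are not handled here; a real deployment has to pin the response charset so those decoders never come into play.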

Slide 12: HTML Execution Contexts (diagram)
Contexts shown: HTML Elements, HTML Attributes, URI Attributes, JavaScript Data, HTML Styles (CSS).
Escape forms shown: &#DD; &#xHH; &entity; (HTML element content), &quot; &apos; (attribute quoting), %HH (URI attributes), \any \xHH \uHHHH \000 (octal) \specials (JavaScript data), \HH (CSS).
See www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for details

Slide 13: 2. ESAPI Output Encoding
Request path: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend
Encoding Engine methods: setCharacterEncoding(), encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForVBScript(), encodeForCSS(), encodeForURL(), encodeForXML(), encodeForLDAP(), encodeForDN(), …
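Slides 12 and 13 in working form, as a Python example added here rather than ESAPI's Java implementation: one encoder per interpreter context, and the same attack string rendered into each context with the matching encoder. The immune-character sets, the template markup and the `greet()` handler are assumptions of the example. It also goes one step beyond the slide to the nested event-handler case, where attribute encoding alone is undone by the browser's HTML parser before the JavaScript engine ever sees the value.

```python
import html
import string
from urllib.parse import quote

_ALNUM = frozenset(string.ascii_letters + string.digits)

# Besides alphanumerics, each encoder leaves only these "immune" characters
# alone; the sets are this example's choice (ESAPI's reference implementation
# keeps similar per-context lists). Everything else is escaped in the form the
# target interpreter decodes, so data can never be parsed as markup or code.
_IMMUNE_HTML = frozenset(" ,.-_")
_IMMUNE_HTMLATTR = frozenset(",.-_")       # no space: an unquoted attribute ends at a space
_IMMUNE_JS = frozenset(",._")
_HTML_NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def _encode(s, immune, escape):
    return "".join(c if c in _ALNUM or c in immune else escape(c) for c in s)


def encode_for_html(s: str) -> str:
    """Element body: <span>HERE</span>."""
    return _encode(s, _IMMUNE_HTML, lambda c: _HTML_NAMED.get(c, f"&#x{ord(c):x};"))


def encode_for_html_attribute(s: str) -> str:
    """Quoted attribute value: <input value="HERE">."""
    return _encode(s, _IMMUNE_HTMLATTR, lambda c: _HTML_NAMED.get(c, f"&#x{ord(c):x};"))


def encode_for_javascript(s: str) -> str:
    """Quoted JS string: var x = 'HERE'; \\xHH (or \\uHHHH) keeps ' " < / \\ inert."""
    return _encode(s, _IMMUNE_JS,
                   lambda c: f"\\x{ord(c):02x}" if ord(c) < 256 else f"\\u{ord(c):04x}")


def encode_for_css(s: str) -> str:
    """Quoted CSS string value; the trailing space terminates the hex escape."""
    return _encode(s, frozenset(), lambda c: f"\\{ord(c):x} ")


def encode_for_url(s: str) -> str:
    """One query-string parameter value, never a whole URL (scheme, host, path)."""
    return quote(s, safe="")


def render_profile(display_name: str) -> dict:
    """The same untrusted value in five contexts, each with its own encoder."""
    return {
        "element":   f"<span>{encode_for_html(display_name)}</span>",
        "attribute": f'<input name="who" value="{encode_for_html_attribute(display_name)}">',
        "script":    f"<script>var who = '{encode_for_javascript(display_name)}';</script>",
        "style":     f"<style>#who::after {{ content: '{encode_for_css(display_name)}'; }}</style>",
        "url":       f'<a href="/profile?who={encode_for_url(display_name)}">profile</a>',
    }


# Nested contexts are where single-context encoding fails: an event handler is
# a JS string inside an HTML attribute, and the browser entity-decodes the
# attribute BEFORE the JS engine sees it.
def event_handler_wrong(s: str) -> str:
    return f"""<button onclick="greet('{encode_for_html_attribute(s)}')">hi</button>"""


def event_handler_right(s: str) -> str:
    """Encode for the inner context (JS) first, then for the outer one (attribute)."""
    return f"""<button onclick="greet('{encode_for_html_attribute(encode_for_javascript(s))}')">hi</button>"""


def js_seen_by_browser(button_markup: str) -> str:
    """What the JS engine actually receives: the attribute value, entity-decoded."""
    start = button_markup.index('onclick="') + len('onclick="')
    end = button_markup.index('"', start)
    return html.unescape(button_markup[start:end])


if __name__ == "__main__":
    payload = "\"><script>alert(1)</script>"           # constructed attack string
    for ctx, markup in render_profile(payload).items():
        print(f"{ctx:10} {markup}")
    breakout = "'); alert(1); ('"                        # constructed: closes the JS string
    print("wrong:", js_seen_by_browser(event_handler_wrong(breakout)))
    print("right:", js_seen_by_browser(event_handler_right(breakout)))
```

The takeaway matches the slide's "any encoding, any interpreter" framing from the output side: the encoder is chosen by where the data lands, not by what the data looks like, and for nested contexts the encoders are applied inside-out in the order the browser will decode them.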

Slide 14: Applications Enjoy Attacks (screenshots: YouTube, Live Search, Blogger)

Slide 15: 3. Errors, Logging, and Detection
Request path: User -> Presentation Layer -> Controller -> Business Functions -> Data Layer -> Backend
Enterprise Security Exceptions feed the Logger and the Intrusion Detector, which has configurable thresholds and responses: log intrusion, logout user, disable account.
throw new ValidationException("User message", "Log message");
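The two-message exception and the threshold-driven responses of slide 15, as a Python example added for this transcript (not ESAPI's code): every security exception carries a user message and a separate log message, the detector counts events per user and exception type inside a sliding window, and crossing a threshold fires the configured responses. The threshold values, the 60-second window and the toy checks inside `handle_request` are assumptions of the example.

```python
import logging
import time
from collections import defaultdict, deque


class EnterpriseSecurityException(Exception):
    """Two messages: one safe to show the user, one detailed for the log (never swapped)."""

    def __init__(self, user_message: str, log_message: str):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


class ValidationException(EnterpriseSecurityException):
    """Input failed validation; common, so it is only logged until it becomes a pattern."""


class IntrusionException(EnterpriseSecurityException):
    """Input that only an attack tool produces (double encoding, tampered token)."""


# Thresholds assumed for this example: `count` events within `interval` seconds
# trigger `actions`. ESAPI reads the equivalent from ESAPI.properties.
THRESHOLDS = {
    "ValidationException": {"count": 5, "interval": 60, "actions": ["log"]},
    "IntrusionException": {"count": 2, "interval": 60, "actions": ["log", "logout", "disable"]},
}


class IntrusionDetector:
    def __init__(self, thresholds=THRESHOLDS, clock=time.monotonic):
        self.thresholds = thresholds
        self.clock = clock                       # injectable so tests can move time
        self.events = defaultdict(deque)         # (user, exception name) -> timestamps
        self.logged_out = set()
        self.disabled = set()
        self.log = logging.getLogger("security.intrusion")

    def add_exception(self, user: str, exc: EnterpriseSecurityException) -> list:
        """Record the event; return the response actions taken (empty if below threshold)."""
        name = type(exc).__name__
        self.log.warning("%s user=%s detail=%s", name, user, exc.log_message)
        policy = self.thresholds.get(name)
        if policy is None:
            return []
        now = self.clock()
        window = self.events[(user, name)]
        window.append(now)
        while window and now - window[0] > policy["interval"]:   # drop events outside the window
            window.popleft()
        if len(window) < policy["count"]:
            return []
        window.clear()                           # threshold reached: respond once, restart count
        return self._respond(user, name, policy["actions"])

    def _respond(self, user, name, actions):
        for action in actions:
            if action == "log":
                self.log.error("INTRUSION %s threshold exceeded by user=%s", name, user)
            elif action == "logout":
                self.logged_out.add(user)
            elif action == "disable":
                self.disabled.add(user)
        return list(actions)


def handle_request(detector, user, raw_value):
    """Controller pattern: the user sees user_message, only the log gets log_message.
    The two checks stand in for the canonicalizer and validator; they are toy rules."""
    try:
        if "%25" in raw_value:
            raise IntrusionException("Invalid request.", f"double percent encoding in {raw_value!r}")
        if not raw_value.isalnum():
            raise ValidationException("Please use letters and digits only.",
                                      f"rejected value {raw_value!r} for field 'username'")
        return f"Hello {raw_value}"
    except EnterpriseSecurityException as e:
        actions = detector.add_exception(user, e)
        return "You have been logged out." if "logout" in actions else e.user_message


if __name__ == "__main__":
    det = IntrusionDetector()
    print(handle_request(det, "alice", "al ice"))        # validation failure, user-safe text
    print(handle_request(det, "alice", "%253cscript"))   # first intrusion: logged, no response yet
    print(handle_request(det, "alice", "%253cimg"))      # second within 60 s: log, logout, disable
    print("disabled:", sorted(det.disabled))
```

Keeping the two messages apart is what makes A6 (information leakage) and A7 (detection of brute force and probing) compatible: the stack trace and the offending value go to the log where the responder needs them, while the attacker gets nothing that tells them which check they tripped.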

Slide 16: Coverage
OWASP Top Ten (2007)                             OWASP ESAPI
A1. Cross Site Scripting (XSS)                   Validator, Encoder
A2. Injection Flaws                              Encoder
A3. Malicious File Execution                     HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference             AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF)            User (CSRF Token)
A6. Leakage and Improper Error Handling          EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions           Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage               Encryptor
A9. Insecure Communications                      HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access              AccessController
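The AccessReferenceMap that this slide lists against A4, as a Python example added here rather than ESAPI's Java class: each session gets its own map from direct references (database keys, file names) to random indirect references, only objects the user is authorized for are ever entered, and a request carrying a token that is not in the map is refused instead of being looked up. The token length, the `ACCOUNTS` and `BALANCES` data and the request handlers are constructed for the example.

```python
import secrets


class AccessControlException(Exception):
    """The indirect reference was not issued to this session: forged, guessed or stale."""


class RandomAccessReferenceMap:
    """Per-session map between direct references and random indirect ones.
    Because only authorized objects are added, an attacker cannot name a
    record (e.g. ?acct=1003) that the map does not already contain."""

    def __init__(self, direct_refs=()):
        self._d2i = {}
        self._i2d = {}
        self.update(direct_refs)

    def update(self, direct_refs):
        """Sync with the current authorized set; references the user lost are dropped."""
        wanted = set(direct_refs)
        for direct in list(self._d2i):
            if direct not in wanted:
                del self._i2d[self._d2i.pop(direct)]
        for direct in wanted:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        if direct in self._d2i:
            return self._d2i[direct]
        while True:
            indirect = secrets.token_urlsafe(6)      # 48 random bits, 8 URL-safe characters
            if indirect not in self._i2d:
                break
        self._d2i[direct] = indirect
        self._i2d[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        # KeyError here means the page tried to expose an object the user may not reach.
        return self._d2i[direct]

    def get_direct_reference(self, indirect):
        try:
            return self._i2d[indirect]
        except KeyError:
            raise AccessControlException(f"unknown reference {indirect!r}") from None


# Constructed data: the accounts each user owns (what the AccessController would return).
ACCOUNTS = {"alice": [1001, 1002], "mallory": [1003]}
BALANCES = {1001: 250.0, 1002: 9000.0, 1003: 12.5}


def render_account_links(session_map, user):
    """Links carry the random token, never the database key."""
    return [f"/account?ref={session_map.get_indirect_reference(acct)}" for acct in ACCOUNTS[user]]


def show_balance(session_map, ref):
    """Request handler: map the token back, or refuse if it is not in this session's map."""
    return BALANCES[session_map.get_direct_reference(ref)]


if __name__ == "__main__":
    alice_session = RandomAccessReferenceMap(ACCOUNTS["alice"])
    links = render_account_links(alice_session, "alice")
    print(links)
    print(show_balance(alice_session, links[0].split("ref=")[1]))
    try:
        show_balance(alice_session, "1003")          # the key itself is useless as a reference
    except AccessControlException as e:
        print("refused:", e)
```

The map replaces the question "is this user allowed to see object 1003?" (which every handler would have to ask, and some forget) with "did this session ever receive this token?", which the map answers structurally. The `update` call matters in practice: when authorization changes mid-session, stale tokens must stop resolving.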

Slide 17: Creating a Foundation for Application Security
Your Secure Coding Guideline, Your Enterprise Security API, Hands-on Training

Slide 18: ESAPI Progress Since Last OWASP EU Conf.
- Continuous improvements since last EU conference
- ESAPI Swingset sample app, Javadoc overhaul
- Overhaul of canonicalization reference implementation
- Other languages now being supported!!
  - Started
  - Starting this summer (OWASP intern)
- ESAPI Summit held Dec 9-11, 2008 (16 attendees)

Slide 19: ESAPI Swingset (screenshot)

Slide 20: ESAPI Adopters
Many unnamed financial orgs…

Slide 21: ESAPI 2.0 Release Coming Soon!
- The ESAPI Summit sparked more changes
- Logging: API simplification, Log4j, improved messages
- Access Control: strategy pattern for extensibility, simplified policy
- Input Validation: strategy pattern for extensibility
- XSS Defenses: direct support for http://www.owasp.org/index.php/XSS_Prevention
- Maven and Hudson environment: continuous integration, dependency management
- Internationalization
- ESAPI WAF!!
- All in Java
2.0 RC1 being released soon

Slide 22: ESAPI Web App Firewall (WAF)
Diagram: requests from the attacker and from the user pass through the ESAPI WAF before reaching the application.
When to use it: critical application? PCI requirement? 3rd party application? Legacy application? Incident response?
What it provides: virtual patches, authentication rules, URL access control, egress filtering, attack surface reduction, real-time security

Slide 23: OWASP ESAPI Project
Versions: Java EE, .NET, PHP, Classic ASP, Haskell, Python (starting this summer)
License: free and open source. Software: BSD. Documentation: Creative Commons
Project home page: http://www.owasp.org/index.php/ESAPI
Code repository: http://code.google.com/p/owasp-esapi-java

Slide 24: Questions and Answers
- Rollout strategy?
- Integrating existing security libraries?
- Technical questions?
Contact Information: Dave Wichers, dave.wichers@aspectsecurity.com, Work: 443-745-6268, Main: 301-604-4882

Slide 25: ==== EXTRA SLIDES ====

Slide 26: ESAPI Book! http://www.owasp.org/images/7/79/ESAPI_Book.pdf

Slide 27: Tools – At Best 45%
- MITRE found that all application security tool vendors' claims put together cover only 45% of the known weakness types (700+)
- They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

Slide 28: Project Plan and Status
2002 – Start collecting
6/06 – Sketch informal API
4/07 – Formalize strawman API
5/07 – Start Java EE reference implementation
7/07 – Form expert panel
12/07 – Release RC1
3/08 – Version 1.1
12/08 – ESAPI Summit
1/09 – Version 1.5
Versions: Java, .NET, PHP, Classic ASP, Haskell

Slide 29: Assurance
- Expert advisory/design/implementation team
  - Includes security consultants, product vendors, software developers
  - Collectively reviewed over 100 million lines of code
  - Given guidance to static analysis tool vendors
  - Taught over 500 application security classes
- Minimal and modular design/implementation
- Tools and testing
  - ~700 JUnit test cases (89% coverage)
  - FindBugs, PMD, Ounce, Fortify clean
  - Code review by several Java security experts
  - Penetration test of sample applications
  - Full Javadoc for all functions
- Working closely with the Java Servlet Spec team at Sun
  - They're adopting six new changes to Java EE based on ESAPI
Several major enterprises are using and evaluating ESAPI: Sun, Oracle, Dept. of Census, several financials

