
1. A Sneak Peek at the OWASP Enterprise Security API

Copyright © 2007 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation, The Open Web Application Security Project, http://www.owasp.org

Jeff Williams
OWASP Foundation Chair, jeff.williams@owasp.org
Aspect Security CEO, jeff.williams@aspectsecurity.com

2. The Challenge

- Developers need to rip, mix, and burn authentication, access control, input validation, encoding, encryption, logging, error handling, etc.
- Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, and lots more.

3. Drivers

- I'm tired of security "researchers"
- Most developers shouldn't build security controls
- When to use a control
- How to use a control
- Why to use a control (maybe)
- All the security guidelines, courses, tutorials, websites, books, etc. are mixed up because everyone builds their own controls
- Few organizations have a complete security API

4. Design

- Only include methods that:
  - Are useful in a large percentage of applications
  - Focus on the most risky areas
- Designed to be simple to understand and use
- Interfaces with concrete reference implementation
- Full documentation and usage examples
- Same basic API across common platforms
  - Java EE, .NET, PHP, others?

5. Strawman (preliminary)

Layered view:
- Custom Enterprise Web Application
- Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector
- Existing Enterprise Libraries and Services

6. Customizing

- ESAPI is an API
- Wrap existing libraries and services
- Extend and customize ESAPI
- Fill in gaps with reference implementation
- Easy to retrofit to existing applications

7. Project Plan and Status

- 2002 - Start collecting
- 6/06 - Sketch informal API
- 4/07 - Formalize strawman API
- 5/07 - Start Java EE reference implementation
- 7/07 - Form expert panel
- 9/07 - Sneak peek
- 11/07 - Release RC1

8. Quality

9. Authenticator

Key Methods
- createUser(accountName, pass1, pass2)
- generateStrongPassword()
- getCurrentUser()
- login(request, response)
- verifyAccountNameStrength(acctName)
- verifyPasswordStrength(newPass, oldPass)

Reference Implementation
- Use threadlocal variable to store current User
- Automatically changes sessionid on login and logout

10. User

Key Methods
- changePassword(old, new1, new2)
- disable(), enable()
- getAccountName(), getScreenName()
- getCSRFToken()
- getLastFailedLoginTime(), getLastLoginTime()
- getRoles(), isInRole(role)
- isEnabled(), isExpired(), isLocked()
- loginWithPassword(password, request, response)
- logout(request, response)
- resetCSRFToken(), resetPassword()
- verifyCSRFToken(java.lang.String token)

11. AccessController

Key Methods
- isAuthorizedForData(key)
- isAuthorizedForFile(filepath)
- isAuthorizedForFunction(functionName)
- isAuthorizedForService(serviceName)
- isAuthorizedForURL(url)

Reference Implementation (not required)

  /*        | any   | deny  | default deny rule
  /admin/*  | admin | allow | admin access to /admin
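As an added illustration of the rule table on this slide (hypothetical code, not ESAPI's reference implementation): the class below parses rules in the slide's format and answers isAuthorizedForURL with default deny. Two details the slide leaves open are assumed here: the longest matching pattern wins, and a role of "any" applies to every user.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical sketch of the rule table on the slide, not ESAPI's own code.
// Rule format: "path pattern | role | allow/deny | comment". Of the rules whose
// pattern matches the URL and whose role the user holds ("any" fits everyone),
// the most specific (longest) pattern decides; no matching rule means deny.
public class UrlAccessRules {
    private record Rule(String pattern, String role, boolean allow) {}
    private final List<Rule> rules = new ArrayList<>();

    // Parse one rule line as written on the slide; the trailing comment is ignored.
    public void addRule(String line) {
        String[] parts = line.split("\\|");
        if (parts.length < 3) throw new IllegalArgumentException("bad rule: " + line);
        rules.add(new Rule(parts[0].trim(), parts[1].trim(), parts[2].trim().equals("allow")));
    }

    // "/admin/*" matches any URL under /admin/; "/*" matches everything; otherwise exact match.
    private static boolean matches(String pattern, String url) {
        if (pattern.endsWith("/*")) return url.startsWith(pattern.substring(0, pattern.length() - 1));
        return pattern.equals(url);
    }

    public boolean isAuthorizedForURL(String url, Set<String> roles) {
        Rule best = null;
        for (Rule r : rules) {
            if (!matches(r.pattern(), url)) continue;
            if (!r.role().equals("any") && !roles.contains(r.role())) continue;
            if (best == null || r.pattern().length() > best.pattern().length()) best = r;
        }
        return best != null && best.allow();   // no applicable rule: default deny
    }

    public static void main(String[] args) {
        UrlAccessRules ac = new UrlAccessRules();
        ac.addRule("/* | any | deny | default deny rule");
        ac.addRule("/admin/* | admin | allow | admin access to /admin");
        System.out.println("admin -> /admin/users: " + ac.isAuthorizedForURL("/admin/users", Set.of("admin")));
        System.out.println("user  -> /admin/users: " + ac.isAuthorizedForURL("/admin/users", Set.of("user")));
        System.out.println("user  -> /account:     " + ac.isAuthorizedForURL("/account", Set.of("user")));
    }
}
```

With only the two rules from the slide, a plain user is denied everywhere, including /account; each application area needs its own allow rule above the catch-all deny.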

12. AccessReferenceMap

Key Methods
- getDirectReference(indirectReference)
- getIndirectReference(directReference)
- iterator()
- update(directReferences)

Example
- Direct reference: http://www.ibank.com?file=report123.xls
- Indirect reference: http://www.ibank.com?file=a3nr38
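An added sketch of how the indirect references in the slide's example can be produced and resolved (hypothetical code, not ESAPI's own): the class name, the six-character token alphabet and the use of IllegalArgumentException for unknown references are choices made here, not taken from the slide.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch of the AccessReferenceMap idea, not ESAPI's own code. Each object
// the user may reach gets a random indirect token; a value the map never issued (a real
// file name typed into file=, or a guessed token) does not resolve, so the request stops.
public class IndirectReferenceMap {
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> directToIndirect = new HashMap<>();
    private final Map<String, String> indirectToDirect = new HashMap<>();

    // Sync the map with the objects the user is currently authorized for.
    public void update(Set<String> directReferences) {
        directToIndirect.keySet().retainAll(directReferences);   // revoke what is no longer allowed
        indirectToDirect.values().retainAll(directReferences);
        for (String direct : directReferences) {
            if (directToIndirect.containsKey(direct)) continue;  // keep already issued tokens stable
            String indirect;
            do { indirect = randomToken(6); } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(direct, indirect);
            indirectToDirect.put(indirect, direct);
        }
    }

    public String getIndirectReference(String direct) { return lookup(directToIndirect, direct, "not an authorized object"); }
    public String getDirectReference(String indirect) { return lookup(indirectToDirect, indirect, "unknown reference"); }

    private static String lookup(Map<String, String> map, String key, String problem) {
        String value = map.get(key);
        if (value == null) throw new IllegalArgumentException(problem + ": " + key);
        return value;
    }

    private String randomToken(int length) {
        return random.ints(length, 0, ALPHABET.length())
                .collect(StringBuilder::new, (sb, i) -> sb.append(ALPHABET.charAt(i)), StringBuilder::append).toString();
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();
        map.update(Set.of("report123.xls"));
        String token = map.getIndirectReference("report123.xls");
        System.out.println("link: ?file=" + token + "  resolves to " + map.getDirectReference(token));
        try { map.getDirectReference("report124.xls"); }   // a direct name pasted into the parameter
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The map is meant to live per user (for example in the session), so the same report gets a different token for each user and a token leaked from one session resolves to nothing in another.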

13. Validator

Key Methods
- canonicalize(input)
- isValidFileUpload(filepath, filename, content)
- isValidCreditCard(input)
- isValid*****(input)
- isValidRedirectLocation(location)
- isValidSafeHTML(input)
- safeReadLine(inputStream, maxchars)

- Canonicalization is really important

14. Encoder

Key Methods
- encodeForBase64(byte[] input)
- encodeForDN(input)
- encodeForHTML(input)
- encodeForHTMLAttribute(input)
- encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath, ...

- Function names help tell the developer when to use each one
- Some of these are quite hard

15. HTTPUtilities

Key Methods
- changeSessionIdentifier(request)
- formatHttpRequestForLog(request, sensitiveList)
- getFileUploads(request, tempDir, finalDir)
- killAllCookies(request, response)
- killCookie(name, request, response)
- sendRedirect(location)
- setCookie(name, value, age, domain, path, response)
- setNoCacheHeaders(response)

- Safer ways of dealing with HTTP; uses HTTPOnly

16. Encryptor

Key Methods
- decrypt(ciphertext)
- encrypt(plaintext)
- hash(plaintext, salt)
- loadCertificateFromFile(file)
- getTimeStamp()
- seal(data, expiration), verifySeal(seal, data)
- sign(data), verifySignature(signature, data)

- Simple master key in configuration
- Minimal certificate support

17. EncryptedProperties

Key Methods
- getProperty(key)
- setProperty(key, value)
- keySet()
- load(inputStream)
- store(outputStream, comments)

- Simple protected storage for configuration data

18. Randomizer

Key Methods
- getRandomInteger(min, max)
- getRandomReal(min, max)
- getRandomString(length, characterSet)

- Several pre-defined character sets
  - Lowers, uppers, digits, specials, letters, alphanumerics, password, etc.

19. Exception Handling

- EnterpriseSecurityException
  - AccessControlException
  - AuthenticationException
  - AvailabilityException
  - CertificateException
  - EncryptionException
  - ExecutorException
  - IntrusionException
  - ValidationException

- Allows a sensible security exception framework

20. Logger

Key Methods
- getLogger(applicationName, moduleName)
- logCritical(type, message, throwable)
- logDebug(type, message, throwable)
- logError(type, message, throwable)
- logSuccess(type, message, throwable)
- logTrace(type, message, throwable)
- logWarning(type, message, throwable)

- All EnterpriseSecurityExceptions are automatically logged

21. IntrusionDetector

Key Methods
- addException(exception)
- createQuota(exception, limit)

Current Plan
- EnterpriseSecurityExceptions are automatically sent to IntrusionDetector
- Can set a quota for any exception
- Detects exceeding quota in a specified time period
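An added sketch of the quota mechanism this slide plans (hypothetical code, not ESAPI's own): the extra window parameter on createQuota, the explicit clock argument on addException, and the nested stand-in AuthenticationException are assumptions made here so the example runs stand-alone.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of the quota idea on the slide, not ESAPI's own code. Each exception
// type may be given a quota of N occurrences per time window; the occurrence that exceeds
// it raises an IntrusionException, which the application can answer by logging the user out.
public class QuotaIntrusionDetector {
    public static class IntrusionException extends RuntimeException {
        IntrusionException(String message) { super(message); }
    }
    private record Quota(int limit, long windowMillis) {}
    private final Map<String, Quota> quotas = new HashMap<>();
    private final Map<String, Deque<Long>> recent = new HashMap<>();   // timestamps, oldest first

    public void createQuota(Class<? extends Throwable> type, int limit, long windowMillis) {
        quotas.put(type.getName(), new Quota(limit, windowMillis));
    }

    // Called for every security exception; the clock is a parameter so behaviour is reproducible.
    public void addException(Throwable e, long nowMillis) {
        String type = e.getClass().getName();
        Quota quota = quotas.get(type);
        if (quota == null) return;                      // no quota configured for this type
        Deque<Long> times = recent.computeIfAbsent(type, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        while (nowMillis - times.peekFirst() > quota.windowMillis()) times.pollFirst();  // expire old
        if (times.size() > quota.limit()) {
            times.clear();                              // start counting afresh after reporting
            throw new IntrusionException(e.getClass().getSimpleName() + " occurred more than "
                    + quota.limit() + " times in " + quota.windowMillis() + " ms");
        }
    }

    // Constructed stand-in for ESAPI's AuthenticationException, used only by main().
    public static class AuthenticationException extends Exception {}

    public static void main(String[] args) {
        QuotaIntrusionDetector detector = new QuotaIntrusionDetector();
        detector.createQuota(AuthenticationException.class, 3, 60_000);   // 3 failures per minute
        long start = System.currentTimeMillis();
        try {
            for (int i = 0; i < 4; i++) detector.addException(new AuthenticationException(), start + i * 1_000L);
            System.out.println("quota respected");
        } catch (IntrusionException ex) {
            System.out.println("intrusion detected: " + ex.getMessage());
        }
    }
}
```

Because the counters here are keyed only by exception type, a production version would key them per user or per source address as well, so one noisy client cannot trip the quota for everyone.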

22. OWASP Top Ten Coverage

  OWASP Top Ten                                  OWASP ESAPI
  A1.  Cross Site Scripting (XSS)                Validator, Encoder
  A2.  Injection Flaws                           Encoder
  A3.  Malicious File Execution                  HTTPUtilities (upload)
  A4.  Insecure Direct Object Reference          AccessReferenceMap
  A5.  Cross Site Request Forgery (CSRF)         User (csrftoken)
  A6.  Leakage and Improper Error Handling       EnterpriseSecurityException, HTTPUtils
  A7.  Broken Authentication and Sessions        Authenticator, User, HTTPUtilities
  A8.  Insecure Cryptographic Storage            Encryptor
  A9.  Insecure Communications                   HTTPUtilities (cookie)
  A10. Failure to Restrict URL Access            AccessController

23. Closing Thoughts

- I have learned an amazing amount (I thought I knew)
- An ESAPI is a key part of a balanced breakfast
- Integrated API has huge benefits over separate libraries
- Secondary benefits
  - May help static analysis do better
  - Enables security upgrades across applications
  - Simplifies developer training
- Next year: experiences moving to ESAPI

