
1 Copyright © 2007 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license. The OWASP Foundation, http://www.owasp.org
OWASP and ESAPI
Jeff Williams, OWASP Chair, jeff.williams@owasp.org
October 21, 2008

2 OWASP Conferences (2008-2009)
  Gold Coast, Feb 2008; Brussels, May 2008; India, Aug 2008; NYC, Sep 2008; Israel, Sep 2008; Taiwan, Oct 2008; Minnesota, Oct 2008; Portugal, Nov 2008; Denver, Spring 2009; Poland, May 2009; San Jose, Sep 2009

3 OWASP Projects

4 OWASP AppSec Body of Knowledge
  3,913 total articles
  427 presentations
  205 blogs monitored
  200 wiki updates/day
  179 mailing lists
  101 projects
  80 videos
  19 deface attempts
  OWASP Quality Team

5 Finances and Grants (chart: OWASP Grants 100%; OWASP Foundation 55% / 45%)

6 Join OWASP: "It's the right thing to do" – Microsoft, 10/2008

7 About the ^

8 Coverage
  No malicious developers
  The design has to be right
  The controls have to be right
  Tools
  Depth – Level of Rigor
  Breadth – Number of Requirements

9 Requirement Summary (table columns: Tools, Manual, Arch, Deep)

10 More Information: http://www.owasp.org/images/7/73/OWASP_ASVS_Standard_2008_-_DRAFT001.pdf

11 Vulnerabilities and Security Controls

12 Enabling Developers
  Your Secure Coding Guideline
  Your Enterprise Security API
  Hands-on Training

13 The Problem with Security Libraries
  Libraries: Java Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Java Pattern, Java URL Encoder, many more, or Write Custom Code
  Problems: Overpowerful, Incomplete, Not Integrated, Broken, Can't Update, Custom

14 OWASP ESAPI
  Custom Enterprise Web Application
  OWASP Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  Your Existing Enterprise Services or Libraries

15 Deceptively Tricky
  1. Input Validation
  2. Output Encoding
  3. Authentication
  4. Access Control
  5. Direct Object References
  6. Errors, Logging, and Intrusion Detection

16 Some Valid Web Encodings for "less-than" (<)

  // percent encoding
  %3c %3C

  // html entity encoding
  &#60 &#060 &#0060 &#00060 &#000060 &#0000060
  &#60; &#060; &#0060; &#00060; &#000060; &#0000060;
  &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c
  &#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c;
  &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
  &#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c;
  &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C
  &#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C;
  &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
  &#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C;
  &lt &lT &Lt &LT &lt; &lT; &Lt; &LT;

  // javascript escape syntax
  \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C

  // css escape syntax
  \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C

  Double Encoding

  // double encoding examples
  < -> lt&#59 (double entity)
  \ -> %5c -> %255c (double percent)
  etc...

  // double encoding with multiple schemes example
  < -> %26lt%3b (first entity, then percent)
  %26 -> 26 (first percent, then entity)
  etc...

  // nested encoding examples
  %3c -> %253c (nested encode % with percent)
  %3c -> %33%63 (nested encode percent both nibbles)
  %3c -> %33c (nested encode first nibble with percent)
  %3c -> %3%63 (nested encode second nibble with percent)
  &&108;t; (nested encode l with entity)
  etc...

  // nested encoding with multiple schemes examples
  &%6ct; (nested encode l with percent)
  %3c -> %&x33;c (nested encode 3 with entity)
  etc...

17 Handling Double Encoding

  Original      | Decode 1      | Partial      | Decode 2    | Final
  %26lt;        | HTML Entity   | %26lt;       | URL Decode  | &lt;
  %26lt;        | URL Decode    | &lt;         | HTML Entity | <
  &#37;3c       | HTML Entity   | %3c          | URL Decode  | <
  &#37;3c       | URL Decode    | &#37;3c      | HTML Entity | %3c
  %2526lt%253B  | HTML Entity   | %2526lt%253B | URL Decode  | %26lt%3B
  %2526lt%253B  | URL Decode    | %26lt%3B     | HTML Entity | %26lt%3B
  %2526lt%253B  | 2x URL Decode | &lt;         | HTML Entity | <

  What components decode what? In what order?

18 1. ESAPI Input Validation: Any Encoding, Any Interpreter
  Diagram: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
  Decoding Engine codecs: HTML Entity Encoding, Percent Encoding, JavaScript Encoding, VBScript Encoding, CSS Encoding, MySQL Encoding, Oracle Encoding, LDAP Encoding, ...
  Validation Engine: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), ...
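The decoding engine on slides 16 to 18 exists because an attacker can stack encodings (slide 16) and because the outcome depends on which component decodes first (slide 17). The example below is added here and is not ESAPI code: it models two of the codecs from slide 18, percent encoding and HTML entity encoding, with the Python standard library, decodes with every codec in turn until a full pass changes nothing, and counts how often each codec fired. The names "multiple encoding" (one codec needed more than once) and "mixed encoding" (more than one codec needed) are this example's own labels, and the strict acceptance policy in is_acceptable is an assumption about what a legitimate client sends, not a rule taken from the slides.

```python
"""Canonicalize input before validation by decoding repeatedly with several
codecs until nothing changes, and flag multiple or mixed encoding.

Added example; not ESAPI code. Only two codecs are modelled, and the
multiple/mixed terminology and acceptance policy are this example's own.
"""
import html
import urllib.parse

# Each codec is a single decoding pass. Adding a JavaScript or CSS codec means
# adding one more entry here; the loop below does not change.
CODECS = {
    "percent": lambda s: urllib.parse.unquote(s, errors="replace"),
    "entity": html.unescape,
}

MAX_PASSES = 10  # hard stop so pathological input cannot spin the loop


def canonicalize(value):
    """Return (canonical_value, codec_use_counts).

    Every codec is applied in turn; the outer loop repeats until a full pass
    changes nothing, so the result does not depend on which component decodes
    first (the question posed on slide 17).
    """
    current = value
    counts = {}
    for _ in range(MAX_PASSES):
        changed = False
        for name, decode in CODECS.items():
            decoded = decode(current)
            if decoded != current:
                counts[name] = counts.get(name, 0) + 1
                current = decoded
                changed = True
        if not changed:
            break
    return current, counts


def analyze(value):
    """Classify how the value was encoded (this example's terminology)."""
    canonical, counts = canonicalize(value)
    return {
        "canonical": canonical,
        "multiple_encoding": any(n > 1 for n in counts.values()),
        "mixed_encoding": len(counts) > 1,
        "codecs": counts,
    }


def is_acceptable(value, allow_multiple=False, allow_mixed=False):
    """Strict policy (assumption): a legitimate client encodes once with one
    scheme, so double or mixed encoding is treated as an attack indicator."""
    report = analyze(value)
    if report["multiple_encoding"] and not allow_multiple:
        return False
    if report["mixed_encoding"] and not allow_mixed:
        return False
    return True


# Constructed sample inputs, all spelling "less-than" in a different way.
SAMPLES = {
    "plain": "<",
    "single entity": "&lt;",
    "single percent": "%3c",
    "double percent": "%253c",
    "entity then percent": "%26lt%3b",
    "percent sign as entity": "&#37;3c",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = analyze(raw)
        print(f"{label:24} {raw:10} -> {r['canonical']!r} "
              f"multiple={r['multiple_encoding']} mixed={r['mixed_encoding']} "
              f"accept={is_acceptable(raw)}")
```

Run on the table from slide 17, the sixth sample (&#37;3c) needs the entity codec first and the percent codec second; the loop finds that order by itself because it keeps going until a whole pass is a no-op, which is the behaviour a validator needs whether or not it knows what the front-end proxy or servlet container already decoded.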

19 HTML Execution Contexts
  Contexts: CSS, JavaScript, HTML Attributes, HTML Elements, Event Handlers, URI Attributes
  Escape syntaxes shown on the slide: \any \xHH \uHHHH \000 (octal) \specials \xHH \uHHHH &#DD &#xHH &quot; &apos; &#DD &#xHH &quot; &apos; \specials \xHH \uHHHH %HH

20 2. ESAPI Output Encoding
  Diagram: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
  Encoding Engine: setCharacterEncoding(), encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForVBScript(), encodeForCSS(), encodeForURL(), encodeForXML(), encodeForLDAP(), encodeForDN(), ...
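Slides 19 and 20 make the point that the escape syntax depends on where the data lands, so one encoder per context is needed. The example below is added here and is not ESAPI code: each function keeps ASCII letters and digits plus a small per-context set of "immune" characters and encodes everything else in that context's own syntax (numeric entities for HTML, \xHH or \uHHHH for JavaScript, \HH with a terminating space for CSS, %HH for URLs). The immune sets and the function names are this example's assumptions, modelled on the allowlist idea rather than copied from any ESAPI release; render_profile is a constructed page fragment showing the same untrusted value placed in four contexts.

```python
"""Output encoding selected by the context the data lands in.

Added example; not ESAPI code. Immune sets and function names are this
example's own assumptions.
"""
import urllib.parse

IMMUNE = {
    "html": set(",.-_ "),
    "html_attribute": set(",.-_"),  # no space: a bare space ends an unquoted attribute value
    "javascript": set(",._"),
    "css": set(),
}


def _is_safe(ch, context):
    cp = ord(ch)
    return (cp < 128 and ch.isalnum()) or ch in IMMUNE[context]


def encode_for_html(s):
    # Numeric entity with a terminating semicolon: slide 16 shows how many
    # shapes a browser accepts; the encoder emits exactly one of them.
    return "".join(ch if _is_safe(ch, "html") else f"&#x{ord(ch):x};" for ch in s)


def encode_for_html_attribute(s):
    return "".join(ch if _is_safe(ch, "html_attribute") else f"&#x{ord(ch):x};" for ch in s)


def encode_for_javascript(s):
    out = []
    for ch in s:
        cp = ord(ch)
        if _is_safe(ch, "javascript"):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            # \uHHHH escapes are UTF-16 code units, so astral characters need a surrogate pair
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}")
    return "".join(out)


def encode_for_css(s):
    # A CSS hex escape swallows following hex digits, so a trailing space
    # terminates it: "\3c 1" means "<1", whereas "\3c1" would be U+03C1.
    return "".join(ch if _is_safe(ch, "css") else f"\\{ord(ch):x} " for ch in s)


def encode_for_url(s):
    # Percent-encode every byte of the UTF-8 form; urllib leaves only the
    # RFC 3986 unreserved characters (letters, digits, "-._~") as they are.
    return urllib.parse.quote(s, safe="")


def render_profile(display_name, theme_color, redirect_to):
    """Constructed page fragment: one untrusted value, four execution contexts."""
    return (
        f"<div title=\"{encode_for_html_attribute(display_name)}\">"
        f"{encode_for_html(display_name)}</div>\n"
        f"<style>.name {{ color: {encode_for_css(theme_color)} }}</style>\n"
        f"<script>var name = '{encode_for_javascript(display_name)}';</script>\n"
        f"<a href=\"/go?to={encode_for_url(redirect_to)}\">next</a>"
    )


if __name__ == "__main__":
    print(render_profile('Tom & "Jerry" <b>', "red", "https://example.invalid/a b"))
```

Picking the encoder by context is the whole job: the HTML encoder is useless inside a script block, because "&#x27;" is just seven harmless characters to the JavaScript parser but a quote to the HTML parser that runs first, so the value reaches the script unencoded.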

21 3. ESAPI Authentication
  Web Application <-> Users: login(), logout()
  Also Supported: Encrypted Cookies, CSRF Protection, Change SESSIONID, Verify Secure Channel, Strong Credentials, Remember Me Cookie, Screen Name, Timeout, Lockout, ...

22 4. ESAPI Access Control
  Diagram: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend, Roles
  isAuthorizedForURL(), isAuthorizedForFunction(), isAuthorizedForService(), isAuthorizedForData(), isAuthorizedForFile()

23 5. ESAPI Direct Object Reference Protection
  Diagram: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
  Access Reference Map: getIndirectReference(), getDirectReference()
  Indirect references in URLs: http://app?file=1 -> Report123.xls; http://app?id=7d3J93 -> Acct:9182374
  Direct references exposed in URLs: http://app?id=9182374, http://app?file=Report123.xls
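The access reference map on slide 23 replaces direct names such as Report123.xls in URLs with opaque per-session tokens and refuses to resolve anything it did not issue. The example below is added here and is not ESAPI code: the class and the method names get_indirect_reference/get_direct_reference mirror the slide's getIndirectReference()/getDirectReference() but are this example's own, USER_FILES is a constructed stand-in for the server-side lookup of what a user may see, and a session map is built per user so a token leaked from one session means nothing in another.

```python
"""Indirect object references per session.

Added example; not ESAPI code. Class, method names, token length and the
constructed USER_FILES table are this example's assumptions.
"""
import secrets


class AccessDenied(Exception):
    """Raised when a token was not issued by this map (tampering or guessing)."""


class RandomAccessReferenceMap:
    def __init__(self, direct_objects=(), token_bytes=6):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_bytes = token_bytes
        for obj in direct_objects:
            self.add_direct_reference(obj)

    def add_direct_reference(self, obj):
        """Register an object the current user may access; idempotent."""
        if obj in self._to_indirect:
            return self._to_indirect[obj]
        while True:
            token = secrets.token_urlsafe(self._token_bytes)  # unguessable, not sequential
            if token not in self._to_direct:
                break
        self._to_indirect[obj] = token
        self._to_direct[token] = obj
        return token

    def get_indirect_reference(self, obj):
        """Token to embed in links/forms, or None if the user has no reference to obj."""
        return self._to_indirect.get(obj)

    def is_valid_reference(self, token):
        return token in self._to_direct

    def get_direct_reference(self, token):
        """Resolve a token from the request; unknown tokens are an access violation."""
        try:
            return self._to_direct[token]
        except KeyError:
            raise AccessDenied(f"no such reference: {token!r}") from None

    def remove_direct_reference(self, obj):
        token = self._to_indirect.pop(obj, None)
        if token is not None:
            del self._to_direct[token]


# Constructed stand-in for the server-side lookup of what each user may see.
USER_FILES = {
    "alice": ["Report123.xls", "Report456.xls"],
    "bob": ["Report789.xls"],
}


def build_session_map(user):
    """One map per session, so tokens are meaningless in any other session."""
    return RandomAccessReferenceMap(USER_FILES.get(user, []))


def report_link(session_map, filename):
    """Link to embed in the page: http://app?file=<token>, never the real name."""
    return f"http://app?file={session_map.get_indirect_reference(filename)}"


def open_report(session_map, token):
    """Handler side: resolve the token or refuse; the real name is never parsed from the URL."""
    return session_map.get_direct_reference(token)


if __name__ == "__main__":
    alice = build_session_map("alice")
    link = report_link(alice, "Report123.xls")
    print(link)
    print(open_report(alice, link.split("=", 1)[1]))
    try:
        open_report(alice, "Report789.xls")  # a direct name is not a token this map issued
    except AccessDenied as e:
        print("denied:", e)
```

The map is only as good as the list it is built from: build_session_map must be fed by the same authorization decision the AccessController on slide 22 would make, otherwise the tokens merely hide names without restricting access.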

24 6. Errors, Logging, and Detection
  Diagram: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
  Enterprise Security Exceptions -> Logger (Log) and Intrusion Detector
  Intrusion Detector: Configurable Thresholds; Responses: Log Intrusion, Logout User, Disable Account
  throw new ValidationException("User message", "Log message");
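Slide 24 ties three things together: an exception that carries a bland user message and a detailed log message, a logger, and an intrusion detector with configurable thresholds and responses. The example below is added here and is not ESAPI code: the threshold table (count per interval per user, with a list of actions), the action names "log", "logout" and "disable", and the ManualClock used for deterministic runs are this example's assumptions; validate_quantity is a constructed control that raises the two-message exception, and process_quantity shows the handler path where the user sees one message and the log gets the other.

```python
"""Security exceptions with a user message and a log message, feeding an
intrusion detector that applies configurable per-user thresholds.

Added example; not ESAPI code. Threshold format, action names and the
constructed validation control are this example's assumptions.
"""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("security")


class ManualClock:
    """Deterministic clock for demos and tests; production passes time.monotonic."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class IntrusionDetector:
    """Count security events per user and return responses when a threshold is crossed."""

    def __init__(self, thresholds, clock=time.monotonic):
        # thresholds: {event_name: {"count": n, "interval": seconds, "actions": [...]}}
        self._thresholds = thresholds
        self._clock = clock
        self._events = defaultdict(deque)

    def add_event(self, user, event_name):
        """Record one event; return the actions to take (empty while under threshold)."""
        rule = self._thresholds.get(event_name)
        if rule is None:
            return []
        now = self._clock()
        window = self._events[(user, event_name)]
        window.append(now)
        while window and now - window[0] > rule["interval"]:  # age out old events
            window.popleft()
        if len(window) >= rule["count"]:
            window.clear()  # respond once per burst, then start counting again
            return list(rule["actions"])
        return []


class EnterpriseSecurityException(Exception):
    """Two messages: a bland one for the user, a detailed one for the log."""

    def __init__(self, user_message, log_message):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


class ValidationException(EnterpriseSecurityException):
    pass


class IntrusionException(EnterpriseSecurityException):
    pass


# Constructed policy (assumption): three failed validations in 10 seconds are
# logged; a single intrusion is logged, the user logged out and the account disabled.
THRESHOLDS = {
    "ValidationException": {"count": 3, "interval": 10, "actions": ["log"]},
    "IntrusionException": {"count": 1, "interval": 0, "actions": ["log", "logout", "disable"]},
}

RESPONSES = {
    "log": lambda user: log.warning("threshold exceeded for %s", user),
    "logout": lambda user: log.warning("logging out %s", user),
    "disable": lambda user: log.warning("disabling account %s", user),
}


def handle_security_exception(detector, user, exc):
    """Log the detailed message, feed the detector, run any responses; return actions taken."""
    log.warning("%s for %s: %s", type(exc).__name__, user, exc.log_message)
    actions = detector.add_event(user, type(exc).__name__)
    for action in actions:
        RESPONSES[action](user)
    return actions


def validate_quantity(raw):
    """Constructed control: the user sees 'Invalid quantity', the log sees the raw value."""
    if not raw.isdigit():
        raise ValidationException("Invalid quantity", f"quantity failed digit check: {raw!r}")
    return int(raw)


def process_quantity(raw, detector, user):
    """Request handler: returns (value, actions); value is None when rejected."""
    try:
        return validate_quantity(raw), []
    except ValidationException as exc:
        return None, handle_security_exception(detector, user, exc)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    detector = IntrusionDetector(THRESHOLDS, clock=ManualClock())
    for raw in ["12", "abc", "1 OR 1", "<b>"]:
        print(raw, "->", process_quantity(raw, detector, "alice"))
```

Keeping the two messages apart is what makes the logger useful without making error pages informative: the log line carries the raw input and the check that failed, the response to the browser carries only "Invalid quantity".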

25 Data Protection Challenges
  Web Application <-> User
  Encrypted Properties; Encryptor; Random Tokens and GUIDs
  encrypt()/decrypt(), seal()/unseal(), sign()/verify(), hash(), getTimeStamp()

26 SafeRequest and SafeResponse
  User <-> Web Application, wrapped in SafeRequest and SafeResponse

27 Coverage: OWASP Top Ten -> OWASP ESAPI

  A1. Cross Site Scripting (XSS)             | Validator, Encoder
  A2. Injection Flaws                        | Encoder
  A3. Malicious File Execution               | HTTPUtilities (Safe Upload)
  A4. Insecure Direct Object Reference       | AccessReferenceMap, AccessController
  A5. Cross Site Request Forgery (CSRF)      | User (CSRF Token)
  A6. Leakage and Improper Error Handling    | EnterpriseSecurityException, HTTPUtils
  A7. Broken Authentication and Sessions     | Authenticator, User, HTTPUtils
  A8. Insecure Cryptographic Storage         | Encryptor
  A9. Insecure Communications                | HTTPUtilities (Secure Cookie, Channel)
  A10. Failure to Restrict URL Access        | AccessController

28 Tools – Time to Go Positive!
  Searching for negative signatures is hard
  We need research in verifying the positive

29 Project Plan and Status
  2002 – Start Collecting
  6/06 – Sketch Informal API
  4/07 – Formalize Strawman API
  5/07 – Start Java EE Reference Implementation
  7/07 – Form Expert Panel
  12/07 – Release RC1
  9/08 – Latest Release – v1.3.1
  12/08 – Summit
  Future – Rich client extensions, Web service extensions, Framework integration

30 Source Code and Javadoc Online Now!
  Project Home Page: http://www.owasp.org/index.php/ESAPI
  Code Repository: http://code.google.com/p/owasp-esapi-java

31 Quality

32 Microsoft Secure Development Lifecycle (SDL)

33 Potential Enterprise ESAPI Cost Savings

  Cost Area                                          | Typical            | With ESAPI
  AppSec Training (semiannual)                       | $270K              | $135K
  AppSec Requirements                                | 250 days ($150K)   | 50 days ($30K)
  AppSec Design (Threat Model, Arch Review)          | 500 days ($300K)   | 250 days ($150K)
  AppSec Implementation (Build and Use Controls)     | 1500 days ($900K)  | 500 days ($300K)
  AppSec Verification (Scan, Code Review, Pen Test)  | 500 days ($300K)   | 250 days ($150K)
  AppSec Remediation                                 | 500 days ($300K)   | 150 days ($90K)
  AppSec Standards and Guidelines                    | 100 days ($60K)    | 20 days ($12K)
  AppSec Inventory, Metrics, and Management          | 250 days ($150K)   | 200 days ($120K)
  Totals                                             | $2.43M             | $1.00M

34 More Information: ESAPI Book, http://www.owasp.org/images/7/79/ESAPI_Book.pdf

35 Questions and Answers
  Existing security libraries?
  Would this be valuable to your enterprise?
  Technical questions?
  Contact Information: Jeff Williams, jeff.williams@aspectsecurity.com, Work: 410-707-1487, Main: 301-604-4882
