Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP

Published byLauren Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP"— Presentation transcript:

1 Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP http://www.owasp.org Don’t Write Your Own Security Code – The Enterprise Security API Project Jeff Williams Aspect Security CEO Volunteer Chair of OWASP jeff.williams@aspectsecurity.com 410-707-1487

2 OWASP 2

3 3 Vulnerabilities and Security Controls

4 OWASP What Methods Do Developers Need? Custom Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration

5 OWASP Standardize and Isolate Your Security Services and Libraries Custom Applications Your Custom Applications App1 App2 App3 App4 App5 AppN Svc1 Svc2 Svc3 Lib1 Lib2 Lib3

6 OWASP 6 Deceptively Tricky… 1.Input Validation 2.Output Encoding 3.Errors, Logging, and Intrusion Detection Lots more…

7 OWASP 7 Web Escaping and Encoding 7 < Percent Encoding %3c %3C HTML Entity Encoding &#60 &#060 &#0060 &#00060 &#000060 &#0000060 < < < < < < &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c < < < < < < &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c < < < < < < &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C < < < < < < &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C < < < < < < &lt &lT &Lt &LT < &lT; &Lt; &LT; JavaScript Escape \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C CSS Escape \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C Overlong UTF-8 %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc US-ASCII ¼ UTF-7 +ADw- Punycode <- Simple Double Encoding < --> lt&#59 (double entity) %3c --> %253c (double percent) etc... Double Encoding with Multiple Schemes < --> %26lt%3b (first entity, then percent) %26 --> 26 (first percent, then entity) etc... Simple Nested Escaping %3c --> %33%63 (nested encode percent both nibbles) %3c --> %33c (nested encode first nibble percent) %3c --> %3%63 (nested encode second nibble percent) < --> &&108;t; (nested encode l with entity) etc... Nested Escaping with Multiple Schemes < --> &%6ct; (nested encode l with percent) %3c --> %3c (nested encode 3 with entity) etc... 1,677,721,600,000,000 ways to encode

8 OWASP 8 1. ESAPI Input Validation Any Encoding Any Interpreter Backend Controller Business Functions User Data Layer Presentation Layer Decoding Engine Codecs: HTML Entity Encoding Percent Encoding JavaScript Encoding VBScript Encoding CSS Encoding MySQL Encoding Oracle Encoding LDAP Encoding … Validation Engine Validate: getValidDate() getValidCreditCard() getValidSafeHTML() getValidInput() getValidNumber() getValidFileName() getValidRedirect() safeReadLine() …

9 OWASP 9 HTML Execution Contexts CSS JavaScript HTML Attributes HTML Elements Event Handlers URI Attributes \any \xHH \uHHHH \000 (octal) \specials \xHH \uHHHH &#DD &#xHH &entity; " &apos; &#DD &#xHH " &apos; \specials \xHH \uHHHH %HH

10 OWASP 10 ESAPI Swingset http://www.owasp.org/index.php?title=XSS_Prevention

11 OWASP 11 2. ESAPI Output Encoding Backend Controller Business Functions User Data Layer Presentation Layer Encoding Engine Encode: setCharacterEncoding() encodeForHTML() encodeForHTMLAttribute() encodeForJavaScript() encodeForVBScript() encodeForCSS() encodeForURL() encodeForXML() encodeForLDAP() encodeForDN() …

12 OWASP 12 Applications Enjoy Attacks YouTube Live Search Blogger

13 OWASP 13 3. Errors, Logging, and Detection Intrusion Detector Enterprise Security Exceptions Logger Log Intrusion Logout User Disable Account Configurable Thresholds Responses Backend Controller Business Functions User Data Layer Presentation Layer throw new ValidationException(“User message”, “Log message”);

14 OWASP 14 Quality

15 OWASP 15 Potential Enterprise ESAPI Cost Savings Cost AreaTypicalWith ESAPI AppSec Training (semiannual)$270K$135K AppSec Requirements250 days ($150K)50 days ($30K) AppSec Design (Threat Model, Arch Review) 500 days ($300K)250 days ($150K) AppSec Implementation (Build and Use Controls) 1500 days ($900K)500 days ($300K) AppSec Verification (Scan, Code Review, Pen Test) 500 days ($300K)250 days ($150K) AppSec Remediation500 days ($300K)150 days ($90K) AppSec Standards and Guidelines 100 days ($60K)20 days ($12K) AppSec Inventory, Metrics, and Management 250 days ($150K)200 days ($120K) Totals$2.43M$1.00M

16 OWASP 16 ESAPI Book! http://www.owasp.org/images/7/79/ESAPI_Book.pdf

17 OWASP 17 Questions and Answers  Rollout strategy?  Integrating existing security libraries?  Technical questions? Contact Information: Jeff Williams jeff.williams@aspectsecurity.com Work: 410-707-1487 Main: 301-604-4882

18 OWASP ==== EXTRA SLIDES ====

19 OWASP 19 Coverage OWASP Top Ten A1. Cross Site Scripting (XSS)A2. Injection FlawsA3. Malicious File ExecutionA4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error HandlingA7. Broken Authentication and SessionsA8. Insecure Cryptographic StorageA9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, EncoderEncoderHTTPUtilities (Safe Upload)AccessReferenceMap, AccessController User (CSRF Token) EnterpriseSecurityException, HTTPUtilsAuthenticator, User, HTTPUtilsEncryptorHTTPUtilities (Secure Cookie, Channel) AccessController

20 OWASP 20 Project Plan and Status 6/06 – Sketch Informal API 4/07 - Formalize Strawman API 5/07 – Start Java EE Reference Implementation 7/07 - Form Expert Panel 12/07 - Release RC1 2002 – Start Collecting 3/08 – Version 1.1 Versions Java.NET PHP Classic ASP Haskell Cold Fusion 1/09 – Version 1.5 12/08 – ESAPI Summit

21 OWASP 21 Assurance  Expert advisory/design/implementation team  Includes security consultants, product vendors, software developers  Collectively reviewed over 100 million lines of code  Given guidance to static analysis tool vendors  Taught over 500 application security classes  Minimal and modular design/implementation  Tools and Testing  ~600 JUnit test cases (89% coverage)  FindBugs, PMD, Ounce, Fortify clean  Code review by several Java security experts  Penetration test of sample applications  Full Javadoc for all functions  Working closely with the Java Servlet Spec team at Sun  They’re adopting six new changes to Java EE based on ESAPI Several major enterprises are using and evaluating ESAPI: Sun Oracle Dept. of Census Several Financials

Download ppt "Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license The OWASP Foundation OWASP"

Similar presentations

Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.

OWASP. To ensure that strong simple security controls are available to every developer in every environment ESAPI Mission.
ESAPI Pictures For Javadoc.

ESAPI Pictures For Javadoc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.

The OWASP Foundation Setting up a Secure Development Life Cycle with OWASP Seba Deleersnyder OWASP Foundation Board.
Copyright © 2010 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP BeNeLux 2010
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Copyright © 2008 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Similar presentations

Ads by Google