OWASP
http://www.owasp.org
Introductions
Andrew van der Stock
• Lead, OWASP Guide
• WebAppSec Moderator
Now you:
• Name
• Company
• Objectives
• Favorite lolcat?
Build Secure Applications
• It takes a team of professionals and several months to build a house
The role of security
• Without security, no business is possible
Application Security Verification Standard
• Level 1: Automated verification (1A dynamic scan, 1B source code scan)
• Level 2: Manual verification (2A penetration test, 2B code review)
• Level 3: Design verification (documentation exists and is checked against the application)
• Level 4: Internal verification (all internals reviewed, including a search for malicious software)
Reporting Standard
• R1 Introduction
• R2 Describe target (application description)
• R3 Architecture
• R4 Verification results
Enterprise Security API
• Encrypted properties
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• HTTPUtilities
• Executor
• Encoder
• SafeRequest, SafeResponse
Risk management
Humans suck at risk
• Poker machines
• Two up
• Roulette
• Blackjack
Which is more likely?
• Winning Lotto, or drowning?
• A Mini, or a Hummer H2?
Risk is simple
• 8 likelihood factors: threat agent (skill level, motive, opportunity, size) and vulnerability (ease of discovery, ease of exploit, awareness, intrusion detection)
• 8 impact factors: technical (loss of confidentiality, integrity, availability, accountability) and business (financial damage, reputation damage, non-compliance, privacy violation)
• Score each factor 0-9, average the two groups, and read the overall severity off the likelihood x impact matrix
• See worksheet (OWASP Risk Rating Methodology)
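The arithmetic behind "8 likelihood factors, 8 impact factors", as an added worked example (not from the slides or the OWASP worksheet itself): factor names follow the OWASP Risk Rating Methodology, each factor is scored 0-9, the two groups are averaged and bucketed, and the overall severity comes from the likelihood x impact matrix. The sample scores for a reflected XSS are constructed.

```python
"""OWASP Risk Rating arithmetic: 8 likelihood + 8 impact factors, scored 0-9.
Added example; factor names follow the OWASP Risk Rating Methodology and the
sample scores below are constructed for illustration."""

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                               # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",   # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                            # technical impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business impact
)

# Overall severity, indexed by (impact band, likelihood band).
SEVERITY = {
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def bucket(score):
    """0-9 average -> LOW (below 3), MEDIUM (3 to below 6), HIGH (6 and up)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores, names):
    """Average the named factors; every factor must be present and an int 0-9."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    values = [scores[n] for n in names]
    if any(not isinstance(v, int) or not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must be integers 0-9")
    return sum(values) / len(values)


def rate(likelihood, impact):
    """Averages, their bands, and the overall severity from the matrix."""
    l_avg = _average(likelihood, LIKELIHOOD_FACTORS)
    i_avg = _average(impact, IMPACT_FACTORS)
    l_band, i_band = bucket(l_avg), bucket(i_avg)
    return {"likelihood": l_avg, "likelihood_band": l_band,
            "impact": i_avg, "impact_band": i_band,
            "severity": SEVERITY[(i_band, l_band)]}


# Constructed sample: reflected XSS on an internet-facing login page.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 5,
                     "awareness": 9, "intrusion_detection": 8}
SAMPLE_IMPACT = {"loss_of_confidentiality": 6, "loss_of_integrity": 3,
                 "loss_of_availability": 1, "loss_of_accountability": 7,
                 "financial_damage": 3, "reputation_damage": 5,
                 "non_compliance": 2, "privacy_violation": 5}

if __name__ == "__main__":
    print(rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))   # likelihood HIGH x impact MEDIUM -> High
```

Note that the bands are deliberately coarse: two findings with likelihood averages of 5.9 and 6.0 land in different rows, so record the raw averages in the report alongside the band.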
Architecture
V1 - Security Architecture Verification Requirements
Levels: 1A 1B 2A 2B 3 4
Architecture
• Present
• Functional
• Used properly
Functional Requirements
• Accountability
• Functions
• Connections
Levels: 1A 1B 2A 2B 3 4
1.2 Architecture
• Identity
• Accountability
• Data Protection
Levels: 2A 2B 3 4
1.3 Connections
• ASVS: Define or verify connections between all components
• Authenticated
• Access Controlled
• Accountable
• Protected
Levels: 3 4
1.4 Documentation
• Architecture
• Components
• Connections
Levels: 3 4
1.5 Code Integrity
• Document control
• Hashes of code
Levels: 4
Identity and Authentication
V2 Authentication Verification Requirements
Levels: 1A 1B 2A 2B 3 4
Authentication
• Accountability
• My pets’ names
• Passwords
• PINs
Levels: 1A 1B 2A 2B 3 4
2.2 Central Control
Levels: 2B 3 4
2.3 Server Side Decisions
• ASVS: Requires authentication decisions to be made server side
• BAD: http://www.example.com/some/feature?auth=y (the client asserts its own authentication state)
• Ajax and RIA logins still possible, but not 100% client-side
Levels: 2A 2B 3 4
2.4 Malicious Code
• ASVS: Requires authentication controls to have no malicious code
• Callers
• Centralized routines
Levels: 4
2.5 Fail Securely
Levels: 2A 2B 3 4
2.6 Logged
• Soft lockout!
Levels: 1A 2A 2B 3 4
Last Login Time
• Failed logins
Levels: 2A 2B 3 4
2.13 Secure Credentials
Levels: 2B 3 4
2.14 Re-authentication
Levels: 2A 2B 3 4
DEMO
• WebGoat
Levels: 1A 1B 2A 2B 3 4
Session management
• Hint: I’ve never done this, and I’ve been doing it for 10 years.
Levels: 4
3.3 Invalidate Sessions
Levels: 3 4
3.6 Session Regeneration
• ASVS: Requires the session token to be regenerated upon:
• Login
• Re-authentication
• Logout
• Rationale: a token that existed before authentication must never become the authenticated one (session fixation)
Levels: 1A 2A 2B 3 4
3.9 Session Integrity
• ASVS: Requires applications to only honor issued tokens
• WebGoat
• Fail open: a server that accepts any token it is handed, and builds a session around it, lets the attacker choose the victim's session ID
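Session regeneration (3.6) and "only honor issued tokens" (3.9) in one small server-side store, as an added example that is not ESAPI or WebGoat code: tokens come only from the CSPRNG, the token is rotated on login, re-authentication and logout, and a token the server never issued resolves to nothing rather than to a fresh session. The idle timeout and the dictionary layout are assumptions for illustration.

```python
"""Session store per ASVS 3.6 (regenerate on login/re-auth/logout) and 3.9
(honour only issued tokens). Added example, not ESAPI or WebGoat code; the
idle timeout and record layout are assumptions for illustration."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900):
        self._sessions = {}          # token -> {"user": str | None, "last_seen": float}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)    # 256 bits of CSPRNG output, URL safe

    def start(self, now=None):
        """Issue a fresh anonymous session and return its token."""
        token = self._new_token()
        self._sessions[token] = {"user": None, "last_seen": time.time() if now is None else now}
        return token

    def lookup(self, token, now=None):
        """Session for a token the server issued and that has not idled out.
        Unknown tokens (attacker-chosen ones included) never become sessions: None."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            self.invalidate(token)      # ASVS 3.3: expire it, do not resurrect it
            return None
        session["last_seen"] = now
        return session

    def _rotate(self, old_token):
        """Move the state under a brand-new token; the old one stops working at once."""
        session = self._sessions.pop(old_token)
        new_token = self._new_token()
        self._sessions[new_token] = session
        return new_token

    def login(self, token, user, now=None):
        """Call after the credentials have been verified. Rotating here defeats
        session fixation: a pre-login token an attacker planted is never promoted."""
        session = self.lookup(token, now)
        if session is None:
            raise PermissionError("unknown or expired session")
        session["user"] = user
        return self._rotate(token)

    def reauthenticate(self, token, now=None):
        """Step-up for a sensitive action (ASVS 2.14): same rotation rule."""
        session = self.lookup(token, now)
        if session is None or session["user"] is None:
            raise PermissionError("no authenticated session to re-authenticate")
        return self._rotate(token)

    def logout(self, token, now=None):
        """Destroy the session and hand the client a new anonymous token."""
        self.invalidate(token)
        return self.start(now)

    def invalidate(self, token):
        self._sessions.pop(token, None)


def fixation_attempt():
    """Constructed scenario: attacker obtains a token and the victim logs in with it."""
    store = SessionStore()
    planted = store.start()                   # attacker gets a valid anonymous token
    victim_token = store.login(planted, "alice")
    return {
        "planted_still_valid": store.lookup(planted) is not None,            # False
        "victim_user": store.lookup(victim_token)["user"],                    # "alice"
        "forged_honoured": store.lookup("attacker-chosen-id") is not None,    # False
    }
```

The fail-open variant the slide warns about is a `lookup` that, on a miss, does `self._sessions[token] = {...}` and returns it; the attacker then only has to get the victim to present a token of the attacker's choosing.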
Authentication
• Secondary: Session Management
Access Control
V4 Access Control Verification Requirements
Levels: 1A 1B 2A 2B 3 4
Access Control
Levels: 1A 2A 2B 3 4
4.2 Secured Files
• ASVS: Requires
Levels: 2B 3 4
4.9 Same Access Control Rules
Levels: 2A 2B 3 4
4.10 Integrity of Access Control Rules
• ASVS: Requires the access control rule repository to be secure from unauthorized changes
Levels: 1A 2A 2B 3 4
Access Reference Maps
• Replace direct object references (database keys, file names, URLs) with random indirect keys that the server maps back; the client never names the real object
Levels: 2B 3 4
4.13 Server Side Access Control
• ASVS: Requires server side access control
• Callers
• Implementation
Levels: 4
4.15 Business Limits
Levels: 2A 2B 3 4
Demo
• WebGoat
Levels: 1A 1B 2A 2B 3 4
Input Validation
V5 Input Validation Verification Requirements
Strong Typing
• Many languages, such as PHP and Perl, are not strongly typed
• Currency
• Length
Levels: 2A 2B 3 4
5.2 Canonicalization
• Decode to the simplest form first, then validate:
• Positive validation
• Sanitization
• Negative validation
• No validation
Levels: 1A 2A 2B 3 4
5.4 Single Mechanism
• ASVS: Requires a single input validation mechanism
Levels: 2A 2B 3 4
5.6 Malicious Code
Levels: 4
5.7 Reject, Not Sanitize
Levels: 1A 2A 2B 3 4
5.8 Log All Failures
Levels: 2B 3 4
5.9 Buffer Overflows
• WebGoat
Output Encoding
V6 Output Encoding / Escaping Verification Requirements
Levels: 1A 1B 2A 2B 3 4
Last Chance Workout
Levels: 2B 3 4
6.2 Single Mechanism
Levels: 3 4
6.3 Server Side
Levels: 2A 2B 3 4
6.4 Malicious Code
• ASVS: Requires the encoding mechanism to be free of malicious code
Levels: 4
6.5 HTML Escaping
• Character references: decimal (&#60;), hex (&#x3C;) and named entities (&lt;, &amp;)
• ESAPI
Levels: 2B 3 4
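Canonicalization (5.2) and HTML escaping (6.5) are two halves of the same problem, so one added example covers both; it follows the ESAPI approach (decode references until the string is stable, treat more than one round of decoding as double encoding and reject it, encode output as hex character references) but is not ESAPI code. The username rule and the immune-character set are assumptions for illustration.

```python
"""Canonicalise HTML character references before validating (ASVS 5.2) and
encode everything non-alphanumeric on output (ASVS 6.5). Added example in the
spirit of ESAPI's canonicalize/encodeForHTML, not ESAPI code; the username
rule and the immune set are assumptions."""
import html
import re

MAX_DECODE_ROUNDS = 4


def canonicalize(text):
    """Decode decimal (&#60;), hex (&#x3C;) and named (&lt;) references until the
    string stops changing. Needing more than one round means the input was
    double encoded, which is an attack signature: reject, do not keep decoding."""
    rounds = 0
    current = text
    while rounds < MAX_DECODE_ROUNDS:
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    else:
        raise ValueError("too many encoding layers")
    if rounds > 1:
        raise ValueError("double encoding detected")
    return current


USERNAME = re.compile(r"[A-Za-z0-9_]{3,32}")     # assumed positive-validation rule


def validate_username(raw):
    """Positive validation on the canonical form; reject rather than sanitise (5.7)."""
    clean = canonicalize(raw)
    if not USERNAME.fullmatch(clean):
        raise ValueError("username rejected")
    return clean


def accepts(raw):
    """True if raw survives canonicalisation and the username rule."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


IMMUNE = set(",.-_ ")    # harmless in HTML text, kept readable (same idea as ESAPI's immune list)


def encode_for_html(text):
    """Encode every character outside [A-Za-z0-9] and the immune set as a hex
    reference. Encoding this broadly, instead of only < > & " ', means a missed
    context (attribute, comment) still receives no raw metacharacters."""
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in IMMUNE:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)
```

Run `canonicalize` on the way in, `encode_for_html` on the way out, and never the reverse: decoding output or encoding input is how the two mechanisms end up fighting each other.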
6.8 LDAP Escaping
Levels: 2B 3 4
6.9 Command Escaping
Levels: 2B 3 4
6.10 Interpreters
Levels: 2B 3 4
Demo
Cryptography
V7 Cryptography Verification Requirements
Levels: 1A 1B 2A 2B 3 4
7.1 Validated Crypto
• FIPS 140-2
Levels: 2B 3 4
7.2 Approved Mode
• MD5 == broken
Levels: 2A 2B 3 4
7.3 Master Secrets
Levels: 2B 3 4
7.4 Password Hashes
• Salted (a random per-user salt, and a slow iterated hash rather than a single fast digest)
Levels: 2B 3 4
7.5 Server Side Operation
Levels: 2A 2B 3 4
7.6 Malicious Code
Levels: 4
7.7 Fail Securely
• Alert administrators
Levels: 2B 3 4
7.8 Logging
Levels: 2B 3 4
7.9 Random Numbers
• Cryptographically strong generator, not a seeded PRNG
Levels: 2B 3 4
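Password hashes (7.4) and random numbers (7.9) meet in one routine, so one added example serves both slides; it is standard-library code written for this page, not ESAPI's Encryptor or any ASVS-specified format. The record layout and iteration count are my choices. The unsalted fast hash is included as the "before" the MD5 slide (7.2) is warning about.

```python
"""Salted, iterated password hashing (ASVS 7.4) with salts from the CSPRNG
(ASVS 7.9) and a constant-time check, beside the unsalted fast hash the slides
call broken (7.2). Added example; record format and iteration count are mine."""
import base64
import hashlib
import hmac
import secrets

ALGO = "sha256"
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 rounds; tune so one hash costs ~100 ms on the auth hosts
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_hash(password):
    """The 'before': fast and unsalted, so equal passwords give equal hashes and
    one precomputed table cracks every user at once. MD5 shares this flaw and is
    collision-broken on top of it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2$algo$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)      # CSPRNG; never random.random() or a time seed
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return "$".join(["pbkdf2", ALGO, str(iterations), b64(salt), b64(digest)])


def _parse(record):
    scheme, algo, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown scheme")
    return algo, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password, record):
    """Constant-time comparison; any malformed record verifies as False (7.7: fail closed)."""
    try:
        algo, iterations, salt, expected = _parse(record)
        actual = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations,
                                     dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored work factor is below current policy: re-hash at the next
    successful login, since the plaintext is only available then."""
    try:
        _, stored_iterations, _, _ = _parse(record)
    except (ValueError, TypeError):
        return True
    return stored_iterations < iterations
```

Because the record names its own algorithm and work factor, raising ITERATIONS later is a policy change rather than a migration: old records keep verifying and are upgraded on the user's next login.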
7.10 Key Management
• Master keys
Levels: 1A 1B 2A 2B 3 4
Accountability
V8 Error Handling and Logging Verification Requirements
Levels: 2B 3 4
8.2 Important Elements
• Time stamp
• Severity level
• Identity of user
Levels: 2B 3 4
8.3 Protect Logs
Levels: 2B 3 4
8.4 Centralized Logging
Levels: 2B 3 4
8.5 Trusted Logging
Levels: 2A 2B 3 4
8.6 No Malicious Code
Levels: 4
8.7 Do Not Log Sensitive Data
• Session IDs
• Passwords, tokens
• CC PANs
Levels: 2B 3 4
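The 8.2 elements and the 8.7 exclusions in one logging routine, as an added example written for this page (not ESAPI's Logger): every record carries timestamp, severity and user identity, and the details are scrubbed of session IDs, passwords/tokens and card PANs before they can reach a sink. The key list, the PAN heuristic (13-19 digits that pass Luhn) and the sample record are constructed.

```python
"""Audit records that always carry the ASVS 8.2 elements (timestamp, severity,
user identity) and are scrubbed of ASVS 8.7 data (session ids, passwords and
tokens, card PANs) before they reach any log sink. Added example; the field
names, key list and sample record are constructed for illustration."""
import json
import re
from datetime import datetime, timezone

SENSITIVE_KEYS = {"password", "passwd", "token", "session_id", "sessionid",
                  "jsessionid", "authorization", "cookie"}

# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn
_DIGIT_RUN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace each Luhn-valid digit run with stars, keeping the last four."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)               # order numbers and the like pass through
        return "*" * (len(digits) - 4) + digits[-4:]
    return _DIGIT_RUN.sub(_mask, text)


def scrub(value):
    """Recursively redact sensitive keys and mask PANs inside string values."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return mask_pans(value)
    return value


def audit_record(severity, user, event, details=None, now=None):
    """Structured record; the three 8.2 elements are mandatory positional fields."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(timespec="milliseconds"),
        "severity": severity.upper(),
        "user": user,
        "event": event,
        "details": scrub(details or {}),
    }


def audit_line(severity, user, event, details=None, now=None):
    """One JSON line per event, ready to ship to a central log server (8.4)."""
    return json.dumps(audit_record(severity, user, event, details, now), sort_keys=True)


# Constructed sample: what a careless handler might pass to the logger.
SAMPLE_DETAILS = {
    "password": "hunter2",
    "JSESSIONID": "A1B2C3D4E5F6",
    "note": "payment with card 4111 1111 1111 1111 declined, order 1234567890123456",
}
FIXED_TIME = datetime(2009, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed


def sample_record():
    return audit_record("warning", "alice", "payment.declined", SAMPLE_DETAILS, now=FIXED_TIME)
```

Scrubbing by key catches the data you know about; the PAN mask catches what arrives inside free text. Neither replaces the rule on the slide: handlers should not pass credentials or tokens to the logger in the first place.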
8.8 Detailed Error Messages
• Baseline
• Unusual activity
• Heuristics
Levels: 2B 3 4
Exception handling
• Use structured exception handling - always!
• Too many per second per user? Log out / lock user
Data Protection
V9 Data Protection Verification Requirements
Levels: 1A 1B 2A 2B 3 4
9.1 Identify Sensitive Data
• Protect appropriately!
Levels: 2B 3 4
9.3 Disable Client Side Caching
• Use AUTOCOMPLETE="off" in forms and fields so the browser does not store:
• SSNs / TFNs
• Value transactions
• Caveat: autocomplete only controls form autofill; to stop the response itself being cached by the browser or a proxy, also send Cache-Control: no-store (and Pragma: no-cache for HTTP/1.0 proxies)
Levels: 1A 1B 2A 2B 3 4
9.4 Sensitive Data in Body
Levels: 2A 3 4
Minimize Data Collected
• If you don’t have the data, you can’t lose it
• Virus scanned
Secure Database
The Missing ASVS Section
• Authentication
Communication Security
V10 Communication Security Verification Requirements
Levels: 1A 2A 2B 3 4
10.1 Use SSLv3 / TLS
• SSLv3 has since been broken and deprecated; today this means TLS 1.2 or later
Levels: 2B 3 4
10.2 Centralized Implementation
• Only one crypto library to rule them all!
• Approved mode of operation
Levels: 2B 3 4
10.5 Use Trusted CA
• No additional security
Levels: 1A 2A 2B 3 4
10.6 Trusted Certificate Paths
Levels: 2B 3 4
10.7 Encodings
Levels: 2A 2B 3 4
10.8 Safe Components
Levels: 2B 3 4
HTTP Security
V11 HTTP Security Verification Requirements
Levels: 1A 1B 2A 2B 3 4
11.1 HttpOnly
Levels: 2A 2B 3 4
11.2 Secure Cookies
Levels: 2A 2B 3 4
11.3 CSRF Guard
• All state-changing forms, links, etc. should carry an unpredictable token tied to the user's session and checked server side
Levels: 1A 1B 2A 2B 3 4
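HttpOnly (11.1), Secure (11.2) and a CSRF token (11.3) together, as an added example written for this page rather than taken from the deck or OWASP CSRFGuard: the session cookie is emitted with the hardening flags always present, and the CSRF token is an HMAC over the session ID, so it is unguessable without the server key, valid only for that session, and verifiable without storing it. The cookie name, the key source and the SameSite choice are assumptions; a real deployment loads the key from configuration instead of generating it at import time.

```python
"""Set-Cookie hardening (ASVS 11.1 HttpOnly, 11.2 Secure) and an HMAC-bound CSRF
token (11.3). Added example; cookie name, key source and SameSite are assumptions."""
import hashlib
import hmac
import secrets

_FORBIDDEN_IN_VALUE = set(';, \t\r\n"\\')


def session_cookie(value, name="JSESSIONID", max_age=None, domain=None, path="/"):
    """Set-Cookie header value with HttpOnly (no script access), Secure (TLS only)
    and SameSite=Strict (not sent on cross-site requests) always present."""
    if not value or any(c in _FORBIDDEN_IN_VALUE for c in value):
        raise ValueError("invalid cookie value")
    attrs = [f"{name}={value}", f"Path={path}", "HttpOnly", "Secure", "SameSite=Strict"]
    if domain:
        attrs.append(f"Domain={domain}")
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "; ".join(attrs)


CSRF_KEY = secrets.token_bytes(32)      # assumption: a per-deployment secret, loaded from config in practice


def csrf_token(session_id, key=CSRF_KEY):
    """Token = HMAC-SHA256(key, session id): unguessable without the key and
    bound to this session, so nothing needs to be stored server side."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted, key=CSRF_KEY):
    """Constant-time comparison; a missing or foreign token fails."""
    if not submitted or not session_id:
        return False
    return hmac.compare_digest(csrf_token(session_id, key), submitted)


def form_hidden_field(session_id):
    """What every state-changing form embeds (links carry it as a query parameter)."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
```

Because the token is derived from the session ID, regenerating the session (3.6) automatically invalidates every token issued for the old one, which is the behaviour you want after login and logout.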
11.5 Unchecked Redirects
• GOOD: http://www.example.com/redir?url=6AF87BDE (opaque key looked up in a server side map)
• BAD: http://www.example.com/redir?url=http://evilsite.com (attacker-supplied destination)
Levels: 1A 1B 2A 2B 3 4
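The opaque-key redirect above and the "Access Reference Maps" slide in the access control section are the same pattern, so one added example covers both; it is written in the spirit of ESAPI's AccessReferenceMap but is not ESAPI code. The client only ever sees a random key such as 6AF87BDE, the server maps it back to a destination it registered, and anything else (including a literal http://evilsite.com) has nothing to resolve to. The registered URLs and hostnames are constructed.

```python
"""Indirect (access) reference map: random keys in place of direct references
(URLs, file names, DB keys), resolved only against what the server registered.
Added example in the spirit of ESAPI's AccessReferenceMap, not ESAPI code;
the registered URLs and hostnames are constructed."""
import secrets


class AccessReferenceMap:
    """Bidirectional map between direct references and random indirect keys.
    Keep one per user session for object references so keys cannot be shared or
    enumerated across users; a redirect allowlist can be application-wide."""

    def __init__(self, key_bytes=4):
        self._to_indirect = {}
        self._to_direct = {}
        self._key_bytes = key_bytes

    def add(self, direct):
        """Register a direct reference and return its (stable) indirect key."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        while True:
            indirect = secrets.token_hex(self._key_bytes).upper()    # e.g. "6AF87BDE"
            if indirect not in self._to_direct:
                break
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def resolve(self, indirect):
        """Map an indirect key back; unknown keys raise rather than pass through."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown reference") from None

    def known(self, indirect):
        return indirect in self._to_direct

    def remove(self, direct):
        indirect = self._to_indirect.pop(direct, None)
        if indirect is not None:
            del self._to_direct[indirect]


REDIRECTS = AccessReferenceMap()
HOME_KEY = REDIRECTS.add("/account/home")
PARTNER_KEY = REDIRECTS.add("https://partner.example.net/return")    # constructed partner URL


def redirect_location(url_param):
    """Location header value for /redir?url=<url_param>, or None to refuse.
    The parameter is only ever a lookup key; it is never interpreted as a URL."""
    if not url_param or not url_param.isalnum():
        return None      # "http://evilsite.com" stops here: ':' and '/' are not key characters
    try:
        return REDIRECTS.resolve(url_param)
    except PermissionError:
        return None
```

When the redirect target must be dynamic (a return URL chosen at runtime), register it with `add` at the moment the server decides it is acceptable and hand the client the key; the decision still happens server side, which is the point of 4.13.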
11.6 Minimal HTTP Methods
Levels: 1A 1B 2A 2B 3 4
11.7 Safe Headers
• Make it so!
Levels: 2A 2B 3 4
Configuration
V12 Security Configuration Verification Requirements
Levels: 2B 3 4
12.1 Secure Configuration
Levels: 2B 3 4
Turn Off Unnecessary Features
Levels: 2B 3 4
Encrypting Configuration
Levels: 2B 3 4
12.2 Log All Changes
• Accountability!
• Notify admins
• Log
Levels: 2B 3 4
12.4 Human Readable Configuration
Levels: 4
Trojans, Backdoors, and Easter Eggs
V13 Malicious Code Search Verification Requirements
Levels: 4
13.1 Time Bombs
• Sackable offense
Levels: 4
13.2 Back Doors
Levels: 4
13.3 Easter Eggs
• Used to be a fun way of providing credit or props
• Sackable offense
Levels: 4
13.4 Salami Attacks
Levels: 4
13.5 All Others
Levels: 4
Internal Security Controls
V14 Internal Security Verification Requirements
Levels: 3 4
14.1 Secure Meta Data
Levels: 3 4
14.2 Simple Security API
Levels: 4
14.3 Protect Shared Variables and Resources
• Protect:
• Singletons
Levels: 4
Reporting
How to write a great report
Levels: 1 2 3 4
Communicating Bad News
• Headings should be positive in tone
• Overall verdict
R2 Application Description
• Scope
• Assumptions
R3 Application Security Architecture
R4 Verification Results (what each finding records, by ASVS level)
                     Level 1              Level 2              Level 3                  Level 4
Location             URL or source file   URL or source file   URL and any components   URL and any components
Description
Risk Rating
Risk Justification
FAIL
                     Level 1              Level 2              Level 3                  Level 4
Location             URL or source file   URL or source file   URL and any components   URL and any components
Risk
Description          Description          Description          Description              Description
Justification
OWASP Links
• ASVS
• ESAPI
• Top 10 2007
Thank you!