Slide 1: OWASP Secure Coding Practices Quick Reference Guide
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Miguel Almeida, miguelalmeida@miguelalmeida.pt
December, 2010

Slide 2: About Me
- Independent author and consultant
- Used to work on security for KPMG and Deloitte
- Been working on security since 2000
- Main focus on financial institutions security
- More info at www.miguelalmeida.pt

Slide 3: Guide Overview
- Technology-agnostic coding practices
- What to do, not how to do it
- Compact, but comprehensive checklist format
- Focuses on secure coding requirements, rather than on vulnerabilities and exploits
- Includes a cross-referenced glossary to get developers and security folks talking the same language

Slide 4: Checklist Sections
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices
Only 17 pages long.

Slide 5: Input Validation
- Conduct all data validation on a trusted system (e.g., the server)
- Validate all client-provided data before processing, including all parameters, URLs and HTTP header content (e.g., cookie names and values). Be sure to include automated post-backs from JavaScript, Flash or other embedded code
- There should be a centralized input validation routine for the application
...
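The slide asks for one centralized, server-side validation routine that covers parameters, URLs and header content such as cookies. The following is an added example, not code from the guide or the presentation: it keeps every allowlist rule in one module and routes a whole request through a single entry point, so nothing is processed until it has passed. The parameter names, patterns and the host `app.example.test` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist rules for this example; a real application derives
# them from its own data model. Each pattern must match the whole value.
PARAM_RULES = {
    "user_id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "lang": re.compile(r"en|de|pt"),
}
COOKIE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
COOKIE_VALUE_RE = re.compile(r"[A-Za-z0-9._~-]{0,256}")
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}  # hypothetical host


class ValidationError(ValueError):
    """Raised whenever client-supplied data fails the allowlist."""


def validate_params(params):
    """Accept only known parameter names whose values match their rule exactly."""
    clean = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ValidationError(f"unexpected parameter: {name!r}")
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            raise ValidationError(f"invalid value for parameter: {name!r}")
        clean[name] = value
    return clean


def validate_cookies(cookie_header):
    """Parse a raw Cookie header; reject names or values outside the allowlist.
    Control characters (e.g. CR/LF) never match, so header splitting is refused."""
    cookies = {}
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if (not sep or COOKIE_NAME_RE.fullmatch(name) is None
                or COOKIE_VALUE_RE.fullmatch(value) is None):
            raise ValidationError(f"malformed cookie: {pair!r}")
        cookies[name] = value
    return cookies


def validate_redirect_url(url):
    """Allow only absolute HTTPS URLs that point at a host we own."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValidationError("redirect target not allowed")
    return url


def validate_request(params, cookie_header, redirect_url=None):
    """Single entry point: every request passes through here before any processing."""
    result = {
        "params": validate_params(params),
        "cookies": validate_cookies(cookie_header),
    }
    if redirect_url is not None:
        result["redirect"] = validate_redirect_url(redirect_url)
    return result
```

Unknown parameter names are rejected rather than ignored, which is what makes the routine an allowlist: a field the developers never defined cannot reach business logic through it.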

Slide 6: Output Encoding
- Conduct all encoding on a trusted system (e.g., the server)
- Encode all characters unless they are known to be safe for the intended interpreter
- Contextually sanitize all output of untrusted data to queries for SQL, XML, and LDAP
...
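"Encode for the intended interpreter" means one encoder per output context, not one generic cleaner. The following is an added example, not code from the guide: it provides encoders for HTML text and attributes, for a string literal inside a script block, and for a value placed in an LDAP search filter (the RFC 4515 escapes), and shows a small renderer choosing the right one for each spot. The `render_profile` and `ldap_user_filter` helpers are constructed for illustration.

```python
import html
import json

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Each input character is mapped independently, so a backslash in the
# input becomes \5c and nothing the encoder emits is escaped twice.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def encode_html(value):
    """Text inside an HTML element or inside a double-quoted attribute."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """A value embedded as a string literal inside a <script> block.
    json.dumps quotes and escapes it; '<' is additionally encoded so the
    literal can never close the enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c")


def encode_ldap_filter_value(value):
    """A value interpolated into an LDAP filter such as (uid=...)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_profile(display_name, greeting):
    """Constructed page fragment: each untrusted value is encoded for the
    context it lands in (element text, attribute value, JS string)."""
    return (
        "<h1>" + encode_html(display_name) + "</h1>\n"
        '<input name="display" value="' + encode_html(display_name) + '">\n'
        "<script>var greeting = " + encode_js_string(greeting) + ";</script>"
    )


def ldap_user_filter(uid):
    """Constructed filter builder: the uid is escaped, never concatenated raw."""
    return "(&(objectClass=person)(uid=" + encode_ldap_filter_value(uid) + "))"
```

The attribute in `render_profile` is written with double quotes on purpose: `html.escape(..., quote=True)` encodes both quote characters, so the encoded value cannot terminate the attribute it sits in. The SQL case from the same slide is better served by parameterized statements than by an encoder, which the Database Security section covers.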

Slide 7: Authentication and Password Management
- Require authentication for all pages and resources, except those specifically intended to be public
- Establish and utilize standard, tested authentication services whenever possible
- Enforce password complexity requirements established by policy or regulation. Authentication credentials should be sufficient to withstand attacks that are typical of the threats in the deployed environment (e.g., requiring the use of alphabetic as well as numeric and/or special characters)
...

Slide 8: Session Management
- Use the server or framework's session management controls. The application should only recognize these session identifiers as valid
- Session identifier creation must always be done on a trusted system (e.g., the server)
- Set the "secure" attribute for cookies transmitted over a TLS connection
...

Slide 9: Access Control
- Enforce authorization controls on every request, including those made by server-side scripts, "includes" and requests from rich client-side technologies like AJAX and Flash
- Use the "referer" header as a supplemental check only; it should never be the sole authorization check, as it can be spoofed
- Implement account auditing and enforce the disabling of unused accounts
...

Slide 10: Cryptographic Practices
- All random numbers, random filenames, random GUIDs, and random strings should be generated using the cryptographic module's approved random number generator when these random values are intended to be unguessable
- Protect master secrets from unauthorized access
- Establish and utilize a policy and process for how cryptographic keys will be managed
...
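The Session Management and Cryptographic Practices slides meet in one place: session identifiers and random filenames must come from the cryptographic random generator, be minted server-side, and only identifiers the server issued may be honoured. The following is an added example, not code from the guide, that ties those points together with a small in-memory session store built on Python's `secrets` module. The store, the cookie name `SESSIONID`, the 30-minute lifetime and the injectable clock are constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session store. Identifiers are minted here with the
    CSPRNG, and only identifiers this store minted are ever honoured."""

    ID_BYTES = 32          # 256 bits of entropy per identifier
    TTL_SECONDS = 1800     # constructed lifetime for the example

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested

    def create(self, user_id):
        session_id = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[session_id] = {
            "user_id": user_id,
            "expires": self._clock() + self.TTL_SECONDS,
        }
        return session_id

    def lookup(self, presented_id):
        """Return the session for a client-presented id, or None when the id
        was never issued here or has expired. Nothing else is accepted."""
        session = self._sessions.get(presented_id)
        if session is None:
            return None
        if session["expires"] < self._clock():
            del self._sessions[presented_id]
            return None
        return session

    def destroy(self, session_id):
        self._sessions.pop(session_id, None)


def session_cookie(session_id, name="SESSIONID", max_age=SessionStore.TTL_SECONDS):
    """Set-Cookie value: Secure so the cookie only travels over TLS, HttpOnly so
    page scripts cannot read it, SameSite=Lax against cross-site requests."""
    return f"{name}={session_id}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def random_filename(extension, allowed=("png", "jpg", "pdf")):
    """Unguessable storage name from the CSPRNG; the extension is allowlisted
    so the caller cannot smuggle path or type information into the name."""
    if extension not in allowed:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + "." + extension
```

`secrets.token_urlsafe(32)` yields 43 URL-safe characters; the identifier carries no user data, so the only way to reach a session is to hold the identifier the server handed out. The `random` module is not used anywhere here because its generator is predictable from a handful of outputs.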

Slide 11: Error Handling and Logging
- Do not disclose sensitive information in error responses, including system details, session identifiers or account information
- Logging controls should support both success and failure of specified security events
- Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
...
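Two of the three points above, keeping secrets out of error responses and out of logs, can be enforced in code rather than left to each call site. The following is an added example, not code from the guide: a `logging.Filter` that redacts passwords and session identifiers from every record before it is written, plus an exception handler that logs the detail under an incident id and returns only a generic message to the client. The redaction patterns, logger name and cookie names are constructed for illustration.

```python
import logging
import re
import uuid

# Constructed redaction rules: passwords written in key=value form, and session
# identifiers under a few common cookie names. Extend for your own names.
REDACTIONS = [
    (re.compile(r"(?i)(password|passwd|pwd)=([^&\s;]+)"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)(SESSIONID|JSESSIONID|PHPSESSID)=([A-Za-z0-9._~-]+)"),
     r"\1=[REDACTED]"),
]


def redact(text):
    """Apply every redaction rule to a fully formatted log line."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's formatted message before any handler writes it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already rendered; nothing left to format
        return True


def build_logger(stream):
    """Logger writing to the given stream with the redacting filter attached."""
    logger = logging.getLogger("app.security")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def handle_exception(logger, exc):
    """Log the detail server-side under an incident id; hand the client only a
    generic message plus that id so support can correlate the two."""
    incident_id = uuid.uuid4().hex
    logger.error("incident %s: %s: %s", incident_id, type(exc).__name__, exc)
    return 500, {"error": "An internal error occurred.", "incident_id": incident_id}
```

Attaching the filter to the handler rather than to one logger means it also applies to records that arrive through child loggers, and since it rewrites the already formatted message it cannot be bypassed by passing the secret as a format argument.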

Slide 12: Data Protection
- Implement least privilege: restrict users to only the functionality, data and system information that is required to perform their tasks
- Encrypt highly sensitive stored information, like authentication verification data, even on the server side. Always use well-vetted algorithms; see "Cryptographic Practices" for additional guidance
- Disable client-side caching on pages containing sensitive information. "Cache-Control: no-store" may be used in conjunction with the HTTP header control "Pragma: no-cache", which is less effective but is HTTP/1.0 backward compatible
...

Slide 13: Communication Security
- Implement encryption for the transmission of all sensitive information
- TLS certificates should be valid and have the correct domain name, not be expired, and be installed with intermediate certificates when required
- Filter parameters containing sensitive information from the HTTP referer when linking to external sites
...

Slide 14: System Configuration
- Ensure servers, frameworks and system components have all patches issued for the version in use
- Remove all unnecessary functionality and files
- Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is required, utilize a well-vetted authentication mechanism
...

Slide 15: Database Security
- Utilize input validation and output encoding and be sure to address metacharacters. If these fail, do not run the database command
- Connection strings should not be hardcoded within the application. Connection strings should be stored in a separate configuration file on a trusted system, and they should be encrypted
- Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
...
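The first bullet is two rules in one: reject input that fails validation before any statement runs, and make sure metacharacters in accepted input can never change the statement. The following is an added example, not code from the guide, showing both next to the pattern the checklist warns against, using an in-memory SQLite database with constructed rows. The username rule and table layout are assumptions for the example.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")  # constructed allowlist


def open_demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """The pattern the checklist warns against, kept only for contrast:
    untrusted text is spliced into the statement, so SQL metacharacters
    in it are parsed as SQL rather than as data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """Validate first; if validation fails, the command is not run at all.
    The accepted value is then bound as a parameter, so the database driver
    never parses it as part of the statement."""
    if not isinstance(username, str) or USERNAME_RE.fullmatch(username) is None:
        raise ValueError("username failed validation; query not executed")
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()
```

The parameter binding alone would already return no rows for a value containing quotes, because the value is compared literally; the validation step in front of it is what implements "if these fail, do not run the database command", and it also produces a clean rejection the application can log as a security event.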

Slide 16: File Management
- Validate that uploaded files are the expected type by checking file headers. Checking for file type by extension alone is not sufficient
- Ensure application files and resources are read-only
- Scan user-uploaded files for viruses and malware
...
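Checking file headers means reading the leading bytes of the upload and comparing them with the signature of the type the extension claims. The following is an added example, not code from the guide: it accepts an upload only when the extension is on an allowlist and the content's signature agrees with it. The signature table, size limit and accepted extensions are constructed for illustration and cover only a few common formats.

```python
# Leading-byte signatures for the file types this hypothetical upload endpoint
# knows about. Keys are the canonical extension used in the allowlist.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    pass


def detect_type(data):
    """Return the canonical extension whose signature the content starts with."""
    for ext, signatures in SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename, data, allowed=("png", "jpg", "gif")):
    """Accept the upload only if the claimed extension is allowed AND the
    content signature matches that claim. Returns the canonical extension."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Use only the final path component; clients may send full paths.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise UploadRejected("missing extension")
    claimed = base.rsplit(".", 1)[1].lower()
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    if claimed not in allowed:
        raise UploadRejected(f"extension not allowed: {claimed}")
    detected = detect_type(data)
    if detected != claimed:
        raise UploadRejected(
            f"content is {detected or 'unrecognised'}, not {claimed}"
        )
    return claimed
```

Returning the canonical extension lets the caller store the file under a server-chosen name with that extension instead of the client's filename, which removes the original name from the decision entirely. A signature check establishes the container type, not safety of the content, so the third bullet's malware scan still applies after it.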

Slide 17: Memory Management
- Check buffer boundaries if calling the function in a loop and make sure there is no danger of writing past the allocated space
- Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions
- Use non-executable stacks when available
...

Slide 18: General Coding Practices
- Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage
- In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible
- Review all secondary applications, third-party code and libraries to determine business necessity and validate safe functionality, as these can introduce new vulnerabilities
...

Slide 19: Using the guide
- Scenario #1: Developing Guidance Documents
(Diagram labels: Coding Practices; General Security Policies; Application Security Procedures; Application Security Coding Standards; Guiding Principles; What to do; How to do it)

Slide 20: Using the guide (continued)
- Scenario #2: Support Secure Development Lifecycle
(Diagram labels: Application Security Requirements; Secure Development Processes; Standardized Libraries; Standard Guidance for non-Library Solutions; Review Solutions; Test Solution Implementation; stages "What to do", "How you should do it", "What you did", "Did it work"; Coding Practices)

Slide 21: Using the guide (continued)
- Scenario #3: Contracted Development
- Identify security requirements to be added to outsourced software development projects
- Include them in the RFP and Contract
(Diagram labels: RFP; Contract; "Best Software Ever"; Customer: "I need cool Software"; Salesman: "We can build anything"; Programmer: "How do I make it work"; Coding Practices)

Slide 22: A Secure Development Framework
Guidance on implementing a secure software development framework is beyond the scope of the Quick Reference Guide; however, the following OWASP projects can help:
- Implement a secure software development lifecycle: OWASP CLASP Project
- Establish secure coding standards: OWASP Development Guide Project
- Build a re-usable object library: OWASP Enterprise Security API (ESAPI) Project
- Verify the effectiveness of security controls: OWASP Application Security Verification Standard (ASVS) Project
- Establish secure outsourced development practices, including defining security requirements and verification methodologies in both the RFP and contract: OWASP Legal Project

Slide 23: Questions
