4 OWASP AppSecEU09 Poland Do we need another Top 10?
5 OWASP AppSecEU09 Poland Why do we need another Top 10 Owasp Top 10 is great to describe what is wrong with a web application when dynamically tested Stuff like CWE are great to categories vulnerabilities Source code flaws Top 10 was born to: make a pair with classic Owasp Top 10 document give Owasp Code review guide, Owasp Orizon, Owasp Code Crawler a way to summarize flaws in a web application is statically analyzed Categories != Vulnerabilities
6 OWASP AppSecEU09 Poland The Source code flaws top 10 C1 - Design Weakness C2 - Architectural Weakness C3 - Missing input validation C4 - Insecure communications C5 - Information leakage and improper error handling C6 - Direct object reference C7 - Misuse of local resources C8 - Usage of potentially dangerous APIs C9 - Documentation weakness C10 - Best practices violation
7 OWASP AppSecEU09 Poland The SCF Top 10: C1 - Design Weakness Safe coding starts from designing an application with security in mind Safe design starts with a threat modeling activity and continues with designing classes and database schema Can reveal SDLC workflow weakness A design weakness can be detected in early stage of SDLC, prior development starts It addresses how the application is designed
8 OWASP AppSecEU09 Poland The SCF Top 10: C1 - Design Weakness Can be a design weakness missing threat modeling no questionnaire is submitted to customer no extra care is taken for sensitive data stored in a database a class field scope is public two or more main methods are present in different application classes duplicated functionalities are present in application design...
9 OWASP AppSecEU09 Poland The SCF Top 10: C2 - Architectural Weakness With the word architecture we talk about the underlying application server / operating system auxiliary systems such as Mail server, DNS server,... the overall application subsystems and how they are connected Can reveal SDLC workflow weakness An architectural weakness can be detected in early stage of SDLC, prior development starts It addresses how the architecture is built
10 OWASP AppSecEU09 Poland The SCF Top 10: C2 - Architectural Weakness Can be an architectural weakness no hardening guidelines are expected to be applied for operating system, DBMS, mail server,... architecture is designed by the developers themselves...
11 OWASP AppSecEU09 Poland The SCF Top 10: C3 - Missing input validation The category that gather together the first two points of the Owasp Top 10 (Cross site scripting, Injection flaws) There is an input vs output debate Can be a missing input validation when there is not a data filtering policy to be applied when managing user supplied data, then can input filtering is not centralized Most risky vulnerabilities are here
12 OWASP AppSecEU09 Poland The SCF Top 10: C4 - Insecure communications Match the correspondent Classic Top 10 voice to the source code side Doesnt care for invalid certificate, we care how communication APIs are used Easy to spot with a code crawling Can be an insecure communication vulnerability missing cryptography usage usage of weak function such as MD5 or SHA1 missing secure attribute for cookies...
13 OWASP AppSecEU09 Poland The SCF Top 10: C5 - Information leakage and improper error handling Match the correspondent Classic Top 10 voice to the source code side To avoid false positives, a manual code review can be better to spot these vulnerabilities It will be evaluated how in the code are managed: error conditions exceptions log / debug messages database data
14 OWASP AppSecEU09 Poland The SCF Top 10: C5 - Information leakage and improper error handling Can be an info leakage and improper error handling using System.out or System.err in a J2EE application empty catch block not all exceptions are caught method return value is ignored no checks performed over methods parameters (to spot null values)...
15 OWASP AppSecEU09 Poland The SCF Top 10: C6 - Direct object reference Match the correspondent Classic Top 10 voice to the source code side No magic here Easy to spot with a manual review
16 OWASP AppSecEU09 Poland The SCF Top 10: C7 - Misuse of local resources Often code doesnt handle OS resources fairly Resources that can be misused are disk space memory cpu time Can be a misuse of local resources not checking for available disk space prior I/O not freeing your m-allocated() memory spawning too much processes double free()...
17 OWASP AppSecEU09 Poland The SCF Top 10: C8 - Usage of potentially dangerous APIs Ideal to match source code crawling findings Known frameworks, languages potentially dangerous keywords should not to be used Can be detected with a blind code crawl (potentially with some false positives) a code crawl adding inference to the arguments passed to the keyword Should be marked as low critical vulnerability unless manually reviewed
18 OWASP AppSecEU09 Poland The SCF Top 10: C9 - Documentation weakness Yes... were lazy and we love coding instead of writing documentation Look at the Orizon code... I know what I say (is it correct Dinis? :-)) A documentation weakness can be missing documentation in the code, it is easy to spot automatically poor documentation in the code, it is easy to spot with a manual review with the code the developer that wrote it missing or non suitable documentation used in the SDLC...
19 OWASP AppSecEU09 Poland The SCF Top 10: C10 - Best practices violation The garbage collector vulnerability category All the issues not included in other 9 categories falls here It addresses missing or violated best practices normally applied to source code or to SDLC process
20 OWASP AppSecEU09 Poland Some key values before we leave... Venerable Owasp Top 10 doesnt fit very well code review findings This Top 10 can be a glue between Code Review and Testing guide We dont want to enumerate checks to be done keywords to avoid these are already there in the Testing and Code review guide Just flaws categories
21 OWASP AppSecEU09 Poland Before we leave Thanks to OWASP the Italian chapter and its board the mailing list gang my Mom my Wife
22 OWASP AppSecEU09 Poland Some link Owasp Source Code Flaws Top 10 link Homepage: http://www.owasp.org/index.php/OWASP_Source_Co de_Flaws_Top_10_Project_Index http://www.owasp.org/index.php/OWASP_Source_Co de_Flaws_Top_10_Project_Index