Download presentation
Presentation is loading. Please wait.
1
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com Establishing an Enterprise Security API to Reduce Application Security Costs Jeff Williams Aspect CEO and Founder Volunteer Chair of OWASP jeff.williams@aspectsecurity.com 410-707-1487
2
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 2 The Problem… Java Logging BouncyCastle Spring Log4j Jasypt JCE JAAS Cryptix HDIV xml-dsig xml-enc Many More ACEGI Commons Validator Commons Validator Struts Reform Anti-XSS Stinger Standard Control Java Pattern Java URL Encoder Java URL Encoder Write Custom Code
3
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 3 Vulnerability Theory Vector Vulnerability Asset Technical ImpactBusiness ImpactVulnerabilityVectorThreat Agent Vulnerability Business Impact Business Impact Function Asset Business Impact Control Missing Control A risk is a path from threat agent to business impact
4
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 4 More Vulnerability Theory Every vulnerability stems from…. Missing control ) Lack of encryption ) Failure to perform access control Broken control ) Weak hash algorithm ) Fail open Ignored Control ) Failure to use encryption ) Forgot to use output encoding
5
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 5 Time to Stamp Out Homegrown Controls Security controls are very difficult to get right ) Requires extensive understanding of attacks One was built with stuff “Larry” had lying around!
6
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 6 Imagine an Enterprise Security API All the security controls a developer needs Standard Centralized Organized Integrated High Quality Intuitive Tested Solves the problems of missing and broken controls
7
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 7 Ignored Controls Not solved but we can make it far simpler… ) Coding Guidelines ) Static Analysis ) Developer Training ) Unit Testing ) Etc…
8
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 8 Enterprise Security API 8 Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries
9
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 9 Validation, Encoding, and Injection Controller User Interface Business Functions Web Service Database Mainframe File System User Data Layer Etc… Set Character Set Encode For HTML Any Encoding Global Validate Any Interpreter Canonicalize Specific Validate Sanitize Canonicalize Validate
10
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 10 Handling Validation, and Encoding Backend ControllerBusiness Functions User Data Layer Validator Encoder encodeForURL encodeForJavaScript encodeForVBScript encodeForDN encodeForHTML encodeForHTMLAttribute encodeForLDAP encodeForSQL encodeForXML encodeForXMLAttribute encodeForXPath isValidDirectoryPath isValidCreditCard isValidDataFromBrowser isValidListItem isValidFileContent isValidFileName isValidHTTPRequest isValidRedirectLocation isValidSafeHTML isValidPrintable safeReadLine Canonicalization Double Encoding Protection Normalization Sanitization
11
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 11 Handling Authentication and Users Backend ControllerBusiness Functions User Data Layer ESAPI Access Control Logging Intrusion Detection Authentication Users Strong Passwords Random Tokens CSRF Tokens Lockout Remember Me Screen Name Roles Timeout
12
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 12 Handling Access Control Controller User Interface Business Functions Web Service Database Mainframe File System User Data Layer Etc… isAuthorizedForURL isAuthorizedForFunction isAuthorizedForService isAuthorizedForData isAuthorizedForFile
13
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 13 Handling Direct Object References Access Reference Map Web Service Database Mainframe File System User Etc… http://app?file=7d3J93 Report123.xls Direct ReferencesIndirect References http://app?id=1 Acct:9182374 http://app?id=9182374
14
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 14 Handling Sensitive Information Backend ControllerBusiness Functions User Data Layer Encrypted Properties Encryptor Encryption Digital Signatures Integrity Seals Strong GUID Random Tokens Timestamp Salted Hash Safe Config Details
15
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 15 Handling Exceptions, Logging, and Detection Intrusion Detector Enterprise Security Exceptions Logger Log Intrusion Logout User Disable Account AccessControlException AuthenticationException AvailabilityException EncodingException EncryptionException ExecutorException IntegrityException IntrusionException ValidationException User Message (no detail) Log Message (w/Identity) Configurable Thresholds Responses Backend ControllerBusiness Functions User Data Layer
16
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 16 Handling HTTP Backend ControllerBusiness Functions User Data Layer HTTP Utilities Add Safe Cookie No Cache Headers CSRF Tokens Safe Request Logging Encrypt State in Cookie Add Safe Header Querystring Encryption Change SessionID isSecureChannel sendSafeRedirect sendSafeForward Safe File Uploads Set Content Type Kill Cookie Hidden Field Encryption
17
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 17 Handling Application Security Configuration Select crypto algorithms Select encoding algorithms Define sets of characters Define global validation rules Select logging preferences Establish intrusion detection thresholds and actions Etc… Backend ControllerBusiness Functions User Data Layer ESAPI Configuration ESAPI
18
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 18 Coverage OWASP Top Ten A1. Cross Site Scripting (XSS)A2. Injection FlawsA3. Malicious File ExecutionA4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error HandlingA7. Broken Authentication and SessionsA8. Insecure Cryptographic StorageA9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, EncoderEncoderHTTPUtilities (Safe Upload)AccessReferenceMap, AccessController User (CSRF Token) EnterpriseSecurityException, HTTPUtilsAuthenticator, User, HTTPUtilsEncryptorHTTPUtilities (Secure Cookie, Channel) AccessController
19
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 19 Frameworks and ESAPI Frameworks already have some security ) Controls are frequently missing, incomplete, or wrong ESAPI is NOT a framework ) Just a collection of security building blocks, not “lock in” ) Designed to help retrofit existing applications with security ESAPI Framework Integration Project ) We’ll share best practices for integrating ) Hopefully, framework teams like Struts adopt ESAPI
20
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 20 Potential Enterprise Cost Savings Application Security Program ) AppSec Training ) Secure Development Lifecycle ) AppSec Guidance and Standards ) AppSec Inventory and Metrics Assumptions ) 1000 applications, many technologies, some outsourcing ) 300 developers, 10 training classes a year ) 50 new application projects per year ) Small application security team ) 50 reviews per year
21
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 21 Small Project Costs to Handle XSS Cost AreaTypicalWith Standard XSS Control XSS Training1 days2 hours XSS Requirements2 days1 hour XSS Design (Threat Model, Arch Review) 2.5 days1 hour XSS Implementation (Build and Use Controls) 7 days16 hours XSS Verification (Scan, Code Review, Pen Test) 3 days12 hours XSS Remediation3 days4.5 hours Totals18.5 days4.5 days
22
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 22 Potential Enterprise ESAPI Cost Savings Cost AreaTypicalWith ESAPI AppSec Training (semiannual)$270K$135K AppSec Requirements250 days ($150K)50 days ($30K) AppSec Design (Threat Model, Arch Review) 500 days ($300K)250 days ($150K) AppSec Implementation (Build and Use Controls) 1500 days ($900K)500 days ($300K) AppSec Verification (Scan, Code Review, Pen Test) 500 days ($300K)250 days ($150K) AppSec Remediation500 days ($300K)150 days ($90K) AppSec Standards and Guidelines 100 days ($60K)20 days ($12K) AppSec Inventory, Metrics, and Management 250 days ($150K)200 days ($120K) Totals$2.43M$1.00M
23
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 23 OWASP Project Status
24
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 24 Source Code and Javadoc Online Now! http://code.google.com/p/owasp-esapi-java
25
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 25 Banned Java APIs System.out.println() -> Logger.* Throwable.printStackTrace() -> Logger.* Runtime.exec() -> Executor.safeExec() Reader.readLine() -> Validator.safeReadLine() Session.getId() -> Randomizer.getRandomString() (better not to use at all) ServletRequest.getUserPrincipal() -> Authenticator.getCurrentUser() ServletRequest.isUserInRole() -> AccessController.isAuthorized*() Session.invalidate() -> Authenticator.logout() Math.Random.* -> Randomizer.* File.createTempFile() -> Randomizer.getRandomFilename() ServletResponse.setContentType() -> HTTPUtilities.setContentType() ServletResponse.sendRedirect() -> HTTPUtilities.sendSafeRedirect() RequestDispatcher.forward() -> HTTPUtilities.sendSafeForward() ServletResponse.addHeader() -> HTTPUtilities.addSafeHeader() ServletResponse.addCookie() -> HTTPUtilities.addSafeCookie() ServletRequest.isSecure() -> HTTPUtilties.isSecureChannel() Properties.* -> EncryptedProperties.* ServletContext.log() -> Logger.* java.security and javax.crypto -> Encryptor.* java.net.URLEncoder/Decoder -> Encoder.encodeForURL/decodeForURL java.sql.Statement.execute -> PreparedStatement.execute ServletResponse.encodeURL -> HTTPUtilities.safeEncodeURL (better not to use at all) ServletResponse.encodeRedirectURL -> HTTPUtilities.safeEncodeRedirectURL (better not to use at all)
26
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 26 About Aspect Security Exclusive focus on Application Security since 2002 Key contributors to OWASP and authors of OWASP Top Ten Application security champions in FISMA and SSE-CMM Specialists in Application Security Millions of lines of code verified per month Java, JSP, C/C++, C#, ASP, VB.NET, ABAP, PHP, CFMX, Perl… Platforms – J2EE,.NET, SAP, Oracle, PeopleSoft, Struts, … Assurance Services for Critical Applications Proven application security initiatives Integrate key security activities into existing software teams Framework and tool tailoring for producing secure code Acceleration Services for Software, Security, and Management Teams Over 180 course offerings per year Secure coding for developers (hands-on, language-specific) Leaders and managers, testers, architects, threat modeling Application Security Education and Training Curriculum
27
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 27 Questions and Answers
28
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 28 Extra Slides
29
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 29 Rich Data == Code 29 Tove Jani Reminder Don't forget me this weekend! Tove Jani Reminder Don't forget me this weekend! {"text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }} {"text": { "data": "Click Here", "size": 36, "style": "bold", "name": "text1", "hOffset": 250, "vOffset": 100, "alignment": "center", "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" } }}
30
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 30 Browser Same Origin Policy investorsblog.net XHR document, cookies TAG JS www.mybank.com
31
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 31 Operating System Javascript Engine Browser == Operating System Javascript Engine Java Engine Flash Engine Quicktime Engine Acrobat Reader Acrobat Reader Silverlight, etc…
32
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 32 DOM Checker IE 7.0.6… latest patches (remote)Firefox 2.0.0.12 latest patches (remote) http://code.google.com/p/dom-checker/
33
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 33 Network == Computer Storage Services CPU, Identities, and Access loop through top 100 banks { use local credentials to attempt access to bank if access allowed { pull list of attacks from storage attack 1: use checking service to steal $99 attack 2: post this comment to a blog... } Internet API
34
) Copyright © 2008 – Aspect Security – www.aspectsecurity.com 34 Potential Enterprise ESAPI Cost Savings
Similar presentations
