
Slide 1
The Owasp Orizon Project: bring the security at the source
Paolo Perego - thesp0nge, Owasp Orizon Leader, thesp0nge@owasp.org
OWASP Italy, http://www.owasp.org
17-20 October 2007
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Slide 2 (OWASP Italy SMAU eAcademy 2007, Milano, 17-20 October)
Agenda
- Introduction
- Web application vulnerabilities
- The Owasp Orizon Project

Slide 3
$ whoami
- Security Consultant @ Spike Reply Srl
  - penetration testing
  - secure application building
  - code review & source code assessment
- Owasp Orizon Project leader
- ikea fellow

Slide 4
Kickoff
Implementing a safe coding practice that involves code review and the like is:
- time consuming
- expensive
- something requiring high-level skills
- something that changes my internal SDLC
Why do I need it?

Slide 5
Web application vulnerabilities
- Security is not a concern in application development
- A lot of effort is spent evaluating performance instead of the risk of security incidents
- The number of web applications affected by vulnerabilities is growing

Slide 6
Web application vulnerabilities
- Multiple reasons:
  - missing skills in safe coding practices
  - missing awareness of the risks that come with a web application
  - "People are not interested in attacking my apps"
- One outcome: applications are cracked and the business is exposed to a breach

Slide 7
Web application vulnerabilities
- Users must not be trusted
- Coding defensively is not a crime
- Use community resources
  - code snippets
  - third party libraries
- Building a hardened application is a return on investment

Slide 8
Web application vulnerabilities
- User input is neither validated nor sanitized
  - cross site scripting, injection flaws, cross site request forgery
- No attention paid to errors & friends
  - improper error handling
  - unsafe log messages, unsafe storage
- Environment is not hardened
  - hidden URLs can be revealed just by requesting them
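Two of the mistakes listed on this slide, reflected cross site scripting and unsafe log messages, each beside its hardened form. This is an added example, not code from the slides or from the Orizon project; it is plain Java so it runs without a servlet container, and the class and method names are assumptions. The hostile inputs in main() are constructed samples.

```java
/**
 * Added example (not from the slides): unsanitized input reaching HTML and
 * reaching a log line, and the hardened form of each. Names are assumptions.
 */
public class InputHandlingExample {

    // VULNERABLE: user input is concatenated straight into HTML, so an input
    // such as "/><script>alert('xss');</script>" becomes live markup.
    static String greetUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // HARDENED: encode for the HTML body context before concatenating.
    // These five characters are the ones that can change HTML structure.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String greetSafe(String name) {
        return "<p>Hello, " + htmlEscape(name) + "</p>";
    }

    // VULNERABLE: an "unsafe log message". A CR/LF inside the user name lets
    // the attacker append a second, forged log line (log injection).
    static String loginFailedUnsafe(String user) {
        return "login failed for user=" + user;
    }

    // HARDENED: replace control characters so one event stays on one line.
    static String loginFailedSafe(String user) {
        String cleaned = user.replaceAll("[\\r\\n\\t\\p{Cntrl}]", "_");
        return "login failed for user=" + cleaned;
    }

    public static void main(String[] args) {
        // constructed hostile inputs
        String xss = "/><script>alert('xss');</script>";
        System.out.println(greetUnsafe(xss));
        System.out.println(greetSafe(xss));

        String forged = "bob\nlogin succeeded for user=admin";
        System.out.println(loginFailedUnsafe(forged));
        System.out.println(loginFailedSafe(forged));
    }
}
```

Injection flaws in SQL follow the same pattern with a different sink: the hardened form there is a parameterized query (PreparedStatement) rather than output encoding, since the fix must match the interpreter that consumes the data.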

Slide 9
Web application: how can I write a secure one?
- Design a good model with strong interaction between modules (architectural stage)
  - "divide et impera" and KISS approaches put together
  - choose safe protocols for your software modules to interact over
- Implement your code with security in mind
  - use safe coding best practices
  - use third party libraries
  - perform security code review over your code

Slide 10
Web application: how can I write a secure one?
- Test your code
  - perform a dynamic code review
  - perform ethical hacking over your application
- Use lightweight development lifecycles
  - the longer you write code in a single coding session, the higher the probability of making mistakes
  - use short development sessions, with tests and peer reviews between them

Slide 11
The Owasp Orizon Project
- Started on 2nd October 2006
- Introduced last year as a proof of concept, here at eAcademy 2006
- one year ago...
  - Orizon was able to check just a very simple class
  - there were just two very basic security checks
  - there were no logging facilities
  - there were no reporting facilities
  - there was no usable API

Slide 12
The Owasp Orizon Project
- today...
  - close to 500 downloads
  - close to 130 just for the latest 0.40 family version
  - both static and dynamic code review are implemented
  - 12 security checks
  - flexible reporting APIs
  - usable APIs (Milk project)

Slide 13
The Owasp Orizon Project: what is it?
- A security source code assessment engine
- Provides APIs to do static code review
  - checks how the code has been written
  - the source is checked without being executed
- Provides APIs to do dynamic code review
  - checks how the code behaves against known attack patterns
  - the source is checked without being read; it is executed instead

Slide 14
The Owasp Orizon Project
- Independent from the language used in the source file being checked
- The source file is translated to XML and the security checks are then applied to it
- Adding support for another language means writing a translator from that source file format to XML
  - create a class that extends org.owasp.orizon.xml.Translator
- A Java to XML translator is included in Orizon (it uses the Java compiler APIs introduced in Java SE 6)

    // java 2 xml translation: translate only when the XML is missing or stale
    Java2XML j2xml = new Java2XML(fileName);
    if (j2xml.mustTranslate()) {
        if (!j2xml.translate()) {
            log.error(fileName + ": translation failed");
            System.exit(-1);
        }
        log.info(j2xml.getOutputFilename() + " created");
    } else
        log.info("XML file is up to date, translation is not needed. Good!");

Slide 15
The Owasp Orizon Project
- The core is the Source class, located in the org.owasp.orizon.core package
- A Source object is instantiated with the filename of the XML file being checked as parameter
- The first method an application must call is read()
  - the XML file is parsed
  - the object's internal fields are populated with the source code information

    // xml file reading
    Source s = new Source(j2xml.getOutputFilename());
    s.read();

Slide 16
The Owasp Orizon Project: the checks
- Security checks are written in XML
- The root tag is called check...
- A check is a best practice, so if it fails your code needs to be fixed
- Check bodies are Base64-encoded when they would break the XML format

(only the opening tag of each check is shown on the slide)

    <check id="O_CV_2" severity="error" impact="high" description="Avoid your class for being clonable">

    <check id="O_XSS_1" severity="error" impact="high" description="sanitize your input">

Slide 17
The Owasp Orizon Project: the checks
- A Check is handled by a class in the org.owasp.orizon.library package
- Just a bunch of getter and setter methods to fill the check properties
- If needed, the check body can be encoded with org.owasp.orizon.utils.Base64Encoder
- A public toXML() method translates the check into an XML row

    // design check: the class must contain a final method named clone
    c = new Check("class_contains");
    c.setId("O_CV_2");
    c.setImpact("high");
    c.setSeverity("error");
    c.setDescription("Avoid your class for being clonable");
    c.addAttribute("name", "clone");
    c.addAttribute("scope", "final");
    // r is a Recipe object
    r.addCheck(c.toXML());

    // xss check: the attack pattern contains markup, so it is Base64-encoded
    c = new Check("xss");
    c.setId("O_XSS_1");
    c.setImpact("high");
    c.setSeverity("error");
    c.setDescription("sanitize your input");
    c.addAttribute("pattern", Base64Coder.encodeString("/><script>alert('xss');</script>"));
    r.addCheck(c.toXML());
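What the O_CV_2 check above (class_contains, name="clone", scope="final") is looking for, and why it matters: Object.clone() is protected, so even a class that never implements Cloneable can be cloned by a subclass, which produces a new instance without running any constructor. A final clone() that throws closes that door. This is an added example, not code from the slides or from Orizon; the class and method names are assumptions.

```java
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not from the slides): a class that fails O_CV_2 beside one
 * that passes it. Class and method names are assumptions.
 */
public class CloneCheckExample {

    // FAILS O_CV_2: no final clone(). Weak never opts into Cloneable, but
    // Object.clone() is protected, so a subclass can still reach it.
    static class Weak {
        static final AtomicInteger created = new AtomicInteger();
        final String secret;
        Weak(String secret) {
            if (secret == null) throw new IllegalArgumentException("secret required");
            created.incrementAndGet();   // every legitimate instance is counted here
            this.secret = secret;
        }
    }

    // Attacker-controlled subclass: makes Weak cloneable after the fact.
    static class WeakAttacker extends Weak implements Cloneable {
        WeakAttacker(String s) { super(s); }
        Object copy() throws CloneNotSupportedException {
            return super.clone();   // field-by-field copy; no constructor runs
        }
    }

    // PASSES O_CV_2: the class contains a clone() with scope final.
    static class Hardened {
        static final AtomicInteger created = new AtomicInteger();
        final String secret;
        Hardened(String secret) {
            if (secret == null) throw new IllegalArgumentException("secret required");
            created.incrementAndGet();
            this.secret = secret;
        }
        // A subclass cannot override this, and any super.clone() call resolves to it.
        @Override
        public final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException();
        }
    }

    static class HardenedAttacker extends Hardened implements Cloneable {
        HardenedAttacker(String s) { super(s); }
        Object copy() throws CloneNotSupportedException {
            return super.clone();   // reaches Hardened.clone(), which throws
        }
    }

    public static void main(String[] args) throws Exception {
        WeakAttacker w = new WeakAttacker("s3cr3t");
        Weak copy = (Weak) w.copy();
        System.out.println("Weak: constructor ran " + Weak.created.get()
            + " time(s), distinct objects in hand: " + (copy != w ? 2 : 1));

        HardenedAttacker h = new HardenedAttacker("s3cr3t");
        try {
            h.copy();
            System.out.println("Hardened: clone succeeded (unexpected)");
        } catch (CloneNotSupportedException e) {
            System.out.println("Hardened: clone refused, constructor ran "
                + Hardened.created.get() + " time(s)");
        }
    }
}
```

The same reasoning is behind the other methods a design recipe would flag: any overridable hook that creates or restores an instance outside the constructor (clone, deserialization read hooks, finalize) is a place where an attacker can bypass the checks the constructor enforces.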

Slide 18
The Owasp Orizon Project: the recipes
- A recipe is an XML file with one or more Checks
- A Recipe is handled by a class in the org.owasp.orizon.library package
- Some getter and setter methods to handle the properties
- public boolean read(): reads the XML file, storing the recipe properties and all the checks it contains in internal fields
- public boolean write(): writes the XML recipe with all the checks included

    r = new Recipe("design_violation.xml", false);
    r.setFamily("Code design");
    r.setCactus(true);
    r.setDawn(false);   // dawn is the dynamic engine; this design recipe is for static review only
    r.setDescription("Some methods can be used by an attacker to overrun class behaviour.");
    r.setName("Ensure a class overrides potentially dangerous methods");
    r.setLanguage(OrizonCons.language("java"));
    ...
    r.addCheck(c.toXML());
    ...
    if (!r.write()) {
        log.error("can't write recipe: design_violation.xml");
        return false;
    }
    log.info("recipe design_violation.xml written successfully");

Slide 19
The Owasp Orizon Project: the library
- A library is a ZIP file containing one or more recipes
- It provides the classic methods for managing a collection of things
  - add()
  - delete()
  - find()
  - list()
  - create()
  - get()

Slide 20
The Owasp Orizon Project: the jericho engine
- The library is opened and the recipes are extracted to disk
- The Source object's apply() method is invoked with the recipe as parameter
- A Report object is returned to the calling program to present the results in a fancy way
- The extracted recipe is deleted from disk

    // loop over all recipes contained in the library
    for (int count = 0; count < recipeCount; count++) {
        String rName = dl.getRecipeName(count);
        if (!dl.extract(rName)) {
            log.error("can't extract " + rName);
            System.exit(-1);
        }
        r = new Recipe(rName);
        org.owasp.orizon.report.Report report = s.apply(r);
        if (report != null) {
            PlainFormatter p = new PlainFormatter();
            report.report(p);
        }
        r.dispose();   // removes the extracted recipe from disk
    } // for (int count = 0; count < recipeCount; count++)
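The three steps shown on slides 14, 15 and 20 (translate, read, apply each recipe) wired into one command-line program. This is an added example, not Orizon's own code. Beyond the calls the slides show, it assumes a Library class in org.owasp.orizon.library with a constructor taking the ZIP path (the slides use an object named dl without naming its class), that PlainFormatter lives in org.owasp.orizon.report, and that the recipes to apply are named on the command line (the slides loop over an unexplained recipeCount). Logging goes to standard streams instead of the slides' unnamed log object.

```java
import org.owasp.orizon.core.Source;
import org.owasp.orizon.library.Library;        // ASSUMED class name (slides show only an object "dl")
import org.owasp.orizon.library.Recipe;
import org.owasp.orizon.report.PlainFormatter;  // ASSUMED package (slides show only the simple name)
import org.owasp.orizon.report.Report;
import org.owasp.orizon.xml.Java2XML;

/**
 * Added example, not Orizon's own code: a complete static review driver.
 *
 * Usage: java OrizonStaticReview Foo.java library.zip design_violation.xml [more recipes...]
 */
public class OrizonStaticReview {

    public static void main(String[] args) {
        if (args.length < 3) {
            System.err.println("usage: OrizonStaticReview <source.java> <library.zip> <recipe.xml>...");
            System.exit(2);
        }
        String fileName = args[0];
        String libraryPath = args[1];

        // 1. Source -> XML. The translation is skipped when the XML is already up to date.
        Java2XML j2xml = new Java2XML(fileName);
        if (j2xml.mustTranslate() && !j2xml.translate()) {
            System.err.println(fileName + ": translation failed");
            System.exit(1);
        }

        // 2. Parse the XML into the engine's Source model.
        Source s = new Source(j2xml.getOutputFilename());
        s.read();

        // 3. For each named recipe: extract it from the ZIP, apply it, report, clean up.
        Library dl = new Library(libraryPath);   // ASSUMED constructor
        int applied = 0;
        for (int i = 2; i < args.length; i++) {
            String rName = args[i];
            if (!dl.extract(rName)) {
                System.err.println("can't extract " + rName + " from " + libraryPath);
                continue;   // one bad recipe should not abort the whole review
            }
            Recipe r = new Recipe(rName);
            try {
                Report report = s.apply(r);
                if (report == null) {
                    System.err.println(rName + ": engine returned no report");
                } else {
                    System.out.println("== " + rName + " ==");
                    report.report(new PlainFormatter());
                    applied++;
                }
            } finally {
                r.dispose();   // always remove the extracted recipe file, even if apply() threw
            }
        }
        System.out.println(applied + " recipe(s) applied to " + fileName);
    }
}
```

The try/finally around dispose() is the one deliberate departure from the slide's loop: a recipe extracted to the working directory is a file an attacker-controlled source tree could otherwise read or tamper with on the next run, so it should never be left behind on an error path.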

Slide 21
The Owasp Orizon Project: the jericho engine
Demo

Slide 22
The Owasp Orizon Project: the jericho engine
- The APIs for static code review are 80% mature, as listed in the roadmap to Orizon 1.0
- Next actions are:
  - improve the translation engine dictionary to handle all possible instructions
  - create new translators for popular languages such as C#, ASP.NET and others
  - refactor the engine namespace

Slide 23
The Owasp Orizon Project: the dawn engine
- For the developer, almost the same as the static code review approach
- The dawn() method is called instead
- The dawn() parameters are the recipe to apply and the working directory in which to create the helpers
- A helper is created for each method in the source file being checked
- The helper is a Java program that invokes the method, passing its own command line as the argument

Slide 24
The Owasp Orizon Project: the dawn engine
- The helper is executed passing attack patterns as arguments
- The helper output is collected and examined to understand how the method reacts to the attack pattern
- Dynamic code review is concerned with:
  - cross site scripting attacks
  - sql injection attacks
  - unexpected inputs such as null values, empty strings, negative integers, ...
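What one dawn-style helper does, shown on a constructed sample method so it runs stand-alone. This is an added illustration of the approach described on slides 23 and 24, not code generated by Orizon: the engine emits one helper per method of the file under review, while this one is hand-written around a single method. Run with two arguments it behaves as a helper (one invocation, result on stdout); run with none it performs the sweep the engine would drive, one verdict per (parameter, pattern). The class, method and verdict names are assumptions.

```java
/**
 * Added illustration, not Orizon's generated code: a dynamic-review helper.
 *
 * Helper mode: java DawnHelperExample "<displayName>" "<ageText>"
 * Sweep mode:  java DawnHelperExample
 */
public class DawnHelperExample {

    // Constructed method under test: deliberately careless, the kind of code a review should catch.
    static String buildProfileRow(String displayName, String ageText) {
        int age = Integer.parseInt(ageText);   // NumberFormatException on junk, null and overflow
        return "<td>" + displayName + "</td><td>" + age + "</td>";
    }

    // Attack patterns for the three families the slide lists (constructed samples).
    static final String[] PATTERNS = {
        "/><script>alert('xss');</script>",    // cross site scripting
        "' OR '1'='1",                         // sql injection
        "",                                    // empty string
        null,                                  // null value
        "-1",                                  // negative integer
        "99999999999",                         // integer that does not fit in an int
    };

    // Benign values used for every parameter that is not currently under attack.
    static final String[] BENIGN = { "alice", "30" };

    // Invoke the method with the pattern in one parameter position and benign values elsewhere.
    static String probe(int argIndex, String pattern) {
        String[] argv = BENIGN.clone();
        argv[argIndex] = pattern;
        try {
            String out = buildProfileRow(argv[0], argv[1]);
            // Input echoed verbatim into the output markup: nothing sanitized it (XSS/SQLi candidate).
            if (pattern != null && !pattern.isEmpty() && out.contains(pattern)) {
                return "REFLECTED";
            }
            return "OK";
        } catch (RuntimeException e) {
            // Unhandled exception on hostile input: the "improper error handling" finding.
            return "EXCEPTION " + e.getClass().getSimpleName();
        }
    }

    static String show(String p) {
        return p == null ? "<null>" : p.isEmpty() ? "<empty>" : p;
    }

    public static void main(String[] args) {
        if (args.length == 2) {
            // Helper mode: the engine passes one pattern set on the command line and reads stdout.
            try {
                System.out.println(buildProfileRow(args[0], args[1]));
            } catch (RuntimeException e) {
                System.out.println("EXCEPTION " + e);
            }
            return;
        }
        // Sweep mode: the driver side, one verdict per (parameter, pattern).
        for (int arg = 0; arg < BENIGN.length; arg++) {
            for (String p : PATTERNS) {
                System.out.printf("arg%d %-36s %s%n", arg, show(p), probe(arg, p));
            }
        }
    }
}
```

The sweep shows why the three families are checked separately: for the first parameter every string pattern comes back REFLECTED (the method writes it into markup untouched), while for the second the markup and SQL patterns, the empty string, null and the oversized value all end in an unhandled NumberFormatException, and "-1" is silently accepted. A null in the first parameter is also worth a look: it is coerced to the text "null" rather than rejected.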

Slide 25
The Owasp Orizon Project: the dawn engine
Demo

Slide 26
The Owasp Orizon Project: the dawn engine
- The APIs for dynamic code review are 35% mature, as listed in the roadmap to Orizon 1.0
- Next actions are:
  - improve helper creation
    - source file methods need a more general handling routine
  - improving the documentation is a must

Slide 27
The Owasp Orizon Project: the reporting API
- org.owasp.orizon.report package
- A Report is returned to the calling program with the security checks that failed
- Formatters are provided to take a Report and print it out as:
  - plain text
  - file
  - XML + XSL
- Next action is to increase the number of report output formats

Slide 28
The Owasp Orizon Project: the roadmap

October 2007, Orizon v0.50:
- static code review APIs will be completed
- 10 security checks will be added to the default library
- a dynamic code review PoC will be included for the Smau eAcademy 2007 speech

December 2007, Orizon v0.60:
- the default library will be full of the planned 30 security checks
- the dawn engine will be able to fully generate helper programs
- XML reporting will be complete

March 2008, Orizon v0.80:
- the dawn engine will be complete, with class interaction support
- reports will be available in the following formats: plain text, XML+XSL, HTML, LaTeX
- C# support will be started

June 2008, Orizon v0.99:
- C# will be supported
- APIs freeze
- source code review and cleanup
- documentation review

July 2008, Orizon v1.0rc1:
- bug fixes
- source code review and cleanup
- documentation review

September 2008, Orizon v1.0rc2:
- bug fixes
- source code review and cleanup
- documentation review

2nd October 2008, Orizon v1.0:
- 2nd birthday party and final 1.0 release

Slide 29
The Owasp Orizon Project: links & contact
- Orizon site: http://orizon.sourceforge.net
- Orizon blog: http://blogs.owasp.org/orizon
- Orizon page @ Owasp: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
- Milk site: http://milk.sourceforge.net
- complaints, opinions, bug reports and beer can be sent to: thesp0nge_at_owasp_dot_org

Slide 30
The Owasp Orizon Project
Q&A

