Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP AppSec DC 2009
Don't Write Security Code! (The OWASP Enterprise Security API)
Jeff Williams, Aspect Security CEO, OWASP Foundation Chair
November 12, 2009

Reality Check
Industries: Financial, Government, Technology, Banking, Healthcare, Insurance, Publishing, Retail, Utilities, Education
Applications average 20 serious vulnerabilities; 90% of applications are vulnerable.

OWASP ESAPI Project Charter
To ensure that strong, simple security controls are available to every developer in every environment.

Before / After (diagram)

Enterprise Security API (architecture diagram)
Components shown: Custom Application, Application Framework, Enterprise Security API (ESAPI Core, ESAPI Adapters), Enterprise Security Services (LDAP, DB, Web Services, etc.), Platform.

2008 ESAPI Summit: Participants
The ESAPI Summit sparked innovation for version 2.0:
 Logging
 Access Control
 Input Validation
 Maven
 Internationalization
 ESAPI WAF!!

Project Scorecard
 Authentication
 Identity
 Access Control **
 Input Validation **
 Output Escaping
 Canonicalization
 Encryption
 Random Numbers
 Exception Handling
 Logging
 Intrusion Detection
 Security Configuration
 WAF

Select ESAPI Early Adopters
(logos) ... and many unnamed financial orgs.

Better Input Validation

    // validate request against developer-defined patterns; a type name such
    // as "UserName" is resolved to the regex Validator.UserName in ESAPI.properties
    ValidationErrorList errorList = new ValidationErrorList();
    String name = ESAPI.validator().getValidInput(
        "Name", form.getName(), "UserName", 255, false, errorList);
    Integer weight = ESAPI.validator().getValidInteger(
        "UserWeight", form.getWeight(), 1, 10000, false, errorList);
    // with an errorList argument, failures are collected instead of thrown,
    // so every bad field can be reported at once
    request.setAttribute("VERROR", errorList);
    ...
    // later: get the validation errors and update the web page
    ValidationErrorList errors =
        (ValidationErrorList) request.getAttribute("VERROR");
    // update page

Escaping Gone Wild
Every one of these is "<" to some decoder:

Percent Encoding: %3c %3C
HTML Entity Encoding, decimal (with or without the trailing semicolon): &#60 &#060 &#0060 &#00060
HTML Entity Encoding, hex (x or X, upper- or lowercase digits, with or without the semicolon): &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c; &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C; &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
HTML Named Entity (case variants, with or without the semicolon): &lt &lT &Lt &LT; &lt; &lT; &Lt; &LT;
JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
US-ASCII: ¼ (0xBC; stripping the high bit leaves 0x3C)
UTF-7: +ADw-
Punycode
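The practical consequence of the two slides above (validate against developer-defined patterns, and remember that dozens of encodings collapse to the same character) is: canonicalize first, then validate against an allow-list, and treat double or mixed encoding as an attack rather than as data. The following is an added example, not ESAPI code: a stand-alone Python re-implementation of the idea behind ESAPI's strict Encoder.canonicalize() followed by Validator.getValidInput() with a ValidationErrorList. It decodes percent, HTML entity (decimal, hex, named, case variants, optional semicolon), JavaScript and CSS escapes, rejects overlong UTF-8 instead of decoding it, and leaves UTF-7, US-ASCII high-bit stripping and Punycode out of scope. The "UserName" pattern and the IntrusionException/ValidationException names are this example's own assumptions.

```python
"""Canonicalize-then-validate. Added example; not ESAPI code."""
import re
import urllib.parse


class IntrusionException(Exception):
    """Input shows multiple or mixed encoding: treat as an attack, not data."""


class ValidationException(Exception):
    """Input is not a valid instance of the requested type."""


_PERCENT = re.compile(r"%[0-9a-fA-F]{2}")
_HTML_ENTITY = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?")
# \xHH, \uHHHH (and \X, \U, which some decoders accept) plus a backslash before
# any non-alphanumeric. \3c is deliberately left for the CSS decoder.
_JS_ESCAPE = re.compile(r"\\(?:[xX]([0-9a-fA-F]{2})|[uU]([0-9a-fA-F]{4})|([^0-9a-zA-Z]))")
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def _chr_or_keep(cp, original):
    return chr(cp) if cp < 0x110000 else original


def _reject_overlong_utf8(raw):
    """Overlong forms (%c0%bc ... %fc%80%80%80%80%bc for '<') are never valid UTF-8;
    a lenient decoder that accepts them is how they slip past filters."""
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if b in (0xC0, 0xC1) or b >= 0xF5:
            raise IntrusionException("overlong or invalid UTF-8 lead byte 0x%02X" % b)
        if (b == 0xE0 and nxt is not None and nxt < 0xA0) or \
           (b == 0xF0 and nxt is not None and nxt < 0x90):
            raise IntrusionException("overlong multi-byte UTF-8 sequence")


def _decode_percent(s):
    if not _PERCENT.search(s):
        return s, False
    raw = urllib.parse.unquote_to_bytes(s)
    _reject_overlong_utf8(raw)
    return raw.decode("utf-8", errors="replace"), True


def _decode_html(s):
    def repl(m):
        body = m.group(1)
        if body[0] == "#":
            cp = int(body[2:], 16) if body[1] in "xX" else int(body[1:])
            return _chr_or_keep(cp, m.group(0))
        return _NAMED.get(body.lower(), m.group(0))      # &lT, &LT; ... all decode
    out = _HTML_ENTITY.sub(repl, s)
    return out, out != s


def _decode_js(s):
    def repl(m):
        hexdigits = m.group(1) or m.group(2)
        return chr(int(hexdigits, 16)) if hexdigits else m.group(3)
    out = _JS_ESCAPE.sub(repl, s)
    return out, out != s


def _decode_css(s):
    out = _CSS_ESCAPE.sub(lambda m: _chr_or_keep(int(m.group(1), 16), m.group(0)), s)
    return out, out != s


_DECODERS = (("percent", _decode_percent), ("html", _decode_html),
             ("javascript", _decode_js), ("css", _decode_css))


def canonicalize(value, strict=True):
    """Decode until the string stops changing. In strict mode, input needing more
    than one pass (double encoding, %253c) or more than one codec (mixed
    encoding, %26lt;) is rejected outright."""
    codecs_used, passes, current = set(), 0, value
    while True:
        changed_this_pass = False
        for name, decoder in _DECODERS:
            current, changed = decoder(current)
            if changed:
                codecs_used.add(name)
                changed_this_pass = True
        if not changed_this_pass:
            break
        passes += 1
        if passes > 10:
            raise IntrusionException("too many decoding passes")
    if strict and (passes > 1 or len(codecs_used) > 1):
        raise IntrusionException("multiple (%d passes) or mixed (%s) encoding"
                                 % (passes, ",".join(sorted(codecs_used))))
    return current


# Constructed allow-list pattern, standing in for the Validator.<Type> regexes
# that ESAPI reads from ESAPI.properties.
_PATTERNS = {"UserName": re.compile(r"[A-Za-z0-9_.-]{1,255}")}


def get_valid_input(context, value, type_name, max_length, allow_null=False,
                    error_list=None):
    """Canonicalize, then check length and allow-list pattern. With an error_list
    the failure is recorded there and None returned, so a form can report every
    bad field at once; without one, the exception propagates."""
    try:
        if value is None or value == "":
            if allow_null:
                return None
            raise ValidationException("%s: value required" % context)
        canon = canonicalize(value, strict=True)
        if len(canon) > max_length:
            raise ValidationException("%s: longer than %d" % (context, max_length))
        if not _PATTERNS[type_name].fullmatch(canon):
            raise ValidationException("%s: not a valid %s" % (context, type_name))
        return canon
    except (ValidationException, IntrusionException) as exc:
        if error_list is None:
            raise
        error_list.append((context, str(exc)))
        return None
```

Note that with strict=False the double-encoded %253c decodes all the way to "<"; strict mode refuses it, because legitimate users do not double-encode and the only reason to is to get past a filter that decodes once.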

Stamping Out XSS
Rule #1: HTML Element Content: ESAPI.encoder().encodeForHTML(input)
Rule #2: HTML Common Attributes: ESAPI.encoder().encodeForHTMLAttribute(input)
Rule #3: HTML JavaScript Data Values: ESAPI.encoder().encodeForJavaScript(input)
Rule #4: HTML Style Property Values: ESAPI.encoder().encodeForCSS(input)
Rule #5: HTML URL Attributes: ESAPI.encoder().encodeForURL(input)
Use these in components and developers won't even know!
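The five rules come down to one idea: escape every non-alphanumeric character in the syntax of the exact slot the data lands in, and when slots nest (a JavaScript string inside an HTML attribute) encode inside-out. The following is an added example, not ESAPI's Encoder: a stand-alone Python allow-list implementation with one function per rule, plus encode_for_js_in_attribute and render_profile (both names are this example's own) to show the nesting and a page assembled with every slot encoded for its context.

```python
"""Contextual output encoding, one encoder per rule. Added example; not ESAPI."""
import urllib.parse


def _is_alnum(ch):
    return ("a" <= ch <= "z") or ("A" <= ch <= "Z") or ("0" <= ch <= "9")


def _encode(s, immune, escape):
    """Allow-list: ASCII letters/digits and the immune set pass, all else escaped."""
    return "".join(ch if _is_alnum(ch) or ch in immune else escape(ch) for ch in s)


_HTML_NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#x27;"}


def _html_escape(ch):
    return _HTML_NAMED.get(ch, "&#x%X;" % ord(ch))


def _js_escape(ch):
    cp = ord(ch)
    if cp < 256:
        return "\\x%02X" % cp
    if cp < 0x10000:
        return "\\u%04X" % cp
    cp -= 0x10000                                   # astral plane: surrogate pair
    return "\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))


def encode_for_html(s):
    """Rule #1: element content. Space and common punctuation are immune."""
    return _encode(s, " ,.-_", _html_escape)


def encode_for_html_attribute(s):
    """Rule #2: quoted attribute values. Space is NOT immune: in an unquoted
    attribute a space would start a new attribute (onerror=...)."""
    return _encode(s, ",.-_", _html_escape)


def encode_for_javascript(s):
    """Rule #3: inside a quoted JS string literal."""
    return _encode(s, ",._", _js_escape)


def encode_for_css(s):
    """Rule #4: CSS property values. \\HH plus a space terminator, so the escape
    cannot swallow hex-looking characters that follow."""
    return _encode(s, "", lambda ch: "\\%X " % ord(ch))


def encode_for_url(s):
    """Rule #5: a value placed inside a URL component (not a whole URL)."""
    return urllib.parse.quote(s, safe="")


def encode_for_js_in_attribute(s):
    """Nested contexts: the browser HTML-decodes an attribute value before the
    JS engine parses it, so encode inside-out: JavaScript first, then attribute."""
    return encode_for_html_attribute(encode_for_javascript(s))


def render_profile(name, colour, search):
    """Every untrusted value encoded for exactly the slot it lands in."""
    return (
        '<div class="profile">\n'
        "  <h1>" + encode_for_html(name) + "</h1>\n"
        '  <input type="text" value="' + encode_for_html_attribute(name) + '">\n'
        '  <div style="color: ' + encode_for_css(colour) + '">status</div>\n'
        '  <a href="/search?q=' + encode_for_url(search) + '">search again</a>\n'
        "  <button onclick=\"greet('" + encode_for_js_in_attribute(name) + "')\">hi</button>\n"
        "  <script>var who = '" + encode_for_javascript(name) + "';</script>\n"
        "</div>"
    )
```

The immune sets are deliberately tiny; the cost of over-encoding a comma is nothing, while the cost of leaving one character unencoded in the wrong context is a script execution.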

Rich Content

    String input = request.getParameter("input");
    // keep only the markup allowed by the AntiSamy policy; max 2500 chars, null allowed
    String safeMarkup = ESAPI.validator().getValidSafeHTML("input", input, 2500, true);
    ...

Stopping Insecure Direct Object References

    // set up a map and store it somewhere safe - like the session!
    // (AccessReferenceMap is an interface; RandomAccessReferenceMap is the
    //  reference implementation that issues random tokens)
    Set<File> fileSet = new HashSet<File>();
    fileSet.addAll(...);
    AccessReferenceMap map = new RandomAccessReferenceMap(fileSet);
    ...
    // create an indirect reference to send to the browser
    String ref = map.getIndirectReference(file1);
    String href = "esapi?file=" + ref;
    ...
    // get the direct reference back; a value the map never issued
    // throws AccessControlException instead of being interpreted
    String ref = request.getParameter("file");
    File file = (File) map.getDirectReference(ref);
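What makes the indirection work is that the client never sees a value it could tamper with: a path, a database id or a filename never leaves the server, only a random token that means something to this user's session map and nothing anywhere else. The following is an added example, not ESAPI code: a stand-alone Python re-implementation of the idea behind RandomAccessReferenceMap, with build_session_map, download_link and handle_download (names and sample file paths are this example's own, constructed for illustration) showing the per-login map and the request handler that resolves the token.

```python
"""Indirect object references. Added example; not ESAPI's RandomAccessReferenceMap."""
import secrets


class AccessControlException(Exception):
    """Raised for an indirect reference this map did not hand out."""


class RandomAccessReferenceMap:
    def __init__(self, direct_references=(), token_bytes=6):
        self._to_indirect = {}
        self._to_direct = {}
        self._token_bytes = token_bytes
        self.update(direct_references)

    def update(self, direct_references):
        """Add new objects; existing ones keep their token so issued links stay valid."""
        for direct in direct_references:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._to_direct:          # vanishingly rare, but cheap to guard
            token = secrets.token_urlsafe(self._token_bytes)
        self._to_indirect[direct] = token
        self._to_direct[token] = direct
        return token

    def remove_direct_reference(self, direct):
        token = self._to_indirect.pop(direct, None)
        if token is not None:
            del self._to_direct[token]

    def get_indirect_reference(self, direct):
        """Token to put in the URL or form, or None if the object is not in the map."""
        return self._to_indirect.get(direct)

    def get_direct_reference(self, indirect):
        """Real object for a token. A guessed or tampered value is rejected, never
        interpreted: '../../etc/passwd' cannot even be expressed in this scheme."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException("reference not issued to this session: %r"
                                         % (indirect,)) from None


def build_session_map(user_files):
    """Called once per login with the objects this user may reach; the map is
    then stored in the session, never in a global shared between users."""
    return RandomAccessReferenceMap(user_files)


def download_link(session_map, path):
    """Link for the page: the token goes out, the path stays on the server."""
    return "esapi?file=" + session_map.get_indirect_reference(path)


def handle_download(session_map, file_param):
    """Request handler: resolve the token from the query string, then serve."""
    path = session_map.get_direct_reference(file_param)   # raises on a bad token
    return path   # a real handler would open and stream the file here
```

Because the map is built per session, a token copied out of one user's page is meaningless in another user's session, which is the property a plain id-to-filename table can never give you.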

Identity Everywhere

    // check the current user's credentials (taken from the current request)
    User user = ESAPI.authenticator().login();
    // display their last login time
    user = ESAPI.authenticator().getCurrentUser();
    out.println("Login: " + user.getLastLoginTime());
    // rotate their session id (the session's contents are carried over)
    ESAPI.httpUtilities().changeSessionIdentifier();
    // kill their session and session cookie
    ESAPI.authenticator().logout();

You can rotate your session without losing the contents.
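Rotating the session identifier at login is the defense against session fixation: whatever id the client presented before authenticating may have been chosen by an attacker, so it must stop being valid the moment the session becomes authenticated, while the anonymous session's contents (cart, locale, CSRF token) carry over. The following is an added example, not ESAPI code: a minimal in-memory SessionStore standing in for the servlet container, whose change_session_identifier() does for it what the slide's changeSessionIdentifier() does for a servlet session. SessionStore, login(), logout() and the constructed credential check _check are this example's own.

```python
"""Session id rotation on login, keeping the session's contents. Added example."""
import secrets
import time


class SessionStore:
    """Maps session ids (the cookie value) to attribute dicts."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def set_attribute(self, sid, key, value):
        self._sessions[sid][key] = value

    def change_session_identifier(self, old_sid):
        """Issue a fresh id, move the attributes over, invalidate the old id.
        Anyone still holding the old id (fixated or sniffed) is locked out,
        while the user's cart, locale, CSRF token and so on survive."""
        attributes = self._sessions.pop(old_sid)   # KeyError if unknown: fail closed
        new_sid = self.create()
        self._sessions[new_sid] = attributes
        return new_sid

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login(store, presented_sid, username, password, check_credentials):
    """Authenticate, then rotate the id the client presented before it was
    authenticated, since an attacker may have chosen that id (session fixation)."""
    if presented_sid is None or store.get(presented_sid) is None:
        presented_sid = store.create()
    if not check_credentials(username, password):
        return None                      # failed login: anonymous session untouched
    new_sid = store.change_session_identifier(presented_sid)
    store.set_attribute(new_sid, "user", username)
    store.set_attribute(new_sid, "last_login", time.time())
    return new_sid                       # send this as the new session cookie


def logout(store, sid):
    """Kill the server-side session; the caller also clears the cookie."""
    store.invalidate(sid)


def _check(username, password):
    """Constructed stand-in for a real credential check (constant-time compare)."""
    return username == "alice" and secrets.compare_digest(password, "correct horse")
```

The order matters: rotate after the credential check succeeds, not before, so a failed attempt does not churn the anonymous session, and set the user attribute on the new id only, so nothing ever marks the old id as authenticated.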

ESAPI Web App Firewall (WAF)
(diagram: attacker and user traffic passes through the ESAPI WAF in front of the application)
When it fits:
 Critical application?
 PCI requirement?
 3rd party application?
 Legacy application?
 Incident response?
What it provides:
 Virtual patches
 Authentication rules
 URL access control
 Egress filtering
 Attack surface reduction
 Real-time security

Documentation
 Javadoc: java.googlecode.com/svn/trunk_doc/index.html
 Banned APIs: ESAPI_Secure_Coding_Guideline
 Release Notes: 0/JavaEE-ESAPI_2.0a_ReleaseNotes.doc
 Install Guide: c/JavaEE-ESAPI_2.0a_install.doc


Questions and Answers
Jeff Williams, Aspect Security CEO, OWASP Foundation Chair
You can send me application security questions anytime!