Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Italy The Owasp Orizon Project: bring the security at the source Paolo Perego - thesp0nge Owasp Orizon Leader October 2007
2 OWASP Italy SMAU eAcademy 2007, Milano October Agenda Introduction Web application vulnerabilities The Owasp Orizon Project
3 OWASP Italy SMAU eAcademy 2007, Milano October $ whoami Security Spike Reply Srl penetration testing secure application building code review & source code assessment Owasp Orizon Project leader ikea fellow l
4 OWASP Italy SMAU eAcademy 2007, Milano October Kickoff Implement a safe coding practice that involves code review and so on, is: time consuming expensive something requiring high level skills something that changes my internal SDLC Why do I need it?
5 OWASP Italy SMAU eAcademy 2007, Milano October Web application vulnerabilities Security is not a concern in application development A lot of effort spent in evaluating performances instead of security incidents risk The number of web applications affected by vulnerabilities is growing
6 OWASP Italy SMAU eAcademy 2007, Milano October Web application vulnerabilities Multiple reasons: missing skills about safe coding practices missing awareness about the risks concerned with a web applications “People are not interested in attack my apps” One ending: applications are cracked and business is exposed to a breach
7 OWASP Italy SMAU eAcademy 2007, Milano October Web application vulnerabilities Users must not be trusted Coding defensively is not a crime Use community resources code snippets third party libraries Building an hardened application is a ROI
8 OWASP Italy SMAU eAcademy 2007, Milano October Web application vulnerabilities User input is nor validated than sanitized Cross site scripting, Injection flows vulnerabilities, Cross site forgery No attention paid to errors & friends Improper error handling Unsafe log messages, unsafe storage Environment is not hardened Hidden URLs can be revealed requesting them
9 OWASP Italy SMAU eAcademy 2007, Milano October Web application: how can I write a secure one? Design a good model with strong interaction with modules (architectural stage) “divide et impera” and KISS approaches put together choose safe protocols to let your software modules to interact Implement your code with security in mind use safe coding best practices use third party libraries perform security code review over your code
10 OWASP Italy SMAU eAcademy 2007, Milano October Web application: how can I write a secure one? Test your code perform a dynamic code review perform ethical hacking over your application Use lightweight development lifecycles the more time you write code in a single coding session the probability of making mistakes grows use short development sessions and but test and peer reviews between them
11 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project Started the 2 nd October 2006 Introduced last year as proof of concept here at eAcademy 2006last year one year ago... orizon was enable just to check a very simple class there was just two very basic security checks there was no logging facilities there was no reporting facilities there was no an usable API
12 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project today... close to 500 downloads close to 130 just for latest 0.40 family version both static than dynamic code review are implemented 12 security checks flexible reporting APIs usable APIs (Milk project)Milk
13 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: what is? A security source code assessment engine Provides APIs to do static code review checks how the code has been written source is checked without being executed Provides APIs to do dynamic code review checks how the code behaves to known attack patterns source is checked without being read, just executed instead
14 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project Independent from language used in the source file being checked The source file is translated to XML and then security checks were applied over it Add support for another language means writing a translator for the source file to XML creating a class that extends org.owasp.orizon.xml.Translator org.owasp.orizon.xml.Translator A Java to XML translator is included in Orizon (it uses Java compiler APIs introduced in J2EE 6)Java // java 2 xml translation... Java2XML j2xml = new Java2XML(fileName); if (j2xml.mustTranslate()) { if (!j2xml.translate()) { log.error(fileName + ": translation failed"); System.exit(-1); } log.info(j2xml.getOutputFilename() + " created"); } else log.info("XML file is up to date, translation is not needed. Good!"); // java 2 xml translation... Java2XML j2xml = new Java2XML(fileName); if (j2xml.mustTranslate()) { if (!j2xml.translate()) { log.error(fileName + ": translation failed"); System.exit(-1); } log.info(j2xml.getOutputFilename() + " created"); } else log.info("XML file is up to date, translation is not needed. Good!");
15 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project The core is Source class located in org.owasp.orizon.core packageSource A Source object is instantiated with the XML filename being checked as parameter The first method that an application must call is read() the XML file is parsed object internal fields are populated with source code informations // xml file reading Source s = new Source(j2xml.getOutputFilename()); s.read(); // xml file reading Source s = new Source(j2xml.getOutputFilename()); s.read();
16 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the checks Security checks are written in XML The root tag is called check... The check is a best practice, so if it fails your code need to be fixed Checks are encoded Base64 if the will break XML format <check id="O_CV_2" severity="error" impact="high" description="Avoid your class for being clonable"> <check id="O_CV_2" severity="error" impact="high" description="Avoid your class for being clonable"> <check id="O_XSS_1" severity="error" impact="high" description="sanitize your input"> <check id="O_XSS_1" severity="error" impact="high" description="sanitize your input">
17 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the checks A Check is handled by a class in org.owasp.orizon.library packageCheck Just a bunch of getter and setter methods to fill the check properties If needed check body can be encoded with org.owasp.orizon.utils.Base64Encoder A public toXML() method translate the check into an XML row c = new Check("class_contains"); c.setId("O_CV_2"); c.setImpact("high"); c.setSeverity("error"); c.setDescription("Avoid your class for being clonable"); c.addAttribute("name", "clone"); c.addAttribute("scope", "final");// r is a Recipe object r.addCheck(c.toXML()); c = new Check("class_contains"); c.setId("O_CV_2"); c.setImpact("high"); c.setSeverity("error"); c.setDescription("Avoid your class for being clonable"); c.addAttribute("name", "clone"); c.addAttribute("scope", "final");// r is a Recipe object r.addCheck(c.toXML()); c = new Check("xss"); c.setId("O_XSS_1"); c.setImpact("high"); c.setSeverity("error"); c.setDescription("sanitize your input"); c.addAttribute("pattern", Base64Coder.encodeString("/> alert('xss');</ script>")); r.addCheck(c.toXML()); c = new Check("xss"); c.setId("O_XSS_1"); c.setImpact("high"); c.setSeverity("error"); c.setDescription("sanitize your input"); c.addAttribute("pattern", Base64Coder.encodeString("/> alert('xss');</ script>")); r.addCheck(c.toXML());
18 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the recipes A recipe is an XML file with one or more Checks Recipe is handled by a class in org.owasp.orizon.library package Recipe Some getter and setter method to handle properties public boolean read() : it reads the XML file storing recipe properties in internal fields and all checks contained in the recipe public boolean write() : it writes the XML recipe with all checks included r = new Recipe("design_violation.xml", false); r.setFamily("Code design"); r.setCactus(true); r.setDawn(false); r.setDescription("Some methods can used by an attacker to overrun class behaviour."); r.setName("Ensure a class override potentially dangerous methods"); r.setLanguage(OrizonCons.language("java"));... r.addCheck(c.toXML());... if (!r.write()) { log.error("can't write recipe: design_violation.xml"); return false; } log.info("recipe design_violation.xml written successfully"); r = new Recipe("design_violation.xml", false); r.setFamily("Code design"); r.setCactus(true); r.setDawn(false); r.setDescription("Some methods can used by an attacker to overrun class behaviour."); r.setName("Ensure a class override potentially dangerous methods"); r.setLanguage(OrizonCons.language("java"));... r.addCheck(c.toXML());... if (!r.write()) { log.error("can't write recipe: design_violation.xml"); return false; } log.info("recipe design_violation.xml written successfully");
19 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the library Library is a ZIP file containing one or more recipes It provides classic methods about managing a collection of thing add() delete() find() list() create() get()
20 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the jericho engine Library is opened and recipes extracted to disk Source object apply () method is invoked with the recipe as parameter A Report object is returned back to calling program to give results in a fancy way The extracted recipe is deleted from disk // loop for all recipes contained in the library for (int count = 0; count < recipeCount; count++) { String rName = dl.getRecipeName(count); if (!dl.extract(rName)) { log.error("can't extract " + rName); System.exit(-1); } r = new Recipe(rName); org.owasp.orizon.report.Report report = s.apply(r); if (report != null) { PlainFormatter p = new PlainFormatter(); report.report(p); } r.dispose(); } // for (int count = 0; count < recipeCount; count++) // loop for all recipes contained in the library for (int count = 0; count < recipeCount; count++) { String rName = dl.getRecipeName(count); if (!dl.extract(rName)) { log.error("can't extract " + rName); System.exit(-1); } r = new Recipe(rName); org.owasp.orizon.report.Report report = s.apply(r); if (report != null) { PlainFormatter p = new PlainFormatter(); report.report(p); } r.dispose(); } // for (int count = 0; count < recipeCount; count++)
21 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the jericho engine Demo
22 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the jericho engine APIs for static code review are 80% mature as listed in the roadmap to Orizon 1.0 Next actions are: improve translation engine dictionary to handle all possible instructions create new translator for popular languages such as: C#, ASP.NET and other refactor engine namespace
23 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the dawn engine Almost equal to static code review approach for the developer The dawn () method is called instead Dawn parameters are the recipe to apply and the working directory to create helpers An helper is created for each method in the source file being checked The helper is a Java program that invokes the method giving its command line as argument
24 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the dawn engine Helper is executed passing attack patterns as arguments Helper output is collected and examined to understand how the method reacts to attack pattern Dynamic code review concerns about: cross site scripting attacks sql injection attacks unexpected inputs such null values, empty strings, negative integers,...
25 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the dawn engine Demo
26 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the dawn engine APIs for dynamic code review are mature to 35% as listed in the roadmap to Orizon 1.0 Next actions are: improve helper creation source file methods need a more general handling routine improve documentation is a must
27 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the reporting API org.owasp.orizon.report package Report is returned back to calling program with security checks that failed Formatters are provided in order to take a Report and printing it out in: plain text file XML + XSL Next actions are to improve the number of report ouput format
28 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: the roadmap October 2007Orizon v0.50 static code review API's will be completed 10 security checks will be added in the default library a dynamic code review PoC will be included for Smau eAcademy 2007 speech Smau eAcademy 2007 speech December 2007Orizon v0.60 the default library will be full of the planned 30 security checks the dawn engine will be able to fully generate helper programs XML reporting will be complete March 2008Orizon v0.80 the dawn engine will be complete with class interaction support reports will be available in the following format: plain text, XML+XSL, HTML, latex C# support will be started June 2008Orizon v0.99 C# will be supported API's freeze Source code review and cleanup Documentation review July 2008Orizon v1.0rc1 Bug fixes Source code review and cleanup Documentation review September 2008Orizon v1.0rc2 Bug fixes Source code review and cleanup Documentation review 2 nd October 2008Orizon v1.02 nd birthday party and final 1.0 release
29 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project: links & contact Orizon site: Orizon blog: Orizon Owasp: ASP_Orizon_Project ASP_Orizon_Project Milk site: complaints, opinions, bug reports and beer can be sent to: thesp0nge_at_owasp_dot_org
30 OWASP Italy SMAU eAcademy 2007, Milano October The Owasp Orizon Project Q&A