Presentation is loading. Please wait.

Presentation is loading. Please wait.

Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer.

Published byJared Hamilton Modified over 8 years ago

Similar presentations

Presentation on theme: "Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer."— Presentation transcript:

1 Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer Aspect)Security chris.schmidt@aspectsecurity.com AppSec DC 2010

2 OWASP Who the heck am I? [Rumour has it I should be presenting my credentials] Application Security Engineer – Aspect Security Project Manager - OWASP ESAPI Developer – ESAPI for Java Project Owner - ESAPI for JS Blogger - Yet Another Developer's Blog Aspiring Author - Designing Secure Enterprise Applications

3 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting Case Study: Direct Object Reference Case Study: Yours! Additional Resources Questions?

4 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI?

5 OWASP What is an Enterprise Security API? The ESAPI Family Community Breakdown

6 OWASP What is an Enterprise Security API? High-Level API that provides access to common security functions as services to the calling code. Centrally configured to keep configuration separate from implementation. Developers don't have to focus on writing custom security controls for components. Compliments a Secure Software Development Environment and Secure Coding Conventions Enforces a common API (interfaces) but also allows customization or extension to adapt to specific environments.

7 OWASP What is an Enterprise Security API?

8 OWASP What is an Enterprise Security API? Addressing The OWASP Top Ten OWASP Top Ten OWASP ESAPI A1: Injection A2: Cross Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object Reference A5: Cross Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards Encoder Encoder, Validator Authenticator, User, HTTPUtilities AccessReferenceMap, AccessController User (CSRF Token) SecurityConfiguration Encryptor AccessController HTTPUtilities AccessController

9 OWASP What is an Enterprise Security API? OWASP ESAPI Project Scorecard 2.0

10 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI

11 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) Getting OWASP’s ESAPI (Java) Download from Google Code: http://owasp-esapi-java.googlecode.com Use Maven: org.owasp.esapi esapi org.owasp.esapi esapi

12 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) Basics OWASP ESAPI Uses a Service Locator class to access implementations of core interfaces. This locator is currently configured via the ESAPI.properties file. ESAPI.encoder() ESAPI.validator() ESAPI.randomizer() ESAPI.encryptor() ESAPI.accessController() ESAPI.authenticator() ESAPI.logger() ESAPI.httpUtilities()

13 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting

14 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) The Problem Contact Form is vulnerable to XSS The Solution ”> Full Name ”> Full Name

15 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting Case Study: Direct Object Reference

16 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) The Problem Direct Reference to File allows writing to Filesystem Behavior: 1. Servlet POSTs to /save.action 2. Filename is stored in a hidden form field 3. Content is entered through a textfield on the page Post looks like: POST /save.action HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 35 filename=user-info.txt&content=test Direct Reference to File allows writing to Filesystem Behavior: 1. Servlet POSTs to /save.action 2. Filename is stored in a hidden form field 3. Content is entered through a textfield on the page Post looks like: POST /save.action HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 35 filename=user-info.txt&content=test

17 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) The Solution class SaveFileServlet extends HttpServlet { // List of accessible files static Set VALID_FILES = new HashSet (); // add file paths to set public void doPost( … ) { AccessReferenceMap filemap = ESAPI.httpUtilities().getSessionAttribute(“valid-files”); if ( filemap == null ) { filemap = new RandomAccessReferenceMap(); filemap.addAll(VALID_FILES); request.setAttribute(“valid-files”, filemap); } else { String fileToken = request.getParameter(“fileToken”); String filename = filemap.get(filetoken); if ( filename == null ) { throw new EnterpriseSecurityException(…); } else { String content = request.getParameter(“content”); if ( ESAPI.validator().isValidInput( “SaveFile”, content, “FileContent”, 512, true ) ) { //.. Save file } else { throw EnterpriseSecurityException(…); } class SaveFileServlet extends HttpServlet { // List of accessible files static Set VALID_FILES = new HashSet (); // add file paths to set public void doPost( … ) { AccessReferenceMap filemap = ESAPI.httpUtilities().getSessionAttribute(“valid-files”); if ( filemap == null ) { filemap = new RandomAccessReferenceMap(); filemap.addAll(VALID_FILES); request.setAttribute(“valid-files”, filemap); } else { String fileToken = request.getParameter(“fileToken”); String filename = filemap.get(filetoken); if ( filename == null ) { throw new EnterpriseSecurityException(…); } else { String content = request.getParameter(“content”); if ( ESAPI.validator().isValidInput( “SaveFile”, content, “FileContent”, 512, true ) ) { //.. Save file } else { throw EnterpriseSecurityException(…); }

18 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) The Solution - Continued <% AccessReferenceMap validFiles = ESAPI.httpUtilities().getRequestAttribute(“valid-files”); String fileToken = validFiles.getIndirectReference(“user-info.txt”); String existingContent = FileHelper.readFile( validFiles.getDirectReference(fileToken)); %> ”/> <% AccessReferenceMap validFiles = ESAPI.httpUtilities().getRequestAttribute(“valid-files”); String fileToken = validFiles.getIndirectReference(“user-info.txt”); String existingContent = FileHelper.readFile( validFiles.getDirectReference(fileToken)); %> ”/>

19 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting Case Study: Direct Object Reference Case Study: Yours!

20 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) The Problem YOU TELL ME! Describe a problem or requirement that you have encountered and let’s discuss how using an ESAPI you could resolve the issue, or meet the requirement. YOU TELL ME! Describe a problem or requirement that you have encountered and let’s discuss how using an ESAPI you could resolve the issue, or meet the requirement.

21 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting Case Study: Direct Object Reference Case Study: Yours! Additional Resources

22 OWASP Additional Resources OWASP Home Page o http://www.owasp.org http://www.owasp.org ESAPI Project Page o http://www.esapi.org http://www.esapi.org ESAPI-Users Mailing List o https://lists.owasp.org/mailman/listinfo/esapi-users https://lists.owasp.org/mailman/listinfo/esapi-users ESAPI-Dev Mailing List o https://lists.owasp.org/mailman/listinfo/esapi-dev https://lists.owasp.org/mailman/listinfo/esapi-dev E-Mail Me o chris.schmidt@aspectsecurity.com chris.schmidt@aspectsecurity.com Follow me on Twitter o http://twitter.com/carne http://twitter.com/carne

23 OWASP Solving Real World Problems with An Enterprise Security API (ESAPI) What is an ESAPI? Using OWASP ESAPI Case Study: Cross Site Scripting Case Study: Direct Object Reference Case Study: Yours! Additional Resources Questions?

24 OWASP Questions? Comments? Feel free to stop me in the hall or speak to me after the talk with any additional questions you may have. Interested in contributing to the OWASP ESAPI project or any other OWASP Project – let me know! Cycles to Spare? We are looking for people to contribute cycles to ESAPI on documentation and helping to bring non-java languages up to date with the 2.0 API. Interested – See me!

25 GET IN TOUCH WITH ME Twitter Email twitter.com/carne chris.schmidt@owasp.org

Download ppt "Solving Real-World Problems with an Enterprise Security API (ESAPI) Chris Schmidt ESAPI Project Manager ESAPI4JS Project Owner Application Security Engineer."

Similar presentations

Webgoat.

Webgoat.
Don’t Teach Developers Security Caleb Sima Armorize Technologies.

Don’t Teach Developers Security Caleb Sima Armorize Technologies.
OWASP Top-10 2013 Dave Wichers OWASP Top 10 Project Lead OWASP Board Member Cofounder, Aspect Security & Contrast Security.

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member Cofounder, Aspect Security & Contrast Security.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.

A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
ESAPI Pictures For Javadoc.

ESAPI Pictures For Javadoc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Gayle J Yaverbaum, PhD Professor of Information Systems Penn State Harrisburg.

Gayle J Yaverbaum, PhD Professor of Information Systems Penn State Harrisburg.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”|

“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”|
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google