Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.

Published byVirginia Neal Modified over 8 years ago

Similar presentations

Presentation on theme: "OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities."— Presentation transcript:

1 OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities

2 Background and Material Will Bechtel, Blue Oasis - CISSP 18 years of experience in Software Development, IT and Security. Development of web based applications for Sony, American Express, Cellular One, Federal Express, Sega, US Navy, Wells Fargo. Core of presentation from Open Web Application Security Project (OWASP) – www.owasp.org

3 Overview How Much Security Do You Really Need ? –how to assess the security need and perform risk assessments. Security Guidelines – A set of high level principles that all applications should adhere to. Architecture – Discussion on how Architecture considerations can ensure security where its needed. Authentication – Describes the different types of authentication possible and the common problems. Session Management – Describes the right way to manage sessions and generate session tokens.

4 Overview (cont) Access Control – Describes access control concepts Event Logging – Describes what to log and how to log user and system events Data Validation – Describes strategies for dealing with unexpected input and what you need to block Common Problems – Describes problems like cross site scripting and SQL Injection and offers practical advise on how to stop them cold Privacy – Discusses privacy issues that may face your application. Cryptography - How to use cryptography and describes some common mistakes.

5 Risk Management How much security do you need? Risks, threats and vulnerabilities Quantitative approach – utilize SLE x ARO = ALE – Most applicable to physical security or specific asset protection Qualitative approach – ranking of potential risks and their ability to do harm. Subjective. – Because data for the quantitative approach is usually hard to come by, many times a more subjective approach is needed.

6 Security Guidelines Validate ALL input and output Fail securely Use and reuse trusted components Defense in depth Only secure as the weakest link No security by obscurity Least privilege, separation of privilege

7 Architecture Design for a secure location – Don’t design in a test lab, then worry about working in a DMZ environment later. – Realize at some point least privilege will be enforced. – There is (usually) a trade-off between convenience and security. Separate, segregate and control access. OS and Network security

8 Authentication Determining if a user is who they say they are. Browser limitations – consider all input ‘tainted’ HTTP Basic/HTTP Digest Forms based authentication – use SSL Digital certificates Entity Authentication – Cookies

9 Authentication (cont) Password Based Authentication Schemes – Limits on user names (reduce guessing) – Storing username/passwords – hashing or other secure storage – Ensure password quality – Password lockout, aging and history – Automated password reset strategies – risk remains

10 Managing User Sessions Cookies Session Tokens Session Management Schemes Access Control and Authorization Event Logging Data Validation

11 Preventing common problems Cross site scripting (validate) SQL injection (validate) Direct OS commands (URL filter) Directory traversal and path disclosure (URL filter) Null bytes (string termination)

12 Preventing common problems (cont) Parameter manipulation – URL manipulation – Cookie manipulation – HTTP Header – Form field manipulation

13 URL manipulation His/her choices are recorded by pressing the submit button. The page is actually storing the entries in form field values and submitting them using a form submit command. The command sends the following HTTP request. http://www.victim.com/example?accountnumber=12345&debitamount=1 A malicious user could construct his own account number and change the parameters as follows: http://www.victim.com/example?accountnumber=67891&creditamount=999999 999

14 Form field manipulation All of the same rules apply to hidden forms fields as apply to regular form fields. Take the same application. Behind the login form may have been the HTML tag; By manipulating the hidden value to a Y, the application would have logged the user in as an Administrator.

15 Cookie manipulation The extent of cookie manipulation depends on what the cookie is used for but usually ranges from session tokens to arrays that make authorization decisions. (Many cookies are Base64 encoded; this is an encoding scheme and offers no cryptographic protection). Example from a real world example on a travel web site modified to protect the innocent (or stupid). Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ; The attacker can simply modify the cookie to; Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

16 OWASP Top Ten Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting (XSS) flaws Buffer Overflows Injection Problems Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management

17 Reasons behind poor web app security Lack of knowledge/education – security has not been a focus for software engineers Lack of quality assurance in general, and specifically lack of security related testing Economic – consumers have been willing to purchase poorly engineered software and have not made this a primary purchasing decision.

18 Web App security tools Proxy – used to intercept traffic – view/modify data. Web security training apps – – Foundstone’s Hacme Bank -.Net – OWASP Webgoat – Java

19

Download ppt "OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Similar presentations

Ads by Google