Development Security Web Application...OWASP OWASP Top 10-2013 (Select few) A1-Injection A2-Broken...
Web Application Security Development
CSE 403
2013-11-20
Introduction
● Who am I?
  ○ Zak Dehlawi
● Why am I here?
  ○ Talk to you about Secure Development Lifecycles (SDL) and WebApp security
Introduction
● PhD Student
  ○ UW Information School
  ○ Advising Committee
    ■ Dr. Barbara Endicott-Popovsky
    ■ Dr. Jochen Scholl
    ■ Dr. Yoshi Kohno
● Education
  ○ Johns Hopkins M.S. Security Informatics
  ○ UW CSE and PoliSci bachelor degrees
Introduction
● Senior Security Engineer
  ○ Security Innovation, Inc.
    ■ Cool place, come work there with me
  ○ Primary Tasks:
    ■ Threat Modeling
    ■ Secure Development Lifecycle
    ■ Penetration Testing
Outline
● SDL
● OWASP
● A1-Injection
● A2-Broken Authentication and Session Management
● A3-Cross-Site Scripting (XSS)
● A6-Sensitive Data Exposure
SDL
● Why a Secure Development Lifecycle?
  ○ Reduces the total number of vulnerabilities
  ○ Addresses compliance requirements
  ○ Reduces the cost of development
    ■ Fixes later in the development cycle are more costly to address
Source: Microsoft SDL - Benefits, NIST May 2002
SDL
● Phases
  ○ Training (Regularly scheduled)
  ○ Requirements
  ○ Design
  ○ Implementation
  ○ Verification
  ○ Release
  ○ Response (Post-Release)
SDL
● Phases
  ○ Training (Regularly scheduled)
    ■ Developers, Testers, PMs, Architects
  ○ Requirements
    ■ Establish security requirements (Compliance + regulation)
  ○ Design
    ■ Security architecture review
    ■ Attack surface analysis
    ■ Threat modeling
SDL
● Phases
  ○ Implementation
    ■ Security code reviews
    ■ Static code analysis
  ○ Verification
    ■ Penetration testing
    ■ Fuzz testing
  ○ Release
    ■ Incident response plan
    ■ Black-box penetration testing
  ○ Response (Post-Release)
    ■ Execute incident response plan
OWASP
● OWASP Top 10-2013 (Select few)
  ○ A1-Injection
  ○ A2-Broken Authentication and Session Management
  ○ A3-Cross-Site Scripting (XSS)
  ○ A6-Sensitive Data Exposure
OWASP: A1-Injection
● Types:
  ○ SQL
    ■ Update, delete, read arbitrarily from database
      ● Little Bobby Tables
        ○ Robert'); DROP TABLE Students;--
  ○ OS
    ■ Execute arbitrary OS or interpreter commands
  ○ XML
    ■ XML Bombs with inline DTD
    ■ XML External Entity attacks
  ○ JSON
    ■ Define arbitrary entities
  ○ etc.
OWASP: A1-Injection
● Mitigations
  ○ SQL
    ■ Use ORMs and DALs
    ■ Use parameterized queries
  ○ OS
    ■ Never eval or execute user supplied input
  ○ XML
    ■ Disable inline DTD in the XML parser
      ● Default in most parsers now
  ○ JSON
    ■ Use CSRF tokens
  ○ etc.
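Added example (not from the slides): the Little Bobby Tables value from the previous slide run through a string-concatenated INSERT and through a parameterized INSERT against an in-memory SQLite database, so the difference the "Use parameterized queries" mitigation makes is observable. The Students table and the Alice row are constructed sample data.

```python
import sqlite3

# Constructed sample input: the "Little Bobby Tables" value from the slides.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with a Students table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students VALUES ('Alice')")
    conn.commit()
    return conn


def insert_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL text.
    executescript() is used because sqlite3's execute() refuses stacked
    statements; many other drivers and raw-SQL paths do not."""
    conn.executescript("INSERT INTO Students VALUES ('" + name + "');")


def insert_parameterized(conn, name):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    conn.execute("INSERT INTO Students VALUES (?)", (name,))
    conn.commit()


def students_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def demo():
    """Return (table survives concatenation?, table survives parameters?, rows)."""
    v = fresh_db()
    insert_vulnerable(v, BOBBY)
    p = fresh_db()
    insert_parameterized(p, BOBBY)
    return students_table_exists(v), students_table_exists(p), names(p)
```

With parameters the whole string, quote and all, is stored as one student's name and the table is untouched.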
OWASP: A1-Injection
OWASP: A2-Broken Authentication and Session Management
● Types:
  ○ Session Fixation
  ○ Session tokens are weakly generated
  ○ Session tokens are not protected by SSL/TLS
● Mitigations
  ○ Issue new sessions upon login
  ○ Use cryptographically secure random number generators
    ■ Or make sure your framework is using one
  ○ Use HTTPS and mark cookies as Secure
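Added example (not from the slides): a minimal in-memory session store that applies the three mitigations above, a CSPRNG-generated token, a fresh session id issued at login with the pre-login id discarded, and a Set-Cookie value carrying the Secure flag. The cookie name "sid" and the store's layout are assumptions for this example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # hypothetical cookie name for this example


class SessionStore:
    """In-memory session store that resists session fixation."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": username or None}

    def create(self):
        # secrets draws from the OS CSPRNG; 32 bytes = 256 bits of entropy
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, username):
        """Issue a brand-new session id at login and drop the old one, so an
        id planted in the browser before login never becomes authenticated."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def session_cookie_header(sid):
    """Set-Cookie value with Secure (sent only over TLS) and HttpOnly set."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["path"] = "/"
    return c[SESSION_COOKIE].OutputString()
```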
OWASP: A3-Cross-Site Scripting
● Types:
  ○ Stored
  ○ Reflected
  ○ DOM based
  ○ Includes HTML injection
    ■ Favorite test is to use ><marquee> tag
● Mitigations
  ○ Escape untrusted input
    ■ Frameworks have tools for that
OWASP: A3-Cross-Site Scripting
OWASP: A6-Sensitive Data Exposure
● Types:
  ○ Personally Identifiable Information
  ○ Credit Cards
  ○ Passwords
● Mitigations
  ○ Encrypt in database
    ■ Attackers can steal encryption keys
  ○ Use SSL/TLS for transmission
  ○ DON’T STORE IT!
    ■ Use OpenID
    ■ Email based authentication
OWASP: A6-Sensitive Data Exposure
● Password Storage
  ○ Thou Shalt NOT:
    ■ Store plaintext passwords
    ■ Encrypt passwords
    ■ Use vanilla SHA1, SHA512, MD5, etc.
  ○ Thou Shalt:
    ■ Use password storage mechanism
      ● bcrypt, scrypt, PBKDF2
    ■ Use a unique salt per password
Information Security Careers
● 0% unemployment rate
● Federal government is hiring
● Corporate world is hiring
● Pays pretty well
● Information security is fun
● You get to be a cyber-warrior
Contact Information
● Contact Information
  ○ Zak Dehlawi
  ○ [email protected]
  ○ [email protected]
Questions!?‽ and Brainstorm!!1