The OWASP Enterprise Security API
![Page 1: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/1.jpg)
Copyright © 2007 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation
The Open Web Application Security Project
http://www.owasp.org
The OWASP Enterprise Security API
Jeff Williams, OWASP Foundation, [email protected]
Aspect Security, [email protected]
![Page 2: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/2.jpg)
2
The Challenge…
Java Logging, Reform, ACEGI, Struts, Stinger, Anti-XSS, BouncyCastle, Spring, Log4j, Commons Validator, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, and many more
![Page 3: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/3.jpg)
3
Philosophy
- Using security controls is different from building them
- All the security guidelines, courses, tutorials, websites, books, etc. are mixed up because everyone builds their own controls
- Most developers shouldn't build security controls
  - When to use a control
  - How to use a control
  - Why to use a control (maybe)
- Most enterprises need the same set of calls
![Page 4: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/4.jpg)
4
Design
- Only include methods that are widely useful and focus on the most risky areas
- Designed to be simple to understand and use
- Interfaces with a concrete reference implementation
- Full documentation and usage examples
- Same basic API across common platforms: Java EE, .NET, PHP, others? Useful to Rich Internet Applications?
![Page 5: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/5.jpg)
5
Architecture Overview
[Diagram: a Custom Enterprise Web Application calls the Enterprise Security API, which sits on top of Existing Enterprise Security Services/Libraries. ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration]
![Page 6: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/6.jpg)
6
Create Your ESAPI Implementation
- Your Security Services: wrap your existing libraries and services; extend and customize your ESAPI implementation; fill in gaps with the reference implementation
- Your Coding Guideline: tailor the ESAPI coding guidelines; retrofit ESAPI patterns to existing code
![Page 7: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/7.jpg)
7
Frameworks and ESAPI
- ESAPI is NOT a framework: just a collection of security functions, not "lock in"
- Frameworks already have some security, but controls are frequently missing, incomplete, or wrong
- ESAPI Framework Integration Project: we'll share best practices for integrating; hopefully, framework teams like Struts adopt ESAPI
![Page 8: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/8.jpg)
8
Project Plan and Status
- 2002 – Start Collecting
- 6/06 – Sketch Informal API
- 4/07 – Formalize Strawman API
- 5/07 – Start Java EE Reference Implementation
- 7/07 – Form Expert Panel
- 9/07 – Sneak Peek
- 11/07 – Release RC1
![Page 9: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/9.jpg)
9
Quality
![Page 10: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/10.jpg)
Handling Authentication and Identity
[Diagram: the User's request passes through the Controller, Business Functions, Data Layer and Backend; ESAPI supplies Authentication, Access Control, Logging and Intrusion Detection across these tiers, backed by a Users store]
![Page 11: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/11.jpg)
11
Authenticator
Key Methods: createUser(accountName, pass1, pass2), generateStrongPassword(), getCurrentUser(), login(request, response), logout(), verifyAccountNameStrength(acctName), verifyPasswordStrength(newPass, oldPass)
- Use a threadlocal variable to store the current User
- Automatically change the session on login and logout
![Page 12: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/12.jpg)
12
User
Key Methods: changePassword(old, new1, new2), disable(), enable(), getAccountName(), getScreenName(), getCSRFToken(), getLastFailedLoginTime(), getLastLoginTime(), getRoles(), isInRole(role), isEnabled(), isExpired(), isLocked(), loginWithPassword(password, request, response), resetCSRFToken(), resetPassword(), verifyCSRFToken(token)
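An added Python sketch (not ESAPI's Java code) of the Authenticator and User behaviour on the two slides above: the current User held in a thread-local, the session identifier rotated on login and logout, and a per-user CSRF token verified in constant time. The Request class and the callable password check standing in for a stored hash are constructed for the example.

```python
import hmac
import secrets
import threading

class AuthenticationException(Exception):
    pass

class User:
    """Constructed stand-in for ESAPI's User: an account name, a password check
    (a callable here, in place of a stored hash) and a per-user CSRF token."""
    def __init__(self, account_name, password_check):
        self.account_name = account_name
        self._password_check = password_check
        self.csrf_token = secrets.token_urlsafe(16)
    def check_password(self, password):
        return self._password_check(password)
    def verify_csrf_token(self, token):
        # constant-time comparison; a missing token never matches
        return hmac.compare_digest(self.csrf_token.encode(), (token or "").encode())
    def reset_csrf_token(self):
        self.csrf_token = secrets.token_urlsafe(16)

class Request:
    """Constructed minimal request: a session id plus session attributes."""
    def __init__(self):
        self.session_id = secrets.token_urlsafe(16)
        self.session = {}

class Authenticator:
    _current = threading.local()   # the current User is tracked per thread
    def __init__(self, users):
        self._users = {u.account_name: u for u in users}
    @staticmethod
    def change_session_identifier(request):
        request.session_id = secrets.token_urlsafe(16)   # new id, same attributes
    def login(self, request, account_name, password):
        user = self._users.get(account_name)
        if user is None or not user.check_password(password):
            raise AuthenticationException("login failed")   # same message either way
        self.change_session_identifier(request)   # rotate the id: defeats session fixation
        request.session["user"] = account_name
        Authenticator._current.user = user
        return user
    def logout(self, request):
        request.session.clear()
        self.change_session_identifier(request)
        Authenticator._current.user = None
    def get_current_user(self):
        return getattr(Authenticator._current, "user", None)
```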
![Page 13: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/13.jpg)
Enforcing Access Control
[Diagram: the User reaches the UserInterface, Controller, Business Functions and Data Layer, behind which sit the Web Service, Database, Mainframe, File System, etc.; an access control Function Check is enforced at each layer boundary]
![Page 14: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/14.jpg)
14
AccessController
Key Methods: isAuthorizedForData(key), isAuthorizedForFile(filepath), isAuthorizedForFunction(functionName), isAuthorizedForService(serviceName), isAuthorizedForURL(url)
Reference Implementation (not required):
/admin/* | admin | allow | admin access to /admin
/* | any | deny | default deny rule
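An added Python sketch (not the ESAPI reference implementation) of an isAuthorizedForURL check driven by the rule layout on the slide: first matching rule wins, the path is normalized before matching, and no match means deny. The rule text is constructed from the slide's two rows; the glob matching and role semantics are assumptions.

```python
import fnmatch
import posixpath

# Constructed rule table in the layout shown on the slide:
#   URL pattern | role | allow/deny | comment
URL_RULES = """
/admin/* | admin | allow | admin access to /admin
/*       | any   | deny  | default deny rule
"""

def parse_rules(text):
    """Parse 'pattern | role | action | comment' lines into (pattern, role, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or parts[2] not in ("allow", "deny"):
            raise ValueError("malformed rule: " + line)
        rules.append((parts[0], parts[1], parts[2]))
    return rules

def is_authorized_for_url(rules, url, user_roles):
    """First matching rule wins; no matching rule means deny (fail closed)."""
    # canonicalize before matching so /admin/../x is judged as /x, not under /admin/*
    path = posixpath.normpath(url.split("?", 1)[0])
    for pattern, role, action in rules:
        if not fnmatch.fnmatchcase(path, pattern):
            continue
        if role != "any" and role not in user_roles:
            continue
        return action == "allow"
    return False
```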
![Page 15: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/15.jpg)
Handling Direct Object References
[Diagram: the User's request carries an Indirect Reference (http://app?file=7d3J93); the AccessReferenceMap translates it to the Direct Reference (Report123.xls) used against the Web Service, Database, Mainframe, File System, etc.]
![Page 16: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/16.jpg)
16
AccessReferenceMap
Key Methods: getDirectReference(indirectReference), getIndirectReference(directReference), iterator(), update(directReferences)
Example: http://www.ibank.com?file=report123.xls becomes http://www.ibank.com?file=a3nr38
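An added Python sketch (not ESAPI's Java code) of the AccessReferenceMap pattern from the two slides above: each user gets a fresh map of random six-character tokens, only tokens in the map resolve back to a direct reference, and anything else raises. The token alphabet and length, and the file_link helper, are assumptions.

```python
import secrets
import string

class AccessControlException(Exception):
    pass

class AccessReferenceMap:
    """Per-user map between direct references (file names, record ids) and random
    indirect references; build one per user so tokens are never shared or guessable."""
    ALPHABET = string.ascii_lowercase + string.digits   # tokens like a3nr38

    def __init__(self, direct_references=(), token_length=6):
        self._token_length = token_length
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        self.update(direct_references)

    def _new_token(self):
        while True:
            token = "".join(secrets.choice(self.ALPHABET) for _ in range(self._token_length))
            if token not in self._indirect_to_direct:
                return token

    def update(self, direct_references):
        """Keep tokens for references still present, drop the rest, add new ones."""
        wanted = set(direct_references)
        for direct in list(self._direct_to_indirect):
            if direct not in wanted:
                del self._indirect_to_direct[self._direct_to_indirect.pop(direct)]
        for direct in wanted:
            if direct not in self._direct_to_indirect:
                token = self._new_token()
                self._direct_to_indirect[direct] = token
                self._indirect_to_direct[token] = direct

    def get_indirect_reference(self, direct):
        return self._direct_to_indirect.get(direct)

    def get_direct_reference(self, indirect):
        """Unknown tokens raise, so a tampered parameter never reaches the backend."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlException("unknown reference") from None

def file_link(arm, filename):
    # outbound link carries only the indirect reference, as on the slide
    return "http://www.ibank.com?file=" + arm.get_indirect_reference(filename)
```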
![Page 17: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/17.jpg)
Validating and Encoding Untrusted Input
[Diagram: input from the User passes through Validate before Business Processing and through EncodeForHTML on the way back out; backends include the Web Service, Directory, Database, File System, etc.]
![Page 18: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/18.jpg)
18
Validator
Key Methods: isValidFileUpload(filepath, filename, content), getValidDataFromBrowser(type, input), isValidDataFromBrowser(type, input), isValidHTTPRequest(request), isValidRedirectLocation(location), isValidSafeHTML(input), getValidSafeHTML(input), safeReadLine(inputStream, maxchars)
- Canonicalization is really important, yet always ignored
- Global validation of HTTP requests
![Page 19: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/19.jpg)
19
Sample XSS input: <input name="test" value="test" onblur="alert('xss field')">
Double-encoded form of "<" (a URL-encoded HTML entity): %26lt;
![Page 20: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/20.jpg)
20
Encoder
Key Methods: canonicalize(input), normalize(input), encodeForBase64(input), encodeForDN(input), encodeForHTML(input), encodeForHTMLAttribute(input), …, encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath
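An added Python sketch (not ESAPI's Java code) of the canonicalize, then validate, then encode sequence the Validator and Encoder slides describe, exercised on the slide's %26lt; and XSS probe. The choice of decoders (URL and HTML entity), the strict rejection of multiply encoded input, and the whitelist pattern are assumptions.

```python
import html
import re
import urllib.parse

class EncodingException(Exception):
    """Raised when input is multiply encoded (e.g. %26lt; -> &lt; -> <)."""

class ValidationException(Exception):
    """Raised when the canonical input does not match the expected format."""

def canonicalize(value, strict=True):
    """Strip URL and HTML-entity encoding until the value stops changing.
    Each decoder that changes the value counts as one layer; more than one
    layer is multiple encoding, which strict mode rejects outright."""
    decoders = (urllib.parse.unquote, html.unescape)
    current, layers, changed = value, 0, True
    while changed and layers <= 4:
        changed = False
        for decode in decoders:
            decoded = decode(current)
            if decoded != current:
                current, layers, changed = decoded, layers + 1, True
    if strict and layers > 1:
        raise EncodingException("multiple encoding detected in %r" % value)
    return current

def get_valid_input(raw, pattern=r"[A-Za-z0-9 _.-]{1,64}"):
    """Validate only after canonicalization, so encoded bypasses are caught."""
    canonical = canonicalize(raw)
    if re.fullmatch(pattern, canonical) is None:
        raise ValidationException("input does not match %s" % pattern)
    return canonical

def encode_for_html(value):
    """Entity-encode for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)
```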
![Page 21: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/21.jpg)
Enhancing HTTP
[Diagram: HTTPUtilities sits between the User and Business Processing, with Logging alongside; functions: Add CSRF Token, Verify CSRF Token, Secure Cookies, Secure Redirect, No Cache Headers, Safe Request Logging, Safe File Upload, Add Safe Header]
![Page 22: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/22.jpg)
22
HTTPUtilities
Key Methods: addCSRFToken(href), checkCSRFToken(href), addSafeCookie(name, value, age, domain, path), addSafeHeader(header, value), changeSessionIdentifier(), getFileUploads(tempDir, finalDir), isSecureChannel(), killCookie(name), sendSafeRedirect(href), setContentType(), setNoCacheHeaders()
Safer ways of dealing with HTTP, including secure cookies
![Page 23: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/23.jpg)
23
Encryptor
Key Methods: decrypt(ciphertext), encrypt(plaintext), hash(plaintext, salt), loadCertificateFromFile(file), getTimeStamp(), seal(data, expiration), verifySeal(seal, data), sign(data), verifySignature(signature, data)
- Simple master key in configuration
- Minimal certificate support
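An added Python sketch (not ESAPI's Java code) of the seal/verifySeal and hash methods from the slide, keyed from a single master key: HMAC-SHA256 over the expiration and data for seals, PBKDF2 for the salted hash. The seal layout, the separator and the algorithm choices are assumptions.

```python
import base64
import hashlib
import hmac
import time

class Encryptor:
    """Seals bind data to an expiration under one master key from configuration."""
    SEP = "|"

    def __init__(self, master_key: bytes):
        self._key = master_key

    def _mac(self, body: str) -> bytes:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest().encode()

    def seal(self, data: str, expiration: int) -> str:
        """Return 'expiration|base64(data)|mac'; base64 keeps the separator out of data."""
        body = f"{expiration}{self.SEP}{base64.b64encode(data.encode()).decode()}"
        return body + self.SEP + self._mac(body).decode()

    def verify_seal(self, seal: str, data: str, now: float = None) -> bool:
        """True only if the MAC checks, the seal is unexpired and it was made for data."""
        now = time.time() if now is None else now
        try:
            exp_str, encoded, mac = seal.split(self.SEP)
            expiration = int(exp_str)
        except ValueError:
            return False                     # malformed seal
        body = exp_str + self.SEP + encoded
        if not hmac.compare_digest(mac.encode(), self._mac(body)):
            return False                     # forged or tampered (expiration is covered)
        if now >= expiration:
            return False                     # expired
        return base64.b64decode(encoded).decode() == data

    @staticmethod
    def hash(plaintext: str, salt: bytes, iterations: int = 100_000) -> str:
        """Salted, iterated hash for password storage (PBKDF2-HMAC-SHA256)."""
        return hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations).hex()
```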
![Page 24: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/24.jpg)
24
EncryptedProperties
Key Methods: getProperty(key), setProperty(key, value), keySet(), load(inputStream), store(outputStream, comments)
- Simple protected storage for configuration data
- Main program to preload encrypted data!
![Page 25: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/25.jpg)
25
Randomizer
Key Methods: getRandomGUID(), getRandomInteger(min, max), getRandomReal(min, max), getRandomString(length, characterSet)
Several pre-defined character sets: lowers, uppers, digits, specials, letters, alphanumerics, password, etc.
![Page 26: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/26.jpg)
26
Exception Handling
EnterpriseSecurityException: AccessControlException(userMsg, logMsg), AuthenticationException(userMsg, logMsg), AvailabilityException(userMsg, logMsg), CertificateException(userMsg, logMsg), EncodingException(userMsg, logMsg), EncryptionException(userMsg, logMsg), ExecutorException(userMsg, logMsg), IntrusionException(userMsg, logMsg), ValidationException(userMsg, logMsg)
Sensible security exception framework
![Page 27: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/27.jpg)
27
Logger
Key Methods: getLogger(applicationName, moduleName), formatHttpRequestForLog(request, sensitiveList), logCritical(type, message, throwable), logDebug(type, message, throwable), logError(type, message, throwable), logSuccess(type, message, throwable), logTrace(type, message, throwable), logWarning(type, message, throwable)
All ESAPI exceptions are automatically logged
![Page 28: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/28.jpg)
Detecting Intrusions
[Diagram: the ESAPI IntrusionDetector watches the User, Business Processing and Backend tiers with tailorable quotas; responses are Log, Logout, and Disable]
![Page 29: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/29.jpg)
29
IntrusionDetector
Key Methods: addException(exception), addEvent(event)
Model: EnterpriseSecurityExceptions are automatically added; specify a threshold for each event type:
org.owasp.esapi.ValidationException.count=3
org.owasp.esapi.ValidationException.interval=3 (seconds)
org.owasp.esapi.ValidationException.action=logout
Actions are log message, disable account
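An added Python sketch (not ESAPI's Java code) of the quota model on the slide: the count/interval/action settings are parsed per event type, events are counted per user in a sliding window, and the configured action is returned once count events fall within interval seconds. The threshold text is the slide's example; the per-user bookkeeping and the window reset are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed threshold settings in the format shown on the slide
THRESHOLDS = """
org.owasp.esapi.ValidationException.count=3
org.owasp.esapi.ValidationException.interval=3
org.owasp.esapi.ValidationException.action=logout
"""

class ValidationException(Exception):
    event_type = "org.owasp.esapi.ValidationException"

def parse_thresholds(text):
    """'<event type>.count|interval|action=value' lines -> {event type: settings}."""
    thresholds = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        event_type, setting = key.rsplit(".", 1)
        thresholds[event_type][setting] = int(value) if setting in ("count", "interval") else value
    return dict(thresholds)

class IntrusionDetector:
    def __init__(self, thresholds):
        self._thresholds = thresholds
        # user -> event type -> timestamps of recent events (sliding window)
        self._events = defaultdict(lambda: defaultdict(deque))

    def add_event(self, user, event_type, now=None):
        """Record an event for user; return the configured action ('log', 'logout'
        or 'disable') once count events fall within interval seconds, else None."""
        now = time.time() if now is None else now
        rule = self._thresholds.get(event_type)
        if rule is None:
            return None                        # no quota configured for this type
        window = self._events[user][event_type]
        window.append(now)
        while now - window[0] > rule["interval"]:
            window.popleft()                   # drop events outside the interval
        if len(window) >= rule["count"]:
            window.clear()                     # reset so the action fires once
            return rule.get("action", "log")
        return None

    def add_exception(self, user, exc, now=None):
        """EnterpriseSecurityExceptions are added automatically, keyed by their type."""
        return self.add_event(user, getattr(exc, "event_type", type(exc).__name__), now)
```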
![Page 30: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/30.jpg)
30
SecurityConfiguration
Customizable: crypto algorithms, encoding algorithms, character sets, global validation rules, logging preferences, intrusion detection thresholds and actions, etc.
All security-relevant configuration in one place
![Page 31: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/31.jpg)
Coverage
OWASP Top Ten item and the OWASP ESAPI component that covers it:
- A1. Cross Site Scripting (XSS): Validator, Encoder
- A2. Injection Flaws: Encoder
- A3. Malicious File Execution: HTTPUtilities (upload)
- A4. Insecure Direct Object Reference: AccessReferenceMap
- A5. Cross Site Request Forgery (CSRF): User (csrftoken)
- A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
- A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
- A8. Insecure Cryptographic Storage: Encryptor
- A9. Insecure Communications: HTTPUtilities (secure cookie, channel)
- A10. Failure to Restrict URL Access: AccessController
![Page 32: The OWASP Enterprise Security API](https://reader036.fdocuments.in/reader036/viewer/2022081506/5681364b550346895d9dc941/html5/thumbnails/32.jpg)
32
Closing Thoughts
- I have learned an amazing amount (I thought I knew)
- An ESAPI is a key part of a balanced breakfast: build requirements, guidelines, training, and tools around your ESAPI
- Secondary benefits: may help static analysis do better; enables security upgrades across applications; simplifies developer training
- Next year – experiences moving to ESAPI