[Wroclaw #3] Security fix or workaround
Transcript of [Wroclaw #3] Security fix or workaround
Security fix or workaround: which way to select?
Bohdan Serednytskyi, OWASP Lviv
• OWASP Lviv Chapter
• Security Consulting Team at SoftServe
We are…
Communication with client
Project Execution
Delivering Results
Consulting the Dev Team on fixing issues
Usual Project Flow
Tools will solve all our problems
Client's Vision
https://www.outpost24.com/wp-content/uploads/2014/12/Picture1-1024x610.jpg
Automated Tools Effectiveness
• All application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
• They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
MITRE Claims
Case with One Educational Application
Security Test Results (Risk, Vulnerability, Remediation Status)
Critical
  CROSS-SITE REQUEST FORGERY (CSRF): PARTIALLY FIXED
  CROSS-SITE SCRIPTING (STORED): NEED IMPROVEMENT
High
  SESSION TOKEN DOES NOT CHANGE AFTER LOGIN: FIXED
Medium
  USER LOGIN ID ENUMERATION: FIXED
  WEAK PASSWORD REQUIREMENTS: FIXED
  NO LOGOUT FUNCTION IMPLEMENTED: FIXED
  ACCOUNT ENUMERATION: FIXED
  IMPROPER ACCESS CONTROL: FIXED
  STUDENT CAN REVEAL TEACHER'S LOGIN FROM SERVER RESPONSE: NOT FIXED
Low
  ERROR MESSAGES REVEAL SENSITIVE INFORMATION: FIXED
  INTERNAL IP ADDRESS DISCLOSURE: FIXED
  INSUFFICIENT PASSWORD HISTORY MANAGEMENT: FIXED
XSS Vulnerability Fixing
Initial payload: '});alert(1)"
Protection implemented by Developers Team: \'});alert(1)"
\'});alert(1)"
Modified payload: \\'});alert(1)"
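To show why the "escape the quote" workaround on the slide needs improvement while a context-aware encoding holds, here is an added example (not code from the talk or from the application it describes). It assumes the sink is an inline-script string literal of the form var name = '<value>'; which the talk does not show; the checker only models quote breakout, not HTML parsing.

```javascript
// Assumed sink (not from the talk): user input spliced into a JS string literal.
function renderWithQuoteEscaping(value) {
  return "var name = '" + escapeQuotesOnly(value) + "';";
}

// The workaround the dev team shipped: put a backslash before every quote
// and nothing else. A value that already ends in a backslash turns "\" + "'"
// into "\\" (an escaped backslash) followed by a live, unescaped quote.
function escapeQuotesOnly(value) {
  return value.replace(/(['"])/g, "\\$1");
}

// The fix: serialize the value as a JavaScript string literal. JSON.stringify
// escapes backslashes and double quotes together, so no prefix the user adds
// can neutralise the escaping; "<" is also escaped so a literal "</script>"
// cannot terminate the inline script block in the HTML parser.
function toJsStringLiteral(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

function renderWithJsonEncoding(value) {
  return "var name = " + toJsStringLiteral(value) + ";";
}

// Returns the source that remains after the first string literal in `script`
// closes, following JS escape rules (a backslash consumes the next character).
// If the value stayed inside the literal this is exactly ";"; anything else
// means the input broke out of the string context. null = unterminated literal.
function afterStringLiteral(script) {
  const start = script.search(/['"]/);
  const quote = script[start];
  for (let i = start + 1; i < script.length; i++) {
    if (script[i] === "\\") { i++; continue; }
    if (script[i] === quote) return script.slice(i + 1);
  }
  return null;
}

// The two payloads from the slide, as constructed test inputs.
const initialPayload = "'});alert(1)\"";
const modifiedPayload = "\\'});alert(1)\"";

for (const [label, render] of [["quote-escaping", renderWithQuoteEscaping],
                               ["JSON encoding", renderWithJsonEncoding]]) {
  for (const p of [initialPayload, modifiedPayload]) {
    const tail = afterStringLiteral(render(p));
    console.log(label, JSON.stringify(p), tail === ";" ? "contained" : "BREAKOUT: " + tail);
  }
}
```

Running the block prints that the quote-escaping workaround contains the initial payload but not the modified one, while JSON encoding contains both.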
CSRF and Information Leakage Fixing
Best Practices
Every security flaw is a process problem
Security vulnerabilities are “patterned”.
A security issue could be widespread across all code bases.
Ensure that root cause analysis is used
Remove as many vulnerabilities of this type as is possible within the prescribed time frame or budget
Involve Security Expert
Recommendations
Use Fast Fix Methods - WAFs
A security solution at the web application level that does not depend on the application itself
Security Expert is not a Developer
• OWASP Secure Coding Practices
• OWASP Guide Project
• OWASP Enterprise Security API
• Microsoft Web Protection Library
Resources
Security is a Journey
Not a Destination
• Patching
• Updating
• Continuous Security Monitoring
• Regular Security Tests
Questions?
Thank You!
http://owasp-lviv.blogspot.com/