AppSec Initiative - owasp-esapi-java

Establishing an Enterprise Security API to Reduce Application Security Costs
Jeff Williams
Aspect CEO and Founder
Volunteer Chair of OWASP
[email protected]
410-707-1487
Copyright © 2008 – Aspect Security – www.aspectsecurity.com
The Problem…
Diagram: each security need is met by a different library, or by custom code, rather than by one standard control: Spring, Jasypt, Java Pattern, Commons Validator, Cryptix, JCE, xml-enc, Java URL Encoder, Log4j, JAAS, ACEGI, Struts, Stinger, BouncyCastle, Reform, xml-dsig, Anti-XSS, HDIV, Java Logging, and many more.
Vulnerability Theory
• A risk is a path from threat agent to business impact
Diagram: Threat Agent → Vector → Vulnerability (or Missing Control) → Control → Technical Impact on an Asset or Function → Business Impact; several vectors, vulnerabilities and controls lie along each path.
More Vulnerability Theory
• Every vulnerability stems from…
• Missing control
  - Lack of encryption
  - Failure to perform access control
• Broken control
  - Weak hash algorithm
  - Fail open
• Ignored control
  - Failure to use encryption
  - Forgot to use output encoding
Time to Stamp Out Homegrown Controls
• Security controls are very difficult to get right
  - Requires extensive understanding of attacks
• One was built with stuff “Larry” had lying around!
Imagine an Enterprise Security API
• All the security controls a developer needs
• Standard
• Centralized
• Organized
• Integrated
• High Quality
• Intuitive
• Tested
• Solves the problems of missing and broken controls
Ignored Controls
• Not solved, but we can make it far simpler…
  - Coding Guidelines
  - Static Analysis
  - Developer Training
  - Unit Testing
  - Etc…
Enterprise Security API
Diagram: a Custom Enterprise Web Application calls the Enterprise Security API components (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), which in turn wrap Existing Enterprise Security Services/Libraries.
Validation, Encoding, and Injection
Diagram: data flows from the User through the User Interface, Controller, Business Functions and Data Layer to the backends (Web Service, Database, Mainframe, File System, Etc…). On the way in: Set Character Set, Canonicalize, Validate (Global Validate, then Specific Validate, then Sanitize). On the way out: Encode For HTML, and more generally Canonicalize, Validate and apply Any Encoding for Any Interpreter.
Handling Validation and Encoding
Diagram: the Validator sits between the User and the Controller; the Encoder sits between the Data Layer and the Backend.
Validator methods:
isValidCreditCard
isValidDataFromBrowser
isValidDirectoryPath
isValidFileContent
isValidFileName
isValidHTTPRequest
isValidListItem
isValidRedirectLocation
isValidSafeHTML
isValidPrintable
safeReadLine
Encoder features: Canonicalization, Double Encoding Protection, Sanitization, Normalization
Encoder methods:
encodeForJavaScript
encodeForVBScript
encodeForURL
encodeForHTML
encodeForHTMLAttribute
encodeForLDAP
encodeForDN
encodeForSQL
encodeForXML
encodeForXMLAttribute
encodeForXPath
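An added illustration (not ESAPI's own code) of the Encoder responsibilities listed above: context-specific output encoding for the HTML body and JavaScript string contexts, plus canonicalization that rejects double-encoded input. The class and method names are assumptions modelled on the slide; it needs only the JDK (Java 10 or later for the URLDecoder overload used).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
// Illustrative stand-in for ESAPI's Encoder; the names are assumptions, not the library's API.
public final class ContextualEncoder {
    // HTML body context: characters an HTML parser treats as markup become entities.
    public static String encodeForHTML(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string-literal context: allow-list ASCII letters and digits and hex-escape
    // everything else, so the data can never close the quote or start a new statement.
    public static String encodeForJavaScript(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) out.append(c);
            else out.append(String.format(c < 256 ? "\\x%02X" : "\\u%04X", (int) c));
        }
        return out.toString();
    }

    // Canonicalize: URL-decode until the value is stable; needing a second pass means
    // the input arrived double encoded, which is treated as an attack rather than data.
    public static String canonicalize(String input) {
        String current = input;
        int passes = 0;
        while (true) {
            String next = URLDecoder.decode(current, StandardCharsets.UTF_8); // Java 10+
            if (next.equals(current)) return current;
            if (++passes > 1) throw new IllegalArgumentException("double encoding: " + input);
            current = next;
        }
    }

    public static void main(String[] args) {
        System.out.println(encodeForHTML("<script>alert('x')</script>"));
        System.out.println(encodeForJavaScript("x'\"<"));
        System.out.println(canonicalize("%3Cscript%3E"));
        canonicalize("%253Cscript%253E"); // double encoded: rejected with an exception
    }
}
```

The point of the two encoders is that the same untrusted string needs a different transformation for each interpreter it reaches, which is why the slide lists one method per context rather than a single "escape" call.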
Handling Authentication and Users
Diagram: ESAPI's Authentication and Users components sit between the User and the Controller, Business Functions, Data Layer and Backend. Features: Strong Passwords, Roles, CSRF Tokens, Random Tokens, Logging, Intrusion Detection, Access Control, Timeout, Lockout, Remember Me, Screen Name.
Handling Access Control
Diagram: access control checks at each boundary of the same flow (User → User Interface → Controller → Business Functions → Data Layer → Web Service, Database, Mainframe, File System, Etc…):
isAuthorizedForURL
isAuthorizedForFunction
isAuthorizedForData
isAuthorizedForService
isAuthorizedForFile
Handling Direct Object References
Diagram: the Access Reference Map translates between the Indirect References exposed to the User (http://app?id=1, http://app?file=7d3J93) and the Direct References used by the backends (Acct:9182374 in a Web Service, Database or Mainframe; Report123.xls in the File System). Without it the direct reference leaks into the URL: http://app?id=9182374.
Handling Sensitive Information
Diagram: the Encryptor and Encrypted Properties components serve the Controller, Business Functions and Data Layer between the User and the Backend. Encryptor features: Encryption, Digital Signatures, Integrity Seals, Salted Hash, Strong GUID, Random Tokens, Timestamp. EncryptedProperties: Safe Config Details.
Handling Exceptions, Logging, and Detection
Diagram: the Controller, Business Functions and Data Layer throw Enterprise Security Exceptions; the User sees a User Message (no detail) while the Logger writes a Log Message (w/Identity) and the Intrusion Detector counts the events.
Enterprise Security Exceptions:
AccessControlException
AuthenticationException
AvailabilityException
EncodingException
EncryptionException
ExecutorException
IntegrityException
IntrusionException
ValidationException
Intrusion Detector: Configurable Thresholds
Responses:
• Log Intrusion
• Logout User
• Disable Account
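An added illustration of the configurable-threshold detection described on this slide; it is written for this page and is not ESAPI's IntrusionDetector. The event type names reuse the exception names above; the class layout, window semantics (a sliding window of `intervalMillis`) and the sample thresholds are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Illustrative threshold-based intrusion detector; not ESAPI's own IntrusionDetector.
public final class IntrusionDetector {
    public enum Response { LOG, LOGOUT, DISABLE }

    // A threshold: `count` events of one type from one user within `intervalMillis`.
    private static final class Threshold {
        final int count; final long intervalMillis; final Response response;
        Threshold(int count, long intervalMillis, Response response) {
            this.count = count; this.intervalMillis = intervalMillis; this.response = response;
        }
    }

    private final Map<String, Threshold> thresholds = new HashMap<>();
    private final Map<String, Deque<Long>> history = new HashMap<>(); // key: user|eventType

    // As on the configuration slide, thresholds and actions are data, not code.
    public void configure(String eventType, int count, long intervalMillis, Response response) {
        thresholds.put(eventType, new Threshold(count, intervalMillis, response));
    }

    // Record a security exception for a user. Returns the response to apply once the
    // threshold is crossed inside the sliding window, or null while it is not.
    public Response addEvent(String user, String eventType, long nowMillis) {
        Threshold t = thresholds.get(eventType);
        if (t == null) return null;                      // unconfigured types are only logged
        Deque<Long> times = history.computeIfAbsent(user + "|" + eventType, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        while (nowMillis - times.peekFirst() > t.intervalMillis) times.pollFirst(); // expire
        if (times.size() < t.count) return null;
        times.clear();                                   // reset so the action fires once
        return t.response;
    }

    public static void main(String[] args) {
        IntrusionDetector detector = new IntrusionDetector();
        detector.configure("ValidationException", 5, 60_000L, Response.LOGOUT);
        detector.configure("AuthenticationException", 3, 300_000L, Response.DISABLE);
        long now = System.currentTimeMillis();
        for (int i = 0; i < 5; i++) {                    // 5 bad inputs in 4 seconds -> LOGOUT
            Response r = detector.addEvent("alice", "ValidationException", now + i * 1000L);
            System.out.println("event " + (i + 1) + ": " + r);
        }
        System.out.println(detector.addEvent("bob", "AuthenticationException", now));
    }
}
```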
Handling HTTP
Diagram: HTTP Utilities serve the Controller, Business Functions and Data Layer between the User and the Backend. Functions:
Add Safe Header
No Cache Headers
Set Content Type
sendSafeForward
sendSafeRedirect
Add Safe Cookie
Kill Cookie
isSecureChannel
Change SessionID
Safe Request Logging
Safe File Uploads
CSRF Tokens
Encrypt State in Cookie
Hidden Field Encryption
Querystring Encryption
Handling Application Security Configuration
Diagram: a single ESAPI Configuration applies across the Controller, Business Functions, Data Layer and Backend.
• Select crypto algorithms
• Select encoding algorithms
• Define sets of characters
• Define global validation rules
• Select logging preferences
• Establish intrusion detection thresholds and actions
• Etc…
Coverage
OWASP Top Ten: OWASP ESAPI component
A1. Cross Site Scripting (XSS): Validator, Encoder
A2. Injection Flaws: Encoder
A3. Malicious File Execution: HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage: Encryptor
A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access: AccessController
Frameworks and ESAPI
• Frameworks already have some security
  - Controls are frequently missing, incomplete, or wrong
• ESAPI is NOT a framework
  - Just a collection of security building blocks, not “lock in”
  - Designed to help retrofit existing applications with security
• ESAPI Framework Integration Project
  - We’ll share best practices for integrating
  - Hopefully, framework teams like Struts adopt ESAPI
Potential Enterprise Cost Savings
• Application Security Program
  - AppSec Training
  - Secure Development Lifecycle
  - AppSec Guidance and Standards
  - AppSec Inventory and Metrics
• Assumptions
  - 1000 applications, many technologies, some outsourcing
  - 300 developers, 10 training classes a year
  - 50 new application projects per year
  - Small application security team
  - 50 reviews per year
Small Project Costs to Handle XSS
Cost Area                                       | Typical   | With Standard XSS Control
XSS Training                                    | 1 day     | 2 hours
XSS Requirements                                | 2 days    | 1 hour
XSS Design (Threat Model, Arch Review)          | 2.5 days  | 1 hour
XSS Implementation (Build and Use Controls)     | 7 days    | 16 hours
XSS Verification (Scan, Code Review, Pen Test)  | 3 days    | 12 hours
XSS Remediation                                 | 3 days    | 4.5 hours
Totals                                          | 18.5 days | 4.5 days
Potential Enterprise ESAPI Cost Savings
Cost Area                                          | Typical           | With ESAPI
AppSec Training (semiannual)                       | $270K             | $135K
AppSec Requirements                                | 250 days ($150K)  | 50 days ($30K)
AppSec Design (Threat Model, Arch Review)          | 500 days ($300K)  | 250 days ($150K)
AppSec Implementation (Build and Use Controls)     | 1500 days ($900K) | 500 days ($300K)
AppSec Verification (Scan, Code Review, Pen Test)  | 500 days ($300K)  | 250 days ($150K)
AppSec Remediation                                 | 500 days ($300K)  | 150 days ($90K)
AppSec Standards and Guidelines                    | 100 days ($60K)   | 20 days ($12K)
AppSec Inventory, Metrics, and Management          | 250 days ($150K)  | 200 days ($120K)
Totals                                             | $2.43M            | $1.00M
OWASP Project Status
Source Code and Javadoc Online Now!
http://code.google.com/p/owasp-esapi-java
Banned Java APIs
Banned API -> ESAPI replacement
System.out.println() -> Logger.*
Throwable.printStackTrace() -> Logger.*
Runtime.exec() -> Executor.safeExec()
Reader.readLine() -> Validator.safeReadLine()
Session.getId() -> Randomizer.getRandomString() (better not to use at all)
ServletRequest.getUserPrincipal() -> Authenticator.getCurrentUser()
ServletRequest.isUserInRole() -> AccessController.isAuthorized*()
Session.invalidate() -> Authenticator.logout()
Math.random() / java.util.Random -> Randomizer.*
File.createTempFile() -> Randomizer.getRandomFilename()
ServletResponse.setContentType() -> HTTPUtilities.setContentType()
ServletResponse.sendRedirect() -> HTTPUtilities.sendSafeRedirect()
RequestDispatcher.forward() -> HTTPUtilities.sendSafeForward()
ServletResponse.addHeader() -> HTTPUtilities.addSafeHeader()
ServletResponse.addCookie() -> HTTPUtilities.addSafeCookie()
ServletRequest.isSecure() -> HTTPUtilities.isSecureChannel()
Properties.* -> EncryptedProperties.*
ServletContext.log() -> Logger.*
java.security and javax.crypto -> Encryptor.*
java.net.URLEncoder/Decoder -> Encoder.encodeForURL/decodeForURL
java.sql.Statement.execute -> PreparedStatement.execute
ServletResponse.encodeURL -> HTTPUtilities.safeEncodeURL (better not to use at all)
ServletResponse.encodeRedirectURL -> HTTPUtilities.safeEncodeRedirectURL (better not to use at all)
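An added illustration of one row of the table, ServletResponse.sendRedirect() replaced by a validated redirect, written for this page and not ESAPI's implementation of isValidRedirectLocation or sendSafeRedirect. The allow-list of site-relative prefixes, the fallback landing page and the sample targets are assumptions; it needs Java 9 or later for List.of.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Illustrative replacement for ServletResponse.sendRedirect(); not ESAPI's implementation.
public final class SafeRedirect {
    // Assumed site-relative paths this application is willing to redirect to.
    private static final List<String> ALLOWED_PREFIXES = List.of("/account/", "/reports/");

    // A valid redirect location is a site-relative path (no scheme and no authority, so
    // "http://evil" and "//evil" are both rejected) that stays under an allowed prefix.
    public static boolean isValidRedirectLocation(String location) {
        if (location == null || location.isEmpty()) return false;
        try {
            URI uri = new URI(location);                 // CR/LF, spaces and backslashes fail to parse
            if (uri.getScheme() != null || uri.getRawAuthority() != null) return false;
            String path = uri.getPath();                 // percent-decoded
            if (path == null || !path.startsWith("/")) return false;
            // Decoded control characters (header injection) and any ".." (escape from the
            // allowed prefix, including via %2e%2e) are rejected conservatively.
            if (path.chars().anyMatch(c -> c < 0x20 || c > 0x7E) || path.contains("..")) return false;
            for (String prefix : ALLOWED_PREFIXES) {
                if (path.startsWith(prefix)) return true;
            }
            return false;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Stand-in for sendSafeRedirect: the Location value to send, or a fixed safe landing
    // page when the requested target fails validation (fail closed, never pass it through).
    public static String sendSafeRedirect(String requested) {
        return isValidRedirectLocation(requested) ? requested : "/account/home";
    }

    public static void main(String[] args) {
        String[] targets = { "/account/summary", "/reports/2008?q=1", "http://evil.example/",
                             "//evil.example/", "/account/../admin", "/reports/x%0d%0aSet-Cookie:a=b" };
        for (String t : targets) {
            System.out.println(t + " -> " + sendSafeRedirect(t));
        }
    }
}
```

Only the first two constructed targets survive validation; the rest fall back to the landing page, which is the behaviour the banned-API table asks for in place of the raw sendRedirect() call.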
About Aspect Security
Specialists in Application Security
• Exclusive focus on Application Security since 2002
• Key contributors to OWASP and authors of OWASP Top Ten
• Application security champions in FISMA and SSE-CMM
Assurance Services for Critical Applications
• Millions of lines of code verified per month
• Java, JSP, C/C++, C#, ASP, VB.NET, ABAP, PHP, CFMX, Perl…
• Platforms – J2EE, .NET, SAP, Oracle, PeopleSoft, Struts, …
Acceleration Services for Software, Security, and Management Teams
• Proven application security initiatives
• Integrate key security activities into existing software teams
• Framework and tool tailoring for producing secure code
Application Security Education and Training Curriculum
• Over 180 course offerings per year
• Secure coding for developers (hands-on, language-specific)
• Leaders and managers, testers, architects, threat modeling
Questions and Answers
Extra Slides
Rich Data == Code
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE note SYSTEM "Note.dtd">
<note>
<to>Tove</to>
<from>Jani</from>
<heading>Reminder</heading>
<body>Don't forget me this weekend!</body>
</note>
<xsl:template match="/">
<xsl:param name="parameter"/>
<xsl:value-of select="$parameter"/>
</xsl:template>
{"text": {
"data": "Click Here",
"size": 36,
"style": "bold",
"name": "text1",
"hOffset": 250,
"vOffset": 100,
"alignment": "center",
"onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;"
}
}
<s:task b:action="xsl-transform"
b:stylesheet="$stylesheet"
b:datasource="$data"
b:destination="id('destination')" >
<s:with-param b:name="parameter"
b:select="'123'">
</s:with-param>
</s:task>
Browser Same Origin Policy
Diagram: a page from www.mybank.com and a page from investorsblog.net each issue XHR, TAG and JS requests; the same origin policy decides which origin's document and cookies each script may read.
Browser == Operating System
Diagram: Javascript Engine, Java Engine, Flash Engine, Quicktime Engine, Acrobat Reader, Silverlight, etc… all running on top of the Operating System.
DOM Checker
http://code.google.com/p/dom-checker/
IE 7.0.6… latest patches (remote)
Firefox 2.0.0.12 latest patches (remote)
Network == Computer
<!-- deploy program in website and wait -->
<program>
loop through top 100 banks {
use local credentials to attempt access to bank
if access allowed {
pull list of attacks from storage
attack 1: use checking service to steal $99
attack 2: post this comment to a blog
...
}
}
</program>
Diagram: the network as one computer, with an Internet API, Storage, Services, and CPU, Identities, and Access.
Potential Enterprise ESAPI Cost Savings