Don’t Write Your Own Security Code – The Enterprise Security API Project
OWASP
Jeff Williams, Aspect Security CEO, Volunteer Chair of OWASP
[email protected]  410-707-1487
Copyright © 2009 - The OWASP Foundation
This work is available under the Creative Commons SA 3.0 license
The OWASP Foundation  http://www.owasp.org
Vulnerabilities and Security Controls
  Misused 15%   Ignored 20%   Missing 35%   Broken 30%

What Methods Do Developers Need?
  Custom Application --> Enterprise Security API:
  Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder,
  HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling,
  Logger, IntrusionDetector, SecurityConfiguration

Standardize and Isolate Your Custom Applications
  Your Custom Applications: App1, App2, App3, App4, App5 … AppN
  Your Enterprise Security API
  Your Security Services and Libraries: Svc1, Svc2, Svc3, Lib1, Lib2, Lib3

Deceptively Tricky…
  1. Input Validation
  2. Output Encoding
  3. Errors, Logging, and Intrusion Detection
  Lots more…

Web Escaping and Encoding (ways to write the single character <)
  Percent Encoding: %3c %3C
  HTML Entity Encoding: &lt; &lT &Lt &lT; and dozens of further named and numeric variants
  JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
  CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
  Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
  US-ASCII: ¼
  UTF-7: +ADw-
  Simple Double Encoding:
    < --> &lt; --> &amp;lt; (double entity)
    < --> %3c --> %253c (double percent)
    etc...
  Simple Nested Escaping:
    < --> %3c --> %%33%63 (nested encode percent both nibbles)
    < --> %3c --> %%33c (nested encode first nibble percent)
    < --> %3c --> %3%63 (nested encode second nibble percent)
    < --> &lt; --> &&#108;t; (nested encode l with entity)
    etc...
  Double Encoding with Multiple Schemes:
    < --> &lt; --> %26lt%3b (first entity, then percent)
    < --> %3c --> the % entity-encoded in turn (first percent, then entity)
    etc...
  Nested Escaping with Multiple Schemes:
    < --> &lt; --> &%6ct; (nested encode l with percent)
    < --> %3c --> %&#51;c (nested encode 3 with entity)
    etc...
  Punycode
  1,677,721,600,000,000 ways to encode <script>

1. ESAPI Input Validation
  User --> Presentation Layer --> Controller --> Business Functions --> Data Layer --> Backend
  Any Encoding, Any Interpreter
  Decoding Engine, Codecs: HTML Entity Encoding, Percent Encoding, JavaScript Encoding,
    VBScript Encoding, CSS Encoding, LDAP Encoding, MySQL Encoding, Oracle Encoding …
  Validation Engine, Validate: getValidInput() getValidNumber() getValidDate()
    getValidCreditCard() getValidSafeHTML() getValidFileName() getValidRedirect()
    safeReadLine() …

HTML Execution Contexts
  Context            Escaping syntax
  HTML Elements      &#DD  &#xHH  &entity;
  HTML Attributes    "  '  &#DD  &#xHH
  Event Handlers     "  '  \specials  \xHH  \uHHHH
  URI Attributes     %HH
  JavaScript         \any  \xHH  \uHHHH  \000 (octal)
  CSS                \specials  \xHH  \uHHHH

ESAPI Swingset
  http://www.owasp.org/index.php?title=XSS_Prevention

2. ESAPI Output Encoding
  User --> Presentation Layer --> Controller --> Business Functions --> Data Layer --> Backend
  Encoding Engine, Encode: setCharacterEncoding() encodeForHTML() encodeForHTMLAttribute()
    encodeForJavaScript() encodeForVBScript() encodeForCSS() encodeForURL() encodeForXML()
    encodeForLDAP() encodeForDN() …

Applications Enjoy Attacks
  Live Search, YouTube, Blogger
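The decoding engine on the input-validation slide has to unwind exactly the chains in the encoding table before any validation rule can be trusted. The Python below is an added illustration, not ESAPI code: it models only the percent and HTML-entity codecs, decodes to a fixpoint, and flags multiple or mixed encoding the way ESAPI's strict canonicalize() does (there it throws IntrusionException; here the input is rejected). Function names and test vectors are constructed.

```python
import html
import re
from dataclasses import dataclass, field

_PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")
def percent_decode(s: str) -> str:
    # Decode only well-formed %HH pairs; a malformed '%' stays as-is, which is
    # what lets a nested form such as %%33%63 unwind one layer per pass.
    return _PERCENT.sub(lambda m: chr(int(m.group(1), 16)), s)
# Only the entity and percent codecs are modelled; the JavaScript, CSS,
# overlong UTF-8 and UTF-7 forms on the slide are left out.
CODECS = {"percent": percent_decode, "entity": html.unescape}

@dataclass
class Canonical:
    value: str
    passes: dict = field(default_factory=dict)  # codec name -> decode passes
    @property
    def multiple_encoding(self) -> bool:  # one scheme applied twice or more
        return any(n > 1 for n in self.passes.values())
    @property
    def mixed_encoding(self) -> bool:  # two different schemes layered
        return len(self.passes) > 1

def canonicalize(s: str, max_passes: int = 10) -> Canonical:
    # Decode with every codec, repeatedly, until nothing changes. Counting the
    # passes per codec exposes the slide's chains: %%33%63 takes two percent
    # passes (nested percent); %26lt%3b takes a percent pass then an entity
    # pass (multiple schemes); %3c takes a single pass and is not flagged.
    result = Canonical(value=s)
    for _ in range(max_passes):
        changed = False
        for name, decode in CODECS.items():
            decoded = decode(result.value)
            if decoded != result.value:
                result.value = decoded
                result.passes[name] = result.passes.get(name, 0) + 1
                changed = True
        if not changed:
            break
    return result

def is_valid_input(s: str, forbidden: str = "<>\"'") -> bool:
    # Validate the canonical form, never the raw input; reject layered encodings outright.
    c = canonicalize(s)
    if c.multiple_encoding or c.mixed_encoding:
        return False
    return not any(ch in c.value for ch in forbidden)
```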
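As an added example, not code from the slides or from ESAPI, the encoders below follow the HTML Execution Contexts table and the encodeFor*() list: each context gets its own escaping syntax, and an event handler attribute, read first by the HTML parser and then by the JavaScript engine, gets both in that order. The function names and the render() template are constructed.

```python
import string

_ALNUM = frozenset(string.ascii_letters + string.digits)

def _encode(s: str, immune: str, escape) -> str:
    # ESAPI-style allow-list: alphanumerics and a tiny immune set pass through,
    # every other character is escaped in the target interpreter's own syntax.
    return "".join(c if c in _ALNUM or c in immune else escape(c) for c in s)

def encode_for_html(s: str) -> str:
    # Element content: &#xHH; (the slide's &#DD / &#xHH / &entity; row)
    return _encode(s, ",.-_ ", lambda c: f"&#x{ord(c):x};")

def encode_for_html_attribute(s: str) -> str:
    # Attribute value: same syntax, but space is not immune because an
    # unquoted attribute ends at the first space
    return _encode(s, ",.-_", lambda c: f"&#x{ord(c):x};")

def encode_for_javascript(s: str) -> str:
    # JS string literal: \xHH for Latin-1, \uHHHH above (slide's JavaScript row)
    return _encode(s, ",._",
                   lambda c: f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}")

def encode_for_url(s: str) -> str:
    # URI component: %HH per UTF-8 byte (slide's URI Attributes row)
    return _encode(s, "-._~",
                   lambda c: "".join(f"%{b:02X}" for b in c.encode("utf-8")))

def encode_for_event_handler(s: str) -> str:
    # An onclick="..." value is consumed by two interpreters in turn: the HTML
    # parser decodes the attribute, then the JS engine parses the literal.
    # So encode for JS first, then wrap that in attribute encoding.
    return encode_for_html_attribute(encode_for_javascript(s))

def render(untrusted: str) -> str:
    # Constructed template placing the same value in four contexts, each with
    # the encoder for that context. No single encoder is right for all four.
    return (
        f"<p>{encode_for_html(untrusted)}</p>\n"
        f'<input value="{encode_for_html_attribute(untrusted)}">\n'
        f'<a href="/search?q={encode_for_url(untrusted)}">go</a>\n'
        f"<button onclick=\"show('{encode_for_event_handler(untrusted)}')\">x</button>"
    )
```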
3. Errors, Logging, and Detection
  User --> Presentation Layer --> Controller --> Business Functions --> Data Layer --> Backend
  throw new ValidationException("User message", "Log message");
  Enterprise Security Exceptions --> Logger --> Intrusion Detector
  Configurable Thresholds
  Responses:
  • Log Intrusion
  • Logout User
  • Disable Account

Quality

Potential Enterprise ESAPI Cost Savings
  Cost Area                                           Typical              With ESAPI
  AppSec Training (semiannual)                        $270K                $135K
  AppSec Requirements                                 250 days ($150K)     50 days ($30K)
  AppSec Design (Threat Model, Arch Review)           500 days ($300K)     250 days ($150K)
  AppSec Implementation (Build and Use Controls)      1500 days ($900K)    500 days ($300K)
  AppSec Verification (Scan, Code Review, Pen Test)   500 days ($300K)     250 days ($150K)
  AppSec Remediation                                  500 days ($300K)     150 days ($90K)
  AppSec Standards and Guidelines                     100 days ($60K)      20 days ($12K)
  AppSec Inventory, Metrics, and Management           250 days ($150K)     200 days ($120K)
  Totals                                              $2.43M               $1.00M

ESAPI Book!
  http://www.owasp.org/images/7/79/ESAPI_Book.pdf

Questions and Answers
  Rollout strategy? Integrating existing security libraries? Technical questions?
  Contact Information: Jeff Williams, [email protected], Work: 410-707-1487, Main: 301-604-4882

==== EXTRA SLIDES ====

OWASP Top Ten Coverage
  OWASP Top Ten                                     OWASP ESAPI
  A1. Cross Site Scripting (XSS)                    Validator, Encoder
  A2. Injection Flaws                               Encoder
  A3. Malicious File Execution                      HTTPUtilities (Safe Upload)
  A4. Insecure Direct Object Reference              AccessReferenceMap, AccessController
  A5. Cross Site Request Forgery (CSRF)             User (CSRF Token)
  A6. Leakage and Improper Error Handling           EnterpriseSecurityException, HTTPUtils
  A7. Broken Authentication and Sessions            Authenticator, User, HTTPUtils
  A8. Insecure Cryptographic Storage                Encryptor
  A9. Insecure Communications                       HTTPUtilities (Secure Cookie, Channel)
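The errors slide shows one exception carrying two messages and feeding a logger and an intrusion detector with configurable thresholds. The Python below is an added sketch of that pipeline, not ESAPI's implementation: class and method names, the Threshold shape and the demo() scenario are constructed, and the clock is injectable so the window logic can be checked deterministically.

```python
import time
from collections import defaultdict, deque, namedtuple

class EnterpriseSecurityException(Exception):
    # Two messages, as on the slide: str(exc) is the bland user message,
    # log_message carries the detail, so the detail cannot leak to the user.
    def __init__(self, user_message: str, log_message: str):
        super().__init__(user_message)
        self.log_message = log_message
class ValidationException(EnterpriseSecurityException):
    pass
# count events of one type within `interval` seconds trigger `actions`
Threshold = namedtuple("Threshold", "count interval actions")

class IntrusionDetector:
    def __init__(self, thresholds: dict, clock=time.monotonic):
        self.thresholds = thresholds      # exception class name -> Threshold
        self.clock = clock                # injectable for deterministic tests
        self.events = defaultdict(deque)  # (user, event) -> timestamps in window
        self.log = []                     # stand-in for the Logger
        self.responses = []               # (user, action) pairs carried out

    def add_exception(self, user: str, exc: EnterpriseSecurityException) -> None:
        # Every security exception is logged with its log message, then counted.
        self.log.append(f"{user}: {exc.log_message}")
        t = self.thresholds.get(type(exc).__name__)
        if t is None:
            return
        now = self.clock()
        window = self.events[(user, type(exc).__name__)]
        window.append(now)
        while window and now - window[0] > t.interval:  # drop stale events
            window.popleft()
        if len(window) >= t.count:
            window.clear()                               # one response per burst
            self.responses.extend((user, a) for a in t.actions)
            self.log.append(f"{user}: INTRUSION {type(exc).__name__} "
                            f"x{t.count} in {t.interval}s -> {','.join(t.actions)}")

def demo() -> IntrusionDetector:
    # Constructed scenario: three validation failures within 10 s trigger log +
    # logout; a fourth failure 26 s later starts a fresh, sub-threshold window.
    ticks = iter([0.0, 2.0, 4.0, 30.0])
    det = IntrusionDetector({"ValidationException": Threshold(3, 10.0, ("log", "logout"))},
                            clock=lambda: next(ticks))
    for field in ("zip", "zip", "phone", "zip"):
        det.add_exception("alice", ValidationException(
            "Invalid input, please try again.", f"{field} failed whitelist check"))
    return det
```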
  A10. Failure to Restrict URL Access               AccessController

Project Plan and Status
  2002  – Start Collecting
  6/06  – Sketch Informal API
  4/07  – Formalize Strawman API
  5/07  – Start Java EE Reference Implementation
  7/07  – Form Expert Panel
  12/07 – Release RC1
  3/08  – Version 1.1
  12/08 – ESAPI Summit
  1/09  – Version 1.5
  Versions: Java, .NET, PHP, Classic ASP, Cold Fusion, Haskell

Assurance
  Expert advisory/design/implementation team
  • Includes security consultants, product vendors, software developers
  • Collectively reviewed over 100 million lines of code
  • Given guidance to static analysis tool vendors
  • Taught over 500 application security classes
  Minimal and modular design/implementation
  Tools and Testing
  • ~600 JUnit test cases (89% coverage)
  • FindBugs, PMD, Ounce, Fortify clean
  • Code review by several Java security experts
  • Penetration test of sample applications
  • Full Javadoc for all functions
  Several major enterprises are using and evaluating ESAPI:
  • Sun
  • Oracle
  • Dept. of Census
  • Several Financials
  Working closely with the Java Servlet Spec team at Sun
  • They’re adopting six new changes to Java EE based on ESAPI