The OWASP Way Understanding the OWASP Vision and the Top Ten About Me • Software Security Engineer for TD Ameritrade – All information presented.


The OWASP Way
Understanding the OWASP Vision
and the Top Ten
About Me
• Software Security Engineer for TD Ameritrade
– All information presented today is exclusively my own and does not necessarily
reflect the views or position of my employer. Any questions or concerns
regarding material presented today should be addressed to the OWASP Board
of Directors care of Sarah Baso.
Geek Card
• What the Heck is OWASP?
– The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide
not-for-profit charitable organization focused on improving the security of
software. Our mission is to make software security visible, so that individuals
and organizations worldwide can make informed decisions about true
software security risks.
– Everyone is free to participate in OWASP and all of our materials are available
under a free and open software license. You'll find everything about OWASP
here on or linked from our wiki and current information on our OWASP Blog.
OWASP does not endorse or recommend commercial products or services,
allowing our community to remain vendor neutral with the collective wisdom
of the best minds in software security worldwide. We ask that the community
look out for inappropriate uses of the OWASP brand including use of our
name, logos, project names and other trademark issues.
– There are thousands of active wiki users around the globe who review the
changes to the site to help ensure quality. If you're new, you may want to
check out our getting started page. As a global group of volunteers with over
36,000 participants, questions or comments should be sent to one of our
many mailing lists or directed to the OWASP Contact Us Form.
Too Many Words
AAAhhhhhhh !!!!!!!!
GoodBye Slides
Geek Style
Did I mention I had a Geek Card?
2 Parts
OWASP
• Security Awareness Training/Standards/Guidelines for Secure Software Development in the Web Application/Mobile Application Space
Projects!
INFORMATION
Projects!
PERFORMANCE
So What is it you would say you OWASP guys do here?
We help the community Exterminate Bugs
Not like This Guy
We like to think we are this guy
But we are probably closer to this guy
We help people fix security related software bugs
What Your Developers See
YOUR LACK OF FAITH
THEY FIND IT DISTURBING
What we see
A random kid with family issues, who just happens to come across attack plans his buddies found on the internet, and takes down the whole system with one lucky shot
So, how do we help?
By Looking For Stuff Like This
A1 - INJECTION
What is it?
• Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A1 - INJECTION - Continued
Parameterized Queries
• The variable data in the SQL statement is replaced with a placeholder such as a question mark, which indicates to the database engine that this is a parameter.
• Keeping data and command apart becomes the database driver's responsibility (think compiled code: the statement structure is fixed before any value arrives).
Traditional SQL Statement
• Execute
• Retrieve Results
Parameterized Model
• Parse the statement (often called preparing the statement).
• Bind the parameter values to the parameters.
• Execute the statement.
• Optionally, retrieve the results.
• Close or finalize the statement.
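Added example, not code from the deck: the same login query built once by string concatenation and once with bound parameters, run against a constructed in-memory SQLite table so the classic tautology payload can be seen to succeed against one and fail against the other. The table, the two users and the payload are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (sample rows, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input spliced into the query text: the interpreter cannot
    tell where the data ends and the command resumes."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Query text is fixed and parsed first; the driver binds the values
    afterwards, so a quote in the input is only ever part of a value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Tautology payload: closes the password literal and appends OR '1'='1',
    # which is true for every row, so the first user in the table "logs in".
    payload = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, "alice", payload),
        "honest_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "attack_parameterized": login_parameterized(conn, "alice", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result}")
```

The parameterized version is the prepare/bind/execute model from the slide: the driver receives the statement and the values separately, so the payload is compared against the password column as a literal string and matches nothing.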
A2 - Broken Authentication and Session Management
What is it?
• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
A2 - Broken Authentication and Session Management Continued
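Added example, not from the deck: a minimal server-side session store showing the three controls that most often go missing in this category, namely unguessable session ids, rotation of the id at login so a planted id (session fixation) never becomes authenticated, and invalidation on idle timeout and logout. The 15-minute idle timeout is an assumed policy, and the clock is injectable only so the expiry path can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds without activity before a session dies (assumed policy)


class SessionStore:
    """Server-side sessions: the browser only holds an opaque random id."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock  # injectable so expiry can be exercised in tests

    def create(self, user):
        # 256 bits from the OS CSPRNG. Never build ids from usernames,
        # timestamps or a counter: those are guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def get_user(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: treated exactly like unknown
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def login(self, pre_login_sid, user):
        # Rotate the id at authentication: an id an attacker planted in the
        # victim's browser before login (session fixation) never becomes
        # an authenticated session.
        self._sessions.pop(pre_login_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Invalidate on the server; deleting the cookie alone leaves the id
        # valid for anyone who captured it.
        return self._sessions.pop(sid, None) is not None


class FakeClock:
    """Controllable clock for the demo."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(clock=clock)
    anon = store.create("guest")       # pre-login session
    sid = store.login(anon, "alice")   # id rotated at authentication
    rotated = sid != anon and store.get_user(anon) is None
    active = store.get_user(sid) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    expired = store.get_user(sid) is None
    return {"rotated": rotated, "active": active, "expired": expired}
```

In a real deployment the id is sent in a cookie flagged Secure and HttpOnly so it travels only over TLS and is not readable by script; that part is cookie configuration rather than store logic, so it is not shown here.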
A3 - Cross-Site Scripting (XSS)
What is it?
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A3 - Cross-Site Scripting (XSS) - Continued
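Added example, not from the deck: server-side rendering of a user comment with and without output escaping, plus a link renderer, because escaping is context-dependent. In an element body `html.escape` is enough; inside `href=` a `javascript:` URL contains no characters that escaping would touch, so the scheme has to be validated before the value is escaped for the attribute context. Function names and the sample payloads are constructed for the example.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author, text):
    """Untrusted strings concatenated straight into markup."""
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_escaped(author, text):
    """Escape for the HTML element context: <, >, &, ' and " become entities,
    so the browser renders the payload as text instead of parsing it."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def safe_href(url):
    """Escaping is not enough inside href: 'javascript:alert(1)' has no special
    characters. Allow only http(s) and same-site paths, then escape for the
    attribute context (quote=True also converts the double quote)."""
    candidate = url.strip()
    scheme = urlparse(candidate).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(candidate, quote=True)
    if scheme == "" and candidate.startswith("/") and not candidate.startswith("//"):
        return html.escape(candidate, quote=True)
    return "#"  # anything else (javascript:, data:, scheme-relative) is dropped


def render_link(url, label):
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable("mallory", payload))
    print(render_comment_escaped("mallory", payload))
    print(render_link("javascript:alert(1)", "click me"))
```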
A4 - Insecure Direct Object References
What is it?
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A4 - Insecure Direct Object References - Continued
A5 - Security Misconfiguration
What is it?
• Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
A5 - Security Misconfiguration Continued
A6 - Sensitive Data Exposure
What is it?
• Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A6 - Sensitive Data Exposure - Continued
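Added example, not from the deck, for the "authentication credentials" and "exchanged with the browser" parts of the slide: an unsalted fast hash beside a salted, iterated one with a self-describing storage format and constant-time verification, and a masking helper for the one piece of a card number a page should ever receive back. The iteration count is an assumption for the example, to be raised until one hash costs a few hundred milliseconds on the real servers; the storage format and function names are constructed here.

```python
import hashlib
import hmac
import os

# Work factor is an assumption for this example; raise it until one hash takes
# a few hundred milliseconds on your own servers.
ITERATIONS = 210_000


def store_password_vulnerable(password):
    """Unsalted fast hash: identical passwords collide, and a leaked table is
    cracked offline at billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, iterated hash. The record carries algorithm, cost and
    salt so the cost can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def mask_card_number(pan):
    """What the browser should get back once a card is stored: last four only."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
    print(mask_card_number("4111 1111 1111 1111"))
```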
A7 - Missing Function Level Access Control
What is it?
• Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
A7 - Missing Function Level Access Control Continued
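Added example, not from the deck, serving both the A4 slide above and this A7 slide, since the two fixes share one idea: the server re-checks authorization on every request, regardless of what the UI showed. The first half is the object-level check (is this invoice the caller's?) with an indirect-reference map as the alternative protection the A4 slide mentions; the second half is a function-level check as a decorator on a privileged operation. Invoices, users and roles are constructed sample data.

```python
import secrets

# Constructed sample data: who owns which invoice, and who holds which roles.
INVOICES = {
    101: {"owner": "alice", "total": 42},
    102: {"owner": "bob", "total": 99},
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


class Forbidden(Exception):
    pass


# ---- A4: object-level check on every direct reference -----------------------

def get_invoice_vulnerable(current_user, invoice_id):
    """The id from the URL is trusted as-is: alice can fetch /invoices/102."""
    return INVOICES[invoice_id]


def get_invoice(current_user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    # One answer for "no such invoice" and "not yours", so ids cannot be
    # enumerated by watching which error comes back.
    if invoice is None or invoice["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return invoice


class ReferenceMap:
    """Indirect references: per-user random handles that the server maps back
    to real keys, so the real key never appears in the URL at all."""

    def __init__(self):
        self._to_key = {}

    def handle_for(self, key):
        handle = secrets.token_urlsafe(8)
        self._to_key[handle] = key
        return handle

    def resolve(self, handle):
        return self._to_key.get(handle)


# ---- A7: function-level check, enforced server-side on every call -----------

def requires_role(role):
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            # Hiding the admin menu in the UI is not a control; a hand-built
            # request still arrives here, and this is where it is rejected.
            if role not in ROLES.get(current_user, set()):
                raise Forbidden(f"{current_user} lacks role {role!r}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def delete_invoice(current_user, invoice_id):
    return INVOICES.pop(invoice_id, None) is not None


def denied(fn, *args):
    """True if the call is refused by an access control check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```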
A8 - Cross-Site Request Forgery (CSRF)
What is it?
• A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A8 - Cross-Site Request Forgery (CSRF) Continued
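Added example, not from the deck: a state-changing handler that trusts the session cookie alone, beside one that also demands a token bound to the session with an HMAC. The browser attaches the cookie to a cross-site form post automatically, but the attacker's page cannot read the token out of the victim's pages, so the forged request arrives with the cookie and without the token. Requests are constructed dicts standing in for the real HTTP request, and the server secret is generated here only for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment server secret (assumed; in practice loaded from configuration,
# never regenerated on each start or the tokens of live sessions stop validating).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session with an HMAC. A page on another origin can
    make the browser send the cookie, but cannot read this token, because
    it only appears in pages served to the logged-in user."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def transfer_vulnerable(request):
    """Trusts the session cookie alone: a forged cross-site POST succeeds."""
    return 200 if request["cookies"].get("session") else 401


def transfer(request):
    """request is a constructed dict: 'cookies' is what the browser attaches
    automatically, 'form' is the body, which the attacker's page controls."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403  # cookie present, token absent or wrong: refuse
    return 200


def demo():
    sid = "session-abc"  # constructed session id
    legitimate = {
        "cookies": {"session": sid},
        "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token(sid)},
    }
    forged = {
        "cookies": {"session": sid},               # browser attached the cookie ...
        "form": {"to": "mallory", "amount": "1000"},  # ... but the token is missing
    }
    return {
        "legit_vulnerable": transfer_vulnerable(legitimate),
        "forged_vulnerable": transfer_vulnerable(forged),
        "legit": transfer(legitimate),
        "forged": transfer(forged),
    }
```

Because the token is derived from the session id it is only as secret as the session id itself, which is the point: whoever can read it already holds the session. A token from a different session, or one copied from the attacker's own login, fails the comparison.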
A9 - Using Components with Known Vulnerabilities
What is it?
• Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
A9 - Using Components with Known Vulnerabilities - Continued
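Added example, not from the deck: the core of a dependency audit, which is what any tool in this space does under the hood, namely parse the pinned versions out of a requirements file and compare each against an advisory feed's fixed-in version. The advisory entries, package names and requirements file are all constructed for the example and correspond to no real project; the version comparison handles dotted numeric versions only, where real tooling parses the full version grammar.

```python
# Constructed advisory feed for the example; not real packages or advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "fixed_in": "2.4.1"},
    {"id": "EXAMPLE-0002", "package": "otherlib", "fixed_in": "1.0.3"},
]

# Constructed requirements file as an application might pin it.
SAMPLE_REQUIREMENTS = """\
# web app dependencies
examplelib==2.3.0
OtherLib==1.0.3   # already at the fixed version
thirdlib
"""

UNPINNED = object()


def parse_version(text):
    """Dotted numeric versions only; real tooling parses the full PEP 440 grammar."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
        else:
            pins[line.lower()] = UNPINNED  # floating: what gets installed is unknown
    return pins


def audit(requirements_text, advisories=ADVISORIES):
    """Return (package, pinned version, advisory id) for every affected pin."""
    findings = []
    pins = parse_requirements(requirements_text)
    for advisory in advisories:
        name = advisory["package"].lower()
        if name not in pins:
            continue
        pinned = pins[name]
        if pinned is UNPINNED:
            findings.append((name, "unpinned", advisory["id"]))
        elif parse_version(pinned) < parse_version(advisory["fixed_in"]):
            findings.append((name, pinned, advisory["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print("vulnerable:", *finding)
```

An unpinned dependency is reported too, not because it is known to be vulnerable but because nothing can be said about it: keeping components up to date starts with knowing which version is actually deployed.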
A10 - Unvalidated Redirects and Forwards
What is it?
• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
A10 - Unvalidated Redirects and Forwards Continued
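Added example, not from the deck: validation of a `?next=` style redirect parameter against an allowlist, with the cases that defeat a naive "does it start with a slash" check handled, namely scheme-relative `//host`, backslashes that some browsers read as slashes, `javascript:` URLs and userinfo tricks such as `https://app.example.com@evil.example/`. The allowed hostname and the parameter name are assumptions of the example.

```python
from urllib.parse import urlparse

# Hostnames this application is willing to send users to (assumed deployment).
ALLOWED_HOSTS = {"app.example.com"}


def redirect_vulnerable(next_url):
    """Sends the browser wherever ?next= says: a phishing link that goes through
    the genuine login page and on to the attacker's site looks legitimate."""
    return next_url


def safe_redirect_target(next_url, fallback="/"):
    if not next_url:
        return fallback
    # Some browsers treat backslashes as slashes, so "/\evil.example" would act
    # as the scheme-relative "//evil.example"; normalise before parsing.
    candidate = next_url.strip().replace("\\", "/")
    parts = urlparse(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # A local path. "//host" parses with an empty scheme but a netloc,
        # so it never reaches this branch; "///host" does and is refused here.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    # Absolute URL: exact hostname match. hostname is already lower-cased and
    # excludes userinfo, so https://app.example.com@evil.example/ gives evil.example.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return fallback


if __name__ == "__main__":
    for url in ["/account", "//evil.example/", "https://evil.example/",
                "https://app.example.com/home", "javascript:alert(1)",
                "/\\evil.example", "https://app.example.com@evil.example/"]:
        print(f"{url!r:45} -> {safe_redirect_target(url)!r}")
```

Forwards (server-side dispatch to another page) need the same treatment with an allowlist of internal targets, plus the access control check of the target itself, since a forward that skips it is the "access unauthorized pages" case on the slide.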
What's Next for Developers????????
A Marathon Not A Sprint