SlideShare a Scribd company logo

Secure code practices

Download as PPT, PDF
Hina Rawal
Hina Rawal

Secure code best practices for developers. And comparison of 2017 and 2021 OWASP top 10 with description of vulnerability and mitigation.

Education
1 of 33
Secure code Best practices Part 1 OWASP 2017 -2021
Index  Comparison OWASP 2017- 2021  OWASP top 10:  Injection  Broken Authentication  Cross site scripting  Sensitive data exposure  Insecure Deserialization  Broken Access control  Insufficient logging and monitoring  Server side request forgery  Known Vulnerability  Security misconfiguration
OWASP Top 10 Vulnerabilities from 2017 - 2021
Injection Vulnerability  Injections are at the head of the OWASP Top 10 and Injection flaws called SQL Injection are common in web applications.  Occur: When the Web application developer does not ensure that values received from a Web form, cookie, input parameter, and so forth are validated or encoded before passing them to SQL queries that will be executed on a database server.  Mitigation: Trust no-one: Assume all user-submitted data is evil and validate and sanitize everything. Don't use dynamic SQL when it can be avoided: used prepared statements, parameterized queries or stored procedures instead whenever possible. Escaping: Use character-escaping functions for user-supplied input provided by each database management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL statement provided by the developer
BROKEN AUTHENTICATION & SESSION MANAGEMENT  Broken Authentication & Session Management allows anonymous attacks aimed at attempting to steal valuable data, especially personally identifiable information.  Occur: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Application session timeouts aren’t set properly.  Mitigation: User name and password must be strong. Use SSL certificate, Session time outs and login expiration must be there. Implement WAF(filter all the incoming website traffic)
CROSS-SITE SCRIPTING  Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code.  Occur: occurs if the server does a poor job of processing HTML escape sequences. Occurs when a attack vector contains JavaScript that doesn't come in a user request. Instead, the JavaScript code is downloaded from the server .  Mitigation: Force inputs to the same data type; Input Validation; Output sanitization; Client and server-side sanitization
Sensitive data exposures  Sensitive data, such as credit card numbers, Court data, or passwords should have extra protection given the potential of damage if it falls into the wrong hands. If data is stored or transferred as plain text, if older/weaker encryption is used, or if data is decrypted carelessly, attacker can gain access and exploit the data.  Occur: Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens.  Mitigation: The data is never stored in clear text. The data is never transmitted in clear text. The algorithms used to encrypt the data are considered strong enough. Encrypt data during transport and at rest. Minimize data surface area. Disable autocomplete on forms that collect data. Disable caching on forms that collect data.
INSECURE DESERIALIZATION  It occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. • It’s frequently possible for an attacker to abuse these deserialization features when the application is deserializing untrusted data which the attacker controls.  Mitigation: Implementing integrity checks such as digital signatures on any serialized objects to prevent data tampering. Monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
XXE (XML External Entity)  Web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end application.  Occur: This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery.  Mitigation: Use less complex data formats such as JSON, and avoiding serialization of sensitive data. Disable XML external entity and DTD processing in all XML parsers in the application
Broken Access control  Access control, or authorization, is how web apps let different users access different content, data or functions.  Occur: This vulnerability happens when the application fails to properly validate authorization after the user has been authenticated.  Mitigation: Protect all your endpoints using a role-based model which you should define once. By this you reduce inconsistencies in your overall access control policy. • Verify access to resources using IDs should always implement a verification step to make sure that the user has proper authorization. • Deny access to your resources by default, unless you want them public.
INSUFFICIENT LOGGING AND MONITORING  Lack of proper logging, monitoring, and alerting allows attacks and attackers go unnoticed.  Occur: Insufficient logging and monitoring vulnerability occurs when the security-critical events aren’t logged properly, and the system is not monitoring the current happenings. The lack of these functionalities can make the malicious activities harder to detect and it affects effective incident handling when an attack happens.  Mitigation: Make sure the logs are backed up and synced to another server. The attacker should not be able to clear all the logs after hacking the server. Go over the system and make sure sensitive actions are logged. This would include logins, high-value transactions, password changes, and so on.
Server Side request forgery : SSRF  SSRF refers to an attack which lets an attacker send crafted requests from the back-end server of a vulnerable web application. SSRF is commonly used by attackers to target internal networks that are behind firewalls and can not be reached from the external network.  Occur: when the attacker has full or partial control of the request sent by the web application. If the vulnerable web application processes the user-supplied URLs then the application is vulnerable to SSRF attacks.  Mitigation: Use a whitelist of approved domains and protocols through which remote resources can be acquired by the web server. User input should always be sanitized or validated.
Using component with known vulnerabilities  Web services to include a component with a known security vulnerability. When that happens, it falls under this category, independently of what kind of component is vulnerable, making this a very frequent finding.  The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins.  Mitigation: Make sure you are using updated plugins for your web application. Delete plugins that are not used, disable features that are of no use, block ports that are not in use
Security misconfiguration  Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls, but doing so with errors.  Occur: Security Misconfiguration occurs when Web Application component are poorly configured.  Mitigation: Secure installation processes should be implemented, including: • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. • Remove or do not install unused features and frameworks. • Implement security headers both client side or server side .
Part (2)
Secure Coding Practices Checklist Input Validation: • Conduct all data validation on a trusted system (e.g., The server) • Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.) • There should be a centralized input validation routine for the application • Specify proper character sets, such as UTF-8, for all sources of input. • Encode data to a common character set before validating (Canonicalize) • All validation failures should result in input rejection • Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8, decoding is completed 16
• Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code. • Verify that header values in both requests and responses contain only ASCII characters • Validate data from redirects (An attacker may submit malicious content directly to the target of the redirect, thus circumventing application logic and any validation performed before the redirect) • Validate for expected data types • Validate data range • Validate data length • Validate all input against a "white" list of allowed characters, whenever possible 17
• If any potentially hazardous characters must be allowed as input, be sure that you implement. • additional controls like output encoding, secure task specific APIs and accounting for the utilization • of that data throughout the application . Examples of common hazardous characters include: • < > " ' % ( ) & + ' " • If your standard validation routine cannot address the following inputs, then they should be checked • discretely • o Check for null bytes (%00) • o Check for new line characters (%0d, %0a, r, n) • o Check for “dot-dot-slash" (../ or ..) path alterations characters. • In cases where UTF-8 extended 18
• character set encoding is supported, address alternate representation like: %c0%ae%c0%ae/ • (Utilize canonicalization to address double encoding or other forms of obfuscation attacks) Output Encoding: • Conduct all encoding on a trusted system (e.g., The server) • Utilize a standard, tested routine for each type of outbound encoding • Contextually output encode all data returned to the client that originated outside the application's trust boundary. HTML entity encoding is one example, but does not work in all cases 19
• Encode all characters unless they are known to be safe for the intended interpreter • Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP • Sanitize all output of un-trusted data to operating system commands. Authentication and Password Management: • Require authentication for all pages and resources, except those specifically intended to be public • All authentication controls must be enforced on a trusted system (e.g., The server) • Establish and utilize standard, tested, authentication services whenever possible 20
• Use a centralized implementation for all authentication controls, including libraries that call external • authentication services • Segregate authentication logic from the resource being requested and use redirection to and from the • centralized authentication control • All authentication controls should fail securely • All administrative and account management functions must be at least as secure as the primary authentication mechanism • Utilize authentication for connections to external systems that involve sensitive information or functions 21
• If your application manages a credential store, it should ensure that only cryptographically strong one-way salted hashes of passwords are stored and that the table/file that stores the passwords and keys is write-able only by the application. (Do not use the MD5 algorithm if it can be avoided) • Password hashing must be implemented on a trusted system (e.g., The server). • Validate the authentication data only on completion of all data input, especially for sequential authentication implementations • Use only HTTP POST requests to transmit authentication credentials 22
• Authentication failure responses should not indicate which part of the authentication data was incorrect. For example, instead of "Invalid username" or "Invalid password", just use "Invalid username and/or password" for both. Error responses must be truly identical in both display and source code • Authentication credentials for accessing services external to the application should be encrypted and stored in a protected location on a trusted system (e.g., The server). The source code is NOT a secure location • Only send non-temporary passwords over an encrypted connection or as encrypted data, such as in an encrypted email. Temporary passwords associated with email resets may be an exception. 23
• Enforce password complexity requirements established by policy or regulation. Authentication credentials should be sufficient to withstand attacks that are typical of the threats in the deployed environment. (e.g., requiring the use of alphabetic as well as numeric and/or special characters) • Enforce password length requirements established by policy or regulation. Eight characters is commonly used, but 16 is better or consider the use of multi-word pass phrases • Password entry should be obscured on the user's screen. (e.g., on web forms use the input type "password") • Password reset and changing operations require the same level of controls as account creation and authentication. 24
25 • Enforce account disabling after an established number of invalid login attempts (e.g., five attempts is common). The account must be disabled for a period of time sufficient to discourage brute force guessing of credentials, but not so long as to allow for a denial-of- service attack to be performed • Password reset questions should support sufficiently random answers. (e.g., "favorite book" is a bad question because “The Bible” is a very common answer) • If using email based resets, only send email to a pre- registered address with a temporary link/password • Temporary passwords and links should have a short expiration time • Enforce the changing of temporary passwords on the next use
• Notify users when a password reset occurs • Prevent password re-use • Passwords should be at least one day old before they can be changed, to prevent attacks on password re-use • Enforce password changes based on requirements established in policy or regulation. Critical systems may require more frequent changes. The time between resets must be administratively controlled • Disable "remember me" functionality for password fields • The last use (successful or unsuccessful) of a user account should be reported to the user at their next successful login 26
• Implement monitoring to identify attacks against multiple user accounts, utilizing the same password. • This attack pattern is used to bypass standard lockouts, when user IDs can be harvested or guessed • Change all vendor-supplied default passwords and user IDs or disable the associated accounts • Re-authenticate users prior to performing critical operations • Use Multi-Factor Authentication for highly sensitive or high value transactional accounts • If using third party code for authentication, inspect the code carefully to ensure it is not affected by any malicious code 27
Session Management: • Use the server or framework’s session management control The application should only recognize these session identifiers as valid • Session identifier creation must always be done on a trusted system (e.g., The server) • Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers • Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site 28
• Logout functionality should fully terminate the associated session or connection • Logout functionality should be available from all pages protected by authorization • Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. In most cases it should be no more than several hours • Disallow persistent logins and enforce periodic session terminations, even when the session is active. Especially for applications supporting rich network connections or connecting to critical systems • Generate a new session identifier on any re- authentication 29
• If a session was established before login, close that session and establish a new session after a successful login • Do not allow concurrent logins with the same user ID • Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters • Protect server side session data from unauthorized access, by other users of the server, by implementing appropriate access controls on the serve • Generate a new session identifier and deactivate the old one periodically. (This can mitigate certain session hijacking scenarios) 30
• Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication. Within an application, it is recommended to consistently utilize HTTPS rather than switching between HTTP to HTTPS. • Supplement standard session management for sensitive server-side operations, like account management, by utilizing per-session strong random tokens or parameters. This method can be used to prevent Cross Site Request Forgery attacks • Supplement standard session management for highly sensitive or critical operations by utilizing per-request, as opposed to per-session, strong random tokens or parameters 31
• Set the "secure" attribute for cookies transmitted over an TLS connection • Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value 32
Thank You 33

Recommended

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 

Recommended

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
vhimsikal
 

More Related Content

What's hot

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 

What's hot (20)

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web application security
Web application securityWeb application security
Web application security
 
Security testing
Security testingSecurity testing
Security testing
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Application Security
Application SecurityApplication Security
Application Security
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 

Similar to Secure code practices

Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 

Similar to Secure code practices (20)

Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers 
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
 
OWASP Top 10 Overview
OWASP Top 10 OverviewOWASP Top 10 Overview
OWASP Top 10 Overview
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 

Recently uploaded

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 

Secure code practices

  • 1. Secure code Best practices Part 1 OWASP 2017 -2021
  • 2. Index  Comparison OWASP 2017- 2021  OWASP top 10:  Injection  Broken Authentication  Cross site scripting  Sensitive data exposure  Insecure Deserialization  Broken Access control  Insufficient logging and monitoring  Server side request forgery  Known Vulnerability  Security misconfiguration
  • 3. OWASP Top 10 Vulnerabilities from 2017 - 2021
  • 4. Injection Vulnerability  Injections are at the head of the OWASP Top 10 and Injection flaws called SQL Injection are common in web applications.  Occur: When the Web application developer does not ensure that values received from a Web form, cookie, input parameter, and so forth are validated or encoded before passing them to SQL queries that will be executed on a database server.  Mitigation: Trust no-one: Assume all user-submitted data is evil and validate and sanitize everything. Don't use dynamic SQL when it can be avoided: used prepared statements, parameterized queries or stored procedures instead whenever possible. Escaping: Use character-escaping functions for user-supplied input provided by each database management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL statement provided by the developer
  • 5. BROKEN AUTHENTICATION & SESSION MANAGEMENT  Broken Authentication & Session Management allows anonymous attacks aimed at attempting to steal valuable data, especially personally identifiable information.  Occur: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Application session timeouts aren’t set properly.  Mitigation: User name and password must be strong. Use SSL certificate, Session time outs and login expiration must be there. Implement WAF(filter all the incoming website traffic)
  • 6. CROSS-SITE SCRIPTING  Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code.  Occur: occurs if the server does a poor job of processing HTML escape sequences. Occurs when a attack vector contains JavaScript that doesn't come in a user request. Instead, the JavaScript code is downloaded from the server .  Mitigation: Force inputs to the same data type; Input Validation; Output sanitization; Client and server-side sanitization
  • 7. Sensitive data exposures  Sensitive data, such as credit card numbers, Court data, or passwords should have extra protection given the potential of damage if it falls into the wrong hands. If data is stored or transferred as plain text, if older/weaker encryption is used, or if data is decrypted carelessly, attacker can gain access and exploit the data.  Occur: Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens.  Mitigation: The data is never stored in clear text. The data is never transmitted in clear text. The algorithms used to encrypt the data are considered strong enough. Encrypt data during transport and at rest. Minimize data surface area. Disable autocomplete on forms that collect data. Disable caching on forms that collect data.
  • 8. INSECURE DESERIALIZATION  It occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. • It’s frequently possible for an attacker to abuse these deserialization features when the application is deserializing untrusted data which the attacker controls.  Mitigation: Implementing integrity checks such as digital signatures on any serialized objects to prevent data tampering. Monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
  • 9. XXE (XML External Entity)  Web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end application.  Occur: This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery.  Mitigation: Use less complex data formats such as JSON, and avoiding serialization of sensitive data. Disable XML external entity and DTD processing in all XML parsers in the application
  • 10. Broken Access control  Access control, or authorization, is how web apps let different users access different content, data or functions.  Occur: This vulnerability happens when the application fails to properly validate authorization after the user has been authenticated.  Mitigation: Protect all your endpoints using a role-based model which you should define once. By this you reduce inconsistencies in your overall access control policy. • Verify access to resources using IDs should always implement a verification step to make sure that the user has proper authorization. • Deny access to your resources by default, unless you want them public.
  • 11. INSUFFICIENT LOGGING AND MONITORING  Lack of proper logging, monitoring, and alerting allows attacks and attackers go unnoticed.  Occur: Insufficient logging and monitoring vulnerability occurs when the security-critical events aren’t logged properly, and the system is not monitoring the current happenings. The lack of these functionalities can make the malicious activities harder to detect and it affects effective incident handling when an attack happens.  Mitigation: Make sure the logs are backed up and synced to another server. The attacker should not be able to clear all the logs after hacking the server. Go over the system and make sure sensitive actions are logged. This would include logins, high-value transactions, password changes, and so on.
  • 12. Server Side request forgery : SSRF  SSRF refers to an attack which lets an attacker send crafted requests from the back-end server of a vulnerable web application. SSRF is commonly used by attackers to target internal networks that are behind firewalls and can not be reached from the external network.  Occur: when the attacker has full or partial control of the request sent by the web application. If the vulnerable web application processes the user-supplied URLs then the application is vulnerable to SSRF attacks.  Mitigation: Use a whitelist of approved domains and protocols through which remote resources can be acquired by the web server. User input should always be sanitized or validated.
  • 13. Using component with known vulnerabilities  Web services to include a component with a known security vulnerability. When that happens, it falls under this category, independently of what kind of component is vulnerable, making this a very frequent finding.  The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins.  Mitigation: Make sure you are using updated plugins for your web application. Delete plugins that are not used, disable features that are of no use, block ports that are not in use
  • 14. Security misconfiguration  Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls, but doing so with errors.  Occur: Security Misconfiguration occurs when Web Application component are poorly configured.  Mitigation: Secure installation processes should be implemented, including: • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. • Remove or do not install unused features and frameworks. • Implement security headers both client side or server side .
  • 16. Secure Coding Practices Checklist Input Validation: • Conduct all data validation on a trusted system (e.g., The server) • Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.) • There should be a centralized input validation routine for the application • Specify proper character sets, such as UTF-8, for all sources of input. • Encode data to a common character set before validating (Canonicalize) • All validation failures should result in input rejection • Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8, decoding is completed 16
  • 17. • Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code. • Verify that header values in both requests and responses contain only ASCII characters • Validate data from redirects (An attacker may submit malicious content directly to the target of the redirect, thus circumventing application logic and any validation performed before the redirect) • Validate for expected data types • Validate data range • Validate data length • Validate all input against a "white" list of allowed characters, whenever possible 17
  • 18. • If any potentially hazardous characters must be allowed as input, be sure that you implement. • additional controls like output encoding, secure task specific APIs and accounting for the utilization • of that data throughout the application . Examples of common hazardous characters include: • < > " ' % ( ) & + ' " • If your standard validation routine cannot address the following inputs, then they should be checked • discretely • o Check for null bytes (%00) • o Check for new line characters (%0d, %0a, r, n) • o Check for “dot-dot-slash" (../ or ..) path alterations characters. • In cases where UTF-8 extended 18
  • 19. • character set encoding is supported, address alternate representation like: %c0%ae%c0%ae/ • (Utilize canonicalization to address double encoding or other forms of obfuscation attacks) Output Encoding: • Conduct all encoding on a trusted system (e.g., The server) • Utilize a standard, tested routine for each type of outbound encoding • Contextually output encode all data returned to the client that originated outside the application's trust boundary. HTML entity encoding is one example, but does not work in all cases 19
  • 20. • Encode all characters unless they are known to be safe for the intended interpreter • Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP • Sanitize all output of un-trusted data to operating system commands. Authentication and Password Management: • Require authentication for all pages and resources, except those specifically intended to be public • All authentication controls must be enforced on a trusted system (e.g., The server) • Establish and utilize standard, tested, authentication services whenever possible 20
  • 21. • Use a centralized implementation for all authentication controls, including libraries that call external • authentication services • Segregate authentication logic from the resource being requested and use redirection to and from the • centralized authentication control • All authentication controls should fail securely • All administrative and account management functions must be at least as secure as the primary authentication mechanism • Utilize authentication for connections to external systems that involve sensitive information or functions 21
  • 22. • If your application manages a credential store, it should ensure that only cryptographically strong one-way salted hashes of passwords are stored and that the table/file that stores the passwords and keys is write-able only by the application. (Do not use the MD5 algorithm if it can be avoided) • Password hashing must be implemented on a trusted system (e.g., The server). • Validate the authentication data only on completion of all data input, especially for sequential authentication implementations • Use only HTTP POST requests to transmit authentication credentials 22
  • 23. • Authentication failure responses should not indicate which part of the authentication data was incorrect. For example, instead of "Invalid username" or "Invalid password", just use "Invalid username and/or password" for both. Error responses must be truly identical in both display and source code • Authentication credentials for accessing services external to the application should be encrypted and stored in a protected location on a trusted system (e.g., The server). The source code is NOT a secure location • Only send non-temporary passwords over an encrypted connection or as encrypted data, such as in an encrypted email. Temporary passwords associated with email resets may be an exception. 23
  • 24. • Enforce password complexity requirements established by policy or regulation. Authentication credentials should be sufficient to withstand attacks that are typical of the threats in the deployed environment. (e.g., requiring the use of alphabetic as well as numeric and/or special characters) • Enforce password length requirements established by policy or regulation. Eight characters is commonly used, but 16 is better or consider the use of multi-word pass phrases • Password entry should be obscured on the user's screen. (e.g., on web forms use the input type "password") • Password reset and changing operations require the same level of controls as account creation and authentication. 24
  • 25. 25 • Enforce account disabling after an established number of invalid login attempts (e.g., five attempts is common). The account must be disabled for a period of time sufficient to discourage brute force guessing of credentials, but not so long as to allow for a denial-of- service attack to be performed • Password reset questions should support sufficiently random answers. (e.g., "favorite book" is a bad question because “The Bible” is a very common answer) • If using email based resets, only send email to a pre- registered address with a temporary link/password • Temporary passwords and links should have a short expiration time • Enforce the changing of temporary passwords on the next use
  • 26. • Notify users when a password reset occurs • Prevent password re-use • Passwords should be at least one day old before they can be changed, to prevent attacks on password re-use • Enforce password changes based on requirements established in policy or regulation. Critical systems may require more frequent changes. The time between resets must be administratively controlled • Disable "remember me" functionality for password fields • The last use (successful or unsuccessful) of a user account should be reported to the user at their next successful login 26
  • 27. • Implement monitoring to identify attacks against multiple user accounts, utilizing the same password. • This attack pattern is used to bypass standard lockouts, when user IDs can be harvested or guessed • Change all vendor-supplied default passwords and user IDs or disable the associated accounts • Re-authenticate users prior to performing critical operations • Use Multi-Factor Authentication for highly sensitive or high value transactional accounts • If using third party code for authentication, inspect the code carefully to ensure it is not affected by any malicious code 27
  • 28. Session Management: • Use the server or framework’s session management control The application should only recognize these session identifiers as valid • Session identifier creation must always be done on a trusted system (e.g., The server) • Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers • Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site 28
  • 29. • Logout functionality should fully terminate the associated session or connection • Logout functionality should be available from all pages protected by authorization • Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. In most cases it should be no more than several hours • Disallow persistent logins and enforce periodic session terminations, even when the session is active. Especially for applications supporting rich network connections or connecting to critical systems • Generate a new session identifier on any re- authentication 29
  • 30. • If a session was established before login, close that session and establish a new session after a successful login • Do not allow concurrent logins with the same user ID • Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters • Protect server side session data from unauthorized access, by other users of the server, by implementing appropriate access controls on the serve • Generate a new session identifier and deactivate the old one periodically. (This can mitigate certain session hijacking scenarios) 30
  • 31. • Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication. Within an application, it is recommended to consistently utilize HTTPS rather than switching between HTTP to HTTPS. • Supplement standard session management for sensitive server-side operations, like account management, by utilizing per-session strong random tokens or parameters. This method can be used to prevent Cross Site Request Forgery attacks • Supplement standard session management for highly sensitive or critical operations by utilizing per-request, as opposed to per-session, strong random tokens or parameters 31
  • 32. • Set the "secure" attribute for cookies transmitted over an TLS connection • Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value 32