
A Sneak Peek at the OWASP Enterprise Security API

Jeff Williams, OWASP Foundation Chair (jeff.williams@owasp.org); Aspect Security CEO (jeff.williams@aspectsecurity.com).



Presentation Transcript


  1. A Sneak Peek at the OWASP Enterprise Security API
     Jeff Williams, OWASP Foundation Chair, jeff.williams@owasp.org
     Aspect Security CEO, jeff.williams@aspectsecurity.com

  2. The Challenge…
     • Developers need to rip, mix, and burn authentication, access control, input validation, encoding, encryption, logging, error handling, etc…
     • Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, lots lots more…

  3. Drivers
     • I’m tired of security “researchers”
     • Most developers shouldn’t build security controls
     • When to use a control
     • How to use a control
     • Why to use a control (maybe)
     • All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
     • Few organizations have a complete security API

  4. Design
     • Only include methods that…
       • Are useful in a large percentage of applications
       • Focus on the most risky areas
     • Designed to be simple to understand and use
     • Interfaces with concrete reference implementation
     • Full documentation and usage examples
     • Same basic API across common platforms
       • Java EE, .NET, PHP, others?

  5. Strawman (diagram: Existing Enterprise Libraries and Services; Preliminary)

  6. Customizing
     • ESAPI is an API
     • Wrap existing libraries and services
     • Extend and customize ESAPI
     • Fill in gaps with reference implementation
     • Easy to retrofit to existing applications

  7. Project Plan and Status (timeline)
     • 9/07 – Sneak Peek
     • 2002 – Start Collecting

  8. Quality

  9. Authenticator
     • Key Methods
       • createUser(accountName, pass1, pass2)
       • generateStrongPassword()
       • getCurrentUser()
       • login(request, response)
       • verifyAccountNameStrength(acctName)
       • verifyPasswordStrength(newPass, oldPass)
     • Reference Implementation
       • Use threadlocal variable to store current User
       • Automatically changes sessionid on login and logout

  10. User
     • Key Methods
       • changePassword(old, new1, new2)
       • disable() enable()
       • getAccountName() getScreenName()
       • getCSRFToken()
       • getLastFailedLoginTime() getLastLoginTime()
       • getRoles() isInRole(role)
       • isEnabled() isExpired() isLocked()
       • loginWithPassword(password, request, response)
       • logout(request, response)
       • resetCSRFToken() resetPassword()
       • verifyCSRFToken(java.lang.String token)

  11. AccessController
     • Key Methods
       • isAuthorizedForData(key)
       • isAuthorizedForFile(filepath)
       • isAuthorizedForFunction(functionName)
       • isAuthorizedForService(serviceName)
       • isAuthorizedForURL(url)
     • Reference Implementation (not required)
       • /* | any | deny | default deny rule
       • /admin/* | admin | allow | admin access to /admin
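The two rule lines on this slide are enough to show how a rule-table AccessController evaluates isAuthorizedForURL with a default-deny rule. The following is an added illustration, not code from the slides or from the ESAPI project; it is written in Python rather than Java purely to keep it short and runnable. The rule table is constructed for the example (the /report/* line is a hypothetical addition), and the names Rule, parse_rules, canonical_path and is_authorized_for_url are this example's own.

```python
import fnmatch
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed rule table in the "pattern | role | action | comment" form
# shown on the slide; the /report/* line is a hypothetical addition.
RULES_TEXT = """
/*        | any   | deny  | default deny rule
/admin/*  | admin | allow | admin access to /admin
/report/* | user  | allow | users may read their reports (hypothetical)
"""


@dataclass(frozen=True)
class Rule:
    pattern: str
    role: str
    action: str
    comment: str


def parse_rules(text):
    """Parse the pipe-separated rule table. Malformed lines are rejected
    loudly rather than skipped: a silently dropped rule is usually a deny
    that should have applied."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or parts[2] not in ("allow", "deny"):
            raise ValueError(f"malformed access control rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def canonical_path(url):
    """Reduce a URL or path to the form the rules are written against:
    drop scheme/host/query, percent-decode, collapse '..' and '//'."""
    raw = urlsplit(url).path
    path = posixpath.normpath(unquote(raw))
    if raw.endswith("/") and path != "/":
        path += "/"  # normpath strips the trailing slash; keep it
    return path


def is_authorized_for_url(rules, url, roles):
    """Most specific (longest) matching pattern wins; on a tie, deny wins;
    no matching rule at all is a deny."""
    path = canonical_path(url)
    if not path.startswith("/"):
        return False
    matching = [
        r for r in rules
        if (r.role == "any" or r.role in roles)
        and fnmatch.fnmatchcase(path, r.pattern)
    ]
    if not matching:
        return False
    best = max(matching, key=lambda r: (len(r.pattern), r.action == "deny"))
    return best.action == "allow"
```

The path is canonicalized before any rule is consulted, so `/report/%2e%2e/admin/users` is evaluated as `/admin/users` and falls under the default deny for a non-admin; checking the rules against the raw string is the usual way such a table gets bypassed.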

  12. AccessReferenceMap
     • Key Methods
       • getDirectReference(indirectReference)
       • getIndirectReference(directReference)
       • iterator()
       • update(directReferences)
     • Example
       • http://www.ibank.com?file=report123.xls
       • http://www.ibank.com?file=a3nr38
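The example URLs on this slide show the idea: the client only ever sees a random token such as `a3nr38`, never the real file name, so a direct object reference cannot be tampered with. The following is an added Python illustration of such a map (not code from the slides or from ESAPI). The class name RandomAccessReferenceMap, the token alphabet and length, and the helpers build_download_link and resolve_download are this example's own choices.

```python
import secrets


class AccessControlException(Exception):
    """Raised when a client presents an indirect reference it was never given."""


class RandomAccessReferenceMap:
    """Maps the direct references an application uses internally (file
    names, database keys) to short random tokens, which are the only form
    ever sent to the browser. Built per user/session, so a token leaked or
    guessed from another session resolves to nothing."""

    ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

    def __init__(self, direct_references=(), token_length=6):
        self._token_length = token_length
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        self.update(direct_references)

    def _new_indirect_reference(self):
        # secrets, not random: tokens must not be predictable
        while True:
            token = "".join(
                secrets.choice(self.ALPHABET) for _ in range(self._token_length)
            )
            if token not in self._indirect_to_direct:
                return token

    def update(self, direct_references):
        """Resync with the set of objects the user may access now: keep
        tokens for references that are still valid, forget tokens for
        references that are gone, mint tokens for new ones."""
        current = set(direct_references)
        for direct in list(self._direct_to_indirect):
            if direct not in current:
                stale = self._direct_to_indirect.pop(direct)
                del self._indirect_to_direct[stale]
        for direct in current:
            if direct not in self._direct_to_indirect:
                token = self._new_indirect_reference()
                self._direct_to_indirect[direct] = token
                self._indirect_to_direct[token] = direct

    def get_indirect_reference(self, direct_reference):
        return self._direct_to_indirect[direct_reference]

    def get_direct_reference(self, indirect_reference):
        try:
            return self._indirect_to_direct[indirect_reference]
        except KeyError:
            # Do not echo the submitted value back in the message
            raise AccessControlException("unknown indirect reference") from None

    def __iter__(self):
        return iter(self._direct_to_indirect)


def build_download_link(ref_map, direct_reference, base="http://www.ibank.com"):
    """Render the link from the slide with the token in place of the file name."""
    return f"{base}?file={ref_map.get_indirect_reference(direct_reference)}"


def resolve_download(ref_map, file_param):
    """Server side of the same link: translate the token back, or refuse."""
    return ref_map.get_direct_reference(file_param)
```

Note that the real name `report123.xls` is itself rejected when submitted as the `file` parameter: the only keys the server will resolve are tokens it issued to this session.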

  13. Validator
     • Key Methods
       • canonicalize(input)
       • isValidFileUpload(filepath, filename, content)
       • isValidCreditCard(input)
       • isValid*****(input)
       • isValidRedirectLocation(location)
       • isValidSafeHTML(input)
       • safeReadLine(inputStream, maxchars)
     • Canonicalization is really important
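"Canonicalization is really important" because a whitelist check on the encoded form of an input is worthless once something downstream decodes it. The following is an added Python illustration (not code from the slides or from ESAPI) of canonicalize feeding a whitelist validator, plus isValidCreditCard and isValidRedirectLocation. The PATTERNS table, ALLOWED_REDIRECT_HOSTS (taken from the slide's example host), and the function names get_valid_input, is_valid_credit_card and is_valid_redirect_location are this example's own.

```python
import html
import re
from urllib.parse import unquote, urlsplit


class ValidationException(Exception):
    pass


class IntrusionException(ValidationException):
    """Input that no legitimate client would send (e.g. double-encoded)."""


def canonicalize(value, max_rounds=4):
    """Undo percent-encoding and HTML entities until the value stops
    changing. One round is normal; a second round means the input was
    double-encoded, which is reported rather than quietly decoded."""
    current = value
    rounds = 0
    while True:
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        rounds += 1
        if rounds > max_rounds:
            raise IntrusionException("too many encoding layers")
        current = decoded
    if rounds > 1:
        raise IntrusionException("double encoding detected")
    return current


# Constructed whitelist patterns for this example
PATTERNS = {
    "AccountName": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "FileName": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}"),
}


def get_valid_input(context, value, pattern_name, max_length):
    """Canonicalize first, then check length and a whitelist regex."""
    canonical = canonicalize(value)
    if len(canonical) > max_length:
        raise ValidationException(f"{context}: input longer than {max_length}")
    if not PATTERNS[pattern_name].fullmatch(canonical):
        raise ValidationException(f"{context}: does not match {pattern_name}")
    return canonical


def is_valid_credit_card(value):
    """Digits only (after canonicalization and removing spaces/dashes),
    plausible length, and a Luhn check digit."""
    digits = re.sub(r"[ -]", "", canonicalize(value))
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


ALLOWED_REDIRECT_HOSTS = {"www.ibank.com"}  # constructed from the slide's example host


def is_valid_redirect_location(location):
    """Allow only site-relative paths or https URLs to known hosts, so a
    'next=' style parameter cannot send the user off-site."""
    loc = canonicalize(location)
    if "\\" in loc:
        return False  # browsers treat backslash as slash; do not guess
    parts = urlsplit(loc)
    if not parts.scheme and not parts.netloc:
        return loc.startswith("/") and not loc.startswith("//")
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS
```

One round of decoding applies both percent-decoding and entity-decoding, so an input that mixes the two schemes in a single layer is accepted rather than flagged; a production canonicalizer tracks each codec separately. The `parts.hostname` comparison deliberately ignores any userinfo, so `https://www.ibank.com@other-host/` does not pass as the bank's host.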

  14. Encoder
     • Key Methods
       • encodeForBase64(byte[] input)
       • encodeForDN(input)
       • encodeForHTML(input)
       • encodeForHTMLAttribute(input)
       • …, encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath
     • Function names help tell developer when to use
     • Some of these are quite hard
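The point of the per-context names is that the same untrusted string needs a different encoding in an HTML body, a quoted attribute, a JavaScript string and a URL. The following is an added Python illustration of four of these encoders (not the slides' or ESAPI's code; ESAPI's own encoders differ in detail, notably which characters they leave unencoded). The immune-character sets, the hex-entity choice and render_search_result are this example's own; the LDAP, DN, XPath and SQL encoders the slide calls "quite hard" are not attempted here.

```python
import re
from urllib.parse import quote

_ALNUM = re.compile(r"[A-Za-z0-9]")


def _encode(value, immune, encode_char):
    """Whitelist approach: alphanumerics and a few immune characters pass,
    everything else is encoded for the target context."""
    out = []
    for ch in value:
        if _ALNUM.fullmatch(ch) or ch in immune:
            out.append(ch)
        else:
            out.append(encode_char(ch))
    return "".join(out)


def _html_entity(ch):
    return f"&#x{ord(ch):x};"


def encode_for_html(value):
    """Untrusted text placed in an HTML element body."""
    return _encode(value, ",.-_ ", _html_entity)


def encode_for_html_attribute(value):
    """Untrusted text inside an attribute value; whitespace is encoded too,
    so the value cannot break out of an unquoted attribute."""
    return _encode(value, ",.-_", _html_entity)


def _js_escape(ch):
    cp = ord(ch)
    if cp < 256:
        return f"\\x{cp:02x}"
    if cp > 0xFFFF:  # astral plane: emit a surrogate pair
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}"
    return f"\\u{cp:04x}"


def encode_for_javascript(value):
    """Untrusted text inside a JavaScript string literal. Hex escapes work
    regardless of quoting style and neutralise quotes, newlines and </script>."""
    return _encode(value, ",._", _js_escape)


def encode_for_url(value):
    """Untrusted text used as a URL query parameter value."""
    return quote(value, safe="")


def render_search_result(query):
    """The same untrusted value in four contexts, each with its own encoder."""
    return (
        f"<p>You searched for {encode_for_html(query)}</p>\n"
        f'<input type="text" value="{encode_for_html_attribute(query)}">\n'
        f'<script>var q = "{encode_for_javascript(query)}";</script>\n'
        f'<a href="/search?q={encode_for_url(query)}">again</a>'
    )
```

Using the HTML encoder inside the `<script>` block would be the classic mistake: `&#x22;` is not an escape inside a JavaScript string, so a quote would still terminate the literal.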

  15. HTTPUtilities
     • Key Methods
       • changeSessionIdentifier(request)
       • formatHttpRequestForLog(request, sensitiveList)
       • getFileUploads(request, tempDir, finalDir)
       • killAllCookies(request, response)
       • killCookie(name, request, response)
       • sendRedirect(location)
       • setCookie(name, value, age, domain, path, response)
       • setNoCacheHeaders(response)
     • Safer ways of dealing with HTTP, uses HTTPOnly

  16. Encryptor
     • Key Methods
       • decrypt(ciphertext)
       • encrypt(plaintext)
       • hash(plaintext, salt)
       • loadCertificateFromFile(file)
       • getTimeStamp()
       • seal(data, expiration) verifySeal(seal, data)
       • sign(data) verifySignature(signature, data)
     • Simple master key in configuration
     • Minimal certificate support
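seal/verifySeal is the less familiar pair on this slide: a seal is an integrity-protected, expiring token the application can hand to a client and later check for tampering and expiry. The following is an added Python illustration of seal, verifySeal, getTimeStamp and hash under the "simple master key in configuration" model (not code from the slides or from ESAPI, whose token format differs). The HMAC-SHA256 layout, PBKDF2 parameters and the unseal helper are this example's own; the asymmetric sign/verifySignature and certificate loading are not shown.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time


class EncryptionException(Exception):
    pass


class Encryptor:
    """Seal = base64url( MAC || expiration || data ). Fixed-width fields
    mean no separators, so the sealed data may contain anything."""

    MAC_LEN = 32  # HMAC-SHA256 digest length
    EXP_LEN = 8   # expiration as big-endian unsigned 64-bit unix time

    def __init__(self, master_key: bytes):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 32 bytes")
        self._key = master_key

    def get_time_stamp(self) -> int:
        return int(time.time())

    def seal(self, data: str, expiration: int) -> str:
        body = struct.pack(">Q", expiration) + data.encode("utf-8")
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac + body).decode("ascii")

    def unseal(self, seal: str, now=None) -> str:
        """Return the sealed data, or raise if the seal is forged, damaged
        or expired. The MAC is checked before the expiry is even read, so
        nothing in the token is trusted until it is authenticated."""
        try:
            raw = base64.urlsafe_b64decode(seal.encode("ascii"))
        except (binascii.Error, UnicodeEncodeError, ValueError):
            raise EncryptionException("seal is not valid base64") from None
        if len(raw) < self.MAC_LEN + self.EXP_LEN:
            raise EncryptionException("seal too short")
        mac, body = raw[: self.MAC_LEN], raw[self.MAC_LEN :]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise EncryptionException("seal MAC mismatch")
        (expiration,) = struct.unpack(">Q", body[: self.EXP_LEN])
        now = self.get_time_stamp() if now is None else now
        if now > expiration:
            raise EncryptionException("seal expired")
        return body[self.EXP_LEN :].decode("utf-8")

    def verify_seal(self, seal: str, data: str, now=None) -> bool:
        """The slide's verifySeal(seal, data): true only if the seal is
        authentic, unexpired and was made over exactly this data."""
        try:
            unsealed = self.unseal(seal, now)
        except EncryptionException:
            return False
        return hmac.compare_digest(unsealed.encode("utf-8"), data.encode("utf-8"))

    def hash(self, plaintext: str, salt: str) -> str:
        """Salted, iterated hash for password storage (PBKDF2-HMAC-SHA256)."""
        digest = hashlib.pbkdf2_hmac(
            "sha256", plaintext.encode("utf-8"), salt.encode("utf-8"), 100_000
        )
        return base64.b64encode(digest).decode("ascii")
```

The expiration lives inside the authenticated body, so a client cannot extend a seal's lifetime by editing the timestamp; and the single master key means every application instance that can verify a seal can also mint one, which is the trade-off the slide's "simple master key" remark implies.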

  17. EncryptedProperties
     • Key Methods
       • getProperty(key)
       • setProperty(key, value)
       • keySet()
       • load(inputStream)
       • store(outputStream, comments)
     • Simple protected storage for configuration data

  18. Randomizer
     • Key Methods
       • getRandomInteger(min, max)
       • getRandomReal(min, max)
       • getRandomString(length, characterSet)
     • Several pre-defined character sets
       • Lowers, uppers, digits, specials, letters, alphanumerics, password, etc…

  19. Exception Handling
     • EnterpriseSecurityException
       • AccessControlException
       • AuthenticationException
       • AvailabilityException
       • CertificateException
       • EncryptionException
       • ExecutorException
       • IntrusionException
       • ValidationException
     • Allows a sensible security exception framework

  20. Logger
     • Key Methods
       • getLogger(applicationName, moduleName)
       • logCritical(type, message, throwable)
       • logDebug(type, message, throwable)
       • logError(type, message, throwable)
       • logSuccess(type, message, throwable)
       • logTrace(type, message, throwable)
       • logWarning(type, message, throwable)
     • All EnterpriseSecurityExceptions are automatically logged

  21. IntrusionDetector
     • Key Methods
       • addException(exception)
       • createQuota(exception, limit)
     • Current Plan
       • EnterpriseSecurityExceptions are automatically sent to IntrusionDetector
       • Can set a quota for any exception
       • Detects exceeding quota in a specified time period
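The plan on this slide is a sliding-window quota per user and exception type: record each security exception, and when more than the limit arrive within the interval, respond. The following is an added Python illustration of that logic (not code from the slides or from ESAPI); here the caller passes exceptions to add_exception explicitly, where the slide's plan has the exception base class do it automatically. The action names, the actions_taken record and the small exception hierarchy are this example's own.

```python
import time
from collections import defaultdict, deque


class EnterpriseSecurityException(Exception):
    pass


class AuthenticationException(EnterpriseSecurityException):
    pass


class ValidationException(EnterpriseSecurityException):
    pass


class IntrusionDetector:
    """Tracks security exceptions per user and fires when a quota
    ('no more than N of this exception in T seconds') is exceeded."""

    def __init__(self):
        self._quotas = {}                  # exception type -> (limit, seconds, action)
        self._events = defaultdict(deque)  # (user, exception type) -> timestamps
        self.disabled_users = set()
        self.actions_taken = []            # (user, action, exception type name)

    def create_quota(self, exception_type, limit, interval_seconds, action="disable"):
        if action not in ("log", "logout", "disable"):
            raise ValueError("unknown action")
        self._quotas[exception_type] = (limit, interval_seconds, action)

    def add_exception(self, user, exception, now=None):
        """Record one occurrence. Returns True when this occurrence pushed
        the user over the quota (and the configured action was taken)."""
        now = time.time() if now is None else now
        exc_type = type(exception)
        quota = self._quotas.get(exc_type)
        if quota is None:
            return False  # no quota configured for this exception type
        limit, interval, action = quota
        window = self._events[(user, exc_type)]
        window.append(now)
        while window and window[0] < now - interval:
            window.popleft()  # forget events that fell out of the window
        if len(window) <= limit:
            return False
        window.clear()
        self._respond(user, action, exc_type)
        return True

    def _respond(self, user, action, exc_type):
        self.actions_taken.append((user, action, exc_type.__name__))
        if action == "disable":
            self.disabled_users.add(user)
        # "logout" would invalidate the session here; "log" only records
```

Keying the window on (user, exception type) is what makes the quota meaningful: four failed logins by one account in a minute is a signal, four spread across the whole user base is not. A deployment would also want an unkeyed window for anonymous requests, which this example leaves out.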

  22. OWASP Top Ten Coverage

  23. Closing Thoughts
     • I have learned an amazing amount (I thought I knew)
     • An ESAPI is a key part of a balanced breakfast
     • Integrated API has huge benefits over separate libraries
     • Secondary benefits
       • May help static analysis do better
       • Enables security upgrades across applications
       • Simplifies developer training
     • Next year – experiences moving to ESAPI
