OWASP Education Computer based training 2011 CWE/SANS Top 25 with OWASP Top 10 and PCI DSS V2 Mapping • Keith Turpin, The Boeing Company, Application Security Assessments Lead • OWASP Secure Coding Practices Lead • OWASP Global Projects Committee • keith.turpin@owasp.org • Nishi Kumar • IT Architect Specialist • Chair, Software Security Forum at FIS • OWASP CBT Project Lead • OWASP Global Projects Committee • Nishi.Kumar@owasp.org
Objectives • Provide an overview of the 2011 CWE/SANS Top 25 • Discuss mapping relationships between the CWE/SANS Top 25, the OWASP Top 10 for 2010 and PCI DSS V2 • Understand the CWE/SANS Top 25 weaknesses and how to remediate them
Organizations • MITRE - http://www.mitre.org/ The MITRE Corporation is a not-for-profit organization that manages several Federally Funded Research and Development Centers. Mitre currently runs various IT security projects including the Common Weakness Enumeration (CWE) and it is the official source for the CWE/SANS Top 25 Most Dangerous Software Errors. CWE Database - http://cwe.mitre.org/ • SANS - http://www.sans.org The SysAdmin, Audit, Network, Security (SANS) Institute operates as a commercial research and education company. SANS is well known for its Internet Storm Center, its comprehensive list of computing security training programs and its work with Mitre on the CWE/SANS Top 25 Most Dangerous Software Errors.
Selection and Ranking • Builds on the original 2009 and 2010 versions • Methodology - Qualitative rather than quantitative • Factors in ranking: • Prevalence • Importance • Likelihood of exploit • Initially started with 41 candidate weaknesses
Mapping Considerations • The CWE/SANS Top 25 is only a fraction of the full CWE list of weaknesses • The CWE/SANS Top 25 applies to both web and non-web applications • OWASP defines ten risks focused on web applications • OWASP's list tends to use broader risk categories • PCI DSS requirements point to both of the above lists as industry best practices • PCI DSS specifies its own set of requirements
[1] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') • Example: C • char last_name[20]; /* declare an array with room for 20 characters */ • printf("Enter your last name: "); • scanf("%s", last_name); /* read input with no length limit and store it in the array */ • The software does not limit the size of the name entered by the user. The "last_name" array holds only 20 bytes, one of which is needed for the terminating null, so a name of 20 or more characters overflows the buffer. Bounding the read (for example scanf("%19s", last_name), or fgets with sizeof last_name) removes the overflow.
[4] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Try this in your browser's address bar: javascript:alert(document.cookie)
[4] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') E.g. output encoding with HTML entity encoding: The < character becomes: &lt; The " character becomes: &quot; This tag <script> becomes: &lt;script&gt;
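The output-encoding step described above, as an added example that is not part of the original slides. It uses Python's standard html.escape to apply the same entity encoding the slide lists (&lt;, &quot;, &lt;script&gt;) and contrasts a page built by raw concatenation with one that encodes every untrusted value on output. The sample input is constructed; the page fragment and function names are assumptions, not code from the deck.

```python
import html

# Constructed attacker-controlled value, e.g. a display name submitted in a form.
UNTRUSTED_NAME = '<script>alert(document.cookie)</script>'


def render_unsafe(name: str) -> str:
    """CWE-79: untrusted input is concatenated straight into the HTML body."""
    return "<p>Welcome, " + name + "</p>"


def encode_for_html(value: str) -> str:
    """HTML entity encoding for the HTML-body context.

    &, <, >, " and ' become entities, so the browser renders the value as text
    instead of parsing it as markup. Other contexts (attribute values without
    quotes, JavaScript, URLs, CSS) need their own encoders; this one is not
    sufficient there.
    """
    return html.escape(value, quote=True)


def render_safe(name: str) -> str:
    """Same page, but the untrusted value is encoded at the point of output."""
    return "<p>Welcome, " + encode_for_html(name) + "</p>"


def contains_script_tag(page: str) -> bool:
    """Rough check used only to demonstrate the difference between the two renders."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_NAME))
    print(render_safe(UNTRUSTED_NAME))
```

Encode at output time, not at input time: the same stored value may be written into an HTML body, an attribute and a JavaScript string, and each needs a different encoding.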
[9] CWE-434 Unrestricted Upload of File with Dangerous Type Example: This PHP file provides access to the host OS: <?php system($_GET['cmd']); ?> Once uploaded into a web-served directory it can be invoked as: http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l
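An upload check that would reject the malicious.php file above, as an added example that is not part of the original slides. It allows only a fixed set of extensions, confirms the file body starts with the magic bytes of the claimed type rather than trusting the client's Content-Type header, and stores the file under a server-generated name with the execute bit off. The extension list, magic-byte table and function names are assumptions for this example.

```python
import os
import secrets
from pathlib import Path

# Allow-list of extensions the application actually needs (assumed for the example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Leading bytes of each allowed type; a small table assumed for the example.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return the vetted extension, or raise UploadRejected.

    Only the last suffix counts, so "shell.php.gif" is judged as ".gif" and then
    fails the content check because a PHP payload does not start with GIF8.
    """
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # The client-supplied Content-Type is attacker-controlled; inspect the bytes.
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the declared file type")
    return ext


def is_accepted(filename: str, content: bytes) -> bool:
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, content: bytes, store_dir: Path) -> Path:
    """Write an accepted upload under a random name, never the client's name."""
    ext = validate_upload(filename, content)
    dest = store_dir / (secrets.token_hex(16) + ext)
    with open(dest, "wb") as fh:
        fh.write(content)
    os.chmod(dest, 0o640)  # readable by the service, not executable by anyone
    return dest
```

Keep store_dir outside the web root (or served by a handler that only streams bytes), so that even a file that slipped through is never interpreted by the server.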
[10] CWE-807 Reliance on Untrusted Inputs in a Security Decision • https://example.com/accountInfo?acct=Bob (Bob requests his own account) • https://example.com/accountInfo?acct=Tom (Bob requests Tom's account: the acct parameter alone decides what is shown)
[12] CWE-352 Cross-Site Request Forgery (CSRF) • Example of a legitimate request: • http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 • Example of a forged request using a hidden image tag placed on a page the victim visits; the browser sends it with the victim's session cookies: • <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
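A synchronizer-token check for the transferFunds request above, as an added example that is not part of the original slides. The handler refuses the GET that an <img> tag produces, and for POST requires a per-session random token that a forged page cannot read. The in-memory token store, the handler signature and the ledger are assumptions for this example.

```python
import hmac
import secrets
from typing import Dict, Optional


class CsrfProtector:
    """Synchronizer-token pattern.

    A random token is generated per session, embedded in the application's own
    forms, and must be echoed back in every state-changing request. A forged
    request carries the victim's cookies automatically but cannot include a
    token the attacker never saw.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session_id -> token (in-memory store, assumed)

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so timing does not leak the token.
        return hmac.compare_digest(expected.encode(), submitted.encode())


def transfer_funds(protector: CsrfProtector, session_id: str, method: str,
                   params: Dict[str, str], ledger: Dict[str, int]) -> int:
    """Hypothetical handler for /app/transferFunds; returns an HTTP status code."""
    if method != "POST":
        return 405  # state changes never on GET; this alone defeats the <img> trick
    if not protector.verify(session_id, params.get("csrf_token")):
        return 403
    dest = params["destinationAccount"]
    ledger[dest] = ledger.get(dest, 0) + int(params["amount"])
    return 200
```

The token must never be sent in a cookie alone (the browser would attach it to the forged request too); it travels in the form body or a custom header that only same-origin script can set.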
[13] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • Expected Request: http://app/page.jsp?include=file.txt • Malicious Request: http://app/page.jsp?include=/../../../../../../../../../etc/passwd • Expected Request: http://app/page.jsp?file=graphic.gif • Malicious Request: http://app/page.jsp?file=serverlogs.txt%00.gif (the %00 null byte truncates the name in native code, so a ".gif" suffix check passes while serverlogs.txt is opened)
[13] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • Direct object reference: http://app?file=Report123.xls • Mapped value reference: http://app?file=1 (in server-side code, 1 maps to Report123.xls, so the client never supplies a path)
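Both mitigations from the two slides above in working code, as an added example that is not part of the original slides: a canonicalization check that rejects the traversal and null-byte requests shown, and an indirect reference map that turns "file=1" into a server-chosen filename. The base directory, the report map and the function names are assumptions for this example; paths are handled as POSIX strings so the check runs without touching the filesystem.

```python
import posixpath

BASE_DIR = "/var/www/app/files"  # assumed directory the application may serve from

# Indirect object map (constructed): the client sends an id, never a path.
REPORTS = {"1": "Report123.xls", "2": "Report124.xls"}


class PathRejected(ValueError):
    pass


def resolve_user_path(user_value: str, base: str = BASE_DIR) -> str:
    """Join a client-supplied name onto base and require the result to stay inside it."""
    if "\x00" in user_value:
        # A NUL byte would truncate the name once it reaches a C-level open().
        raise PathRejected("NUL byte in path")
    base_norm = posixpath.normpath(base)
    # join() discards base if user_value is absolute; normpath collapses ../ runs.
    candidate = posixpath.normpath(posixpath.join(base_norm, user_value))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PathRejected("path escapes the base directory")
    return candidate


def resolve_report(report_id: str) -> str:
    """Mapped value reference: the only accepted input is a key of REPORTS."""
    name = REPORTS.get(report_id)
    if name is None:
        raise PathRejected("unknown report id")
    return posixpath.join(BASE_DIR, name)


def is_allowed(user_value: str) -> bool:
    try:
        resolve_user_path(user_value)
        return True
    except PathRejected:
        return False
```

In a real handler, resolve the candidate with os.path.realpath before the prefix comparison as well, so that a symbolic link inside the base directory cannot point the open() outside it.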
[14] CWE-494 Download of Code Without Integrity Check Example: Java • URL[] classURLs = new URL[]{ new URL("file:subdir/") }; • URLClassLoader loader = new URLClassLoader(classURLs); • Class loadedClass = Class.forName("loadMe", true, loader); • This code does not ensure that the class loaded is the intended one, for example by verifying the class file's checksum or signature. An attacker who can modify the class file can execute malicious code.
[15] CWE-863 Incorrect Authorization • Attacker notices the URL indicates his role: /user/getAccounts • He modifies it to another directory (role): /admin/getAccounts • Attacker views more accounts than just their own, because the server treats the URL prefix as proof of the admin role instead of checking the role recorded for the authenticated session
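The server-side fix for both CWE-807 (accountInfo?acct=Tom) and CWE-863 (/admin/getAccounts), as an added example that is not part of the original slides. The identity and role come from the authenticated session object; the acct parameter and the URL prefix are treated only as a request, never as evidence of entitlement. The Session class, the account store and the handler names are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "user" or "admin", set at login from the server-side user record


# Constructed account store: owner -> account numbers.
ACCOUNTS = {"Bob": ["B-001"], "Tom": ["T-001", "T-002"]}


def get_account_info_vulnerable(session: Session, acct_owner: str) -> List[str]:
    """CWE-807: the acct parameter alone decides whose data is returned."""
    return ACCOUNTS.get(acct_owner, [])


def get_account_info(session: Session, acct_owner: str) -> List[str]:
    """The security decision is made from the session, not from the parameter."""
    if acct_owner != session.user and session.role != "admin":
        raise PermissionError(f"{session.user} may not view {acct_owner}'s accounts")
    return ACCOUNTS.get(acct_owner, [])


def get_accounts_for_path(session: Session, path: str) -> List[str]:
    """CWE-863: the /admin/ prefix in the URL is a request, not a role."""
    if path == "/user/getAccounts":
        return ACCOUNTS.get(session.user, [])
    if path == "/admin/getAccounts":
        if session.role != "admin":
            raise PermissionError("admin role required")
        return sorted(a for accts in ACCOUNTS.values() for a in accts)
    raise LookupError(path)
```

Put the role check in one place the routing layer always passes through; a check duplicated per handler is the check that gets forgotten on the next handler.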
[16] CWE-829 Inclusion of Functionality from Untrusted Control Sphere • <div id="WeatherWidget"> • <script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script> • </div> • Whatever externalDomain.example.com serves runs with the full privileges of the including page
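One integrity check that serves both the CWE-494 Java example (verify the class file before loading it) and the CWE-829 weather widget (pin what the external script must hash to), as an added example that is not part of the original slides. It computes a pinned digest in the Subresource Integrity form ("sha384-" plus a base64 digest), refuses to execute code that does not match, and emits the script tag with an integrity attribute. SRI is a browser mechanism not mentioned in the slides; the sample module source and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Dict

SUPPORTED = ("sha256", "sha384", "sha512")


class IntegrityError(Exception):
    pass


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Pinned digest in SRI form, e.g. 'sha384-<base64>'; computed once, at build time."""
    if algo not in SUPPORTED:
        raise ValueError(algo)
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, content).digest()).decode()


def verify_integrity(content: bytes, expected: str) -> None:
    """Raise IntegrityError unless content hashes to the pinned digest."""
    algo, _, pinned_b64 = expected.partition("-")
    if algo not in SUPPORTED:
        raise IntegrityError(f"unsupported digest algorithm {algo!r}")
    actual_b64 = base64.b64encode(hashlib.new(algo, content).digest()).decode()
    if not hmac.compare_digest(actual_b64.encode(), pinned_b64.encode()):
        raise IntegrityError("downloaded code does not match the pinned digest")


def load_module_checked(name: str, source: bytes, expected: str) -> Dict[str, object]:
    """Analogue of the Java class load: verify first, execute only on success."""
    verify_integrity(source, expected)
    namespace: Dict[str, object] = {}
    exec(compile(source, f"<{name}>", "exec"), namespace)
    return namespace


def script_tag(src: str, content: bytes) -> str:
    """Script include whose integrity attribute the browser checks before running it."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')
```

Pinning a digest means the third party can no longer change the widget silently; when they publish a new version the page must be updated deliberately, which is the point.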
[17] CWE-732 Incorrect Permission Assignment for Critical Resource
[19] CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[20] CWE-131 Incorrect Calculation of Buffer Size Example: C • int *id_sequence; • id_sequence = (int*) malloc(3); • if (id_sequence == NULL) exit(1); • id_sequence[0] = 13579; • id_sequence[1] = 24680; • id_sequence[2] = 97531; • The size argument passed to malloc() is 3, which allocates a buffer of 3 bytes. The intent was a buffer that holds three ints; with the common 4-byte int that is 12 bytes, so executing this code writes 12 bytes into 3 bytes of allocated space, a heap buffer overflow. The size must be expressed in terms of the element type: malloc(3 * sizeof(*id_sequence)).