
Protecting Web Applications with ESAPI and AppSensor Manuel Lopez Arredondo manuel.lopez@owasp.org


Presentation Transcript


  1. Protecting Web Applications with ESAPI and AppSensor. Manuel Lopez Arredondo, manuel.lopez@owasp.org

  2. “The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” (http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking, http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/)

  3. Why is Security important? Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.

  4. Why is Security important? Verizon. (2012). 2012 Data Breach Investigations Report. Verizon LLC.

  5. Why is Security important?

  6. What is OWASP? Mission Driven | Nonprofit | World Wide | Unbiased. OWASP does not endorse or recommend commercial products or services.

  7. What is OWASP? Community Driven: 30,000 mailing list participants; 200 active chapters in 70 countries; 1600+ members, 56 corporate supporters, 69 academic supporters.

  8. OWASP Guadalajara Chapter. What do we have to offer? Community of security professionals; monthly meetings; mailing list; presentations; workshops; open forums for discussion; vendor-neutral environment. March 2012 – till date. https://www.owasp.org/index.php/Guadalajara

  9. What is OWASP? Quality Resources: 200+ projects; 15,000+ downloads of tools and documentation; 250,000+ unique visitors; 800,000+ page views (monthly).

  10. Quality Resources (pie chart: Tools, Code, Documentation; shares shown as 40% / 10% / 50%)

  11. OWASP Top Ten (2010 Edition)
      • A1: Injection
      • A2: Cross-Site Scripting (XSS)
      • A3: Broken Authentication and Session Management
      • A4: Insecure Direct Object References
      • A5: Cross Site Request Forgery (CSRF)
      • A6: Security Misconfiguration
      • A7: Failure to Restrict URL Access
      • A8: Insecure Cryptographic Storage
      • A9: Insufficient Transport Layer Protection
      • A10: Unvalidated Redirects and Forwards

  12. A1 – Injection

  13. SQL Injection – Illustrated (diagram: HTTP request → web server / hardened OS → application layer with custom code → SQL query → database table; the HTTP response shows an account summary listing every account)
      Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
      1. Application presents a form to the attacker
      2. Attacker sends an attack in the form data
      3. Application forwards attack to the database in a SQL query
      4. Database runs query containing attack and sends encrypted results back to application
      5. Application decrypts data as normal and sends results to the user

  14. A2 – Cross-Site Scripting (XSS)

  15. Cross-Site Scripting – Illustrated (diagram: application with a stored XSS vulnerability, its custom code and business functions; attacker and victim)
      1. Attacker sets the trap – “update my profile”: attacker enters a malicious script into a web page that stores the data on the server
      2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
      3. Script silently sends attacker the victim’s session cookie

  16. Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API (for Reboot)

  17. ESAPI - Vision • Build a common set of security controls for today's most popular programming languages. • Have interfaces in common across programming languages as much as is possible and natural. • Provide at least a simple reference implementation for each security control, to serve as an example if not useful in itself. • Easily extensible. • Provide functionality that is most often needed but lacking (or inconsistent) in various frameworks / languages.

  18. Using ESAPI (1 of 3) • Getting started • https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API • Download: http://code.google.com/p/owasp-esapi-java/ • ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet • ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/

  19. Using ESAPI (2 of 3) • Getting help • ESAPI User mailing list (focuses on Java version): https://lists.owasp.org/mailman/listinfo/esapi-user • ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev • ESAPI Project page: http://www.esapi.org/ (coming soon)

  20. Using ESAPI (3 of 3) • Getting involved • Many other language implementations, all playing catch up • ESAPI for Java version needs help with user documentation • ESAPI 2.1 (Java) starting soon • ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0

  21. Enterprise Security API Existing Enterprise Security Services/Libraries

  22. Potential Enterprise ESAPI Cost Savings

  23. Basic ESAPI Approach – Examples • In Java:
      String input = request.getParameter("input");
      // Throws ValidationException or IntrusionException if there is a problem
      String cleaned = ESAPI.validator().getValidInput(
          "Secure input example", input,
          "SafeString",   // regex spec (validation pattern name)
          200,            // max length
          false,          // no nulls
          true);          // canonicalize
      String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);

  24. Basic ESAPI Approach – Examples • In PHP:
      $cleanTmp = array();    // local in scope
      $cleanParams = array(); // local in scope
      $cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
          "Secure input example", $input, "SafeString", 200, false, true);
      $cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);

  25. OWASP ESAPI Project Scorecard: Feature Set vs. Programming Language

  26. Source Code and Javadoc Online Now! http://code.google.com/p/owasp-esapi-java

  27. AppSensor Project Leader(s): Michael Coates, John Melton, Colin Watson Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc) https://www.owasp.org/index.php/AppSensor Create attack aware applications

  28. Detecting Attacks the Right Way • Detect INSIDE the Application • Automatic Detection • Comprehensive • Minimize False Positives • Understand Business Logic • Immediate Response • No Manual Efforts Required

  29. Implementing AppSensor Detection Points Application Log Server AppSensor Brain Response Listener
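The pipeline on slides 28 and 29 (detection point inside the application, events collected by the AppSensor brain, a response listener acting once a per-user threshold is crossed) as an added example in Python; this is not AppSensor's own code, and the detection point id, threshold, window and response name are constructed for the demo.

```python
# AppSensor-style pipeline, added example (not AppSensor's own code): a detection
# point inside the application reports an event, the "brain" counts events per
# user in a sliding window, and a response fires once a threshold is crossed.
# Detection point id, threshold and response are constructed for this demo.
import re
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectionPoint:
    id: str          # constructed label
    threshold: int   # events inside the window before a response fires
    window_s: int    # sliding window length in seconds
    response: str    # action handed to the response listener

POLICY = {
    "INPUT_VALIDATION_FAILURE": DetectionPoint("INPUT_VALIDATION_FAILURE", 5, 60, "logout"),
}

class AppSensorBrain:
    def __init__(self, policy):
        self.policy = policy
        self.events = defaultdict(deque)  # (user, dp_id) -> event timestamps
        self.responses = []               # (user, response, ts) applied so far

    def add_event(self, user, dp_id, ts):
        """Record one event; return the response name if the threshold was crossed."""
        dp = self.policy[dp_id]
        q = self.events[(user, dp_id)]
        q.append(ts)
        while ts - q[0] > dp.window_s:   # forget events outside the window
            q.popleft()
        if len(q) < dp.threshold:        # below threshold: tolerate honest mistakes
            return None
        q.clear()                        # fire once per threshold crossing
        self.responses.append((user, dp.response, ts))
        return dp.response

def validate_username(brain, user, raw, ts):
    """Input-validation detection point: strict whitelist; every rejection is
    reported to the brain as evidence about this user, never silently dropped."""
    if re.fullmatch(r"[A-Za-z0-9_]{1,20}", raw):
        return raw, None
    return None, brain.add_event(user, "INPUT_VALIDATION_FAILURE", ts)

def run_demo():
    """Constructed stream: one bad value never triggers a response, five in 60 s do."""
    brain = AppSensorBrain(POLICY)
    inputs = ["alice", "' OR 1=1--", "<script>", "a b", "x;y", "--", "bob"]
    for ts, raw in enumerate(inputs):
        validate_username(brain, "user42", raw, ts)
    return brain.responses
```

The sliding window is what keeps false positives down: five rejections spread over an hour from a fat-fingered user never reach the threshold, five within a minute do.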

  30. VIDEO DEMO

  31. Takeaways • Open Source solutions • Low cost and low effort • Think out of the box for development teams • Techniques used on the Industry • OWASP Google Summer of Code 2013 https://www.owasp.org/index.php/GSoC

  32. Q & A

  33. Backup

  34. About OWASP • Online since December 1st 2001 • Not-for-profit charitable organization • OPEN Everything at OWASP is radically transparent from our finances to our code. • INNOVATION OWASP encourages and supports innovation/experiments for solutions to software security challenges. • GLOBAL Anyone around the world is encouraged to participate in the OWASP community. • INTEGRITY OWASP is an honest and truthful, vendor agnostic, global community. • https://www.owasp.org/index.php

  35. OWASP Success Story

  36. OWASP Guadalajara Chapter. What do we have to offer? Community of security professionals; monthly meetings; mailing list; presentations; workshops; open forums for discussion; vendor-neutral environment. March 2012 – till date. https://www.owasp.org/index.php/Guadalajara

  37. Application Developers • New attack / defense guidelines • Cheat Sheets • WebGoat – an emulator designed to teach web application security lessons

  38. Application Testers and Quality Assurance • Testing Guide • Penetration testing tools • Application Security Verification Standard Project

  39. OWASP ZAP Proxy/ WebScarab / CSRF Tester

  40. OWASP Testing Framework 4. Web Application Penetration Testing • 4.2 Information Gathering • 4.3 Configuration Management Testing • 4.4 Business logic testing • 4.5 Authentication Testing • 4.6 Authorization Testing • 4.7 Session Management Testing • 4.8 Data Validation Testing • 4.9 Testing for Denial of Service • 4.10 Web Services Testing • 4.11 Ajax Testing http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

  41. Application Project Management and Staff • Define the process (SDLC) • Code Review • Code review tools: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx, http://orizon.sourceforge.net

  42. Download Get OWASP Books

  43. Business advantages of being associated with OWASP • The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business • The organization itself gets security benefits at reduced cost • Security code review tools are free • Lots of open and free security testing tools • Security guidelines and best practices • Opportunity to display the organization's logo at OWASP events, conferences, and on the website • The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group • If you are looking to expand your business in emerging markets, here is an opportunity to reach out • When an organization becomes a supporter of a security community it helps employees, partners, suppliers and customers understand the value and importance of security, and improves application security throughout the whole supply chain • Membership options: https://www.owasp.org/index.php/Membership

  44. Join Us! Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara. Chapter Leaders: Eduardo Cerna, Manuel Lopez

  45. AppSensor Design (diagram): AppSensor “Brain”, Demo App, App Logs, Embedded AppSensor, Response