David Rook. The Principles of Secure Development. OWASP Ireland Conference, Dublin

Similar documents
How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Strategic Information Security. Attacking and Defending Web Services

Reducing Application Vulnerabilities by Security Engineering

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Intrusion detection for web applications

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

The Top Web Application Attacks: Are you vulnerable?

IoT IT Security and Secure Development Life Cycle

Adobe Systems Incorporated

Thick Client Application Security

Learning objectives for today s session

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

(WAPT) Web Application Penetration Testing

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Web application security

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Introduction: 1. Daily 360 Website Scanning for Malware

Essential IT Security Testing

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Sichere Software- Entwicklung für Java Entwickler

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Still Aren't Doing. Frank Kim

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Table of Contents. Page 2/13

Web Application Vulnerability Testing with Nessus

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Protecting Against SQLi in Real-Time

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Criminal charges are not pursued: Hacking PKI

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

A6- Sensitive Data Exposure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Microsoft Security Development Lifecycle for IT. Rob Labbé Application Consulting and Engineering Services

Metasploit The Elixir of Network Security

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Programming Flaws and How to Fix Them

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Secure Coding in Node.js

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Application Security Testing. Generic Test Strategy

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Web Application Security

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

What someone said about junk hacking

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

2010: and still bruteforcing

Penetration Testing in Romania

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Rational AppScan & Ounce Products

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

2015 Vulnerability Statistics Report

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

Web Engineering Web Application Security Issues

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Enterprise Application Security Workshop Series

Secure development and the SDLC. Presented By Jerry

Web Application Penetration Testing

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Some Notes on Web Application Firewalls

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Client logo placeholder XXX REPORT. Page 1 of 37

Hack Yourself First. Troy troyhunt.com

What is Web Security? Motivation

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Web App Security Audit Services

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

OWASP Top Ten Tools and Tactics

SiteLock. Internet Security: Big Threats for Small Business. Presented by: Neill Feather, President

Testing the OWASP Top 10 Security Issues

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Secure Development Lifecycle. Eoin Keary & Jim Manico

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

RMAR Technologies Pvt. Ltd.

Passing PCI Compliance How to Address the Application Security Mandates

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Check list for web developers

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Where every interaction matters.

DEVELOP ROBOTS DEVELOPROBOTS. We Innovate Your Business

Integrating Security Testing into Quality Control

Transcription:

David Rook The Principles of Secure Development OWASP Ireland Conference, Dublin

if (slide == introduction) System.out.println("I m David Rook"); Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms Security Ninja (www.securityninja.co.uk) Speaker at security events (national and international) IIA Web Development Working Group Facebook hacker and published security author (insecure magazine, bloginfosec etc)

Agenda It is broken so lets fix it The current approach The Principles of Secure Development An example of a real world implementation

It is broken so lets fix it Cross Site Scripting, 10 years old? SQL Injection, 11 years old? 33% of all vulnerabilities in 2008 and 2009 (so far) are XSS or SQL Injection (Based on CVE numbers) CVE statistics: http://web.nvd.nist.gov/view/vuln/statistics

It is broken so lets fix it CVE's Total SQLi XSS

It is broken so lets fix it 7000 6000 5000 4000 CVE's Total SQLi XSS 3000 2000 1000 0 2009 2008 2007 2006 2005 2004 2003 2002 2001 2000

It is broken so lets fix it 7000 SQLi & XSS = 32.24% 6000 5000 4000 CVE's Total SQLi XSS 3000 2000 1000 0 2009 2008 2007 2006 2005 2004 2003 2002 2001 2000

Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime.

Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure application development: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities.

The current approach (And why I think it fails to deliver secure applications) The cart before the horse Security guys tell developers about specific vulnerabilities We hope they figure out how to prevent them Inevitably security flaws end up in live code Security guys complain when data gets stolen

The current approach (And why I think it fails to deliver secure applications) What if we taught drivers in the same way? Instructor tells driver about the different ways to crash We hope the driver figures out how not to crash Inevitably the driver will crash People complain when they get crashed into

The current approach (And why I think it fails to deliver secure applications) Many lists of vulnerabilities OWASP Top 10 White Hat Sec Top 10 SANS Top 25 Others??!= Secure development guidance

The current approach (And why I think it fails to deliver secure applications) Many lists of vulnerabilities OWASP Top 10 White Hat Sec Top 10 SANS Top 25 Others??!= Secure development guidance 45 vulnerabilities, 42 unique names 8 secure coding principles to prevent them

What we need to do Put the application security horse before the cart Security guys tell developers how to write secure code Developer doesn t need to guess anymore Common vulnerabilities prevented in applications Realistic or just a caffeine fueled dream?

Lets make secure development easier Keep It Short and Simple (KISS) The principles must be clearly defined Language/Platform/Framework independent Should cover more than just the common vulnerabilities More secure software and greater ROI on security training?

Input Validation Output Validation Error Handling Authentication and Authorisation Session Management Secure Communications Secure Storage Secure Resource Access

Input Validation Identify and define the data your application must accept

Input Validation Identify and define the data your application must accept Create regex s to validate each data type (content and size) For example, a credit card number data type: \d{12,16}$

Input Validation Identify and define the data your application must accept Create regex s to validate each data type (content and size) For example, a credit card number data type: \d{12,16}$ Use whitelisting for validation where possible

Input Validation Identify and define the data your application must accept Create regex s to validate each data type (content and size) For example, a credit card number data type: \d{12,16}$ Use whitelisting for validation where possible Blacklisting approach harder and potentially less secure Blacklist example, replacing single quotes: s.replaceall(pattern.quote(" ' "), Matcher.quoteReplacement(" " "))

Output Validation Identify and define the data your application must output

Output Validation Identify and define the data your application must output Understand where (i.e. in a URL) your data should end up Choose the correct output encoding for the data's destination

Output Validation Identify and define the data your application must output Understand where (i.e. in a URL) your data should end up Choose the correct output encoding for the data's destination Proper encoding means this attack: www.examplesite.com/home.html?day=<script>alert(document.cookie)</script> Becomes: day=%3cscript%3ealert%28document.cookie%29%3c/script%3e

Error Handling Even the best apps will crash at some point, be prepared!

Error Handling Even the best apps will crash at some point, be prepared! Crashes/errors can help an attacker if you don t handle them

Error Handling Even the best apps will crash at some point, be prepared! Crashes/errors can help an attacker if you don t handle them Handle error conditions securely, sanitise the message sent

Error Handling Even the best apps will crash at some point, be prepared! Crashes/errors can help an attacker if you don t handle them Handle error conditions securely, sanitise the message sent No error handling = information leakage Microsoft OLE DB Provider for ODBC Drivers(0x80040E14) [Microsoft][ODBC SQL Server Driver] [SQL Server]Invalid column name /examplesite/login.asp, line 10

Authentication and Authorisation Even simple apps often have a need to authenticate users

Authentication and Authorisation Even simple apps often have a need to authenticate users Often at least two levels of authorisation

Authentication and Authorisation Even simple apps often have a need to authenticate users Often at least two levels of authorisation Need to prevent horizontal and vertical privilege escalation

Authentication and Authorisation Even simple apps often have a need to authenticate users Often at least two levels of authorisation Need to prevent horizontal and vertical privilege escalation Implement strong passwords and management systems

Authentication and Authorisation Even simple apps often have a need to authenticate users Often at least two levels of authorisation Need to prevent horizontal and vertical privilege escalation Implement strong passwords and management systems Ensure A+A is secure, not a false sense of security (CAPTCHA?)

Authentication and Authorisation Even simple apps often have a need to authenticate users Often at least two levels of authorisation Need to prevent horizontal and vertical privilege escalation Implement strong passwords and management systems Ensure A+A is secure, not a false sense of security (CAPTCHA?) Don t rely on fields that are easily spoofed (referrer field)

Session Management Used to manage authenticated users, no need to re-auth

Session Management Used to manage authenticated users, no need to re-auth You need to ensure that your sessionid s have sufficient entropy

Session Management Used to manage authenticated users, no need to re-auth You need to ensure that your sessionid s have sufficient entropy SessionID s must not be predictable or reusable

Session Management Used to manage authenticated users, no need to re-auth You need to ensure that your sessionid s have sufficient entropy SessionID s must not be predictable or reusable Never build your own session management, it will fail

Session Management Used to manage authenticated users, no need to re-auth You need to ensure that your sessionid s have sufficient entropy SessionID s must not be predictable or reusable Never build your own session management, it will fail Protect sessionid s when in transit (i.e. SSL!)

Session Management Used to manage authenticated users, no need to re-auth You need to ensure that your sessionid s have sufficient entropy SessionID s must not be predictable or reusable Never build your own session management, it will fail Protect sessionid s when in transit (i.e. SSL!) Issue a new value for sensitive actions (i.e. funds transfer)

Secure Communications Protect data (i.e. CC no, passwords, sessionid s) in transit

Secure Communications Protect data (i.e. CC no, passwords, sessionid s) in transit As with all crypto, don t create your own

Secure Communications Protect data (i.e. CC no, passwords, sessionid s) in transit As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. SSLv2)

Secure Communications Protect data (i.e. CC no, passwords, sessionid s) in transit As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. SSLv2) Don t just use SSL/TLS for logon pages, protect the session!

Secure Communications Protect data (i.e. CC no, passwords, sessionid s) in transit As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. SSLv2) Don t just use SSL/TLS for logon pages, protect the session! Try to avoid mixing secure and insecure traffic on a page

Secure Storage Protect data (i.e. CC no, passwords, sessionid s) when stored

Secure Storage Protect data (i.e. CC no, passwords, sessionid s) when stored As with all crypto, don t create your own

Secure Storage Protect data (i.e. CC no, passwords, sessionid s) when stored As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. DES)

Secure Storage Protect data (i.e. CC no, passwords, sessionid s) when stored As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. DES) Don t store data in places where you can t confidently secure it

Secure Storage Protect data (i.e. CC no, passwords, sessionid s) when stored As with all crypto, don t create your own Don t use broken protection mechanisms (i.e. DES) Don t store data in places where you can t confidently secure it Strong protection mechanisms, how strong should it be?

The Principles of Secure Development

Secure Resource Access Obscurity!= security, don t try to hide sensitive resources

Secure Resource Access Obscurity!= security, don t try to hide sensitive resources Understand the users flow through an app, cover weak spots

Secure Resource Access Obscurity!= security, don t try to hide sensitive resources Understand the users flow through an app, cover weak spots T-Mobile didn t do the above, Paris Hiltons account hacked

Lets redefine what secure development means Follow a small, repeatable set of principles Try not to focus on specific vulnerabilities Develop securely, not to prevent "hot vuln of the day" Build security into the code, don t try to bolt it on at the end

Evolution, not revolution Don t make things more difficult than they need to be This isn t a new wheel, its just a smoother, easier to use wheel Don t treat security as something separate, integrate it By integrating security fully a security bug is just another bug Secure development doesn t have to be hard, KISS it!

The new approach is working Private banking development company, Switzerland Application Security lead saw the secure development principles

The new approach is working Private banking development company, Switzerland Application Security lead saw the secure development principles Re-designed secure development training for his company

The new approach is working Private banking development company, Switzerland Application Security lead saw the secure development principles Re-designed secure development training for his company Security training costs down, quicker "spin up" of developers

The new approach is working Private banking development company, Switzerland Application Security lead saw the secure development principles Re-designed secure development training for his company Security training costs down, quicker "spin up" of developers Security within their SDLC now based on the principles

The new approach is working Private banking development company, Switzerland Application Security lead saw the secure development principles Re-designed secure development training for his company Security training costs down, quicker "spin up" of developers Security within their SDLC now based on the principles In his own words: You released the "secure development principles" at a time I had issues with my dev teams in how to teach them secure development. Your approach convinced me to look in another direction, not trying to teach every vulnerability but finding the basic principles that help prevent their existence. At that time, this was genius for me: most of my training since has been inspired by your secure development principles.

The new approach is working They modified the principles matrix to match their own terminology

The new approach is working They modified the principles matrix to match their own terminology

Security Ninja new site launch! Security Ninja, brought you by Realex Payments Free application security and compliance resource site

Security Ninja new site launch! Security Ninja, brought you by Realex Payments Free application security and compliance resource site Blog and site managed and updated by myself

Security Ninja new site launch! Security Ninja, brought you by Realex Payments Free application security and compliance resource site Blog and site managed and updated by myself Security presentations, whitepapers, videos and audio online

Security Ninja new site launch! Security Ninja, brought you by Realex Payments Free application security and compliance resource site Blog and site managed and updated by myself Security presentations, whitepapers, videos and audio online Secure Development Principles whitepaper available here today

www.securityninja.co.uk Twitter: @securityninja

QUESTIONS? www.securityninja.co.uk Twitter: @securityninja

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information