OWASP Top Ten Proactive Controls v2
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Everyone is welcome to participate in OWASP, and all of our materials are available under free and open software licenses.
OWASP Top Ten Proactive Controls v2 … What's new?
Introducing new "proactive controls" to the Top Ten list.
Mobile content: some best practices to consider when building mobile apps (secure storage, authentication, etc.).
OWASP Top Ten Proactive Controls – v2
A1 – Verify for Security Early and Often
A2 – Parameterize Queries
A3 – Encode Data
A4 – Validate All Inputs
A5 – Implement Identity and Authentication Controls
A6 – Implement Appropriate Access Controls
A7 – Protect Data
A8 – Implement Logging and Intrusion Detection
A9 – Leverage Security Frameworks and Libraries
Convert scanning output into reusable Proactive Controls to avoid entire classes of problems.
The DevOps challenge to security …
http://fr.slideshare.net/StephendeVries2/continuous-security-testing-with-devops
SecDevOps!
BDD-Security Testing framework
http://www.continuumsecurity.net/bdd-intro.html
The BDD-Security framework can be configured using natural language (Given, When & Then format) to describe security requirements, and performs an automated scan for common vulnerabilities.
Tests are written in JBehave: a "scenario" is equivalent to a test, and a "story" is equivalent to a test suite.
The @Restricted annotation is used to tell the framework which users can access which pages:
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A10 – Unvalidated
C2: Parameterize Queries
Power of SQL Injection …
Secure Usage

```java
// SQL: the '?' placeholders are bound by the JDBC driver, never concatenated into the statement text
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);

// HQL: named parameters give the same guarantee in Hibernate
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
```
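The same contrast in Python's sqlite3, as an added example that is not from the slides: the concatenated query lets the input rewrite the WHERE clause, while the placeholder version binds it as a value. The table, its rows and the tautology input are constructed here.

```python
import sqlite3

# Constructed in-memory table so the example runs offline (not a real schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?)",
                    [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    return con

def find_name_unsafe(con, emp_id):
    # Vulnerable: the caller's string becomes part of the SQL text, so quotes
    # and operators inside it change the structure of the query.
    sql = "SELECT name FROM employees WHERE id = '" + emp_id + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def find_name_safe(con, emp_id):
    # Parameterized: '?' is bound by the driver, the same guarantee the
    # PreparedStatement / HQL snippets rely on. The value can only ever be
    # compared against id; it can never become SQL.
    sql = "SELECT name FROM employees WHERE id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (emp_id,))]

# Classic tautology input, constructed for the demonstration.
TAUTOLOGY = "1' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print(find_name_unsafe(con, "2"), find_name_safe(con, "2"))  # ['Bob'] ['Bob']
    print(find_name_unsafe(con, TAUTOLOGY))  # every employee is returned
    print(find_name_safe(con, TAUTOLOGY))    # [] : no row has that id
```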
Risks Addressed
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A10 – Unvalidated
C3: Encode Data Before Use In A Parser
Anatomy of an XSS attack
The Problem
The solution
System.Web.Security.AntiXSS / Microsoft.Security.Application.AntiXSS
Can encode for HTML, HTML attributes, XML, CSS and JavaScript.
Native .NET library; very powerful, well-written library.
For use in your user interface code to defuse script in output.
OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
PHP:
http://twig.sensiolabs.org/doc/filters/escape.html
http://framework.zend.com/manual/2.1/en/modules/zend.escaper.introduction.html
Go:
http://golang.org/pkg/html/template/
Reform project
https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
Other resources
LDAP encoding functions:
ESAPI and .NET AntiXSS
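An added example (not code from the slides or from the libraries listed above) of the allowlist approach those encoders take: everything outside a small safe set is encoded, and each output sink gets the encoder for its own parser. The page fragment and display name are constructed here.

```python
import string

SAFE = set(string.ascii_letters + string.digits + " ")

def encode_for_html(value):
    # HTML body / quoted-attribute context: allowlist alphanumerics and turn
    # every other character into a numeric character reference. Like the OWASP
    # Java Encoder and AntiXSS, this encodes by allowlist, not by blocklist.
    return "".join(c if c in SAFE else "&#x%x;" % ord(c) for c in value)

def encode_for_js_string(value):
    # JavaScript string-literal context: \xHH for Latin-1, \uHHHH for the rest,
    # so quotes, backslashes, newlines and "</script>" can never end the literal.
    out = []
    for c in value:
        if c in SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02x" % ord(c))
        else:
            out.append("\\u%04x" % ord(c))
    return "".join(out)

def render_profile(display_name):
    # One value, two parsers: the markup gets the HTML encoder, the value
    # embedded in the inline script gets the JS-string encoder.
    html_name = encode_for_html(display_name)
    js_name = encode_for_js_string(display_name)
    return ('<span title="%s">%s</span>\n' % (html_name, html_name)
            + "<script>var who = '%s';</script>" % js_name)

if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>"))
```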
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A10 – Unvalidated
C4: Validate All Inputs
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
An HTML sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS.
Written with security best practices in mind, it has an extensive test suite and has undergone adversarial security review:
https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules.
Python
https://pypi.python.org/pypi/bleach
PHP
http://htmlpurifier.org/
http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
Ruby on Rails
https://rubygems.org/gems/loofah
http://api.rubyonrails.org/classes/HTML.html
File upload
Upload Verification
Filename and size validation + antivirus
Upload Storage
Use only trusted filenames + separate domain
Beware of "special" files such as "crossdomain.xml" or "clientaccesspolicy.xml".
Image Upload Verification
Enforce proper image size limits
Use image rewriting libraries
Set the extension of the stored image to be a valid image extension
Ensure the detected content type of the image is safe
Generic Upload Verification
Ensure decompressed size of file < maximum size
Ensure that an uploaded archive matches the type expected (zip, rar)
Ensure structured uploads such as an add-on follow proper standard
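The upload checks above combined into one verifier, as an added example that is not from the slides: content type from leading bytes rather than the client's name, a server-generated stored name, the "special" filenames rejected, and the declared decompressed size of an archive checked before anything is extracted. Size limits and the sample files are assumptions constructed for the demonstration.

```python
import io
import os
import secrets
import zipfile

MAX_UPLOAD_BYTES = 5 * 1024 * 1024        # raw upload limit (assumed policy)
MAX_DECOMPRESSED_BYTES = 1 * 1024 * 1024  # total size after extraction (assumed policy)
SPECIAL_NAMES = {"crossdomain.xml", "clientaccesspolicy.xml"}
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip"}

def detect_type(data):
    """Classify by leading bytes, never by the client-supplied name or MIME type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def stored_name(kind):
    """Server-generated filename with the detected extension; the client's name never reaches disk."""
    return secrets.token_hex(16) + "." + kind

def check_upload(client_name, data, expected):
    """Return the list of policy violations (empty means the upload is acceptable)."""
    problems = []
    if os.path.basename(client_name).lower() in SPECIAL_NAMES:
        problems.append("special filename")
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("raw size over limit")
    kind = detect_type(data)
    if kind != expected:
        problems.append("content type %s does not match expected %s" % (kind, expected))
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.infolist()
        except zipfile.BadZipFile:
            return problems + ["corrupt archive"]
        # Sum the declared uncompressed sizes before extracting anything (zip bomb check).
        if sum(m.file_size for m in members) > MAX_DECOMPRESSED_BYTES:
            problems.append("decompressed size over limit")
        if any(m.filename.startswith("/") or ".." in m.filename.split("/") for m in members):
            problems.append("unsafe path inside archive")
    return problems

def make_zip(files):
    """Build a constructed in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```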
Risks Addressed
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A10 – Unvalidated
C5: Establish Authentication and Identity Controls
Password cracking
Password management best practices
1) Do not limit the type of characters or the length of user passwords, within reason
Be wary of systems that allow unlimited password sizes (Django DoS, Sept 2013)
Use PBKDF2 when FIPS certification or enterprise support on many platforms is required
Use scrypt where resisting any/all hardware-accelerated attacks is necessary but enterprise support and scale is not (bcrypt is also a reasonable choice)
The perfect password …
"Password1!": ✓ Upper, ✓ Lower, ✓ Number, ✓ Special, ✓ Over 8 characters
User authentication best practices
Require 2 identity questions: last name, account number, email, DOB
Enforce lockout policy
Ask one or more good security questions
https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
Access control logic that needs to be manually added to every endpoint in code
RBAC

```java
// RBAC: a role/privilege check hand-coded into the endpoint
if (user.hasAccess("DELETE_ACCOUNT")) {
    deleteAccount();
}
```
ASP.NET Roles vs Claims Authorization
Apache Shiro Permission Based Access Control
http://shiro.apache.org/
Check whether the current user has a permission to act on a certain type of entity:

```java
if (currentUser.isPermitted("lightsaber:wield")) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
```
Check whether the current user has access to a specific instance of a type (instance-level permission check):

```java
if (currentUser.isPermitted("winnebago:drive:eagle5")) {
    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. " +
             "Here are the keys - have fun!");
} else {
    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
```
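How "domain:action:instance" strings like the two above are matched, as an added Python example that mirrors Shiro's wildcard-permission semantics (this is not Shiro's own code): a granted permission with fewer parts implies the more specific request, "*" matches any part, and a comma lists several values in one part. The subjects and permission strings are constructed.

```python
class WildcardPermission:
    """Shiro-style 'domain:action:instance' permission (assumption: mirrors
    WildcardPermission.implies; written for this example, not taken from Shiro)."""
    WILDCARD = "*"

    def __init__(self, text):
        parts = [p.strip() for p in text.strip().split(":")]
        # each part is a comma-separated set, e.g. "printer:print,query"
        self.parts = [set(s.strip().lower() for s in p.split(",")) for p in parts]

    def implies(self, other):
        i = 0
        for other_part in other.parts:
            if i >= len(self.parts):
                # fewer parts granted than requested: anything more specific is
                # implied ("winnebago:drive" implies "winnebago:drive:eagle5")
                return True
            part = self.parts[i]
            if self.WILDCARD not in part and not other_part <= part:
                return False
            i += 1
        # more parts granted than requested: only implied if the extras are wildcards
        return all(self.WILDCARD in p for p in self.parts[i:])


class Subject:
    """Permissions granted to the current user."""
    def __init__(self, granted):
        self.granted = [WildcardPermission(g) for g in granted]

    def is_permitted(self, permission):
        wanted = WildcardPermission(permission)
        return any(g.implies(wanted) for g in self.granted)


if __name__ == "__main__":
    current_user = Subject(["lightsaber:wield", "winnebago:drive:eagle5"])
    for p in ("lightsaber:wield", "winnebago:drive:eagle5", "winnebago:drive:rocinante"):
        print(p, current_user.is_permitted(p))
```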
Risks Addressed
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
Forward Secrecy
https://whispersystems.org/blog/asynchronous-security/
Certificate Pinning
https://www.owasp.org/index.php/Pinning_Cheat_Sheet
If you own a site that you would like to see included in the preloaded Chromium HSTS list, start sending
the HSTS header and then contact: https://hstspreload.appspot.com/
What is pinning?
Pinning is a key continuity scheme: it detects when an imposter with a fake but CA-validated certificate attempts to act like the real server.
Two types of pinning:
1) Carry around a copy of the server's public key. Great if you are distributing a dedicated client-server application, since you know the server's certificate or public key in advance.
2) Take note of the server's public key on first use: Trust-on-First-Use (TOFU) pinning. Useful when no a priori knowledge exists, such as SSH or a browser.
Encrypting data in Transit : Browser-Based TOFU Pinning
https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Freezes the certificate by pushing a fingerprint of (parts of) the certificate chain to the browser.
Example:

```http
Public-Key-Pins: pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
                 pin-sha1="qvTGHdzF6KLavt4PO0gs2a6pQ00=";
                 pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
                 max-age=10000; includeSubDomains
```
Encrypting data in Transit : Pinning in Play (Chrome)
https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Encrypting data in Transit : Forward Secrecy
https://whispersystems.org/blog/asynchronous-security/
If you use older SSL ciphers, every time anyone makes an SSL connection to your server, that message is encrypted with (basically) the same private server key.
Perfect forward secrecy: peers in a conversation instead negotiate secrets through an ephemeral (temporary) key exchange.
With PFS, recording ciphertext traffic doesn't help an attacker even if the private server key is stolen!
AES
AES-ECB
AES-GCM
AES-CBC: unique IV per message, padding
Key storage and management + cryptographic process isolation
Confidentiality!
HMAC your ciphertext: Integrity!
Derive integrity and confidentiality keys from the same master key with labeling
Don't forget to generate a master key from a good random source
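The last three points in code, as an added example that is not from the slides: a master key from the OS random source, two subkeys derived from it under distinct labels (one HKDF-Expand block per label), and an HMAC over IV and ciphertext that is verified in constant time before anything else happens. The ciphertext bytes are assumed to come from an AES-CBC call made elsewhere with the confidentiality key; the test values are constructed.

```python
import hashlib
import hmac
import os

def derive_key(master, label, length=32):
    """Label-separated subkey: HMAC(master, label || 0x01), i.e. the first
    (and here only) block of HKDF-Expand with the label as 'info'."""
    return hmac.new(master, label + b"\x01", hashlib.sha256).digest()[:length]

def new_master_key():
    """Master key straight from the OS CSPRNG; every other key is derived from it."""
    return os.urandom(32)

def split_keys(master):
    # Distinct labels give independent keys for the cipher and the MAC, so the
    # same key material is never used for two purposes.
    return derive_key(master, b"confidentiality"), derive_key(master, b"integrity")

def seal(mac_key, iv, ciphertext):
    """Encrypt-then-MAC: the tag covers IV and ciphertext (assumed AES-CBC output)."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_sealed(mac_key, blob, iv_len=16):
    """Verify the tag in constant time before the ciphertext is decrypted or parsed."""
    if len(blob) < iv_len + 32:
        raise ValueError("truncated message")
    iv, ciphertext, tag = blob[:iv_len], blob[iv_len:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return iv, ciphertext
```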
Encrypting data at Rest : Google KeyCzar
https://github.com/google/keyczar
Keyczar is an open source cryptographic toolkit for Java, Python and C++.
Designed to make it easier and safer for developers to use cryptography in their applications.
Secure key rotation and versioning
Safe default algorithms, modes, and key lengths
Automated generation of initialization vectors and ciphertext signatures
Sample usage:

```java
Crypter crypter = new Crypter("/path/to/your/keys");
String ciphertext = crypter.encrypt("Secret message");
String plaintext = crypter.decrypt(ciphertext);
```
Encrypting data at Rest : Libsodium
https://www.gitbook.com/book/jedisct1/libsodium/details
App Layer Intrusion Detection : Detection Points Examples
Avoid side effects: define a minimal but effective logging approach to track user activities
Input validation failure server side when client side validation exists
Input validation failure server side on non-user-editable parameters such as hidden fields, checkboxes, radio buttons or select lists
Honeypot URL (e.g. a fake path listed in robots.txt, such as /admin/secretlogin.jsp)
Further study:
AppSensor OWASP Project
libinjection: from SQLi to XSS – Nick Galbreath
Attack Driven Defense – Zane Lackey
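The three detection points above as detection logic run over a constructed request log, as an added example that is not from the slides or from AppSensor: each request is mapped to at most one detection point, and a user is reported once their hits reach a threshold. The paths, fixed-field values, email rule and sample requests are all assumptions made up for the demonstration.

```python
import re
from collections import Counter

# Detection points, constructed for this example (not AppSensor's own IDs).
HONEYPOT_PATHS = {"/admin/secretlogin.jsp"}       # listed in robots.txt, never linked
FIXED_FIELDS = {                                   # values the UI never lets a user edit
    "/checkout": {"currency": {"EUR", "USD"}, "plan": {"basic", "pro"}},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # same rule the client-side JS enforces

def detect(request):
    """Return the detection point hit by one request, or None for a normal request."""
    path, params = request["path"], request["params"]
    if path in HONEYPOT_PATHS:
        return "honeypot-url"
    for field, allowed in FIXED_FIELDS.get(path, {}).items():
        if field in params and params[field] not in allowed:
            return "fixed-field-tampered"
    if "email" in params and not EMAIL_RE.fullmatch(params["email"]):
        # the browser already rejects this value, so a server-side failure
        # means the client-side validation was bypassed
        return "client-validation-bypassed"
    return None

def suspicious_users(requests, threshold=2):
    """Users whose number of detection-point hits reaches the threshold."""
    hits, history = Counter(), {}
    for r in requests:
        point = detect(r)
        if point is not None:
            hits[r["user"]] += 1
            history.setdefault(r["user"], []).append(point)
    return {u: history[u] for u in hits if hits[u] >= threshold}

# Constructed request log for the demonstration.
REQUESTS = [
    {"user": "alice", "path": "/checkout", "params": {"plan": "pro", "email": "a@example.org"}},
    {"user": "mallory", "path": "/checkout", "params": {"plan": "free", "email": "m@example.org"}},
    {"user": "mallory", "path": "/admin/secretlogin.jsp", "params": {}},
    {"user": "bob", "path": "/signup", "params": {"email": "not-an-email"}},
]

if __name__ == "__main__":
    print(suspicious_users(REQUESTS))  # {'mallory': ['fixed-field-tampered', 'honeypot-url']}
```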
C9: Leverage Security Frameworks and Libraries
Don't reinvent the wheel: use existing coding libraries and software frameworks.
Use native secure features of frameworks rather than importing third-party libraries.
Stay up to date!
Risks Addressed: all of them (but not consistently)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to explain the issue to the user.
Ensure that exceptions are logged in a way that gives enough information for QA, forensics or incident response teams to understand the problem.
OWASP Top Ten
Proactive Controls 2.0