1. Secure Coding for Java (an introduction)
Java User Group Poitou-Charentes (Niort)
27 June 2013
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader OWASP France
Friday, June 28, 13
2. http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation & Technology @ Advens
Twitter: @SPoint / @OWASP_France
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Don't worry, this is the only slide in English; on the other hand there will be things written all over the bottom...
3. Foreword
• This is a presentation made from my own experience with some companies using OWASP materials.
• Only the documents from the OWASP wiki are OWASP official (see https://www.owasp.org)
• Some extracts come from documents I wrote as OWASP leader, which is why you could find them elsewhere.
4. Agenda
• Application Security:
– where we are (no bullshit)
– where we are (hopefully) going?
• Using OWASP materials to secure code
• Secure Coding principles
10-15. Why Application Security?
Flowchart built up over these slides: "Your Application will be Hacked ;)" → "Has your Application been Hacked?" (YES / NO) → "My Application will be hacked!" → "Let me take you on the right way" → Next Step
16. We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security? After the Age of Antivirus and the Age of Network Security comes the Age of Application Security.
17. Consequences of bad or no security
– Identity theft
– Hardware theft
– IT downtime
– Bad media coverage
– Financial loss
– Customer loss
– Legal/business penalties
37. What your CIO said: I got a Firewall!
38. What your business user said: I have an SSL based Web Site
39. What your business user said: only the hacker can attack my website
• Tools are more and more simple.
• Try a simple request on the Google website on SQL Injection and look at it.
• An attack on a Web Server costs $100-$200 per day on the underground market.
40. What your user said: a vulnerability on an internal Application is not critical.
• No. The web is everywhere, and CSRF, HTML5 CORS and more can make this completely destructive
• Be aware and share this:
– AJAX does a lot of things without you
– HTML5 will come with "nice" user functionality, but with a big impact on security (WebSocket, CORS, ...)
41. But I do Security testing! (diagram on the slide: Security, Testing, Coding)
42. Major OWASP publications you can use
All are on the wiki https://www.owasp.org
All are under GPL or friendly licenses
Major publications you can use to secure your projects/SDLC: Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR). The Top10 references these 3 guides.
Ø OWASP Top10
Ø Auditor/Testing Guide
Ø Code Review Guide
Ø Building Guide
Ø Application Security Verification Standard (ASVS)
Ø Secure Coding Practices
57. What is ASVS?
• A standard that provides a basis for the verification of web applications, application-independent.
• A standard that is life-cycle model independent.
• A standard that defines requirements that can be applied across applications without special interpretation.
58. What does ASVS answer?
• How much trust can be placed in a web application?
• What features should be built into security controls?
• How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?
60. But ASVS stands for Verification?
• ASVS just states functional needs for controls.
• You should use it as a Secure Coding Policy.
★ Don't be medium (ASVS Level 1/2), just target excellence (ASVS Level 4)
61. Using ASVS as a secure coding policy
• ASVS: Verify that all password fields do not echo the user's password when it is entered.
➡ All password fields must be defined as HTML password fields and must not echo the user's password.
➡ All login forms must include the autocomplete=off attribute
• ASVS: Verify that all input validation is performed on the server side.
➡ Perform all input validation on the server. Nothing in the browser
62. Positive attitude
Negative: The tester shall search for XSS holes
Positive: Verify that the application performs input validation and output encoding on all user input
See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
64. OWASP Secure Coding Practices
• Small document (only 9 pages)
• Can be used as a simple checklist for your policy.
• Can be used together with ASVS or alone.
• More technical and deeper approach than ASVS.
• Written and used by Boeing :)
65. Secure Coding Practices Contents
• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices
67. Let's talk Secure Coding now
(extracts from OWASP Secure Coding Practices / OWASP Cheat Sheets / OWASP ASVS, ...)
68. Some secure principles to follow
• Defense in depth of the application is mandatory
• Following least privilege is the best solution
• Segregate duties more than users think
➡ Remember that the application needs to answer user needs and not security pleasure.
69. Defense in depth of a Web Application (example)
Diagram on the slide: Browser → Firewall → Web Server → App Server / Web Application → SGBD (database), with these controls placed along the chain:
– User authentication
– Input validation
– Secure configuration
– Good crash mechanisms
– Critical data transport protection
– Preventing session and ID theft
– Critical data protection
– Logs/Audit of transactions
– Authorisation and authentication (at more than one tier)
– Preventing parameter theft
70-71. Fail securely
• Don't give the user technical details of the error/crash.
• Clean up state or objects in use in the catch clause
72-75. Don't try to make obscure things
(screenshots on the slides: GEOPORTAIL, GOOGLE MAPS)
76. Obfuscation is not the solution
• There is someone in the matrix who will send you evil data
• Be evil!
• Protecting the area with a filter is the best solution
77. Controls
• Controls need:
– to be simple
– to be used correctly
– to be functional
– to be present in every part of the application
Bad understanding of a control results in developers not using it, and the application will be vulnerable.
78. Minimal controls to have
• You must have at least these components in your application:
– Authentication
– Authorization
– Logging and audit
– Secure storage
– Secure transport
– Secure input and output manipulation of data
80. Implement a good password strategy
• Password length - categorize applications:
– Important: at least 6 characters
– Critical: at least 8 characters and perhaps multi-factor authentication
– High critical: at least 14 characters and multi-factor authentication
• Password strength - implement password complexity with the previous categories:
– at least: 1 upper, 1 lower, 1 digit, 1 special
– don't allow dictionary passwords
– don't allow continuous characters
81. Implement a good password strategy
• Let the user choose it
• Force the user to change it regularly, and add a no-reuse capability.
• Don't allow too much "I forgot my password"
• Don't allow a change of password without user approval; require the actual password from the user, and more for high critical.
• Add a sleep strategy!
• Add a detection of misuse strategy!
• Don't store passwords in clear!!!!! Use a hash!
82. Multi-Factor authentication
• Passwords are bad
• Passwords are guessable
• Multi-factor combines:
– something you have (token, mobile, ...)
– something you know (details about you, password, ...)
– sometimes, something you are (biometrics)
– Use it for high critical applications.
83. Implement a good global strategy
• Ask for a second authentication for critical transactions (with multi-factor auth...)
• Force authentication to be in TLS/SSL
• Regenerate the Session ID after authentication
• Force the Session ID to be "secure"
• Limit forgotten password and change of login/password
84. How to do?
• Authenticate all pages but not public pages (login, logout, help, ...)
• Don't allow more than one authentication mechanism
• Authenticate on the SERVER
• Simply send back "user or password mismatch" and nothing else after a failed authentication.
• Log all failed and all correct authentications
• After each authentication give the user the last status of their authentication.
85. • Good regex for password complexity:

(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$

• Good storage of a password with a SALT:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    digest.update(salt); // the salt goes in first, then the password bytes
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
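An added example (not code from the deck) turning the rules of slides 80 and 81 and the salted-hash idea above into Java 8 code: category-based minimum length, the slide's complexity look-aheads, a continuous-character check, then storage with a fresh random salt. It replaces the single SHA-256 pass with PBKDF2WithHmacSHA256, a deliberately slow salted hash, and verifies with a constant-time comparison; the iteration count and the storage format are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordPolicy {
    /** Application categories from slide 80 with their minimum password length. */
    public enum Category {
        IMPORTANT(6), CRITICAL(8), HIGH_CRITICAL(14);
        final int minLength;
        Category(int minLength) { this.minLength = minLength; }
    }

    // Same look-aheads as the slide's regex; the length bound comes from the category instead.
    private static final Pattern COMPLEXITY =
        Pattern.compile("(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{\":;'?/>.<,]).*");
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor (assumed value)
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns null when the password is acceptable, otherwise the reason for rejection. */
    public static String check(String password, Category category) {
        if (password == null || password.length() < category.minLength) {
            return "too short: at least " + category.minLength + " characters";
        }
        if (!COMPLEXITY.matcher(password).matches()) {
            return "needs 1 upper, 1 lower, 1 digit and 1 special character";
        }
        // "Don't allow continuous characters": 4 adjacent chars equal or one apart (abcd, 4321, aaaa).
        int run = 1;
        for (int i = 1; i < password.length(); i++) {
            run = Math.abs(password.charAt(i) - password.charAt(i - 1)) <= 1 ? run + 1 : 1;
            if (run >= 4) return "contains a run of continuous characters";
        }
        return null;
    }

    /** Salted PBKDF2-HMAC-SHA256, stored as iterations:base64(salt):base64(hash). */
    public static String hash(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                             // fresh random salt for every password
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
             + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    /** Constant-time comparison, so timing does not reveal how many bytes matched. */
    public static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, Integer.parseInt(parts[0])));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println(check("Tr0ub4dor&3", Category.CRITICAL));       // null: accepted
        System.out.println(check("Abcd1234!", Category.CRITICAL));         // rejected: continuous run
        String stored = hash("Tr0ub4dor&3".toCharArray());
        System.out.println(verify("Tr0ub4dor&3".toCharArray(), stored));  // true
        System.out.println(verify("Tr0ub4dor&4".toCharArray(), stored));  // false
    }
}
```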
87. Session
• Use the default Java Framework generator
• Use another name than the default name of the Framework (rename JSESSIONID...)
• Force transport of the authentication ID over SSL/TLS.
• Don't allow the Session ID in the URL!
• If using a cookie:
– Secure cookie
– HTTPOnly cookie
– Limit path + domain
– Max Age and expiration
88. Session: tricky points
• Automatic expiration - categorize applications:
– default: 1 hour
– critical (some transactions): 20 mins
– high critical (financial or account impact): 5 mins
• Renew the Session ID after any privilege change
• Don't allow simultaneous logon
• Add Session Attack Detection
• Add in-session tips: IP of the session, another random number, ...
89. Browser defenses
• Bind JavaScript events to close the session
– on window.close()
– on window.stop()
– on window.blur()
– on window.home()
• Use JavaScript timers to automatically close the session in high critical applications
• Disable web browser cross-tab sessions if possible... (bad user experience....)
– If you use cookies, this is not possible!!!!
90. Using Servlet 3.0?

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
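An added example, not part of the deck, implementing the session rules of slides 83, 87 and 88 in code alongside the web.xml above: a Servlet 3.0 filter that refuses non-TLS requests and URL-carried session IDs and checks the in-session IP tip, plus a helper that renews the session after authentication or a privilege change with a category-based idle timeout and a per-session nonce. The attribute names, the "sessionNonce" form field and the javax.servlet API dependency are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session hardening for a Servlet 3.0 application; complements the cookie-config above. */
public class SessionHardeningFilter implements Filter {
    static final String USER = "sess.user", IP = "sess.ip", NONCE = "sess.nonce";
    private static final SecureRandom RNG = new SecureRandom();

    /** Idle timeouts from slide 88: default 1 h, critical 20 min, high critical 5 min. */
    public enum Category {
        DEFAULT(3600), CRITICAL(1200), HIGH_CRITICAL(300);
        final int idleSeconds;
        Category(int seconds) { this.idleSeconds = seconds; }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        // The session ID travels only over TLS and never in the URL (;jsessionid=...).
        if (!req.isSecure()) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        if (req.isRequestedSessionIdFromURL()) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        HttpSession s = req.getSession(false);
        if (s != null && s.getAttribute(USER) != null
                && !req.getRemoteAddr().equals(s.getAttribute(IP))) {
            s.invalidate();                           // in-session tip mismatch: treat as a session attack
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Call once credentials are verified, and again after any privilege change: drops the
     *  pre-login session (fixation defence), binds a fresh one to the client, returns a nonce. */
    public static String renewSession(HttpServletRequest req, String user, Category cat) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();            // Servlet 3.0 has no changeSessionId()
        HttpSession s = req.getSession(true);
        s.setMaxInactiveInterval(cat.idleSeconds);
        s.setAttribute(USER, user);
        s.setAttribute(IP, req.getRemoteAddr());      // caveat: users behind proxies or on mobile change IP
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        s.setAttribute(NONCE, token);
        return token;
    }

    /** Checks the nonce sent back with a state-changing request (assumed form field "sessionNonce"). */
    public static boolean nonceValid(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        String sent = req.getParameter("sessionNonce");
        if (s == null || sent == null || s.getAttribute(NONCE) == null) return false;
        return MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                ((String) s.getAttribute(NONCE)).getBytes(StandardCharsets.UTF_8));
    }
}
```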
95. Authentication & Authorization
• Two levels of authentication and authorization are needed
– In the Application
– In the infrastructure
Diagram on the slide: App Server with Role A and Role B; SGBD (database) with Table A and Table B; Role A connects to Table A with duty A, Role B connects to Table B with duty B.
96. Authorization
• Have in mind the rule:
– Nothing by default
• Centralize all authorization code on the SERVER
• If client state is mandatory, use encryption and integrity checking on the server side to catch state tampering.
• Limit the number of transactions per user in a time interval.
97. Authorization
• Enforce:
– protection of URLs to authorized accounts only
– protection of functions to authorized accounts only
– protection of file access to authorized accounts only
• The application needs to terminate the session when authorization fails.
• Split administrative and user authorization
• Enforce dormant account handling:
– loss of privileges.
– "disable account"
– alerts
99. Input Validation
• Ensure all data validation is done on THE SERVER.
– If you do something on the client side we can say you do "painting"
• Classify your data:
– Trusted Data
– Untrusted Data
• Conduct a trusted path.
• Centralize your data validation
• Use correct parametrized queries when they exist (SQL)
100. Border validation
• Consider validating data along all the entry points of your Application border
101. Input Validation
• Use the proper character set for all input
• Encode all data to the same character set before doing anything <=> Canonicalize
• Reject all non-validated data
• Validate data:
– expected type (convert as soon as possible to Java types)
– expected range
– expected length
– expected values
– expected "white list" if possible
102. Input Validation
• Be careful of using "hazardous" characters (ex: < > ' , " ! ( + ) & % .)
• Add specific validation:
– check for null bytes (%00)
– check for new lines (%0D, %0A, \n, \r, ...)
– check for dot-dot-slashes (../)
103. Be careful of encoding for specific validation...
URL:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a
HTML:
<script>ale&#x72;t(XSS);</sc&#x72;ipt>
UTF-8:
%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
One space?
< s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
Decoded, all of the above are the same: <script>alert(XSS);</script>
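An added example (not from the deck) that applies slides 101-103 in the order they prescribe: percent-decode and Unicode-normalise first, then reject null bytes, new lines, control characters and dot-dot-slash, and only then whitelist or convert to a Java type. The order-id format, the quantity range and the sample inputs are assumptions; the full-width sample reuses the characters behind the %uff53... line above.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.text.Normalizer;
import java.util.regex.Pattern;

/** Server-side validation in the order slides 101-103 ask for: canonicalize first, then validate. */
public final class InputValidator {
    public static final class ValidationException extends Exception {
        ValidationException(String reason) { super(reason); }
    }

    // Whitelist for an order reference in the format the JPA slides use (123-ADB-567-QTWYTFDL).
    private static final Pattern ORDER_ID = Pattern.compile("[0-9]{3}-[A-Z]{3}-[0-9]{3}-[A-Z]{8}");

    /** Reduce any input to one canonical form, rejecting what cannot be decoded safely. */
    public static String canonicalize(String raw) throws ValidationException {
        if (raw == null) throw new ValidationException("missing value");
        String s = raw;
        try {
            // Undo nested %-encoding (%253c -> %3c -> <) until the value stops changing.
            for (int i = 0; i < 3; i++) {
                String decoded = URLDecoder.decode(s, "UTF-8");
                if (decoded.equals(s)) break;
                s = decoded;
            }
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            throw new ValidationException("malformed encoding");   // e.g. the %uXXXX form on slide 103
        }
        // NFKC folds full-width letters (U+FF53 ... "ｓｃｒｉｐｔ") back to plain ASCII "script".
        s = Normalizer.normalize(s, Normalizer.Form.NFKC);
        for (char c : s.toCharArray()) {
            if (c == 0) throw new ValidationException("null byte");                   // %00
            if (c == '\r' || c == '\n') throw new ValidationException("new line");   // %0D %0A
            if (Character.isISOControl(c)) throw new ValidationException("control character");
        }
        if (s.contains("../") || s.contains("..\\")) throw new ValidationException("dot-dot-slash");
        return s;
    }

    /** Whitelisted string: exact length, then the pattern; nothing else passes. */
    public static String orderId(String raw) throws ValidationException {
        String s = canonicalize(raw).trim();
        if (s.length() != 20 || !ORDER_ID.matcher(s).matches()) throw new ValidationException("bad order id");
        return s;
    }

    /** Numeric input: convert to a Java type as early as possible, then check the range. */
    public static int quantity(String raw) throws ValidationException {
        String s = canonicalize(raw).trim();
        if (s.length() > 4) throw new ValidationException("too long");
        int q;
        try { q = Integer.parseInt(s); } catch (NumberFormatException e) { throw new ValidationException("not a number"); }
        if (q < 1 || q > 1000) throw new ValidationException("out of range");
        return q;
    }

    public static void main(String[] args) {
        // Constructed samples: one valid id, then the encodings slide 103 warns about.
        String[] samples = { "123-ADB-567-QTWYTFDL", "%3cscript%3e", "<ｓｃｒｉｐｔ>",
                             "%u003c%uff53", "..%2f..%2fsecret.txt", "12%00" };
        for (String in : samples) {
            try {
                System.out.println(in + " -> accepted: " + orderId(in));
            } catch (ValidationException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the others are rejected as bad order id, bad order id (after NFKC), malformed encoding, dot-dot-slash and null byte respectively.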
108. SQL => a little bit better
114. JPA/Entity

Before (string concatenation of the input into the query):

List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();
List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();

After (parameters):

/* positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();

/* Native SQL */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

/* named query in JPQL - Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

/* named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();
125. Output encoding
• It's a defense in depth mechanism
• Encode ON THE SERVER
• Centralize the encoder functions
• Sanitize all data sent to the client
– HTMLEncode is a minimum but does not work in all cases
132. Error Handling
Your Application will crash!
• Catch all exceptions without exception (remember the null pointer exception!)
– Clean all exception code of sensitive data
– Don't give the user any details about the crash, just say "It's a crash, try again later"
• Logs are sensitive, you MUST PROTECT THEM
• Log:
– input validation failures
– authentication requests; especially failures
– access control failures
– system exceptions
– administrative functionality
– crypto failures
– invalid/expired session token access
133. Logging/Errors
• Split your logs with categories, examples:
– Access
– Error
– Debug
– Audit
• Use log4j for standard logging
134. Log4J Example

package com.sec.dev;

// Import log4j classes.
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.BasicConfigurator;

public class SecLogger {
    // Define a static logger variable so that it references the
    // Logger instance named after this class.
    static Logger logger = Logger.getLogger(SecLogger.class);

    public static void main(String[] args) {
        // Set up a simple configuration that logs on the console.
        BasicConfigurator.configure();
        logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used
        // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
        logger.info("Entering application.");
        doIt(); // the application's work goes here
        logger.info("Exiting application.");
    }

    static void doIt() {
        logger.debug("Doing it.");
    }
}
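An added example, not the deck's own code, that combines slides 132-134: a last-resort servlet filter using log4j 1.x that catches every Throwable, writes a reference, the user and the stack trace to separate error and audit categories, strips line breaks so a value sent by the browser cannot forge a log entry, and returns only "It's a crash, try again later" to the user. The category names, the reference format and the javax.servlet dependency are assumptions.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/** Catch-all filter: the user sees a generic message, the protected log gets the details. */
public class FailSecurelyFilter implements Filter {
    // Separate categories as slide 133 suggests; route them to different files in log4j.properties.
    private static final Logger ERROR_LOG = Logger.getLogger("error");
    private static final Logger AUDIT_LOG = Logger.getLogger("audit");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        try {
            chain.doFilter(req, resp);
        } catch (Throwable t) {              // "without exception": NullPointerException, Error, ...
            String ref = UUID.randomUUID().toString();   // lets support find the log entry later
            // Stack trace and request context stay server-side; request parameters are not
            // logged because they may carry passwords or other sensitive data.
            ERROR_LOG.error("ref=" + ref + " user=" + forLog(req.getRemoteUser())
                    + " uri=" + forLog(req.getRequestURI()), t);
            AUDIT_LOG.warn("ref=" + ref + " system exception from " + req.getRemoteAddr());
            if (!resp.isCommitted()) {
                resp.reset();                // discard any partial (possibly sensitive) output
                resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                resp.setContentType("text/plain;charset=UTF-8");
                resp.getWriter().print("It's a crash, try again later (reference " + ref + ")");
            }
        }
    }

    /** Neutralises log injection: one line per event, nothing the browser sent can add a new entry. */
    static String forLog(String value) {
        if (value == null) return "-";
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            sb.append(c == '\r' || c == '\n' || Character.isISOControl(c) ? '_' : c);
        }
        return sb.length() > 200 ? sb.substring(0, 200) + "..." : sb.toString();
    }
}
```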
140. Data protection
• Protect sensitive data, don't store it in clear.
• Store sensitive data in trusted systems
• Don't use GET requests for sensitive data.
• Disable client side caching
148. Secure Communications
• Use TLS/SSL:
– at least SSL v3.0/TLS 1.0
– minimum of 128-bit encryption
– use secure crypto: AES is good
• Don't expose critical data in the URL
• Failed SSL/TLS communications should not fall back to insecure
• Validate the certificate when used
• Protect all pages, not just the logon page!
149. Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).
– Available on some browsers (not IE)
– IETF draft: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04

HttpServletResponse response = ...;
response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubdomains");
150. Configuration
• Review all properties and configuration files
• Be careful of default passwords...
• Remove, and not just de-activate, unused functions/modules
• Use a sandbox system when available: be careful of Java signed code, which executes with more privileges!
151. Now you can protect against him
152. NEWS, A BLOG, A PODCAST, MEMBERSHIPS, MAILING LISTS, A NEWSLETTER, APPLE APP STORE, VIDEO TUTORIALS, TRAINING SESSIONS, SOCIAL NETWORKING
We are humans too, and we can simply go for a drink
153. Dates
• AppSec Research Europe 2013: 20/23 August - Hamburg - Germany
• October 2013: OSSIR PARIS - OWASP Top10 2013; what's new?
• OWASP Benelux: 28/29 November 2013
A tour of the JUGs is planned in France, if you know one in the area...
154. Supporting OWASP
• Different options:
– Individual Member: $50
– Corporate Member: $5000
– Free Donation
• Supporting only the France chapter:
– Single Meeting supporter
• Offer us a meeting room!
• Take part with a talk or otherwise!
• Simple donation
– Local Chapter supporter:
• $500 to $2000
155. Next meetings
• September 2013
– Venue: Mozilla Center Paris
– Speakers:
• Security on Firefox OS
• To be defined
• November 2013
– Venue: to be defined
– Speaker: to be defined
September looks wonderful, with plenty of announcements of all kinds....
156. License
If you followed everything you know the next slide....
@SPoint
sebastien.gioria@owasp.org