The path of secure software by Katy Anton

  1. Join the conversation #DevSecCon The Path of Secure Software BY KATY ANTON CA / VERACODE
  2. Katy Anton • Software development background • Certified Secure Software Lifecycle Professional (CSSLP) • Application Security Consultant @Veracode (part of CA Technologies) • OWASP Bristol Chapter Leader • Project Co-leader for OWASP Top 10 Proactive Controls
  3. OWASP Top 10 Risks - 2013 A1 – Injection A2 - Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  4. Cyber attacks Casinos
  5. New Website
  6. OWASP Application Security Verification Standard (ASVS)
  7. OWASP ASVS
  8. C1. Consider OWASP ASVS • Choose the level of security for your application • Extract the requirements for that level • Use requirements to generate test cases • Integrate security testing in SDLC.
  9. C1. Build Security Into Software Early and Verify It
  10. C1. Verify for Security Early and Often: across the pipeline stages Development, Code Commit and Deployment, run Pre-commit hooks, Code review, Unit Tests, System Tests and Regression Tests.
  11. C1. Vulnerabilities Addressed - All Top Ten! A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards
  12. SQL injection example: $email = "'; -- @owasp.org"; $sql = "UPDATE user SET email='$email' WHERE id='1'"; becomes: UPDATE user SET email=''; -- @owasp.org' WHERE id='1';
  13. C2. Query Parameterization - How Not To Do It! SqlCommand cmd = new SqlCommand(String.Format("SELECT * FROM users WHERE userID = {0}", userID)); reader = cmd.ExecuteReader(); (the user-supplied value is formatted straight into the SQL text)
  14. C2. Query Parameterization - Correct Usage: string cmd = "SELECT * FROM users WHERE userId = @Id"; SqlCommand sql = new SqlCommand(cmd); sql.Parameters.Add("@Id", System.Data.SqlDbType.Int); sql.Parameters["@Id"].Value = ID; reader = sql.ExecuteReader();
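The slide 12 payload run against both patterns, as an added example in Python with sqlite3 (not code from the talk); the table and rows are constructed sample data:

```python
import sqlite3

PAYLOAD = "'; -- @owasp.org"  # the email value from the SQL injection slide


def setup() -> sqlite3.Connection:
    # Constructed sample table: two users with distinct e-mail addresses.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("1", "alice@example.org"), ("2", "bob@example.org")],
    )
    return conn


def update_email_unsafe(conn: sqlite3.Connection, user_id: str, email: str) -> str:
    # String interpolation: the "how not to do it" pattern. The quote in
    # the payload closes the literal and "--" comments out the WHERE clause.
    sql = f"UPDATE user SET email='{email}' WHERE id='{user_id}'"
    conn.execute(sql)
    return sql


def update_email_safe(conn: sqlite3.Connection, user_id: str, email: str) -> None:
    # Parameterised: values travel separately from the SQL text, so the
    # quote and comment characters are stored as data, never parsed as SQL.
    conn.execute("UPDATE user SET email=? WHERE id=?", (email, user_id))


def emails(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT id, email FROM user ORDER BY id"))


def demo() -> tuple:
    unsafe = setup()
    sql = update_email_unsafe(unsafe, "1", PAYLOAD)
    safe = setup()
    update_email_safe(safe, "1", PAYLOAD)
    # Unsafe path wiped every user's e-mail; safe path changed only user 1.
    return sql, emails(unsafe), emails(safe)


if __name__ == "__main__":
    for part in demo():
        print(part)
```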
  15. Secure Database Access Credentials: • Store encrypted credentials out of the source code Database user: • Grant least privilege • Remove unrequired users Stored procedures: • Grant EXECUTE permissions on the stored procedures • Revoke or deny all permissions to the underlying tables for all roles
  16. C2: Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  17. XSS Example
  18. C3. Encode Your Output
  19. C3. Contextual Encoding Libraries: Java: OWASP Java Encoder Project; .Net: AntiXSS; PHP: Symfony 2+: Twig, Zend Framework: ZendEscaper
  20. C3. Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  21. C4. Validate All Input
  22. C4. Example of Validations • GET / POST data (including hidden fields ) • File uploads • HTTP Headers • Cookies • Database
  23. C4. Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards
  24. C5. Implement Digital Identity Controls
  25. C5. Best practices • Secure Password Storage • Multi-Factor Authentication • Secure Password Recovery Mechanism • Transmit sensitive data only over TLS (v1.2) • Error Messages
  26. C5. Strong cryptographic algorithms • PBKDF2 • scrypt • bcrypt Source: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
  27. NIST: 2017 Digital Identity Guidelines • Allow all ASCII printable characters, including space • Minimum length of 8 characters • Allow passwords as long as users want, within reason • Offer guidance, such as a password-strength meter • Do not require passwords to be changed periodically • Permit use of "paste" functionality • Check against a list of bad passwords Source: https://pages.nist.gov/800-63-3/sp800-63b.html
  28. Hash Password with a Modern Hash. Problem: • Long passwords can cause DoS • bcrypt truncates passwords to 72 bytes. Solution: • SHA-512 - converts long passwords to 512 bits
  29. C5. Secure Password Storage protect(sha512(password), [salt], [workFactor]) + 2nd Factor Authentication Don’t use SMS as multi-factor (use FIDO or dedicated app)
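Slides 28 and 29 carried through in Python standard-library code, as an added example (not the speaker's code): protect() is assumed to be PBKDF2-HMAC-SHA256 here, standing in for bcrypt/scrypt, and the SHA-512 pre-hash fixes the KDF input to 64 bytes so the 72-byte truncation and the long-password DoS both disappear.

```python
import hashlib
import hmac
import os
from typing import Tuple

BCRYPT_LIMIT = 72  # bytes: bcrypt silently truncates longer inputs


def prehash(password: str) -> bytes:
    # SHA-512 first: a password of any length becomes a fixed 64-byte value,
    # so a 72-byte truncation never drops characters and a multi-kilobyte
    # password costs the slow KDF no more than a short one.
    return hashlib.sha512(password.encode("utf-8")).digest()


def protect(prehashed: bytes, salt: bytes, work_factor: int) -> bytes:
    # Stand-in for the slide's protect(): PBKDF2-HMAC-SHA256 (assumption);
    # bcrypt or scrypt would fill the same slot with work_factor as cost.
    return hashlib.pbkdf2_hmac("sha256", prehashed, salt, work_factor)


def hash_password(password: str, work_factor: int = 100_000) -> str:
    salt = os.urandom(16)
    digest = protect(prehash(password), salt, work_factor)
    return f"{work_factor}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    work_factor, salt_hex, digest_hex = stored.split("$")
    candidate = protect(prehash(password), bytes.fromhex(salt_hex), int(work_factor))
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def truncation_collides(a: str, b: str) -> Tuple[bool, bool]:
    # (collide under a 72-byte truncation, collide after the pre-hash) for
    # two passwords that differ only beyond the 72nd byte.
    raw = a.encode("utf-8")[:BCRYPT_LIMIT] == b.encode("utf-8")[:BCRYPT_LIMIT]
    pre = prehash(a) == prehash(b)
    return raw, pre
```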
  30. C5. Password Storage - How Not To Do It! $password = bcrypt([salt] + [password], work_factor); $loginkey = md5(lc([username]) . "::" . lc([password]))
  31. C5. Error Messages - How Not To Do It! Error message for a not-registered user vs. error message for a valid user
  32. C5. Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  33. C6. Implement Appropriate Access Controls
  34. C6. Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  35. C7. Protect Data
  36. C7. Data in Transit Data in transit: HTTPS • Confidentiality: Spy cannot view your data • Integrity: Spy cannot change your data • Authenticity: Server you visit is the right one MITM Protection - HSTS • HTTPS + Strict Transport Security Header
  37. C7. Data at Rest 1. Strong algorithm – AES 2. Secure key management 3. Adequate access controls and auditing
  38. C7. Vulnerabilities Addressed A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 – Unvalidated Redirects and Forwards
  39. C8. Implement Logging and Intrusion Detection
  40. C8. Examples of Intrusion Detection Points • Application receives GET when expecting POST • Additional form or URL parameters submitted with request • Input validation failure server side when client side validation exists • Input validation failure server side on non-user editable parameters such as hidden fields, checkboxes, radio buttons or select lists • HTTP headers, Cookies received differ from the expected Source: https://www.owasp.org/index.php/OWASP_AppSensor_Project
  41. Logging Frameworks • Use a logging framework • Encode untrusted data -> protection against log injection attacks • Validate untrusted data -> protection against log forging attacks
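Three of the slide 40 detection points with the slide 41 log encoding, as an added Python example (not AppSensor's code or the speaker's); the Request type, the EXPECTED endpoint table and the sample request are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Request:
    # Constructed stand-in for an incoming HTTP request.
    method: str
    path: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed expected shape per endpoint: the HTTP method, the exact set
# of parameters the form sends, and hidden fields whose server-issued
# value the browser must echo back unchanged.
EXPECTED = {
    "/checkout": {
        "method": "POST",
        "params": {"item", "qty", "csrf_token"},
        "hidden": {"csrf_token": "tok-123"},
    },
}


def encode_for_log(value: str) -> str:
    # Replace CR, LF and other non-printable characters so untrusted input
    # cannot forge a second log line or hide inside an existing one.
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in value)


def detect(req: Request) -> List[str]:
    """Return one log-safe event string per detection point that fired."""
    spec = EXPECTED.get(req.path)
    events: List[str] = []
    if spec is None:
        return events
    if req.method != spec["method"]:
        events.append(f"{encode_for_log(req.method)} received when expecting {spec['method']}")
    for name in sorted(set(req.params) - spec["params"]):
        events.append(f"additional parameter {encode_for_log(name)}")
    for name, issued in spec["hidden"].items():
        got = req.params.get(name)
        if got is not None and got != issued:
            events.append(f"hidden field {name} altered to {encode_for_log(got)}")
    return events
```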
  42. C8. Vulnerabilities Addressed - All Top Ten! A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards
  43. C9. Leverage Security Frameworks and Libraries
  44. C9. Examples • Access Controls • CSRF protection • XSS protection • ORM - SQL injection prevention
  45. Current state of software Source: https://www.veracode.com/resources/state-of-software-security
  46. Cyber breaches Root cause of the top 50 breaches in 2016: #1 A9-Using Components with Known Vulnerabilities Source: snyk.io
  47. Unmanaged 3rd Party Components
  48. C9. API Integration Best Practices “When you wrap a third-party API, you minimize your dependencies upon it: You can choose to move to a different library in the future without much penalty. “ Robert C. Martin
  49. C9. Design Patterns for Integration: Wrapper, Adapter, Façade
  50. C9. Automate: OWASP Dependency Check (supported languages: Java, .NET); JavaScript: Retire.JS scanner; PHP: PHP Security Checker
  51. C9. Best Practices • Use trusted sources • Encapsulate 3rd party libraries • Hide information • Reduce attack surface • Update regularly / replace
  52. C9. Vulnerabilities Addressed - All Top Ten! A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards
  53. C10. Error and Exception Handling
  54. C10: Best Practices • Centralised error handling • Verbose enough to explain the issue • Don’t leak critical information
  55. C10. Don’t leak information !
  56. C10. Vulnerabilities Addressed - All Top Ten! A1 – Injection A2 – Broken Auth. and Session Management A3 – Cross-Site Scripting (XSS) A4 – Insecure Direct Object References A5 – Security Misconfiguration A6 – Sensitive Data Exposure A7 – Missing Function Level Access Control A8 – Cross-Site Request Forgery A9 – Using Comp. with Known Vulnerabilities A10 - Unvalidated Redirects and Forwards
  57. Developer Controls: C1 Build Security Early, C2 Secure Database Access, C3 Encode Data, C4 Validate Input, C5 Digital Identity, C6 Access Controls, C7 Protect Data, C8 Logging, C9 Leverage Security Frameworks, C10 Error Handling
  58. Project Page Project page: https://www.owasp.org/index.php/OWASP_Proactive_Controls Twitter: @OWASPControls
  59. Join the conversation #DevSecCon Thank you Katy Anton Application Security Consultant CA / Veracode

Editor's notes

  1. Think for example of coordinates: latitude and longitude have no value by themselves, but put them together and they can pinpoint the exact location on earth. The same thing can happen with error messages when attackers aggregate them from different parts of the application. One way to deal with this is to present the end user with an error code and store the details of the error in the database. Note: American English uses the Z, and British uses the S.