SlideShare ist ein Scribd-Unternehmen logo

Secure coding presentation Oct 3 2020

Moataz Kamel
Moataz Kamel

Secure Coding, What you need to know as a developer, SAST, DAST, DevOps, OWASP, Application Security

Software
1 von 37
Downloaden Sie, um offline zu lesen
Secure Coding What you need to know as a developer by Moataz Kamel Oct 3, 2020
Introduction ● 20 years in the software industry ● 14 years delivering security software in the cloud ● Expertise in Email & Web Security cloud gateways, SDLC, and Scaled Agile/DevOps ● BASc and MASc in Computer Engineering ● Started as a developer, then architect, then Director then Sr. Director of Development
Motivation: Why application security?
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ Top Attacker motivations: ● Financial ● Reputation ● Hacktivism
Free burgers… really?
Growth of Software Vulnerabilities... “Reacting to vulnerabilities in existing systems is not working…” We need to “ eliminate vulnerabilities resulting from coding errors before they are deployed.” - Robert C. Seacord (CERT) CVE = Common Vulnerabilities and Exposures https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/ http://www.open-std.org/JTC1/SC22/WG23/docs/ISO-IECJTC1-SC22-WG23_N0023-Secure-Coding-Standards.pdf
What is Secure Coding? Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Viega, John; Gary McGraw (2001). Building Secure Software: How to Avoid Security Problems the Right Way. MAddison-Wesley Professional. p. 528. ISBN 978-0201721522.
A Side Note... Traditionally, Secure Coding ⇒ Application Security (i.e. Javascript, Python, PHP etc) Application Security ⍯ Network Security (i.e .Firewalls, VLANs, WAF, etc) However, DevOps ⇒ Infrastructure as Code Therefore, Secure Coding ⇒ Application Security && Infrastructure Security
Understand the Attack Surface Code you write + Libraries, Frameworks, + Communication Paths in/out + Code that protects paths + Data used in the application + Code that protects the data + <Infrastructure it all runs on> https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
Introducing OWASP ● A volunteer organization of people dedicated to spreading the word about secure coding and application security ● The OWASP website owasp.org is one of the largest collections of application security knowledge that has been compiled and is freely available. ● There are many (194) OWASP projects that are free and open source that you can download to test or improve the security posture of your software ● A great place to start is with the Quick Developers Guide and the Secure Coding Practices Quick Reference Guide Open Web Application Security Project
OWASP First Steps Open Web Application Security Project Appsec Tutorial
OWASP Top 10 Web App Sec Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoringhttps://owasp.org/www-project-top-ten/ The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (Current Version 2017) Open Web Application Security Project
A1: Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection Open Web Application Security Project
Injection: Example Attack Scenarios Scenario #1: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; What happens when the attacker modifies the ‘id’ parameter value in their browser to send: ‘ or ‘1’=’1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of the query to return all the records from the accounts table. SELECT * FROM accounts WHERE custID='' or '1'='1' More dangerous attacks could modify or delete data, or even invoke stored procedures. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection https://www.w3schools.com/sql/sql_injection.asp
Injection: Example Attack Scenarios Scenario #2: txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId; Suppose the following user input User id: 105; DROP TABLE Suppliers This changes the meaning of the query to return all the records from the accounts table. SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers; https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection https://www.w3schools.com/sql/sql_injection.asp
Injection: How to Prevent? Failure to properly validate input leads to almost all of the major application vulnerabilities! Defense Options (SQL injection) 1. Use prepared statements with parameterized queries 2. Use stored procedures 3. Whitelist input validation (i.e. compare against a list of valid inputs) 4. Escape all user-supplied inputs (i.e. escape any special characters) https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = @0"; db.Execute(txtSQL,txtUserId);
A2: Broken Authentication Broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials. In recent years, broken authentication attacks have accounted for many of the worst data breaches. https://auth0.com/blog/what-is-broken-authentication/ https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication Open Web Application Security Project
Authentication: Example Attack Scenarios Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid. https://auth0.com/blog/what-is-credential-stuffing/
Authentication: Example Attack Scenarios Scenario #2: Session Hijacking can occur if application session timeouts are not set properly and sessions are not encrypted. If an attacker snoops on a public wifi network, they could steal the session information and use it to browse as that user.
Authentication: Best Practices ● Use unique UserIds that are hard to guess ● Implement password strength controls ● Implement secure password recovery ● Store passwords securely ● Compare password hashes with safe functions ● Transmit passwords only over TLS or other strong transport ● Require re-authentication for sensitive features ● Consider strong transaction authentication ● Protect against automated attacks using MFA and/or account lockout https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html OAuth 2.0 and OpenID Connect (in plain English), https://auth0.com/blog/what-is-broken-authentication/ Session Management ● Control session Length (timeout) ● Rotate and invalidate session ids ● Don’t put session ids in URLs (use session cookies or JWTs) ● Understand your build-in session management framework and keep it up to date (e.g. J2EE, ASP.NET, PHP, etc) ● Always use TLS for the entire web session
A3: Sensitive Data Exposure Sensitive data like passwords, credit card numbers, health records, personal information require extra protection. Rather than directly attacking crypto, attackers can steal data from web service applications in a numbers of ways if that data is not encrypted and if keys are not stored and handled in a safe way. Open Web Application Security Project https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure
A3: Sensitive Data Exposure: Example Attack Scenarios Scenario #1: Using a technique known as “Google Hacking”, an attacker searches for sites with txt, log, or cfg files with admin_password exposed in plain text The attacker then uses the admin password to gain access to resources on the site.
A3: Sensitive Data Exposure: Example Attack Scenarios Scenario #2: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure Encrypted at rest SELECT User,CreditCardNum FROM transactions WHERE user=1199 or 1=1; All users, credit cards decrypted All users, credit cards decrypted
A3: Sensitive Data Exposure: Best Practices ● Classify sensitive data; don’t store if not needed, discard as soon as possible ● Encrypt data at rest, never store in plaintext ● Use strong, up-to-date encryption algorithms (AES 256). Consider open, peer-reviewed libraries like Google/Tink ● Manage encryption keys securely (don’t store secrets in code, config files or env variables, use key stores or secret vaults like KeyWhiz, Hashicorp Vault, or Amazon KMS. ● Encrypt data in transit with secure protocols like TLS and use perfect forward secrecy (PFS) and HTTP Strict Transport Security (HSTS). https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
A4: XML External Entities (XXE) An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) XML Open Web Application Security Project
A4: XML External Entities (XXE): Example Attack Scenarios Scenario #1: An attacker discovers a gaming website that allows users to upload game configurations in XML format.The attacker uploads the following xml to the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> This results in the server displaying the contents of the passwd file which the attacker then users to take over the web server. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE)
A4: XML External Entities (XXE): Example Attack Scenarios Scenario #2: An attacker discovers a 3d printing website that allows users to upload CAD drawings in XML format.The attacker uploads the following xml to the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/" >]> <foo>&xxe;</foo> The resulting call is called Server-Side Request Forgery (SSRF) where the server hosting the website makes a call to the named website in the external entity tag. This type of request forgery can be used to gain access to privileged information on the private network of the host or to . https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) https://portswigger.net/web-security/xxe (Exploiting XXE to perform SSRF attacks)
A4: XML External Entities (XXE): Best Practices ● Use less complex data formats like JSON if appropriate ● Patch or upgrade all XML processors and libraries ● Disable XML external entity and DTD processing in all XML parsers ● Verify that XML file upload functionality validates incoming XML https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
A5: Broken Access Control Access control enforces policies such that users cannot act outside their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing business functions outside of the limits of the user (e.g. payment authorization, granting permissions) https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control XML Open Web Application Security Project
A5: Broken Access Control Example Attack Scenarios Scenario #1: An attacker observes the following request made by the application when loading their banking dashboard. https://mybankingapp.test/cgi-bin/hpe.py?accountId=4462 The server code is as follows: pstmt.setString(1, request.getParameter("accountId")); ResultSet results = pstmt.executeQuery( ); The attacker modifies the request to use the bank account number of another user by changing the accountId parameter from 4462 to 4463 and receives the account details of another user. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control https://www.packetlabs.net/broken-access-control/ XML
A5: Broken Access Control Example Attack Scenarios Scenario #2: An attacker reviews the html from a popular banking website and finds this comment: <!-- JQuery to perform several actions: • Load account balance data • Load transaction data • If user is customer support a search field will appear. o Queries /cgi-bin/customer_search.py o Parameters (optional): accountID, customerID, transactionDate --> <div id=”accountBalance”> The attacker crafts a request based on this information to search the customer database: https://mybankingapp.test/cgi-bin/customer_search.py?limit=5 The application responds with a list of 100 customers from the applications database. https://www.packetlabs.net/broken-access-control/ XML
A5: Broken Access Control: Best Practices ● Access control must be enforced in server side checks ● With the exception of public resources, Deny access by default ● Implement access control once and reuse through the application (linked to authentication & session management) ● Disable web server directory listing ● Log access control failures and alert admins when appropriate ● Rate limit API and controller to protect against automated attacks ● Include functional access control in unit and integration testing https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html XML
Security Tools Static Application Security Testing (SAST): ● Analyzes source code to find security vulnerabilities ● Can be run as part of the build Dynamic Application Security Testing (DAST): ● Analyzes running application to find security vulnerabilities ● Can find security vulns like XSS, insecure server config, etc
Next Gen Tools
In Conclusion Keep Learning! (check out the links in the references) Experiment with OWASP tools! Let security awareness be your superpower! Stay Safe and Stay Secure!
References ● OWASP Top Ten Application Security Risks ● OWASP Secure Coding Practices Quick Reference Guide ● OWASP Developer Quick Start Guide ● CERT Security and Secure Coding Standards (for C and C++) ● 2019 CWE (Common Weakness Enumeration) Top 25 Software Errors ● CIS (Center for Internet Security) Top 20 Controls ● UC Berkley Secure Coding Practice Guidelines ● Common Vulnerabilities and Exposures ● What Is the NIST Cybersecurity Framework ● SAST Tutorial: Everything you Need to Know ● OWASP Security Knowledge Framework ● https://www.horangi.com/blog/real-life-examples-of-web-vulnerabilities
Security Practices 1.Validate Input 2.Compiler warnings 3. Design for security 6. Least Privilege 7. Defense In Depth 8. Sanitize sent data 4. KIS 5. Default Deny 9. QA https://wiki.sei.cmu.edu/confluence/display/seccode/Top%2B10%2BSecure%2BCoding%2BPractices https://www.slideshare.net/websecurify/secure-coding 10. Coding Standard

Empfohlen

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Empfohlen

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Broken access controls
Broken access controlsBroken access controls
Broken access controlsAkansha Kesharwani
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software EngineeringRohitha Liyanagama
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 

Was ist angesagt? (20)

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web application security
Web application securityWeb application security
Web application security
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Secure code
Secure codeSecure code
Secure code
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Application Security
Application SecurityApplication Security
Application Security
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 

Ähnlich wie Secure coding presentation Oct 3 2020

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
OWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsOWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsIRJET Journal
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptxAlmaOraevi
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 

Ähnlich wie Secure coding presentation Oct 3 2020 (20)

Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
C01461422
C01461422C01461422
C01461422
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
OWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention MethodsOWASP Top 10 Web Attacks (2017) with Prevention Methods
OWASP Top 10 Web Attacks (2017) with Prevention Methods
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 

Kürzlich hochgeladen

tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 

Kürzlich hochgeladen (20)

tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 

Secure coding presentation Oct 3 2020

  • 1. Secure Coding What you need to know as a developer by Moataz Kamel Oct 3, 2020
  • 2. Introduction ● 20 years in the software industry ● 14 years delivering security software in the cloud ● Expertise in Email & Web Security cloud gateways, SDLC, and Scaled Agile/DevOps ● BASc and MASc in Computer Engineering ● Started as a developer, then architect, then Director then Sr. Director of Development
  • 6. Growth of Software Vulnerabilities... “Reacting to vulnerabilities in existing systems is not working…” We need to “ eliminate vulnerabilities resulting from coding errors before they are deployed.” - Robert C. Seacord (CERT) CVE = Common Vulnerabilities and Exposures https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/ http://www.open-std.org/JTC1/SC22/WG23/docs/ISO-IECJTC1-SC22-WG23_N0023-Secure-Coding-Standards.pdf
  • 7. What is Secure Coding? Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Viega, John; Gary McGraw (2001). Building Secure Software: How to Avoid Security Problems the Right Way. MAddison-Wesley Professional. p. 528. ISBN 978-0201721522.
  • 8. A Side Note... Traditionally, Secure Coding ⇒ Application Security (i.e. Javascript, Python, PHP etc) Application Security ⍯ Network Security (i.e .Firewalls, VLANs, WAF, etc) However, DevOps ⇒ Infrastructure as Code Therefore, Secure Coding ⇒ Application Security && Infrastructure Security
  • 9. Understand the Attack Surface Code you write + Libraries, Frameworks, + Communication Paths in/out + Code that protects paths + Data used in the application + Code that protects the data + <Infrastructure it all runs on> https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
  • 10. Introducing OWASP ● A volunteer organization of people dedicated to spreading the word about secure coding and application security ● The OWASP website owasp.org is one of the largest collections of application security knowledge that has been compiled and is freely available. ● There are many (194) OWASP projects that are free and open source that you can download to test or improve the security posture of your software ● A great place to start is with the Quick Developers Guide and the Secure Coding Practices Quick Reference Guide Open Web Application Security Project
  • 11. OWASP First Steps Open Web Application Security Project Appsec Tutorial
  • 12. OWASP Top 10 Web App Sec Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoringhttps://owasp.org/www-project-top-ten/ The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (Current Version 2017) Open Web Application Security Project
  • 13. A1: Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection Open Web Application Security Project
  • 14. Injection: Example Attack Scenarios Scenario #1: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; What happens when the attacker modifies the ‘id’ parameter value in their browser to send: ‘ or ‘1’=’1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of the query to return all the records from the accounts table. SELECT * FROM accounts WHERE custID='' or '1'='1' More dangerous attacks could modify or delete data, or even invoke stored procedures. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection https://www.w3schools.com/sql/sql_injection.asp
  • 15. Injection: Example Attack Scenarios Scenario #2: txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId; Suppose the following user input User id: 105; DROP TABLE Suppliers This changes the meaning of the query to return all the records from the accounts table. SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers; https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection https://www.w3schools.com/sql/sql_injection.asp
  • 16. Injection: How to Prevent? Failure to properly validate input leads to almost all of the major application vulnerabilities! Defense Options (SQL injection) 1. Use prepared statements with parameterized queries 2. Use stored procedures 3. Whitelist input validation (i.e. compare against a list of valid inputs) 4. Escape all user-supplied inputs (i.e. escape any special characters) https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = @0"; db.Execute(txtSQL,txtUserId);
  • 17. A2: Broken Authentication Broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials. In recent years, broken authentication attacks have accounted for many of the worst data breaches. https://auth0.com/blog/what-is-broken-authentication/ https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication Open Web Application Security Project
  • 18. Authentication: Example Attack Scenarios Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid. https://auth0.com/blog/what-is-credential-stuffing/
  • 19. Authentication: Example Attack Scenarios Scenario #2: Session Hijacking can occur if application session timeouts are not set properly and sessions are not encrypted. If an attacker snoops on a public wifi network, they could steal the session information and use it to browse as that user.
  • 20. Authentication: Best Practices ● Use unique UserIds that are hard to guess ● Implement password strength controls ● Implement secure password recovery ● Store passwords securely ● Compare password hashes with safe functions ● Transmit passwords only over TLS or other strong transport ● Require re-authentication for sensitive features ● Consider strong transaction authentication ● Protect against automated attacks using MFA and/or account lockout https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html OAuth 2.0 and OpenID Connect (in plain English), https://auth0.com/blog/what-is-broken-authentication/ Session Management ● Control session Length (timeout) ● Rotate and invalidate session ids ● Don’t put session ids in URLs (use session cookies or JWTs) ● Understand your build-in session management framework and keep it up to date (e.g. J2EE, ASP.NET, PHP, etc) ● Always use TLS for the entire web session
  • 21. A3: Sensitive Data Exposure Sensitive data like passwords, credit card numbers, health records, personal information require extra protection. Rather than directly attacking crypto, attackers can steal data from web service applications in a numbers of ways if that data is not encrypted and if keys are not stored and handled in a safe way. Open Web Application Security Project https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure
  • 22. A3: Sensitive Data Exposure: Example Attack Scenarios Scenario #1: Using a technique known as “Google Hacking”, an attacker searches for sites with txt, log, or cfg files with admin_password exposed in plain text The attacker then uses the admin password to gain access to resources on the site.
  • 23. A3: Sensitive Data Exposure: Example Attack Scenarios Scenario #2: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure Encrypted at rest SELECT User,CreditCardNum FROM transactions WHERE user=1199 or 1=1; All users, credit cards decrypted All users, credit cards decrypted
  • 24. A3: Sensitive Data Exposure: Best Practices ● Classify sensitive data; don’t store if not needed, discard as soon as possible ● Encrypt data at rest, never store in plaintext ● Use strong, up-to-date encryption algorithms (AES 256). Consider open, peer-reviewed libraries like Google/Tink ● Manage encryption keys securely (don’t store secrets in code, config files or env variables, use key stores or secret vaults like KeyWhiz, Hashicorp Vault, or Amazon KMS. ● Encrypt data in transit with secure protocols like TLS and use perfect forward secrecy (PFS) and HTTP Strict Transport Security (HSTS). https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
  • 25. A4: XML External Entities (XXE) An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) XML Open Web Application Security Project
  • 26. A4: XML External Entities (XXE): Example Attack Scenarios Scenario #1: An attacker discovers a gaming website that allows users to upload game configurations in XML format.The attacker uploads the following xml to the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> This results in the server displaying the contents of the passwd file which the attacker then users to take over the web server. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE)
  • 27. A4: XML External Entities (XXE): Example Attack Scenarios Scenario #2: An attacker discovers a 3d printing website that allows users to upload CAD drawings in XML format.The attacker uploads the following xml to the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/" >]> <foo>&xxe;</foo> The resulting call is called Server-Side Request Forgery (SSRF) where the server hosting the website makes a call to the named website in the external entity tag. This type of request forgery can be used to gain access to privileged information on the private network of the host or to . https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) https://portswigger.net/web-security/xxe (Exploiting XXE to perform SSRF attacks)
  • 28. A4: XML External Entities (XXE): Best Practices ● Use less complex data formats like JSON if appropriate ● Patch or upgrade all XML processors and libraries ● Disable XML external entity and DTD processing in all XML parsers ● Verify that XML file upload functionality validates incoming XML https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A4-XML_External_Entities_(XXE) https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
  • 29. A5: Broken Access Control Access control enforces policies such that users cannot act outside their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing business functions outside of the limits of the user (e.g. payment authorization, granting permissions) https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control XML Open Web Application Security Project
  • 30. A5: Broken Access Control Example Attack Scenarios Scenario #1: An attacker observes the following request made by the application when loading their banking dashboard. https://mybankingapp.test/cgi-bin/hpe.py?accountId=4462 The server code is as follows: pstmt.setString(1, request.getParameter("accountId")); ResultSet results = pstmt.executeQuery( ); The attacker modifies the request to use the bank account number of another user by changing the accountId parameter from 4462 to 4463 and receives the account details of another user. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control https://www.packetlabs.net/broken-access-control/ XML
  • 31. A5: Broken Access Control Example Attack Scenarios Scenario #2: An attacker reviews the html from a popular banking website and finds this comment: <!-- JQuery to perform several actions: • Load account balance data • Load transaction data • If user is customer support a search field will appear. o Queries /cgi-bin/customer_search.py o Parameters (optional): accountID, customerID, transactionDate --> <div id=”accountBalance”> The attacker crafts a request based on this information to search the customer database: https://mybankingapp.test/cgi-bin/customer_search.py?limit=5 The application responds with a list of 100 customers from the applications database. https://www.packetlabs.net/broken-access-control/ XML
  • 32. A5: Broken Access Control: Best Practices ● Access control must be enforced in server side checks ● With the exception of public resources, Deny access by default ● Implement access control once and reuse through the application (linked to authentication & session management) ● Disable web server directory listing ● Log access control failures and alert admins when appropriate ● Rate limit API and controller to protect against automated attacks ● Include functional access control in unit and integration testing https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html XML
  • 33. Security Tools Static Application Security Testing (SAST): ● Analyzes source code to find security vulnerabilities ● Can be run as part of the build Dynamic Application Security Testing (DAST): ● Analyzes running application to find security vulnerabilities ● Can find security vulns like XSS, insecure server config, etc
  • 35. In Conclusion Keep Learning! (check out the links in the references) Experiment with OWASP tools! Let security awareness be your superpower! Stay Safe and Stay Secure!
  • 36. References ● OWASP Top Ten Application Security Risks ● OWASP Secure Coding Practices Quick Reference Guide ● OWASP Developer Quick Start Guide ● CERT Security and Secure Coding Standards (for C and C++) ● 2019 CWE (Common Weakness Enumeration) Top 25 Software Errors ● CIS (Center for Internet Security) Top 20 Controls ● UC Berkley Secure Coding Practice Guidelines ● Common Vulnerabilities and Exposures ● What Is the NIST Cybersecurity Framework ● SAST Tutorial: Everything you Need to Know ● OWASP Security Knowledge Framework ● https://www.horangi.com/blog/real-life-examples-of-web-vulnerabilities
  • 37. Security Practices 1.Validate Input 2.Compiler warnings 3. Design for security 6. Least Privilege 7. Defense In Depth 8. Sanitize sent data 4. KIS 5. Default Deny 9. QA https://wiki.sei.cmu.edu/confluence/display/seccode/Top%2B10%2BSecure%2BCoding%2BPractices https://www.slideshare.net/websecurify/secure-coding 10. Coding Standard