How to secure web applications with OWASP (ISACA, Sep 2009, for distribution)
- 1. How to secure web applications with OWASP
Santosh Satam
Head-Technical Services MIEL
- 2. No noble thing can be done without risks.
Michel De Montaigne
© 2009 MIEL eSecurity Pvt Ltd
Confidential
2
- 3. Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this presentation may not be based on
historical information or facts and may be “forward looking statements” and may be subject to risks and uncertainties that could cause actual results
to differ materially and adversely from those that may be projected by such forward looking statements.
MIEL makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the
user by the direct or indirect use of this Presentation. MIEL may alter, modify or otherwise change in any manner the content hereof, without
obligation to notify any person of such revision or changes.
All company and product names are trademarks of the respective companies with which they are associated.
COPYRIGHT © 2009 MIEL e-Security Pvt. Ltd.
All rights reserved.
Softcopy Name : MIEL – OWASP Presentation – ISACA Sep 2009
Published Date : Sep 2009
Author : Santosh Satam
- 4. Agenda
Introduction to Application Security
OWASP Projects
Way Forward
- 5. You have been appointed as Head of Application Security
Your first task is to define a roadmap for application security ...
- 6. You start digging into the maze of applications ...
- 7. Commercial Off-the-Shelf (COTS) Applications
In-house Developed Applications
Legacy Systems
Interfaces to External Systems
Support Applications
Open Source Applications
Applications Hosted in the Cloud (SaaS)
- 8. Even after two weeks you are still struggling …
- 9. Stakeholders in Application Security
Top Management
Auditors
BU Heads
IT/Network Admins
Quality Assurance
Project Managers
Architects
Developers
- 11. What is OWASP?
OWASP – Open Web Application Security Project
An open group focused on understanding and improving the security of web applications and web services.
- 12. Who is using OWASP?
- 14. OWASP – Guides throughout SDLC
- 15. Requirements Phase
Methods:
* Identify Security Requirements
* Identify Mis-use Cases
* Identify Attack Surface
* Identify Deployment Scenarios
OWASP methods and tools:
* Free Tools: WebGoat Training Tool
* Projects: Web AppSec Guide
- 16. Requirements Phase – Define Security Requirements
Business Requirement: The application stores credit card data that must be protected.
Security Requirement: Strong encryption must be used to protect the sensitive customer data.

Business Requirement: The application transmits sensitive user information over an untrusted network.
Security Requirement: Communication channels must be encrypted.

Business Requirement: The application must be available 24x7.
Security Requirement: Mitigate denial-of-service attacks.

Business Requirement: The application takes user input and uses it in SQL.
Security Requirement: SQL injection must be mitigated, primarily by parameterised queries, with input validation as defence in depth.
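The last requirement above is the one most often written down wrongly. The following is an added example, not code from the deck or from OWASP: a Python/sqlite3 login lookup in its injectable form and its parameterised form, plus an allow-list validator for the username. The `users` table, its rows and the attack strings are constructed for the demonstration (passwords are stored in clear here only to keep the example short; a real system stores a salted hash, see A8 of the Top 10).

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the deck): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """'Before' version: the user input is pasted into the SQL text, so quotes
    and comment markers in the input change the meaning of the query
    (OWASP Top 10 2007 A2, Injection Flaws)."""
    query = ("SELECT username, role FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_parameterised(conn, username, password):
    """'After' version: the SQL text is fixed at development time; the values
    travel as bound parameters and are never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def valid_username(username):
    """Allow-list input validation, as the slide's requirement asks for: 3 to 32
    characters of [a-z0-9_]. This shrinks the attack surface (and stops junk
    reaching the database) but is defence in depth, not the primary control;
    parameterisation is."""
    return re.fullmatch(r"[a-z0-9_]{3,32}", username) is not None


def login(conn, username, password):
    """Both controls together: reject malformed input, then query safely."""
    if not valid_username(username):
        return []
    return login_parameterised(conn, username, password)


def demo():
    """Runs the same attack strings against each version and returns the results."""
    conn = make_db()
    tautology = "' OR '1'='1"        # classic authentication bypass
    comment = "admin' --"            # log in as admin, comment out the password check
    return {
        "vulnerable_tautology_rows": len(login_vulnerable(conn, tautology, tautology)),
        "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
        "parameterised_tautology_rows": len(login_parameterised(conn, tautology, tautology)),
        "parameterised_comment": login_parameterised(conn, comment, "wrong"),
        "valid_login": login(conn, "admin", "hunter2"),
        "rejected_by_validation": login(conn, comment, "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The tautology returns every row from the vulnerable query because `AND` binds tighter than `OR`, and the `--` payload drops the password check entirely; neither string matches any row once it is bound as a parameter. Note that the validator alone would not have protected a query built like `login_vulnerable` for fields where quotes are legitimate input (names, addresses), which is why the requirement should name parameterisation first.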
- 17. Requirements Phase – Car Security Mis-use Case
Use case: Drive the Car
  Threatened by mis-use case: Steal the Car
    Mitigated by: Lock the Car
      Threatened by mis-use case: Short the Ignition
        Mitigated by: Lock the Transmission
- 19. Requirements Phase – Identify Deployment Scenarios
Infrastructure Security
Scalability
Secure Communication
Compliance
- 20. Design Phase
Methods:
* Security Principles
* Threat Modeling
OWASP methods and tools:
* Free Tools: WebGoat Training Tool
* Projects: Enterprise Security API (ESAPI); AntiSamy (Java Project); AntiSamy (.Net Project)
- 21. Design Phase – Security Principles
- 22. Design Phase – Threat Modeling
Identify Assets
Decompose Application
Identify Threats and Vulnerabilities
Document Threats
Rate Threats
Mitigate Threats
- 23. Design Phase – OWASP ESAPI
- 24. Development Phase
Methods:
* Input Validation
* Output Handling
* Session Handling
* Error Handling
* Configuration Management
* Cryptography
* Secure Code Review
OWASP methods and tools:
* Free Tools: WebScarab Proxy; ASP.NET Analyzers
* Projects: Web AppSec Guide; Code Review Project; AppSec Metrics
- 25. Testing Phase
Methods:
* Manual Inspection
* Threat Modeling
* Code Review
* Penetration Testing
OWASP methods and tools:
* Free Tools: LiveCD
* Projects: OWASP Top 10; Testing Project
- 26. OWASP Top 10 (2007 edition)
A1 – Cross Site Scripting (XSS)
A2 – Injection Flaws
A3 – Insecure Remote File Include (published in the final 2007 list as Malicious File Execution)
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access
- 27. Code Review
• Code review helps to find vulnerabilities that may not be discoverable in a black-box/zero-knowledge testing scenario.
• It covers the following areas: syntactical, business logic, infrastructure.
- 28. OWASP – LiveCD Tools
1 OWASP WebScarab
2 OWASP WebGoat
3 OWASP CAL9000
4 OWASP JBroFuzz
5 Paros Proxy
6 nmap & Zenmap
7 Wireshark
8 tcpdump
9 Firefox 3
10 Burp Suite
11 Grendel-Scan
12 OWASP DirBuster
13 OWASP SQLiX
14 OWASP WSFuzzer
15 Metasploit 3
16 w3af & GTK GUI for w3af
17 Netcats collection
18 OWASP Wapiti
19 Nikto
20 Fierce Domain Scanner
21 Maltego CE
22 httprint
23 SQLBrute
24 Spike Proxy
25 Rat Proxy
- 29. Deployment Phase
Methods:
* System Hardening
* Power-on Sequence
* Secure Transmission
* Database Security
OWASP methods and tools:
* Free Tools: LiveCD
* Projects: Web AppSec Guide; Testing Project
- 30. Summary
“Prevention is always better than cure”
Implement Application Security Practices in the Development Process
Conduct Awareness Programs on Application Security
Conduct Code Reviews
Test, Test and Test each and every application before it is put into Production
- 32. Useful Links
Open Web Application Security Project (OWASP): http://www.owasp.org
SANS: http://www.sans.org
CERT: http://www.cert.org
ISACA: http://www.isaca.org
Security Focus: http://www.securityfocus.com
Microsoft Security: http://microsoft.com/security/
IBM: http://www-106.ibm.com/developerworks/linux/library/
The Web Application Security Consortium (WASC): http://www.webappsec.org/
The Web Hacking Incidents Database: http://www.webappsec.org/projects/whid/
- 33. Application Security - Certifications
• CSSLP - Certified Secure Software Lifecycle Professional
http://www.isc2.org/csslp/
• CSSLP CBK
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance and Disposal
- 35. Discussion
Santosh Satam
Head – Technical Services
CISA | CISM | CISSP | CSSLP
MIEL e-Security Pvt. Ltd.
E-mail: ssatam@mielesecurity.com