Developer Office Hours
Secure Coding Practices

Scott Hurrey
Developer Relations Engineer
Blackboard Partnerships
scott.hurrey@blackboard.com
202.463.4860 x2620
Statements regarding our product development initiatives, including new products and future product upgrades, updates or enhancements represent our current intentions, but may be modified, delayed or abandoned without prior notice and there is no assurance that such offering, upgrades, updates or functionality will become available unless and until they have been made generally available to our customers.

Agenda
• What is Ruggedness?
• Delivering a Rugged Building Block
• Secure Design Principles
• Secure Coding Guidelines with the Private
  Security APIs
• Verification Techniques



Reference: http://www.ruggedsoftware.org/

The Rugged Software Manifesto
Highlighting a few concepts from the manifesto
• Recognize that your Building Block becomes part of a mission-critical platform
• Recognize that your code will be used (or manipulated) in ways you cannot anticipate
• It may be attacked by talented and persistent adversaries
• So... refuse to be the source of a vulnerability or weakness

Secure Starter Building Block
Features & Methodology

• Highlights Common Security Pitfalls
• Shows Flaws Creating Vulnerabilities
• Good Code / Bad Code Examples
• How to Use the Security Framework

Secure Starter Building Block
How To Access

DANGER! This is experimental code containing purposefully designed-in vulnerabilities for teaching and learning purposes

Google Code site - bb-secure-starter
Shortcut: http://goo.gl/3YqDq
(points to…trust me…)
http://code.google.com/p/bb-secure-starter/

Download the B2 .war file
Install ONLY on an isolated, non-production instance

Secure Starter Building Block
Release 1.0.0 – Three Tutorials
Note: These are NOT vulnerabilities in Blackboard Learn Core, BUT an insecure Building Block would expose your Blackboard Learn instance to such issues

Three Common Security Pitfalls:
• Handling User Input
• Verifying Authenticity of Requests
• Restricting Access to Pages

Secure Starter Building Block
Where Did It Install To?

Secure Starter Building Block
Available Tutorials

Definitions
Risk = Vulnerability x Threat x Asset

Term | Definition
Secure Coding Practices | Input Validation, Escaping, Access Control, etc.
Vulnerability | Software weakness that allows an attack to be successful
Threat | Source and means of a particular type of attack
Asset | Information or system of value
Risk | Potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.

Ways to Reduce Risk (severity of a potential issue):

• Reduce the Vulnerability through a Secure Coding Practice
• Reduce the Threat, perhaps through a Security Design Principle
• Reduce the Asset, perhaps through evaluating what information is collected/modified/displayed

Legend
Secure Design Principles

1. Defense in Depth
2. Secure Defaults
3. Least Privilege
4. Compartmentalization
5. Security by Obscurity is a Myth
6. Cryptology
7. Fail Secure
8. Robustness & Re-use
9. Expected Ability & Presence
10. Error Handling

Legend
Secure Coding Practices

1. Input Validation
2. Escaping
3. Safe HTML (Sanitation)
4. Arbitrary Redirects
5. File Handling
6. Authenticity Validation
7. Error Handling & Exceptions
8. Access Control

Reflecting User Input
Bad Code
<bbNG:step title="Results" instructions="">
   <c:if test="${exists == '1'}">

      <h3>User ${username} located</h3>

      <bbNG:dataElement label="Given Name" labelFor="givenName">
          ${givenName}
      </bbNG:dataElement>

      <bbNG:dataElement label="Email" labelFor="email">
          ${email}
      </bbNG:dataElement>

   </c:if>
</bbNG:step>


Reflecting User Input
Good Code
<bbNG:step title="Results" instructions="">

  <c:if test="${exists == '1'}">

      <h3>User ${bbNG:HtmlEscape(username)} located</h3>

      <%-- givenName and email are user-controlled too; escape them the same way --%>
      <bbNG:dataElement label="Given Name" labelFor="givenName">
          ${bbNG:HtmlEscape(givenName)}
      </bbNG:dataElement>

      <bbNG:dataElement label="Email" labelFor="email">
          ${bbNG:HtmlEscape(email)}
      </bbNG:dataElement>

  </c:if>

</bbNG:step>

Restricting Access to Pages
Bad Code
Action Class
No call to check entitlements

public ActionForward saveMissingAuthorizationCheck(ActionMapping
   mapping, ActionForm actionForm, HttpServletRequest request,
   HttpServletResponse response) {

    // immediately perform privileged actions...
}

JSP
No call to restrict access to the page (entitlement attribute)

<bbNG:genericPage ctxId="ctx">

Restricting Access to Pages
Good Code
Action Class
Call to check entitlements in action class

public ActionForward saveMissingAuthorizationCheck(ActionMapping
   mapping, ActionForm actionForm, HttpServletRequest request,
   HttpServletResponse response) {
       SecurityUtil.checkEntitlement
           (StarterUtil.SYSTEM_ADMIN_ENTITLEMENT);

      // now perform privileged actions...

}

JSP
Call to restrict access to the page (entitlement attribute)

<bbNG:genericPage ctxId="ctx" entitlement="system.admin.VIEW">

Verifying Request Authenticity
Bad Code

Action Class
Extended LegacySecureDispatchAction

public class AuthenticityInsecureAction extends
   LegacySecureDispatchAction {

  // No explicit call to
  // checkXSRFSecurity(actionForm, request);
}

JSP
Nonce not required to be passed in (isSecure, nonceId)

<bbNG:form id="exampleCourseUserForm" action="${submitUrl}"
   method="POST">

Verifying Request Authenticity
Good Code – Pre-9.1 SP10

Action Class
Keep LegacySecureDispatchAction

public class AuthenticitySecureAction extends LegacySecureDispatchAction {
  // Illustrative dispatch method (placeholder name and forward)
  public ActionForward save(ActionMapping mapping, ActionForm actionForm,
      HttpServletRequest request, HttpServletResponse response) {
    // Make explicit call to check the nonce before any privileged action
    checkXSRFSecurity(actionForm, request);
    return mapping.findForward("success");
  }
}

JSP
Require nonce to be passed in (isSecure=true, nonceId=package name to ActionForm)

<bbNG:form id="exampleCourseUserForm" action="${submitUrl}"
   method="POST" isSecure="true"
   nonceId="blackboard.plugin.starter.struts.AuthenticityForm" >

Verifying Request Authenticity
Good Code – Post-9.1 SP10

Action Class
Switch to SecureDispatchAction, checks nonce by default

public class AuthenticitySecureAction extends SecureDispatchAction
{
   // No longer need to explicitly call nonce check
   //checkXSRFSecurity(actionForm, request);
}

JSP
Leave as-is, nonce not required to be passed in (isSecure, nonceId)

<bbNG:form id="exampleCourseUserForm" action="${submitUrl}"
   method="POST">

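As an added illustration (not code from this deck or from Blackboard), the Python model below shows what the nonce check behind isSecure/nonceId and checkXSRFSecurity has to do: issue an unguessable per-form value when the form is rendered, keep it in the session under the nonceId, and refuse the POST unless the submitted value matches in constant time. The session, the request fields and the hidden-field name are constructed stand-ins.

```python
import hmac
import secrets

# Constructed name of the hidden form field that carries the nonce back.
NONCE_FIELD = "blackboard.xsrf.nonce"


class XsrfError(Exception):
    """Raised when a request cannot be tied to a form this user was served."""


def issue_nonce(session: dict, nonce_id: str) -> str:
    """Called when the form is rendered (isSecure="true", nonceId=...).

    One unguessable value per form id, stored server-side in the session so
    the later POST can be matched to a page this user actually loaded."""
    nonces = session.setdefault("xsrf_nonces", {})
    nonce = secrets.token_urlsafe(32)
    nonces[nonce_id] = nonce
    return nonce


def check_xsrf_security(session: dict, form_fields: dict, nonce_id: str) -> None:
    """Called before any privileged action; raises XsrfError on any failure."""
    expected = session.get("xsrf_nonces", {}).get(nonce_id)
    supplied = form_fields.get(NONCE_FIELD)
    if not expected or not isinstance(supplied, str):
        raise XsrfError("missing nonce")
    # Constant-time comparison: the check must not leak how many leading
    # characters of the submitted value were correct.
    if not hmac.compare_digest(expected, supplied):
        raise XsrfError("nonce mismatch")


def is_request_authentic(session: dict, form_fields: dict, nonce_id: str) -> bool:
    """Boolean view of the check; any error (not only XsrfError) means 'no'."""
    try:
        check_xsrf_security(session, form_fields, nonce_id)
        return True
    except Exception:
        return False


def handle_save(session: dict, form_fields: dict, nonce_id: str) -> str:
    """Equivalent of a dispatch method: nothing privileged runs before the check."""
    check_xsrf_security(session, form_fields, nonce_id)
    return "saved"
```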
Design and Code Securely
Let’s look at a small subset of Secure Design Principles and Secure Coding Practices

Security Design Principles
1. Defense in Depth
2. Compartmentalization
3. Security != Obscurity
4. Fail Secure
5. Least Privilege

Secure Coding Practices
1. Input Validation
2. Escaping
3. HTML Sanitization

Defense-In-Depth
Example: TSA
“Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system. A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt.” 1

1 http://www.tsa.gov/what_we_do/layers/index.shtm

Defense-In-Depth
Example: Blackboard Learn

Layering security defenses in an application can reduce the chance of a successful attack

• Existing and upcoming countermeasures for Blackboard Learn
• Prevents single point of failure
• Increases robustness and future use

Defense-In-Depth
Your Building Block

Follow All Secure Design Principles
Follow All Secure Coding Guidelines

• Failure to follow these suggestions can increase the risk of system and data compromise
• Your Building Block can affect various layers of System Architecture beyond Blackboard Learn and circumvent existing Security Controls

Secure Default Settings

Deploy B2 with minimum permissions necessary

• If a permission is not required, do not include it in your Building Block
• For example, do not include blanket filesystem access permissions unless absolutely necessary.

Fail Securely

Transaction initialization, shutdown and aborts should always keep the application in a secure state

Example: Access Control Check
 If CheckAccessDenied()
      Display Error Message ()
      DenyAccess()
 Else
      Perform Privileged Action ()
 Endif

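An added Python illustration (not Blackboard's SecurityUtil, and not code from the deck) of the fail-secure rule applied to the entitlement check from the Restricting Access examples: the fail-open variant is shown beside the fail-secure one so the difference under an unexpected error inside the check is visible. The entitlement store and the user ids are constructed.

```python
# The entitlement string is the one used in the deck's JSP example.
SYSTEM_ADMIN_ENTITLEMENT = "system.admin.VIEW"


class AccessDenied(Exception):
    """Raised by the check; the caller displays an error and denies access."""


class EntitlementStore:
    """Constructed lookup: maps a user id to the set of entitlements granted."""

    def __init__(self, grants: dict):
        self._grants = grants

    def has(self, user: str, entitlement: str) -> bool:
        # An unknown user raises KeyError here; this models an unexpected
        # failure inside the check itself (store unavailable, session gone).
        return entitlement in self._grants[user]


def check_entitlement_fail_open(store: EntitlementStore, user: str, entitlement: str) -> None:
    # The pattern to avoid: an error in the check is swallowed and the code
    # falls through to the privileged action as if the check had passed.
    try:
        if not store.has(user, entitlement):
            raise AccessDenied(entitlement)
    except KeyError:
        pass


def check_entitlement(store: EntitlementStore, user: str, entitlement: str) -> None:
    # Fail secure: the only path that does not raise is an explicit True from
    # the store; any exception during the lookup is treated as "not allowed".
    try:
        allowed = store.has(user, entitlement)
    except Exception:
        allowed = False
    if allowed is not True:
        raise AccessDenied(entitlement)


def save_settings(store: EntitlementStore, user: str, check=check_entitlement) -> str:
    """Equivalent of the action class: check first, then the privileged work."""
    try:
        check(store, user, SYSTEM_ADMIN_ENTITLEMENT)
    except AccessDenied:
        # Display Error Message(); DenyAccess()
        return "denied"
    # Perform Privileged Action()
    return "settings saved"
```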
Handling User Input
When to use Input Validation, Escaping and Safe HTML

Required Action | Input Validation | Escaping | Safe HTML
Rendered as text | Yes | Yes | No
Input to be added to JavaScript | Yes | Yes, but be careful | No
Input to be added as a parameter to a URL | Yes | Yes | No
Rendered as HTML | No | No | Yes

Input Validation
DO:
• Validate Input
  – Applicable to ALL parameters, URLs and HTTP Header content
  – Perform at a “trust boundary” – e.g. at every tier
  – Remember DB is the last line of defense
  – Use a recommended Validation Strategy
• Reject Violations

Input Validation
Validation Strategies

Validation Strategy (Best to Worst) | Definition | Often Used For
Exact match | Finite list of known values, such as enumerated types or structured data | Enumerated types or structured data
Accept known good | No known list of finite values, but specific patterns | UUIDs, pk ids, strings or numbers
Sanitize with whitelist | Remove/encode/replace characters not on approved list (similar to Safe HTML) | Freeform text areas
Reject/encode known bad | Blacklist rejection/HTML escaping of known malicious chars. “Arms race” | Freeform text areas
No validation | No validation | N/A

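Added Python illustration, not code from the deck, of the first three strategies in the table: exact match against an enumeration, accept-known-good by pattern (a UUID and a pk id), and whitelist sanitisation for freeform text, each rejecting violations rather than repairing them. The SortOrder values and the pk-id pattern are assumptions made for the example.

```python
import re
import uuid
from enum import Enum


class SortOrder(Enum):
    """Exact match: the parameter must be one of a finite list of known values
    (constructed example of an enumerated type)."""
    ASC = "asc"
    DESC = "desc"


def validate_exact_match(value: str) -> SortOrder:
    try:
        return SortOrder(value)
    except ValueError:
        # Reject the violation; do not try to repair the input.
        raise ValueError(f"sort order not in allowed set: {value!r}")


# Accept known good: no finite list, but a strict pattern. The pk-id format
# (_<digits>_<digits>) is an assumption made for this illustration.
PK_ID_RE = re.compile(r"_[0-9]{1,10}_[0-9]{1,3}")


def validate_pk_id(value: str) -> str:
    if PK_ID_RE.fullmatch(value) is None:
        raise ValueError(f"not a well-formed pk id: {value!r}")
    return value


def validate_uuid(value: str) -> str:
    # uuid.UUID accepts only the fixed UUID format; return the canonical form so
    # downstream code sees one spelling regardless of input case.
    return str(uuid.UUID(value))


# Sanitize with whitelist: strip every character not on the approved list.
# Used for freeform fields where outright rejection would be too strict;
# output escaping is still required afterwards (see the escaping slides).
NOT_ALLOWED_RE = re.compile(r"[^A-Za-z0-9 .,'\-]")


def sanitize_freeform(value: str, max_len: int = 200) -> str:
    return NOT_ALLOWED_RE.sub("", value)[:max_len]


def accepted(validator, value: str) -> bool:
    """True if the validator accepts the value, False if it rejects it."""
    try:
        validator(value)
        return True
    except ValueError:
        return False
```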
Output Encoding and Escaping
DO:
• Escape ALL untrusted data in proper context
  – Applicable to ALL input, such as URL Parameters, form fields, headers or cookies
  – Often missed when output to HTML tags and attributes, taglibs, CSS, JavaScript data values and URIs

Context | Trusted Users | Untrusted Users
Non-VTBE, like Query Strings | Escape | Escape
VTBE | Unrestricted HTML | Safe HTML

Output Encoding and Escaping
DO NOT:
• Restrict escaping to roles unless related to VTBE
  – NO! EscapeUntrusted(), escapeThenFilter()
DO:
• Escape server-side using approved methods

Context | Java | JSP
HTML | XSSUtil.escape(evil) | ${bbNG:HtmlEscape(evil)}
JavaScript | JsResource.encode(evil) | ${bbFn:jsEncode(evil)}
URL | EncodeUtility.urlEncode(evil) or UrlUtil.addParameterToUrl(url,key,evil,true) | ${bbFn:urlEncode(evil)}

Output Encoding and Escaping
Example

Missing escaping, remember XSSUtil.filter is not relevant

Action Class
request.setAttribute("username",
                    request.getParameter("username"));

JSP
<h3>User ${username} located</h3>

Action Class
request.setAttribute("username",
           XSSUtil.escape(request.getParameter("username")));

JSP
<h3>User ${bbNG:HtmlEscape(username)} located</h3>

Output Encoding and Escaping
More Examples
// Escape for HTML Tags
<b>${bbNG:HtmlEscape(evil)}</b>

// Escape for HTML Attributes
<input type="text" name="foo" value="${bbNG:HtmlEscape(evil)}">

// Escape for JavaScript
<script type='text/javascript'>
function foo()
{
    return confirm("${bbFn:jsEncode(evil)}")
}
</script>

// Escape for URLs
url = UrlUtil.addParameterToUrl( url, "bar", evil, true );
url = "/webapps/foo?bar="+EncodeUtility.urlEncode(evil);
<c:set var="fooURL" value="/webapps/foo/bar.jsp?foo=${bbFn:urlEncode(evil)}"/>

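Added Python illustration, not code from the deck, of context-specific escaping for the four contexts above (element text, attribute value, JavaScript string, URL parameter). Standard-library escapers stand in for XSSUtil.escape, bbFn:jsEncode and EncodeUtility.urlEncode; they are not the Blackboard implementations, and the sample value is constructed.

```python
import html
import json
from urllib.parse import quote


def html_escape(value: str) -> str:
    # Escapes & < > " ' so the value is inert both in element text and inside a
    # quoted attribute value (stand-in for XSSUtil.escape / bbNG:HtmlEscape).
    return html.escape(value, quote=True)


def js_encode(value: str) -> str:
    # Body of a JavaScript string literal (stand-in for bbFn:jsEncode):
    # json.dumps produces a double-quoted literal with quotes and backslashes
    # escaped; < > & are additionally encoded so a "</script>" inside the value
    # cannot terminate the script element. The outer quotes are stripped so the
    # template controls them, exactly as confirm("${bbFn:jsEncode(evil)}") does.
    literal = json.dumps(value)[1:-1]
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def url_encode(value: str) -> str:
    # Percent-encode everything except unreserved characters, for use as one
    # query-string parameter value (stand-in for EncodeUtility.urlEncode).
    return quote(value, safe="")


def render_text(evil: str) -> str:
    return f"<b>{html_escape(evil)}</b>"


def render_attribute(evil: str) -> str:
    return f'<input type="text" name="foo" value="{html_escape(evil)}">'


def render_script(evil: str) -> str:
    return ('<script>function foo() { return confirm("'
            + js_encode(evil) + '"); }</script>')


def render_url(evil: str) -> str:
    return "/webapps/foo?bar=" + url_encode(evil)
```

HTML escaping is not a substitute in the JavaScript or URL contexts: the JS encoder must neutralise quotes and backslashes as string-literal escapes, and the URL encoder must percent-encode, which is why the deck lists one approved method per context.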
Safe HTML
DO:
• Use when rendering input to be executed as HTML
  – e.g. VTBE-related fields
DO NOT:
• Use directly from untrusted input
• Use as a replacement for appropriate input validation or output escaping

Safe HTML
Blacklisting

• List of URL prefixes for which the global XSS filtering should NOT be performed.
• Add entries here to work around issues that arise in Building Blocks or other areas that are sensitive to the changing of request parameter values.
• Configuration file located at /usr/local/blackboard/content/vi/bb_bb60/plugins/bb-xss-filter/webapp/WEB-INF/classes/blackboard/xss/request/bb-xss-global-filter-exceptions.txt

Safe HTML
Whitelisting

• This filter controls allowable HTML tags in the Content Editor (VTBE).
• You can modify the default policy through the UI
• Policy can be downloaded from System Admin->Safe HTML Filters->Safe HTML Filter for Content Editor, edited and then uploaded via the same screen
• This only affects untrusted users, like students

Questions, Comments, Concerns
• Feel free to ask.
• Email me at scott.hurrey@blackboard.com
• Report Learn vulnerabilities to
  LearnSecurity@blackboard.com
• Report vulnerabilities in Partner Building
  Blocks to BbPartnerTeam@blackboard.com



Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 

Recently uploaded (20)

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture hons
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 

Secure Coding Practices for Developers

  • 1. Developer Office Hours: Secure Coding Practices
       Scott Hurrey, Developer Relations Engineer, Blackboard Partnerships
       scott.hurrey@blackboard.com, 202.463.4860 x2620
  • 2. Statements regarding our product development initiatives, including new products and future product upgrades, updates or enhancements, represent our current intentions but may be modified, delayed or abandoned without prior notice, and there is no assurance that such offerings, upgrades, updates or functionality will become available unless and until they have been made generally available to our customers.
  • 3. Agenda
       - What is Ruggedness?
       - Delivering a Rugged Building Block
       - Secure Design Principles
       - Secure Coding Guidelines with the Private Security APIs
       - Verification Techniques
  • 4. Reference: http://www.ruggedsoftware.org/
  • 5. The Rugged Software Manifesto
       Highlighting a few concepts from the manifesto:
       - Recognize that your Building Block becomes part of a mission-critical platform
       - Recognize that your code will be used (or manipulated) in ways you cannot anticipate
       - It may be attacked by talented and persistent adversaries
       - So... refuse to be the source of a vulnerability or weakness
  • 6. Secure Starter Building Block: Features & Methodology
       - Highlights common security pitfalls
       - Shows the flaws that create vulnerabilities
       - Good Code / Bad Code examples, side by side
       - How to use the Security Framework
  • 7. Secure Starter Building Block: How To Access
       DANGER! This is experimental code containing purposefully designed-in vulnerabilities for teaching and learning purposes.
       - Google Code site: bb-secure-starter, http://code.google.com/p/bb-secure-starter/
         (shortcut: http://goo.gl/3YqDq, which points to the same place... trust me)
       - Download the B2 .war file
       - Install ONLY on an isolated, non-production instance
  • 8. Secure Starter Building Block: Release 1.0.0, Three Tutorials
       Note: these are NOT vulnerabilities in Blackboard Learn core, BUT an insecure Building Block would expose your Blackboard Learn instance to such issues.
       Three common security pitfalls:
       - Handling User Input
       - Verifying Authenticity of Requests
       - Restricting Access to Pages
  • 9. Secure Starter Building Block: Where Did It Install To?
  • 10. Secure Starter Building Block: Available Tutorials
  • 11. Definitions
       Risk = Vulnerability x Threat x Asset

       Term                      Definition
       Secure Coding Practices   Input Validation, Escaping, Access Control, etc.
       Vulnerability             Software weakness that allows an attack to be successful
       Threat                    Source and means of a particular type of attack
       Asset                     Information or system of value
       Risk                      Potential for loss, damage, or destruction of an asset as a result of
                                 a threat exploiting a vulnerability

       Ways to reduce Risk (the severity of a potential issue):
       - Reduce the Vulnerability through a Secure Coding Practice
       - Reduce the Threat, perhaps through a Security Design Principle
       - Reduce the Asset, perhaps by evaluating what information is collected, modified or displayed
  • 12. Legend: Secure Design Principles
       1. Defense in Depth
       2. Secure Defaults
       3. Least Privilege
       4. Compartmentalization
       5. Security by Obscurity is a Myth
       6. Cryptology
       7. Fail Secure
       8. Robustness & Re-use
       9. Expected Ability & Presence
       10. Error Handling
  • 13. Legend: Secure Coding Practices
       1. Input Validation
       2. Escaping
       3. Safe HTML (Sanitation)
       4. Arbitrary Redirects
       5. File Handling
       6. Authenticity Validation
       7. Error Handling & Exceptions
       8. Access Control
  • 14. Reflecting User Input: Bad Code
       The username request parameter is written into the page unescaped:
       <bbNG:step title="Results" instructions="">
         <c:if test="${exists == '1'}">
           <h3>User ${username} located</h3>
           <bbNG:dataElement label="Given Name" labelFor="givenName">
             ${givenName}
           </bbNG:dataElement>
           <bbNG:dataElement label="Email" labelFor="email">
             ${email}
           </bbNG:dataElement>
         </c:if>
       </bbNG:step>
  • 15. Reflecting User Input: Good Code
       The reflected username is HTML-escaped at the point of output:
       <bbNG:step title="Results" instructions="">
         <c:if test="${exists == '1'}">
           <h3>User ${bbNG:HtmlEscape(username)} located</h3>
           <bbNG:dataElement label="Given Name" labelFor="givenName">
             ${givenName}
           </bbNG:dataElement>
           <bbNG:dataElement label="Email" labelFor="email">
             ${email}
           </bbNG:dataElement>
         </c:if>
       </bbNG:step>
       Note that givenName and email are still rendered unescaped here; the "escape ALL untrusted data" rule later in this deck applies to them as well if they can carry attacker-controlled content.
  • 16. Restricting Access to Pages: Bad Code
       Action Class: no call to check entitlements
       public ActionForward saveMissingAuthorizationCheck(ActionMapping mapping, ActionForm actionForm,
                                                          HttpServletRequest request, HttpServletResponse response) {
         // immediately perform privileged actions...
       }
       JSP: no call to restrict access to the page (no entitlement attribute)
       <bbNG:genericPage ctxId="ctx">
  • 17. Restricting Access to Pages: Good Code
       Action Class: call to check entitlements before anything privileged happens
       public ActionForward saveMissingAuthorizationCheck(ActionMapping mapping, ActionForm actionForm,
                                                          HttpServletRequest request, HttpServletResponse response) {
         SecurityUtil.checkEntitlement(StarterUtil.SYSTEM_ADMIN_ENTITLEMENT);
         // now perform privileged actions...
       }
       JSP: call to restrict access to the page (entitlement attribute)
       <bbNG:genericPage ctxId="ctx" entitlement="system.admin.VIEW">
  • 18. Verifying Request Authenticity: Bad Code
       Action Class: extends LegacySecureDispatchAction, which does not check the nonce on its own
       public class AuthenticityInsecureAction extends LegacySecureDispatchAction {
         // No explicit call to
         // checkXSRFSecurity(actionForm, request);
       JSP: nonce not required to be passed in (no isSecure, no nonceId)
       <bbNG:form id="exampleCourseUserForm" action="${submitUrl}" method="POST">
  • 19. Verifying Request Authenticity: Good Code, pre-9.1 SP10
       Action Class: keep LegacySecureDispatchAction but make the nonce check explicit
       public class AuthenticitySecureAction extends LegacySecureDispatchAction {
         // Make explicit call to
         checkXSRFSecurity(actionForm, request);
       JSP: require the nonce to be passed in (isSecure="true", nonceId = package-qualified name of the ActionForm)
       <bbNG:form id="exampleCourseUserForm" action="${submitUrl}" method="POST"
                  isSecure="true" nonceId="blackboard.plugin.starter.struts.AuthenticityForm">
  • 20. Verifying Request Authenticity: Good Code, 9.1 SP10 and later
       Action Class: switch to SecureDispatchAction, which checks the nonce by default
       public class AuthenticitySecureAction extends SecureDispatchAction {
         // No longer need to explicitly call the nonce check
         // checkXSRFSecurity(actionForm, request);
       JSP: leave as-is; the nonce does not need to be passed in (no isSecure, no nonceId)
       <bbNG:form id="exampleCourseUserForm" action="${submitUrl}" method="POST">
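       The three slides above say which Blackboard class and tag attributes turn the nonce check on, but not what the check does. The following is an added example, written for this page and not Blackboard's implementation: a minimal synchronizer-token (nonce) scheme in plain Java showing the mechanism that isSecure="true"/nonceId and SecureDispatchAction rely on. The Map standing in for HttpSession, the field name xsrf_nonce and the request maps are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Blackboard code). A per-session random nonce is emitted in
 * the form and must be echoed back on every state-changing POST. A cross-site
 * page can make the browser submit the form, but it cannot read the nonce, so
 * the forged request fails the check.
 */
public final class XsrfNonce {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String SESSION_KEY = "xsrf.nonce";   // hypothetical session attribute
    private static final String FIELD_NAME = "xsrf_nonce";    // hypothetical hidden-field name

    /** Issue (or reuse) the session's nonce; called when the form is rendered. */
    public static String issue(Map<String, String> session) {
        String nonce = session.get(SESSION_KEY);
        if (nonce == null) {
            byte[] raw = new byte[32];                     // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, nonce);
        }
        return nonce;
    }

    /** The hidden input the JSP would emit inside the form (URL-safe Base64 needs no HTML escaping). */
    public static String hiddenField(Map<String, String> session) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + issue(session) + "\">";
    }

    /**
     * The server-side check the action performs before doing anything privileged.
     * Missing nonce in either place is a failure (fail secure), and the comparison
     * is constant-time so a guess cannot be refined byte by byte.
     */
    public static boolean verify(Map<String, String> session, Map<String, String> postParams) {
        String expected = session.get(SESSION_KEY);
        String supplied = postParams.get(FIELD_NAME);
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();   // constructed stand-in for HttpSession
        System.out.println(hiddenField(session));

        // Constructed requests: a genuine submission from the rendered form ...
        Map<String, String> legit = new HashMap<>();
        legit.put("courseId", "_1_1");
        legit.put(FIELD_NAME, issue(session));

        // ... a cross-site POST, which carries the victim's cookies but no nonce ...
        Map<String, String> forged = new HashMap<>();
        forged.put("courseId", "_1_1");

        // ... and a POST with a guessed nonce of the right shape.
        Map<String, String> guessed = new HashMap<>(legit);
        guessed.put(FIELD_NAME, "AAAA" + issue(session).substring(4));

        System.out.println("legitimate request passes: " + verify(session, legit));
        System.out.println("cross-site request passes: " + verify(session, forged));
        System.out.println("guessed nonce passes:      " + verify(session, guessed));
    }
}
```

       Only the first request should pass. Whatever the framework version, the point of the slides stands: the check must run in the action for every state-changing request, and a form that is not rendered with the nonce cannot be verified.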
  • 21. Design and Code Securely
       Let's look at a small subset of Secure Design Principles and Secure Coding Practices.
       Security Design Principles:
       1. Defense in Depth
       2. Compartmentalization
       3. Security != Obscurity
       4. Fail Secure
       5. Least Privilege
       Secure Coding Practices:
       1. Input Validation
       2. Escaping
       3. HTML Sanitization
  • 22. Defense-In-Depth Example: TSA
       "Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system. A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt." [1]
       [1] http://www.tsa.gov/what_we_do/layers/index.shtm
  • 23. Defense-In-Depth Example: Blackboard Learn
       Layering security defenses in an application can reduce the chance of a successful attack:
       - Existing and upcoming countermeasures for Blackboard Learn
       - Prevents a single point of failure
       - Increases robustness and future use
  • 24. Defense-In-Depth: Your Building Block
       - Follow all Secure Design Principles
       - Follow all Secure Coding Guidelines
       Failure to follow these suggestions can increase the risk of system and data compromise. Your Building Block can affect various layers of the system architecture beyond Blackboard Learn and circumvent existing security controls.
  • 25. Secure Default Settings
       Deploy the B2 with the minimum permissions necessary:
       - If a permission is not required, do not include it in your Building Block
       - For example, do not include blanket filesystem access permissions unless absolutely necessary
  • 26. Fail Securely
       Transaction initialization, shutdown and aborts should always leave the application in a secure state.
       Example: Access Control Check
         If CheckAccessDenied()
           DisplayErrorMessage()
           DenyAccess()
         Else
           PerformPrivilegedAction()
         Endif
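       The pseudocode above and the entitlement check on the "Restricting Access to Pages" slides describe the same pattern. As an added example (not code from the Secure Starter Building Block), here it is in plain Java with the one case the pseudocode leaves implicit: if the check itself cannot be completed, the privileged action still must not run. AccessGuard, User and UserLookup are hypothetical stand-ins for SecurityUtil.checkEntitlement and the session; the entitlement string is the one used on the slides.

```java
import java.util.Set;
import java.util.function.Supplier;

/**
 * Added example, not Blackboard code. Check first, deny on any failure, and
 * only then perform the privileged action.
 */
public final class AccessGuard {

    /** Thrown when the caller lacks the entitlement, or when the check could not be completed. */
    public static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** Hypothetical principal: the entitlements granted to the current session. */
    public static final class User {
        final Set<String> entitlements;
        public User(Set<String> entitlements) { this.entitlements = entitlements; }
    }

    /** Source of the current user; returning null models "no authenticated session". */
    public interface UserLookup { User currentUser(); }

    private final UserLookup lookup;

    public AccessGuard(UserLookup lookup) { this.lookup = lookup; }

    /**
     * Mirrors the slide's pseudocode. An exception raised while checking (for
     * example, the entitlement store is unreachable) is treated as a denial,
     * not as permission to continue, and the error message stays generic so it
     * does not tell the caller which entitlement was missing.
     */
    public <T> T runIfEntitled(String entitlement, Supplier<T> privilegedAction) {
        boolean granted;
        try {
            User u = lookup.currentUser();
            granted = u != null && u.entitlements.contains(entitlement);
        } catch (RuntimeException e) {
            granted = false;                      // fail secure: a broken check is a denial
        }
        if (!granted) {
            throw new AccessDeniedException("Access denied");   // DisplayErrorMessage() + DenyAccess()
        }
        return privilegedAction.get();            // PerformPrivilegedAction()
    }

    public static void main(String[] args) {
        // Constructed users for the illustration.
        User admin = new User(Set.of("system.admin.VIEW"));
        User student = new User(Set.of("course.content.VIEW"));

        System.out.println(new AccessGuard(() -> admin)
            .runIfEntitled("system.admin.VIEW", () -> "settings saved"));

        // Wrong entitlement, no session, and a lookup that throws: none may reach the action.
        AccessGuard[] mustDeny = {
            new AccessGuard(() -> student),
            new AccessGuard(() -> null),
            new AccessGuard(() -> { throw new IllegalStateException("entitlement store down"); })
        };
        for (AccessGuard g : mustDeny) {
            try {
                g.runIfEntitled("system.admin.VIEW", () -> "settings saved");
                System.out.println("BUG: privileged action ran without entitlement");
            } catch (AccessDeniedException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

       The order matters: the check is the first statement of the guarded path, as SecurityUtil.checkEntitlement is on the "Good Code" slide, so no privileged work happens before a denial can be raised.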
  • 27. Handling User Input: when to use Input Validation, Escaping and Safe HTML
       Required Action                             Input Validation   Escaping               Safe HTML
       Rendered as text                            Yes                Yes                    No
       Input to be added to JavaScript             Yes                Yes, but be careful    No
       Input to be added as a parameter to a URL   Yes                Yes                    No
       Rendered as HTML                            No                 No                     Yes
  • 28. Input Validation
       DO:
       - Validate input
         - Applicable to ALL parameters, URLs and HTTP header content
         - Perform at a "trust boundary", e.g. at every tier
         - Remember the DB is the last line of defense
         - Use a recommended validation strategy
       - Reject violations
  • 29. Input Validation: Validation Strategies
       Validation Strategy (best to worst)   Definition                                                    Often Used For
       Exact match                           Finite list of known values, such as enumerated types or      Enumerated types or structured data
                                             structured data
       Accept known good                     No finite list of known values, but specific patterns         UUIDs, pk ids, strings or numbers
       Sanitize with whitelist               Remove/encode/replace characters not on the approved list     Freeform text areas
                                             (similar to Safe HTML)
       Reject/encode known bad               Blacklist rejection / HTML escaping of known malicious        Freeform text areas
                                             characters; an "arms race"
       No validation                         No validation                                                 N/A
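       The two slides above give the rules (validate every parameter at the trust boundary, reject violations, prefer the strongest strategy). As an added example, not from the slides or the Secure Starter Building Block, the following plain Java applies the top two strategies from the table to the kinds of parameters a Building Block typically receives. The "_<number>_1" shape for a pk id and the parameter names are assumptions made for the illustration.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example, not Blackboard code. "Exact match" and "accept known good"
 * validators that reject anything outside the expected shape instead of trying
 * to repair it.
 */
public final class InputValidation {

    /** Exact match: the only values a "sort" parameter may take. */
    public enum SortOrder { ASC, DESC }

    /** Accept known good: assumed pk id shape such as "_1234_1". */
    private static final Pattern PK_ID = Pattern.compile("_[0-9]{1,18}_1");

    /** Accept known good: RFC 4122 text form, either case. */
    private static final Pattern UUID = Pattern.compile(
        "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", Pattern.CASE_INSENSITIVE);

    /** One generic message: the caller learns the parameter, not why it failed. */
    public static final class ValidationException extends IllegalArgumentException {
        ValidationException(String param) { super("Invalid value for parameter: " + param); }
    }

    /** Exact match against the enumerated type; anything else is rejected. */
    public static SortOrder sortOrder(String raw) {
        if (raw == null) throw new ValidationException("sort");
        try {
            return SortOrder.valueOf(raw.trim().toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            throw new ValidationException("sort");
        }
    }

    /** matches() anchors to the whole string, so "_42_1 OR 1=1" does not partially match. */
    public static String pkId(String raw) {
        if (raw == null || !PK_ID.matcher(raw).matches()) throw new ValidationException("id");
        return raw;
    }

    public static String uuid(String raw) {
        if (raw == null || !UUID.matcher(raw).matches()) throw new ValidationException("uuid");
        return raw;
    }

    /** Digits only, then a range check; Integer.parseInt alone also accepts a leading sign. */
    public static int pageSize(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,3}")) throw new ValidationException("pageSize");
        int n = Integer.parseInt(raw);
        if (n < 1 || n > 200) throw new ValidationException("pageSize");
        return n;
    }

    public static void main(String[] args) {
        // Constructed request parameters: one acceptable and one hostile per validator.
        String[][] samples = {
            {"sort", "desc"},      {"sort", "<script>alert(1)</script>"},
            {"id", "_42_1"},       {"id", "_42_1 OR 1=1"},
            {"uuid", "123e4567-e89b-12d3-a456-426614174000"}, {"uuid", "not-a-uuid"},
            {"pageSize", "50"},    {"pageSize", "+99999"},
        };
        for (String[] s : samples) {
            try {
                Object v;
                switch (s[0]) {
                    case "sort": v = sortOrder(s[1]); break;
                    case "id":   v = pkId(s[1]); break;
                    case "uuid": v = uuid(s[1]); break;
                    default:     v = pageSize(s[1]);
                }
                System.out.println(s[0] + "=" + s[1] + " accepted as " + v);
            } catch (ValidationException e) {
                System.out.println(s[0] + "=" + s[1] + " rejected");
            }
        }
    }
}
```

       Validation of this kind reduces the attack surface but does not replace escaping: a value that passes pkId() is safe to compare against a key, and still has to be escaped for whichever output context it is later written into.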
  • 30. Output Encoding and Escaping
       DO:
       - Escape ALL untrusted data in the proper context
         - Applicable to ALL input, such as URL parameters, form fields, headers or cookies
         - Often missed when output to HTML tags and attributes, taglibs, CSS, JavaScript data values and URIs
       Context                           Trusted Users        Untrusted Users
       Non-VTBE, like query strings      Escape               Escape
       VTBE                              Unrestricted HTML    Safe HTML
  • 31. Output Encoding and Escaping
       DO NOT:
       - Restrict escaping by user role unless the field is VTBE-related: no escapeUntrusted(), no escapeThenFilter()
       DO:
       - Escape server-side using the approved methods:
       Context      Java                                              JSP
       HTML         XSSUtil.escape(evil)                              ${bbNG:HtmlEscape(evil)}
       JavaScript   JsResource.encode(evil)                           ${bbFn:jsEncode(evil)}
       URL          EncodeUtility.urlEncode(evil)                     ${bbFn:urlEncode(evil)}
                    UrlUtil.addParameterToUrl(url, key, evil, true)
  • 32. Output Encoding and Escaping: Example
       Bad Code: escaping is missing (and remember that XSSUtil.filter() is not a substitute for escaping)
       Action Class
         request.setAttribute("username", request.getParameter("username"));
       JSP
         <h3>User ${username} located</h3>
       Good Code: escape the value once, in its output context. Either in the Action Class
         request.setAttribute("username", XSSUtil.escape(request.getParameter("username")));
       with the JSP left as above, or in the JSP
         <h3>User ${bbNG:HtmlEscape(username)} located</h3>
       with the attribute set unescaped. Do not do both: HTML-escaping the same value twice shows the user double-encoded text (&amp;lt; in place of <).
  • 33. Output Encoding and Escaping: More Examples
       // Escape for HTML tags
       <b>${bbNG:HtmlEscape(evil)}</b>
       // Escape for HTML attributes
       <input type="text" name="foo" value="${bbNG:HtmlEscape(evil)}">
       // Escape for JavaScript
       <script type='text/javascript'>
         function foo() { return confirm("${bbFn:jsEncode(evil)}") }
       </script>
       // Escape for URLs
       url = UrlUtil.addParameterToUrl( url, "bar", evil, true );
       url = "/webapps/foo?bar=" + EncodeUtility.urlEncode(evil);
       <c:set var="fooURL" value="/webapps/foo/bar.jsp?foo=${bbFn:urlEncode(evil)}"/>
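       The four escaping slides above say to use the escaper that matches the output context but cannot show, without a Learn instance, what goes wrong when the contexts are mixed. The following is an added example written for this page, not Blackboard code: three minimal escapers in plain Java that stand in for XSSUtil.escape / bbNG:HtmlEscape, JsResource.encode / bbFn:jsEncode and EncodeUtility.urlEncode / bbFn:urlEncode, run over constructed hostile inputs so the rendered output can be inspected. It assumes Java 10 or later for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added example, not Blackboard code. Context-specific escaping and what happens when the wrong one is used. */
public final class ContextEscaping {

    /** HTML body and quoted-attribute context (stand-in for XSSUtil.escape / bbNG:HtmlEscape). */
    public static String html(String s) {
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    /**
     * JavaScript string-literal context (stand-in for JsResource.encode / bbFn:jsEncode).
     * Everything outside [A-Za-z0-9 ,._] is \xHH- or \uHHHH-escaped, so quotes,
     * backslashes, "</script>" and line terminators cannot end the literal or the block.
     */
    public static String js(String s) {
        StringBuilder b = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if ((c < 128 && Character.isLetterOrDigit(c)) || c == ' ' || c == ',' || c == '.' || c == '_') {
                b.append(c);
            } else if (c < 256) {
                b.append(String.format("\\x%02X", (int) c));
            } else {
                b.append(String.format("\\u%04X", (int) c));
            }
        }
        return b.toString();
    }

    /** URL query-parameter context (stand-in for EncodeUtility.urlEncode / bbFn:urlEncode). */
    public static String url(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed hostile inputs; each targets a different context.
        String tagPayload = "<img src=x onerror=alert(1)>";
        String slash      = "\\";                  // a single backslash
        String jsPayload  = "); alert(1); //";
        String urlPayload = "x&admin=true";

        // HTML tag body: html() is the right escaper and the tag is rendered as text.
        System.out.println("<h3>User " + html(tagPayload) + " located</h3>");

        // JS string literal with two interpolated values. html() does not touch the
        // backslash, so the first value escapes its own closing quote and the second
        // value lands outside the string literal, where the JS engine executes it.
        System.out.println("confirm(\"" + html(slash) + "\", \"" + html(jsPayload) + "\")");
        // With js() both values stay inside their quotes, whatever they contain.
        System.out.println("confirm(\"" + js(slash) + "\", \"" + js(jsPayload) + "\")");

        // Query parameter inside an href. html() alone turns & into &amp;, which the
        // browser decodes back to & before following the link, so admin=true is
        // still injected as a second parameter; url() first, then html() for the
        // attribute, keeps it inside the value of bar.
        System.out.println("<a href=\"/webapps/foo?bar=" + html(urlPayload) + "\">");
        System.out.println("<a href=\"/webapps/foo?bar=" + html(url(urlPayload)) + "\">");
    }
}
```

       The last pair is the general rule for nested contexts: encode for the innermost context first (URL or JavaScript) and then for the outer one (HTML attribute), which is why the slides pair bbFn:urlEncode and bbFn:jsEncode with, rather than instead of, HtmlEscape.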
  • 34. Safe HTML
       DO:
       - Use it when rendering input that is to be interpreted as HTML, e.g. VTBE-related fields
       DO NOT:
       - Use it directly from untrusted input
       - Use it as a replacement for appropriate input validation or output escaping
  • 35. Safe HTML: Blacklisting
       - A list of URL prefixes for which the global XSS filtering should NOT be performed.
       - Add entries here to work around issues that arise in Building Blocks or other areas that are sensitive to the changing of request parameter values. Each entry removes that layer of defense for the matching path, so keep the list as short as possible.
       - Configuration file: /usr/local/blackboard/content/vi/bb_bb60/plugins/bb-xss-filter/webapp/WEB-INF/classes/blackboard/xss/request/bb-xss-global-filter-exceptions.txt
  • 36. Safe HTML: Whitelisting
       - This filter controls the HTML tags allowed in the Content Editor (VTBE).
       - You can modify the default policy through the UI: download the policy from System Admin -> Safe HTML Filters -> Safe HTML Filter for Content Editor, edit it, and upload it via the same screen.
       - This only affects untrusted users, like students.
  • 37. Questions, Comments, Concerns
       - Feel free to ask.
       - Email me at scott.hurrey@blackboard.com
       - Report Learn vulnerabilities to LearnSecurity@blackboard.com
       - Report vulnerabilities in Partner Building Blocks to BbPartnerTeam@blackboard.com