OWASP. To ensure that strong simple security controls are available to every developer in every...

Post on 17-Dec-2015

226 views 1 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

Transcript of OWASP. To ensure that strong simple security controls are available to every developer in every...

The OWASP Enterprise Security API( ESAPI )

OWASP

To ensure thatstrong simple security

controls are available to every developer

in every environment

ESAPI Mission

Where Do Vulnerabilities Come From?

Controls Every Application Needs

Access Control

Authenti-cation and

Identity

App Firewall

Access Reference

Map

Output Escaping

Input Validation

LoggingException Handling

Secure Config

Intrusion Detection

HTTP Utilities

Encryption and Signing

Security Controls

Are Hard

Escaping Gone Wild Percent Encoding%3c%3C

 HTML Entity Encoding

&#60&#060&#0060&#00060&#000060&#0000060<<<<<<&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c<<<<<<&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c<<<

<<< &#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C<<<<<<&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C<<<<<< &lt&lT&Lt&LT<&lT;≪<

JavaScript Escape\<\x3c\X3c\u003c\U003c\x3C\X3C\u003C\U003C 

CSS Escape\3c\03c\003c\0003c\00003c\3C\03C\003C\0003C\00003C

Overlong UTF-8%c0%bc%e0%80%bc%f0%80%80%bc%f8%80%80%80%bc%fc%80%80%80%80%bc

US-ASCII¼

UTF-7+ADw-

Punycode<-

<

Cheaper, Better, Faster

http://www.owasp.org/images/c/c7/Esapi-before-after.JPG

attacks

threats exploits

vulnerabilities

RiskWorld risks

controls

AssuranceWorld

accountability

pentest

scanning

assurance

patterns

verification architecture

policy

impact

flaws

metrics

visibility

completeness

ESAPI Scorecard

Authentication Identity Access Control * * Input Validation Output Escaping Canonicalization Encryption Random Numbers Exceptions Logging IntrusionDetection Security Config App Firewall

http://www.neo-vision.net/webdesign/images/ASP-logo.gif
http://mcct-skads.oan.es/Images/php-logo.png
http://deanlm.com/current_projects/index_files/python_logo.jpg
http://www.willamette.edu/~fruehr/logos/PNGs/HaskellLogo.png

Assurance

http://pmd.sourceforge.net/
http://images.google.com/imgres?imgurl=http://bookshop.gfu.net/AxCMSTemplates_GFU/pics/products/0596007434.jpg&imgrefurl=http://schulungen.gfu.net/junit-schulung.html&h=500&w=291&sz=30&hl=en&start=18&sig2=KAdB0KGiI4Lw6LYsNEFYJQ&um=1&tbnid=rB-fGcYmfT2JHM:&tbnh=130&tbnw=76&ei=divfRrHDAYqaiQGS8-y9Ag&prev=/images?q=junit&svnum=10&um=1&hl=en&sa=N
http://www.fortifysoftware.com/

Deceptively Tricky Problems for Developers

1. Input Validation and Output Encoding2. Authentication and Identity3. URL Access Control4. Business Function Access Control5. Data Layer Access Control6. Presentation Layer Access Control7. Errors, Logging, and Intrusion Detection8. Encryption, Hashing, and Randomness

Lots more…

Stopping InjectionQuick and Dirty

Ad Hoc Escaping

Generic Validation

Stopping InjectionEnterprise

Automatic Escaping

Managed Specific Validation

Managed Generic Validation

Jeff WilliamsAspect Security CEO

OWASP Foundation Chairjeff.williams@aspectsecurity.comhttp://www.aspectsecurity.com

twitter @planetlevel410-707-1487

Questions?

Stopping InjectionQuick and Dirty

Ad Hoc Escaping

Generic Validation

Stopping InjectionStrong Application

Mandatory Escaping

Specific Validation

Generic Validation (+can)

ESAPI Web App Firewall (WAF)

attacker

userESAPI

WAF

Critical Application?

PCI requirement?3rd party

application?Legacy

application?Incident response?

Virtual patchesAuthentication rulesURL access control

Egress filteringAttack surface reduction

Real-time security

AuthN and AuthZQuick and Dirty

User in Session

Simple Authentication Model

Ad Hoc Authorization

AuthN and AuthZStrong Application

Identity Everywhere

Automatic CG Authorization

Alternate Authentication

Automatic FG Authorization

AuthN and AuthZEnterprise

AuthZ Policy Management

AuthZ Entitlement Mgmt

Identity Management

Applications Enjoy Attacks

YouTube

Live Search

Blogger

http://blog.jayare.eu/wp-content/uploads/2007/12/500-internal-server-error-youtube.jpg
http://blog.jayare.eu/wp-content/uploads/2007/12/404-not-found-live.jpg

Accountability and DetectionQuick and Dirty

Ad Hoc Security Logging

Security Exceptions (2 msgs)

Ad Hoc Authorization

Accountability and DetectionStrong Application

Intrusion Detection

Automatic Security Logging

Accountability and DetectionEnterprise

Log Policy Management

Dynamic Incident Response

Centralized Logging

ESAPI Swingset

Top related

Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 Technology
Understanding ESAPI, OWASP Delhi
 Technology
OWASP · to the ESAPI web application security control library, OWASP projects and guides span many focus areas and phases of the secure software development lifecycle. Despite the
 Documents
ESAPI: A GUIDED TOUR - OWASP
 Documents
Design Patterns - OWASPdesign patterns. OWASP ESAPI toolkits help software developers guard against security-related design and implementation flaws. Just as web applications and web
 Documents
M7 SERIES - CQB SOUTH, LLC€¦ · SAPI/ESAPI 9.50 x 12.50 1.20 5.20 Multi DKX-M7-MD-SE SAPI/ESAPI 10 x 12 1.20 5.00 Multi DKX-M7-1012-SE SAPI/ESAPI 10.25 x 13.25 1.20 6.10 Multi
 Documents
OWASP Foundation Inc.€¦ · be used to guard against security-related design and implementation flaws. ... Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI
 Documents
OWASP The OWASP Foundation
 Documents
Helen Bravo Director of Product Management at … › europe2013 › sites › eclipsecon...Shiro, Symfony2 – ESAPI is a very useful OWASP security framework • SCA tools that can
 Documents
Jeff Williams, CEO OWASP NYNJ ESAPI... · 2012. 3. 30. · ESAPI Specification (In Progress) ESAPI Application Programming Interface (API) a.NET PHP CF ASP Python Ajax y.com C++ oid.
 Documents
Development of Security Framework based on OWASP ESAPI for ... · ESAPI •Enterprise Security API –OWASP Project –Support for : Java, Dot NET, Classic ASP, PHP, ColdFusion, Python,
 Documents
JavaScript-based ESAPI: An In-Depth Overview
 Documents
Introduction - OWASP...2013/02/21  · Zombie browsers, spiced with rootkit extensions OWASP 2013 • Legal disclaimer: • Every point of views and thoughts are mine. • The next
 Documents
Design Patterns - OWASP · 2 The Built-In Singleton Pattern . The ESAPI security control interfaces include an “ESAPI” class that is commonly referred to as a “locator” class.
 Documents
Advanced Web Technology 11) Web Security : ESAPI · Advanced Web Technology 11) Web Security : ESAPI Problems and Solutions: Handling Authentication and Identity 9. The Authenticator
 Documents
Enterprise Security API (ESAPI) Java › media › pdfs › DenimGroup_ESAPI... · ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control
 Documents
proactive controls final - OWASP · The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. ... developer
 Documents
Review OWASP 2014 - OWASP Perú
 Software
Esapi Design Patterns
 Documents
OWASP Enterprise Security API (ESAPI) for C Plus Plus · 2020-01-17 · OWASP Enterprise Security API (ESAPI) for C Plus Plus Dan Amodio ESAPI for C Project Leader Dan.Amodio@owasp.org
 Documents

Copyright © 2022 FDOCUMENTS