Developing Secure Applications Martin Knobloch
Developing Secure Applications
Martin Knobloch Sogeti Nederland B.V. Design and Software Architecture
www.OWASP.org
Developing Secure Applications! PHP Business Seminar
• Security Requirements?
• Security Awareness!
• Application Security?
• Secure Development Process!
• Stay Secure?
• Summary, Questions And Discussion
Proactive Security Strategy:
• Make application security a standard subject of application development, by making all roles inside an application development process aware of the possibilities and the threats.
• Supply education, standards, tooling, protocols and best practices to optimise the Secure Development Process.
• Technologies covered: Functional Design / Information Analysis, Design & Software Architecture, Java, Oracle, CMS/Portals, PHP, Cobol / Uniface, Test.
Open Web Application Security Project:
• World-wide open source community!
• Dedicated to finding and fighting the causes of insecure software.
• Tools: WebGoat Project, WebScarab Project, ...
• Documentation: Top Ten Project, Guide Project, AppSec FAQ Project, Testing Guide Project, PHP Project, ...
Security Requirements?
Requirements (diagram): user requirements, business requirements and system requirements, each split into functional and non-functional requirements; business rules, external interfaces and constraints; the questions 'Why', 'What', 'How' and 'Who?'.
Security Awareness!
The environments in which software applications ran used to be closed.
• Because of this, the applications could be developed 'open'.
The environments became more open over time.
• Which means the applications have to become more closed.
The Problems:
• Cookies, HTTP authentication, SSL...
• Low learning curve
• (Web) applications are easy to attack
Consciously: • Cracker • Hacker • Script kiddie
Risk = (Threats × Vulnerabilities / Countermeasures) × Value
Unconsciously: • User • System • Environment
Application Security?
Applications are about information!
3 pillars of Information Security:
> Confidentiality
> Integrity
> Availability
(Diagram: functional specification and technical implementation; either one can be insecure, and the application is only secure where both are.)
An application is secure if it acts and reacts as expected, at any time!
OWASP TOP TEN (2007 edition):
1. Cross Site Scripting
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object References
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communication
10. Failure to Restrict URL Access
Source: www.mitre.org
Example: SQL injection through a login form.
The username is 'Administrator' and the password is 'TopSecret':
USERNAME: Administrator  PASSWORD: *****
The username is 'Administrator' and the password is 'crap' or 1=1;
USERNAME: Administrator  PASSWORD: ***** or 1=1
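The login slide above shows the classic injection: the password field closes the SQL string literal and appends an `or 1=1` condition that is true for every row. The program below is an added example written for this transcript, not code from the seminar or from OWASP. It builds a constructed in-memory SQLite table holding the slide's credentials, then runs a concatenated query (vulnerable) and a parameterized query (safe) against the same inputs. The payload is written as `crap' OR '1'='1` so the statement parses; the slide's own `crap' or 1=1` (without a closing quote) is kept to show that it makes the database throw an error, and an application that echoes such errors to the browser leaks its query text (Top Ten #6). The same fix applies in PHP with PDO prepared statements.

```python
"""SQL injection in a login check: concatenated SQL next to a parameterized query.

Added example for the seminar transcript; the users table is constructed data.
"""
import sqlite3


def make_db():
    """In-memory users table with the slide's credentials (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the injection demo short; a real store
    # holds a salted hash (Top Ten 2007 #8, Insecure Cryptographic Storage).
    conn.execute("INSERT INTO users VALUES ('Administrator', 'TopSecret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, as the slide's login does.

    With password crap' OR '1'='1 the WHERE clause becomes
        username = 'Administrator' AND password = 'crap' OR '1'='1'
    AND binds tighter than OR, so the clause is true for every row and the
    check passes without knowing any password.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed, the values travel
    separately, so user input can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def vulnerable_raises(conn, password):
    """True if the concatenated query fails to parse for this password.

    The slide's literal payload, crap' or 1=1, leaves an unbalanced quote;
    SQLite rejects the statement. An application that shows that error
    message to the user reveals its SQL (Information Leakage and Improper
    Error Handling), so errors must be logged server-side and the user
    shown only a generic failure.
    """
    try:
        login_vulnerable(conn, "Administrator", password)
    except sqlite3.Error:
        return True
    return False


def demo():
    """Run both versions against the slide's two inputs; returns the outcomes."""
    conn = make_db()
    payload = "crap' OR '1'='1"
    results = {
        "vulnerable, correct password": login_vulnerable(conn, "Administrator", "TopSecret"),
        "vulnerable, injection": login_vulnerable(conn, "Administrator", payload),
        "safe, correct password": login_safe(conn, "Administrator", "TopSecret"),
        "safe, injection": login_safe(conn, "Administrator", payload),
        "vulnerable, slide payload raises": vulnerable_raises(conn, "crap' or 1=1"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note that `login_vulnerable` also accepts the injected password for a username that does not exist at all, because the `OR` clause matches every row; the parameterized version treats the whole payload as one opaque string and finds no match.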
Secure Development Process!
Secure Development Process (diagram): protocols, rules, standards, best practices and tooling; evaluation and feedback; experience; education.
Stay Secure?
System Environment (diagram): Internet > Firewall > DMZ: Web Application > Firewall > Private Network: Back Office > Firewall > Private Network: Database.
Questions at each tier: System user? System rights? Error handling? Database rights? User rights?
Summary, Questions And Discussion
Functional Designers & Architects: > It is not only about what functionality the application has to supply, but also about what it may not do.
Engineers: > Quality is not just 'does it work'.
Testers: > Security weaknesses are no different from other, functional, bugs; they can be traced down the same way.
Managers: > Reserve project time for security. > Understand security as a mandatory value of an application.
Security Analyst: > Involve a security analyst at the beginning of the design phase.