OWASP Application Security Awareness

OWASP

September 16th 2010

Martin Knobloch OWASP Netherland Chapter Leader OWASP Global Education Committee OWASP Global Connection Committee Sogeti Netherlands B.V. [email protected] +31-6 52 32 76 79 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation http://www.owasp.org

Agenda What is OWASP? Secure Application

 OWASP Top Ten OWASP near you

OWASP

OWASP Mission

to make application security "visible," so that people and organizations can make informed decisions about application security risks

OWASP

3

OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

OWASP

www.owasp.org

OWASP

5

5

OWASP Resources and Community Documentation (Wiki and Books) • Code Review, Testing, Building, Legal, more …

Code Projects • Defensive, Offensive (Test tools), Education, Process, more …

Chapters • Over 100 and growing

Conferences • Major and minor events all around the world OWASP

2009 OWASP Supporters

OWASP

The Wisdom of Crowds Diversity of opinion Decentralization Aggregation Independence

OWASP

8

OWASP Worldwide Community Participants 25000 20000 15000 10000 5000 0

Chapters 160 140 120 100 80 60 40 20 0

OWASP

9

OWASP Dashboard Worldwide Users

Most New Visitors

250

22,782,709 page views

200 150 100 50

0 1-10-2002

1-10-2003

1-10-2004

1-10-2005

1-10-2006

1-10-2007

OWASP

10

OWASP Conferences (2008-2009)

Minnesota Oct 2008 Denver Spring 2009

NYC Sep 2008 DC Sep 2009

Brussels May 2008

Germany Nov 2008 Poland May 2009

Ireland 2009 Portugal Summit Nov 2008

Israel Sep 2008

India Aug 2008

Taiwan Oct 2008

Gold Coast Feb 2008 +2009

OWASP

11

OWASP Projects Are Alive!

2009

…

2007

2005 2003 2001

OWASP

12

Web Server Hardened OS Firewall

Firewall

Network Layer

App Server

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks OWASP

Billing

Human Resrcs

Directories

APPLICATION ATTACK

Web Services

Custom Developed Application Code

Legacy Systems

Your security “perimeter” has huge holes at the application layer Databases

Application Layer

Security Perimeter

What is Web Application Security? Not Network Security Securing the “custom code” that drives a web application Securing libraries Securing backend systems Securing web and application servers

Network Security Mostly Ignores the Contents of HTTP Traffic Firewalls, SSL, Intrusion Detection Systems, Operating System Hardening, Database Hardening OWASP

Tools – At Best 45%  MITRE found that all application security tool vendors‟ claims put together cover only 45% of the known vulnerability types (695)  They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

OWASP

OWASP Top Ten Critical Vulnerabilities

OWASP

16

OWASP Projects Lifecycle  Define Criteria for Quality Levels  Alpha, Beta, Release

 Encourage Increased Quality  Through Season of Code Funding and Support  Produce Professional OWASP books

 Provide Support  Full time executive director (Kate Hartmann)  Full time project manager (Paulo Coimbra)  Half time technical editor (Kirsten Sitnick)  Half time financial support (Alison Shrader)  Looking to add programmers (Interns and professionals) OWASP

OWASP Live CD

OWASP

18

Want More OWASP?                         

OWASP .NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project

                       

OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project

OWASP

19

Part of the ‘Big 4’

Building Guide

Code Review Guide

Testing Guide

Application Security Desk Reference (ASDR)

OWASP

The Building Guide Free and open source Gnu Free Doc License

Most platforms Examples are J2EE, ASP.NET, and PHP

Comprehensive Thread Modeling Advise & Best Practices Web Services Key AppSec Area‟s:  Authorization/Authentication  Session Management  Data Validation

OWASP

21

Secure Code Review Guide  What it is :

 What it isn't:

 Examination of developed source code for quality.

 Silver Bullet

 Security = Quality  Robust & Stable code

 Replacement for poor application development

 More Expensive

 Easy

 Can be more Accurate

 Cheap (Not Manual anyways)

 Requires unique skill set to do properly

 Replacement for other security controls

OWASP

OWASP

OWASP Code review tools Code Crawler: Alessio Marziali

Paulo Prego Orizon Framework

OWASP

Testing Guide v3: Index 1. Frontispiece

2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing

5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection OWASP

What’s new?  V2 8 sub-categories (for a total amount of 48 controls)  V3 10 sub-categories (for a total amount of 66 controls)  36 new articles!

Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing

Information Gathering Config. Management Testing Business Logic Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing Encoded Appendix

OWASP

SDLC & OWASP Guidelines

OWASP Framework

OWASP

27

CLASP  Comprehensive, Lightweight Application Security Process Centered around 7 AppSec Best Practices Cover the entire software lifecycle (not just development)  Adaptable to any development process

Defines roles across the SDLC 24 role-based process components Start small and dial-in to your needs

OWASP

OWASP Tools and Technology

OWASP

29

Part of the ‘Big 4 +1’ ASVS

Building Guide

Code Review Guide

Testing Guide

Application Security Desk Reference (ASDR) OWASP

OWASP Application Security Verification Std Standard for verifying the security of web applications

Four levels Automated Manual Architecture Internal

OWASP

31

Coverage Depth – Level of Rigor

No malicious developers



The design has to be right The controls have to be right

 

Scan

 Breadth – Number of Requirements

OWASP

What does the ASVS look like?  “Verification Levels” section  “Detailed Verification Requirements” section  “Verification Reporting Requirements” section

OWASP

What are ASVS verification levels?

OWASP

Levels in more detail Level 1 – Automated Verification – Level 1A – Dynamic Scans (Partial Automated Verification) – Level 1B – Source Code Scans (Partial Automated Verification)

Level 2 – Manual Verification – Level 2A – Manual Pentesting (Partial Manual Verification) – Level 2B – Manual Source Code Review (Partial Manual Verification)

Level 3 – Design Verification Level 4 – Internal Verification

OWASP

Earning a level… Security control behavior

Security control use

• Is the control designed right? • Is the control used right?

Security control implementation

• Is the control implemented right?

Security control verification

• What do you have to do to verify the control?

Documentation

• How do you have to write it up?

OWASP

Level 1 in more detail Automated verification of a web application or web service treated as groups of components within single monolithic entity.

OWASP

Application Security Verification Techniques Find Vulnerabilities Using the Running Application

Find Vulnerabilities Using the Source Code

Manual Application Penetration Testing

Manual Security Code Review

Automated Application Vulnerability Scanning

Automated Static Code Analysis

OWASP

Appliaction Security Verification Standaard 5

Manual Security Code Review (Specialist)

4 3

Auto Source Code Review (Tool)

1

2

External App Scan (Tool)

Threat Analysis & Architecture Review (Analyst)

0

(Defined by Business)

Business Criticality (Impact of Loss)

Manual Penetration Testing (Specialist)

0

1

2

3

4

5

Expected Security Assurance (Assessment Depth – Expected Level of Security) (Defined by Corporate Security)

OWASP

39

3

AL6 AL5

2

AL4 AL2

1

(Defined by Business)

Business Criticality

4

5

Appliaction Security Verification Standaard

AL3

0

AL1 0

1

2

3

Expected Security Assurance

4

5

(Defined by Corporate Security)

 AL1: Architecture Review/Threat Analysis - Design level review to identify critical assets, sensitive data stores and business critical interconnections. In addition to architecture reviews is threat analysis to determine potential attack vectors, which could be used in testing.  AL2: Quick Hit Application Security Check - Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.  AL3: Basic Application Security Check – AL2 + verification and validation of scan results. Security areas not scanned (encryption, access control, etc.) must be lightly tested or code reviewed. OWASP

40

3

AL6 AL5

2

AL4 AL2

1

(Defined by Business)

Business Criticality

4

5

Appliaction Security Verification Standaard

AL3

0

AL1 0

1

2

3

Expected Security Assurance

4

5

(Defined by Corporate Security)

 AL4: Standard Application Security Verification – AL3 + verification of common security mechanisms and common vulnerabilities using either manual penetration testing or code review or both. Not all instances of problems found - Sampling allowed.  AL5: Enhanced Application Security Verification – AL1 + AL3 + verification of all security mechanisms and vulnerabilities based on threat analysis model using either manual penetration testing or code review or both.  AL6: Comprehensive Application Security Verification – AL1 + AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested. OWASP

41

SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager

OWASP

SAMM Security Practices From each of the Business Functions, 3 Security Practices are defined The Security Practices cover all areas relevant to software security assurance Each one is a „silo‟ for improvement

OWASP

Under each Security Practice Three successive Objectives under each Practice define how it can be improved over time This establishes a notion of a Level at which an organization fulfills a given Practice

The three Levels for a Practice generally correspond to: (0: Implicit starting point with the Practice unfulfilled) 1: Initial understanding and ad hoc provision of the Practice 2: Increase efficiency and/or effectiveness of the Practice 3: Comprehensive mastery of the Practice at OWASP scale

Check out this one...

OWASP

Per Level, SAMM defines... Objective Activities Results Success Metrics Costs Personnel Related Levels

OWASP

Approach to iterative improvement Since the twelve Practices are each a maturity area, the successive Objectives represent the “building blocks” for any assurance program

Simply put, improve an assurance program in phases by: Select security Practices to improve in next phase of assurance program Achieve the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics OWASP

Applying the model

OWASP

Conducting assessments SAMM includes assessment worksheets for each Security Practice

OWASP

Assessment process Supports both lightweight and detailed assessments Organizations may fall in between levels (+)

OWASP

Creating Scorecards Gap analysis Capturing scores from detailed assessments versus expected performance levels

Demonstrating improvement Capturing scores from before and after an iteration of assurance program build-out

Ongoing measurement Capturing scores over consistent time frames for an assurance program that is already in place OWASP

Roadmap templates  To make the “building blocks” usable, SAMM defines Roadmaps templates for typical kinds of organizations  Independent Software Vendors  Online Service Providers  Financial Services Organizations  Government Organizations

 Organization types chosen because  They represent common use-cases  Each organization has variations in typical software-induced risk  Optimal creation of an assurance program is different for each OWASP

Building Assurance Programs

OWASP

Case Studies A full walkthrough with prose explanations of decision-making as an organization improves Each Phase described in detail Organizational constraints Build/buy choices

One case study exists today, several more in progress using industry partners

OWASP

SAMM Business Functions Start with the core activities tied to any organization performing software development Named generically, but should resonate with any developer or manager OWASP

SAMM Security Practices  From each of the Business Functions, 3 Security Practices are defined

 The Security Practices cover all areas relevant to software security assurance  Each one is a „silo‟ for improvement

OWASP

OWASP Software Assurance Maturity Model

OWASP

57

Agenda What is OWASP? Secure Application

 OWASP Top Ten OWASP near you

OWASP

Ultimate Security?!?

OWASP

What is secure Software? An application is secure if it acts and reacts, as it expected, at any time! Functional

Technical

Specification

Implementation

Secure Insecure?

Insecure? OWASP

Applications over time The environments in where the software applications run where closed. • By this, the applications could be developed ‘open’.

OWASP

Applications over time The environments in where the software applications run where closed. • By this, the applications could be developed ‘open’. The environments became more open over time.

OWASP

Applications over time The environments in where the software applications run where closed. • By this, the applications could be developed ‘open’. The environments became more open over time.  What means, the applications have to become more closed.

OWASP

Security Design & Architectuur

OWASP

Ultimate Security?!?

OWASP

The problem: Cookies, HTTP authentication, SLL.. Low learning curve Easy to attack (web) applications

OWASP

OWASP Top 10 2007  A1 - Cross Site Scripting (XSS)

        

A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 - Information Leakage & Improper Error Handling A7 - Broken Authentication & Session Management A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access

OWASP

Where do attacks come from? Conscious!

Unconscious!

Cracker Hacker Scriptkiddie

• System • Environment • User

Risk=(

Threat * Vulnerability Countermeasures

)*Value OWASP

What is Software Security about? Applications are about information! 3 pillars of Information Security: Confidentiality Integrity

Availability

OWASP

Security Requirements? ‘Why’

N o n

F

Business requirements

u

n c

‘What’

f u n

t User requirements

i o

n a l

‘How’

c

Business rules

t i o

Constraints

n

a

System requirementsExternal

l

interfaces

OWASP

What is Software Security about? Who..

(the user) in what role?

Where..

thus, with what rights?

..in which process..

..may do..

..on what data? OWASP

Where ‘is’ Software Security?

OWASP

Software Architectuur?

OWASP

Security Development Lifecycles Microsoft SDL

Touchpoints

CLASP OWASP

Summary > Applications are about information > Confidentiality, Integrity & Availability > Explicit security requirements > Make security verifiable! > Security in depth > Security considered through the whole application > Propagation of credentials > Security by default > Who may do what?

More code = more bugs! OWASP

Any questions so far?

OWASP

Agenda What is OWASP Secure Application

 OWASP Top Ten OWASP near you

OWASP

OWASP Top Ten Critical Vulnerabilities

OWASP

78

A1 Cross-Site Scripting (XSS)

OWASP

A1 Cross-Site Scripting (XSS)

Unsafe content is stored in the dynamic part of the web content? 1. Unsafe content is retrieved from the database 2. That unsafe content becomes part of the site 3. The servers sends the response to the client 4. The client receives and interprets the received content. 5. The unsafe content (e.g. a script) causes the browser to send an request to another, unsafe, site! OWASP

A2 Injection Flaws

OWASP

A2 Injection Flaws – SQL injection Screen: USERNAME:[Admin] PASSWORD:[Secret01]

Server: Access if: the username is „Admin‟ & and the password is „Secret01'; OWASP

A2 Injection Flaws – SQL injection Screen: USERNAME:[Admin] PASSWORD:[Secret01 OR 1 = 1]

Server: Access if: the username is „Admin‟ & and the password is „Secret01‟ OR 1 = 1; OWASP

A2 Injection Flaws – SQL injection Screen: USERNAME:[Admin] PASSWORD:[Secret01 OR 1 = 1]

Server: Access if: the username is „Admin‟ & and the password is „whatever‟ OR 1 = 1; OWASP

A3 Malicious File Execution

OWASP

A4 Insecure Direct Object Reference

OWASP

A5 Cross-site Request Forgery (XSRF)

OWASP

A6 Information Leakage / Improper Error Handling

OWASP

A8 Insecure Cryptographic Storage

OWASP

A9 Insecure Communication

OWASP

A10 Failure to Restrict URL Access

OWASP

Agenda What is OWASP? Secure Application

 OWASP Top Ten OWASP near you

OWASP

Subscribe to Chapter mailing list Post your (Web)AppSec questions Keep up to date! Get monthly news letters Contribute to discussions!

OWASP

93

That’s it… http://www.owasp.org http://www.owasp.org/index.php/London

http://www.owasp.org/index.php/Leeds_UK

[email protected] Thank you! OWASP

94