a sneak peek at the owasp enterprise security api

Copyright © 2007 - The OWASP FoundationThis work is available under the Creative Commons SA 2.5 license

The OWASP Foundation

The OpenWeb Application Security Project

http://www.owasp.org

A Sneak Peek at the OWASP Enterprise Security API

Jeff WilliamsOWASP Foundation Chairjeff.williams@owasp.org

Aspect Security CEOjeff.williams@aspectsecurity.com

The Challenge…

Developers need to rip, mix, and burn authentication, access control, input validation, encoding, encryption, logging, error handling, etc…

Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, lots lots more….

2

Drivers

I’m tired of security “researchers”

Most developers shouldn’t build security controlsWhen to use a controlHow to use a controlWhy to use a control (maybe) All the security guidelines, courses, tutorials,

websites, books, etc… are all mixed up because everyone builds their own controls

Few organizations have a complete security API

3

Design

Only include methods that…Are useful in a large percentage of applicationsFocus on the most risky areas

Designed to be simple to understand and use Interfaces with concrete reference implementation Full documentation and usage examples

Same basic API across common platforms Java EE, .NET, PHP, others?

4

Strawman

5

Preliminary

Customizing

ESAPI is an APIWrap existing libraries and servicesExtend and customize ESAPIFill in gaps with reference implementation

Easy to retrofit to existing applications

6

Project Plan and Status

7

2002 – Start Collecting

9/07 – Sneak Peek

Quality

8

Authenticator

Key MethodscreateUser(accountName, pass1, pass2)generateStrongPassword()getCurrentUser() login(request, response)verifyAccountNameStrength(acctName)verifyPasswordStrength(newPass, oldPass)

Reference ImplementationUse threadlocal variable to store current UserAutomatically changes sessionid on login and logout

9

User

Key MethodschangePassword(old, new1, new2) disable() enable() getAccountName() getScreenName() getCSRFToken()getLastFailedLoginTime() getLastLoginTime()getRoles() isInRole(role) isEnabled() isExpired() isLocked() loginWithPassword(password, request, response) logout(request, response) resetCSRFToken() resetPassword()verifyCSRFToken(java.lang.String token)

10

AccessController

Key Methods isAuthorizedForData(key) isAuthorizedForFile(filepath) isAuthorizedForFunction(functionName) isAuthorizedForService(serviceName) isAuthorizedForURL(url)

Reference Implementation (not required) /* | any | deny | default deny rule /admin/* | admin | allow | admin access to /admin

11

AccessReferenceMap

Key MethodsgetDirectReference(indirectReference)getIndirectReference(directReference) iterator()update(directReferences)

Examplehttp://www.ibank.com?file=report123.xlshttp://www.ibank.com?file=a3nr38

12

Validator

Key Methodscanonicalize(input) isValidFileUpload(filepath, filename, content) isValidCreditCard(input) isValid***** (input) isValidRedirectLocation(location) isValidSafeHTML(input)safeReadLine(inputStream, maxchars)

Canonicalization is really important13

Encoder

14

HTTPUtilities

Key MethodschangeSessionIdentifier(request) formatHttpRequestForLog(request, sensitiveList)getFileUploads(request, tempDir, finalDir)killAllCookies(request, response)killCookie(name, request, response)sendRedirect(locationsetCookie(name, value, age, domain, path, response) setNoCacheHeaders(response)

Safer ways of dealing with HTTP, uses HTTPOnly15

Encryptor

Key Methodsdecrypt(ciphertext) encrypt(plaintext)hash(plaintext, salt) loadCertificateFromFile(file)getTimeStamp()seal(data, expiration) verifySeal(seal, data) sign(data) verifySignature(signature, data)

Simple master key in configuration Minimal certificate support

16

EncryptedProperties

Key MethodsgetProperty(key)setProperty(key, value) keySet() load(inputStream) store(outputStream, comments)

Simple protected storage for configuration data

17

Randomizer

Key MethodsgetRandomInteger(min, max) getRandomReal(min, max) getRandomString(length, characterSet)

Several pre-defined character setsLowers, uppers, digits, specials, letters,

alphanumerics, password, etc…

18

Exception Handling

EnterpriseSecurityExceptionAccessControlExceptionAuthenticationExceptionAvailabilityExceptionCertificateExceptionEncryptionExceptionExecutorException IntrusionExceptionValidationException

Allows a sensible security exception framework

19

Logger

Key MethodsgetLogger(applicationName,moduleName) logCritical(type, message, throwable) logDebug(type, message, throwable) logError(type, message, throwable) logSuccess(type, message, throwable) logTrace(type, message, throwable) logWarning(type, message, throwable)

All EnterpriseSecurityExceptions are automatically logged

20

IntrusionDetector

Key MethodsaddException(exception) createQuota(exception, limit)

Current PlanEnterpriseSecurityExceptions are automatically

sent to IntrusionDetectorCan set a quota for any exceptionDetects exceeding quota in a specified time

period

21

OWASP Top Ten Coverage

22

Closing Thoughts

I have learned an amazing amount (I thought I knew)

An ESAPI is a key part of a balanced breakfast Integrated API has huge benefits over separate libraries

Secondary benefitsMay help static analysis do betterEnables security upgrades across applicationsSimplifies developer training

Next year – experiences moving to ESAPI

23